helpme33

Suspected rootkit/bootkit

13 July 2012 - 06:44 AM

Hi everyone. Desperately need help here. Basically I'm fairly sure the PC is infected with something that has root access, possibly a hidden boot partition on the hard drive, or worse (BIOS).

Basically there's all sorts of processes, services & things running that I don't think should be. Windows Update won't work, there are now Group Policy controls running, even though the PC is a home PC. The firewall seems to be configured to leave the system wide open, there's quite a few DCOM things running. Also, this may be normal, I'm not sure, but I'm using a 500GB HDD that has the system reserved partition that Windows sets up automatically, but this partition is marked as active, & the actual C: drive partition is marked as BOOT, PAGEFILE, CRASHDUMP & Primary.

I've wiped the hard drive partitions & reinstalled a few times, cleared & updated the BIOS, but it just reinstalls back this way. All these logs are from a clean install with nothing but the programs themselves installed. There's also a hidden group of non-plug & play objects in the Device Manager controlling a lot of network authority stuff. I also have another blank 500GB installed, but this has been formatted & had its partitions wiped. Please HHEELLPP!

MBAM QUICK SCAN

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.13.03
Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
pc1 :: pc [administrator]
Protection: Enabled
26/01/2011 00:55:26
mbam-log-2011-01-26 (00-55-26).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201673
Time elapsed: 58 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)



DDS SCAN

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by pc1 at 0:59:36 on 2011-01-26
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.353.1033.18.4095.2871 [GMT 0:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ie/
mWinlogon: Userinit=userinit.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: Interfaces\{3BFE3A88-130E-4593-B34E-3562A7D3A0FE} : NameServer = 89.101.160.4,89.101.160.5
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-1-26 655944]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
.
=============== Created Last 30 ================
.
2011-01-26 08:28:43 -------- d-----w- C:\Windows\Panther
2011-01-26 00:54:59 -------- d-----w- C:\Users\pc1\AppData\Roaming\Malwarebytes
2011-01-26 00:54:53 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-01-26 00:54:53 -------- d-----w- C:\ProgramData\Malwarebytes
2011-01-26 00:54:53 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-01-26 00:54:20 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{86AEB329-7848-41E3-8648-A1AA45834322}\mpengine.dll
2011-01-26 00:44:38 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2011-01-26 00:44:26 36864 ----a-w- C:\Windows\System32\wuapp.exe
2011-01-26 00:44:26 186752 ----a-w- C:\Windows\System32\wuwebv.dll
.
==================== Find3M ====================
.
.
============= FINISH: 0:59:55.25 ===============






COMBOFIX LOG

ComboFix 12-07-13.01 - pc1 26/01/2011 1:06.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.353.1033.18.4095.2879 [GMT 0:00]
Running from: c:\users\pc1\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2010-12-26 to 2011-01-26 )))))))))))))))))))))))))))))))
.
.
2011-01-26 08:28 . 2011-01-26 00:37 -------- d-----w- c:\windows\Panther
2011-01-26 00:54 . 2012-07-03 13:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-26 00:54 . 2011-01-26 00:54 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-26 00:54 . 2011-01-26 00:54 -------- d-----w- c:\programdata\Malwarebytes
2011-01-26 00:54 . 2012-06-18 03:12 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{86AEB329-7848-41E3-8648-A1AA45834322}\mpengine.dll
2011-01-26 00:44 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2011-01-26 00:44 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2011-01-26 00:44 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2011-01-26 00:44 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2011-01-26 00:44 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2011-01-26 00:44 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2011-01-26 00:44 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2011-01-26 00:44 . 2012-06-02 15:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2011-01-26 00:44 . 2012-06-02 15:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2011-01-26 00:37 . 2011-01-26 00:37 -------- d-----w- c:\users\pc1
2011-01-26 00:37 . 2011-01-26 00:37 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NSIPROXY
*NewlyCreated* - WS2IFSL
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ie/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: Interfaces\{3BFE3A88-130E-4593-B34E-3562A7D3A0FE}: NameServer = 89.101.160.4,89.101.160.5
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
.
**************************************************************************
.
Completion time: 2011-01-26 01:12:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-26 01:12
.
Pre-Run: 484,271,935,488 bytes free
Post-Run: 484,153,880,576 bytes free
.
- - End Of File - - 8655822A4F1CA92D69687DBF9A1F2EFC


ASWMBR LOG

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2011-01-26 01:58:37
-----------------------------
01:58:37.227 OS Version: Windows x64 6.1.7600
01:58:37.227 Number of processors: 4 586 0xF0B
01:58:37.227 ComputerName: PC UserName:
01:58:38.024 Initialize success
01:59:19.970 AVAST engine defs: 12071300
01:59:39.658 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000052
01:59:39.658 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
01:59:39.673 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000053
01:59:39.673 Disk 1 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
01:59:39.673 Disk 0 MBR read successfully
01:59:39.689 Disk 0 MBR scan
01:59:39.689 Disk 0 Windows 7 default MBR code
01:59:39.689 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 476938 MB offset 2048
01:59:39.705 Disk 0 scanning C:\Windows\system32\drivers
01:59:43.142 Service scanning
01:59:52.564 Modules scanning
01:59:52.564 Disk 0 trace - called modules:
01:59:52.580 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor.sys
01:59:52.580 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d4a060]
01:59:52.580 3 CLASSPNP.SYS[fffff8800199343f] -> nt!IofCallDriver -> [0xfffffa8004aefd80]
01:59:52.595 5 ACPI.sys[fffff88000f17781] -> nt!IofCallDriver -> \Device\00000052[0xfffffa8004ae0540]
01:59:53.439 AVAST engine scan C:\
02:08:49.573 Scan finished successfully
02:10:01.354 Disk 0 MBR has been saved successfully to "C:\Users\pc1\Desktop\MBR.dat"
02:10:01.354 The log file has been saved successfully to "C:\Users\pc1\Desktop\aswMBR.txt"

Can anyone help with this? Do I even have anything suspicious running or is it all normal? PLEASE ADVISE.....
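Triage over the three logs above, as an added example that is not part of the original post and not code from Malwarebytes, DDS, ComboFix or aswMBR: a Python script that parses the log lines in the formats pasted (constructed samples excerpted from the post are embedded so it runs offline) and reports the points a responder reads first. It checks whether aswMBR saw the Windows 7 default MBR code and which partitions (with the 0x80 boot flag) it listed on disk 0, compares the policy values that DDS and ComboFix printed against an assumed Windows 7 baseline (ConsentPromptBehaviorUser = 3, EnableUIADesktopToggle = 0, LoadAppInit_DLLs = 0x0 are my assumptions, not something the logs state), lists the configured resolvers, and applies a clock-plausibility check: a ComboFix build dated 12-07-13 run on a machine reporting 26/01/2011, and files whose modified time is later than their created time, both point at a wrong system clock. All function names and the baseline table are mine.

```python
"""Triage helper for the aswMBR, DDS and ComboFix logs in the post above.
Added example, not code from the post or from any of those tools: it parses
the log lines as they appear there and reports the first things a responder
checks (MBR code, partition table, clock plausibility, policy values, DNS)."""
import re
from datetime import datetime

# Assumed baseline: values a fresh Windows 7 install carries for these keys.
WIN7_BASELINE = {
    "ConsentPromptBehaviorUser": "3",  # credential prompt on secure desktop
    "EnableUIADesktopToggle": "0",
    "LoadAppInit_DLLs": "0x0",         # AppInit DLL injection disabled
}

# Constructed samples, excerpted from the three logs in the post.
ASWMBR = r"""
01:59:39.673 Disk 0 MBR read successfully
01:59:39.689 Disk 0 Windows 7 default MBR code
01:59:39.689 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 476938 MB offset 2048
"""
DDS = r"""
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: Interfaces\{3BFE3A88-130E-4593-B34E-3562A7D3A0FE} : NameServer = 89.101.160.4,89.101.160.5
"""
COMBOFIX = r"""
ComboFix 12-07-13.01 - pc1 26/01/2011 1:06.1.4 - x64
2011-01-26 08:28 . 2011-01-26 00:37 -------- d-----w- c:\windows\Panther
2011-01-26 00:54 . 2012-07-03 13:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-26 00:44 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
"ConsentPromptBehaviorUser"= 3 (0x3)
"LoadAppInit_DLLs"=0x0
"""

# aswMBR partition line: number, boot flag byte, type byte, name, fs, size, offset
PART_RE = re.compile(r"Disk 0 Partition (\d+) (\w\w) (\w\w) (\S+)\s+(\S+)\s+(\d+) MB offset (\d+)")
# ComboFix file line: created . modified size attrs path (directories have no size)
CF_FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) +(\d+) \S+ (\S.*)$", re.M)
# ComboFix header: build yy-mm-dd, then the run date dd/mm/yyyy as the machine reported it
CF_HEAD_RE = re.compile(r"ComboFix (\d\d)-(\d\d)-(\d\d)\.\d+ - \S+ (\d\d)/(\d\d)/(\d{4})")


def parse_aswmbr(text):
    """MBR status plus the disk 0 partition table; boot flag 0x80 marks the active partition."""
    parts = [{"num": int(n), "active": boot == "80", "type": ptype, "fs": fs,
              "size_mb": int(size), "offset": int(off)}
             for n, boot, ptype, _name, fs, size, off in PART_RE.findall(text)]
    return {"mbr_default": "default MBR code" in text, "partitions": parts}


def parse_policies(dds_text, combofix_text):
    """Policy values from DDS 'mPolicies-*' lines and ComboFix REGEDIT4 value lines."""
    vals = dict(re.findall(r"mPolicies-\w+: (\w+) = (\S+)", dds_text))
    vals.update(re.findall(r'^"(\w+)"\s*=\s*(\S+)', combofix_text, re.M))
    return vals


def parse_nameservers(text):
    """Flat list of resolver IPs from 'NameServer = a,b' lines."""
    return [ip for m in re.findall(r"NameServer = ([\d.,]+)", text) for ip in m.split(",")]


def clock_findings(combofix_text):
    """Evidence the system clock is wrong: a run date before the tool's build date,
    or a file whose modified time is later than its created time."""
    out = []
    m = CF_HEAD_RE.search(combofix_text)
    if m:
        yy, mo, dd, d, mth, y = (int(x) for x in m.groups())
        build, run = datetime(2000 + yy, mo, dd), datetime(y, mth, d)
        if run < build:
            out.append(f"run date {run:%Y-%m-%d} precedes ComboFix build date {build:%Y-%m-%d}")
    for created, modified, _size, path in CF_FILE_RE.findall(combofix_text):
        c, mtime = (datetime.strptime(t, "%Y-%m-%d %H:%M") for t in (created, modified))
        if mtime > c:
            out.append(f"{path}: modified {mtime:%Y-%m-%d} is after created {c:%Y-%m-%d}")
    return out


def triage(aswmbr_text, dds_text, combofix_text):
    """One finding string per check, in the order a responder would read them."""
    f = []
    mbr = parse_aswmbr(aswmbr_text)
    f.append("MBR: " + ("Windows 7 default code" if mbr["mbr_default"]
                        else "NOT default code, dump MBR.dat and inspect"))
    for p in mbr["partitions"]:
        f.append(f"partition {p['num']}: type {p['type']} {p['fs']} {p['size_mb']} MB "
                 f"at sector {p['offset']}" + (" [active]" if p["active"] else ""))
    if not any(p["size_mb"] < 500 for p in mbr["partitions"]):
        f.append("no System Reserved sized partition in the MBR table; compare with Disk Management")
    for key, val in parse_policies(dds_text, combofix_text).items():
        base = WIN7_BASELINE.get(key)
        status = ("not in baseline, review" if base is None else
                  "Windows 7 default" if val == base else f"differs from default {base}")
        f.append(f"policy {key} = {val}: {status}")
    f.append("DNS resolvers " + ", ".join(parse_nameservers(dds_text)) + ": confirm they are your ISP's")
    f.extend("clock: " + c for c in clock_findings(combofix_text))
    return f


if __name__ == "__main__":
    print("\n".join(triage(ASWMBR, DDS, COMBOFIX)))
```

On the excerpts above the script reports the default Windows 7 MBR code, a single NTFS partition at sector 2048 with no boot flag, policy values equal to the assumed baseline, the two resolvers to verify against the ISP, and three clock findings. The clock findings are the practical point: every timestamp in these logs was written by a machine whose date is earlier than the build date of the tool producing them, so created/modified ordering cannot be used to decide what appeared after the reinstall until the clock is corrected and the logs re-run.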