I'm not so sure the server is out of the woods yet. I just ran another DDS scan and found a "ROOTKIT" entry.
If it can't be fixed, how can I cold start the drives and be sure to wipe it out?
Here is the latest scan:
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by buzz at 14:16:52 on 2011-06-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1442 [GMT -7:00]
.
AV: Outpost Security Suite *Disabled/Updated* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\D-Link\D-Link USB VoIP Adapter\DLinkMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\GEEK SQUAD UPS\pppeuser.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\RhinoSoft.com\Serv-U\Serv-U-Tray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DU Super Controler\DUSuperControler.exe
C:\Program Files\DU Super Controler\DUSuperControler.exe
C:\Program Files\DU Meter\DUMeter.exe
D:\Lists\Animal-List\SVList-Animal-List.exe
D:\Lists\UNJO\SVList-UNJO.exe
D:\Lists\WhiteGold-List\SVList-WhiteGold-List.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\hMailServer\Bin\hMailServer.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\GEEK SQUAD UPS\ppped.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\D-Link\D-Link USB VoIP Adapter\VServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\D-Link\D-Link USB VoIP Adapter\DPH-50U Utility.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
D:\_downloads\2011\110602\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [PowerPanel Personal Edition User Interaction] "c:\program files\geek squad ups\pppeuser.exe"
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [ServUTrayIcon] c:\program files\rhinosoft.com\serv-u\Serv-U-Tray.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Dimension4] c:\program files\d4\D4.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [DLinkMonitor.exe] c:\program files\d-link\d-link usb voip adapter\DLinkMonitor.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [OutpostMonitor] "c:\progra~1\agnitum\outpos~1\op_mon.exe" /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost security suite free\feedback.exe" /dump:os_startup
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstall ... AA4ADYARwA"&"inst=NwA3AC0ANgAzADgANQA1ADUAMQA5ADMALQBGAEwAKwA5AC0AWABPADkAKwAxAC0AWABPADMANgArADEA"&"prod=90"&"ver=9.0.901
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\d4exe~1.lnk - c:\program files\d4\D4.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\dumeter.lnk - c:\program files\du meter\DUMeter.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\svlist~2.lnk - d:\lists\animal-list\SVList-Animal-List.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\svlist~3.lnk - d:\lists\unjo\SVList-UNJO.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\svlist~1.lnk - d:\lists\whitegold-list\SVList-WhiteGold-List.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoexec.lnk - c:\autoexec.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dusupe~1.lnk - c:\program files\du super controler\DUSuperControler.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\buzz\application data\mozilla\firefox\profiles\bpgjtaxx.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 TLRecAgent;TLRecAgent;c:\windows\system32\drivers\TLRecAgent.sys [2007-1-2 37208]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-30 11608]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2011-5-31 710824]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2011-5-31 2072592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-30 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-30 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-30 61960]
R2 hMailServer;hMailServer;c:\program files\hmailserver\bin\hmailserver.exe runasservice --> c:\program files\hmailserver\bin\hMailServer.exe RunAsService [?]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-2 366640]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-3-18 172328]
R2 VService;VService;c:\program files\d-link\d-link usb voip adapter\VServ.exe [2007-1-2 105208]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2011-5-31 34280]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2011-5-31 267624]
R3 HomeQOS;HomeQOS Miniport;c:\windows\system32\drivers\homeqos.sys [2004-1-20 36096]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-2 22712]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-5-28 108032]
R3 slusbvip;SL3800 USB Driver;c:\windows\system32\drivers\slusbvip.sys [2007-1-2 591832]
R3 SLVAD_simple;D-Link Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [2007-1-2 85656]
S3 ASWFilt;ASWFilt;c:\windows\system32\filt\ASWFilt.dll [2011-5-31 72352]
S3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [2011-5-31 242040]
S3 VBFilt;VBFilt;c:\windows\system32\filt\VBFilt.dll [2011-5-31 36288]
.
=============== File Associations ===============
.
txtfile=c:\pfiles\editpad\EditPad.exe "%1"
.
=============== Created Last 30 ================
.
2011-06-02 17:56:02 -------- d-----w- c:\documents and settings\buzz\application data\Malwarebytes
2011-06-02 17:55:53 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-02 17:55:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-02 17:55:47 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 17:55:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-31 18:26:31 -------- d-sha-r- C:\cmdcons
2011-05-31 18:25:14 98816 ----a-w- c:\windows\sed.exe
2011-05-31 18:25:14 518144 ----a-w- c:\windows\SWREG.exe
2011-05-31 18:25:14 256512 ----a-w- c:\windows\PEV.exe
2011-05-31 18:25:14 208896 ----a-w- c:\windows\MBR.exe
2011-05-31 07:33:59 1025824 ----a-w- c:\windows\system32\drivers\vbcorent.sys
2011-05-31 07:21:59 710824 ----a-w- c:\windows\system32\drivers\SandBox.sys
2011-05-31 07:21:59 242040 ----a-w- c:\windows\system32\drivers\VBEngNT.sys
2011-05-31 07:21:48 267624 ----a-w- c:\windows\system32\drivers\afwcore.sys
2011-05-31 07:21:17 34280 ----a-w- c:\windows\system32\drivers\afw.sys
2011-05-31 07:21:07 -------- d-----w- c:\windows\system32\Filt
2011-05-31 07:21:07 -------- d-----w- c:\documents and settings\buzz\application data\Agnitum
2011-05-31 07:21:06 -------- d-----w- c:\program files\Agnitum
2011-05-31 07:20:14 -------- d-----w- c:\documents and settings\all users\application data\Agnitum
2011-05-30 22:32:21 -------- d-----w- c:\windows\system32\NtmsData
2011-05-30 22:31:20 -------- d-----w- c:\documents and settings\buzz\application data\Avira
2011-05-30 22:26:39 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-30 22:26:39 -------- d-----w- c:\program files\Avira
2011-05-30 22:26:39 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-05-30 21:36:10 -------- d-----w- C:\$AVG
2011-05-27 10:35:00 -------- d-----w- c:\documents and settings\all users\application data\avg9
2011-05-27 09:50:43 -------- d-----w- c:\documents and settings\buzz\application data\GlarySoft
2011-05-27 09:50:42 -------- d-----w- c:\program files\Absolute Uninstaller
2011-05-27 07:12:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-27 07:12:51 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-27 05:41:16 -------- d-----w- c:\program files\Trend Micro
2011-05-24 03:18:42 -------- d-----w- c:\documents and settings\all users\application data\Common Files
2011-05-24 03:17:33 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-05-24 03:17:10 -------- d-----w- c:\program files\AVG
2011-05-24 03:03:30 -------- d-----w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
2011-05-26 09:29:24 298016 ----a-w- c:\windows\system32\drivers\yk51x86.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP2504C rev.VT100-33 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A708AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000071[0x8A7249E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP2T0L0-7[0x8A6A4940]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 14:17:29.49 ===============
Let me know what you'd do next, OK? I found the network drivers for this motherboard and reinstalled them. Still bad news.
I see that there are others on this forum with the same rootkit listing. There must be a way to dump this sucker!
Cheers,
Buzz.