TechSpot

[Solved] Need help removing rootkit

Discussion in 'Virus and Malware Removal' started by jakobdk, Nov 8, 2010.

Thread Status:
Not open for further replies.
  1. jakobdk Newcomer, in training

    Okay, I'm back :)

    I have installed all the programs (FileHippo Update, WOT etc.) and have set Secunia PSI and the FileHippo Checker to run at startup. Tomorrow I will then talk my parents through the programs (it is around 2.30 AM in Denmark at the moment).

    One last thing, though:
    Just to make sure, I ran Bootkit Remover (the program that started all this fuss), and it still reports an infected MBR ("PhysicalDrive0 Controlled by rootkit!" "Boot code on some of your physical discs is hidden by a rootkit.").

    I then ran MBRCheck and it said everything is OK (the MBR is standard Windows 7). I have copied the log below.

    I still think that there was a rootkit in the MBR in the beginning (since MBRCheck also reported a suspicious MBR), but I'm beginning to suspect that the latest check done with Bootkit Remover is a false positive in some way. Could it be that this program (that I chose to use on my own initiative, and that you did not ask me to use, I should add) is not compatible with Windows 7 64-bit?

    Please advise if you think I should do anything further :)

    The latest MBRCheck log:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Home Premium Edition
    Windows Information: (build 7600), 64-bit
    Base Board Manufacturer: FOXCONN
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: Hewlett-Packard
    System Product Name: SG3-110SC
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 183):
    0x02A1E000 \SystemRoot\system32\ntoskrnl.exe
    0x02FFA000 \SystemRoot\system32\hal.dll
    0x00BC0000 \SystemRoot\system32\kdcom.dll
    0x00C01000 \SystemRoot\system32\mcupdate_AuthenticAMD.dll
    0x00C0E000 \SystemRoot\system32\PSHED.dll
    0x00C22000 \SystemRoot\system32\CLFS.SYS
    0x00C80000 \SystemRoot\system32\CI.dll
    0x00D40000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x00DE4000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x00E84000 \SystemRoot\system32\DRIVERS\ACPI.sys
    0x00EDB000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
    0x00EE4000 \SystemRoot\system32\DRIVERS\msisadrv.sys
    0x00EEE000 \SystemRoot\system32\DRIVERS\pci.sys
    0x00F21000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
    0x00F2E000 \SystemRoot\System32\drivers\partmgr.sys
    0x00F43000 \SystemRoot\system32\DRIVERS\volmgr.sys
    0x00F58000 \SystemRoot\System32\drivers\volmgrx.sys
    0x00FB4000 \SystemRoot\System32\drivers\mountmgr.sys
    0x00FCE000 \SystemRoot\system32\DRIVERS\amdsata.sys
    0x00E00000 \SystemRoot\system32\DRIVERS\storport.sys
    0x00E62000 \SystemRoot\system32\DRIVERS\amdxata.sys
    0x01030000 \SystemRoot\system32\drivers\fltmgr.sys
    0x0107C000 \SystemRoot\system32\drivers\fileinfo.sys
    0x01219000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x01090000 \SystemRoot\System32\Drivers\msrpc.sys
    0x013BC000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x010EE000 \SystemRoot\System32\Drivers\cng.sys
    0x013D6000 \SystemRoot\System32\drivers\pcw.sys
    0x013E7000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x0148E000 \SystemRoot\system32\drivers\ndis.sys
    0x01580000 \SystemRoot\system32\drivers\NETIO.SYS
    0x01400000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x01601000 \SystemRoot\System32\drivers\tcpip.sys
    0x0142B000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x01161000 \SystemRoot\system32\DRIVERS\volsnap.sys
    0x01475000 \SystemRoot\System32\Drivers\spldr.sys
    0x011AD000 \SystemRoot\System32\drivers\rdyboost.sys
    0x015E0000 \SystemRoot\System32\Drivers\mup.sys
    0x015F2000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x01898000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x018D2000 \SystemRoot\system32\DRIVERS\disk.sys
    0x018E8000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x01957000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x01981000 \SystemRoot\System32\Drivers\Null.SYS
    0x0198A000 \SystemRoot\System32\Drivers\Beep.SYS
    0x01991000 \SystemRoot\System32\drivers\vga.sys
    0x0199F000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x019C4000 \SystemRoot\System32\drivers\watchdog.sys
    0x019D4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x019DD000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x019E6000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x019EF000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x01800000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x01811000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x0182F000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x0183C000 \SystemRoot\System32\Drivers\avgtdia.sys
    0x02C9B000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x02CE0000 \SystemRoot\system32\drivers\afd.sys
    0x02D6A000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x02D73000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x02D99000 \SystemRoot\system32\DRIVERS\vwififlt.sys
    0x02DAF000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x02DBE000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x02DD9000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x02C00000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x02C51000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x02C5D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x02C68000 \SystemRoot\System32\drivers\discache.sys
    0x02C77000 \SystemRoot\System32\Drivers\dfsc.sys
    0x02DED000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x0188D000 \SystemRoot\System32\Drivers\avgmfx64.sys
    0x03A20000 \SystemRoot\System32\Drivers\avgldx64.sys
    0x03A67000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x03A8D000 \SystemRoot\system32\DRIVERS\amdppm.sys
    0x03AA2000 \SystemRoot\system32\DRIVERS\atikmpag.sys
    0x048BF000 \SystemRoot\system32\DRIVERS\atipmdag.sys
    0x03AD6000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x04F23000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x04F69000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
    0x04FC0000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x04800000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x04856000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x04867000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x0488B000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x04894000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
    0x048A4000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x04FCB000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x04FEF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x03BCA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x03A00000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x01000000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x00FE2000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x0147D000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x013F1000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x04FFB000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x03CCF000 \SystemRoot\system32\DRIVERS\ks.sys
    0x03D12000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x03D24000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x03D7E000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x042D5000 \SystemRoot\system32\drivers\RTKVHD64.sys
    0x0450D000 \SystemRoot\system32\drivers\portcls.sys
    0x0454A000 \SystemRoot\system32\drivers\drmk.sys
    0x0456C000 \SystemRoot\system32\drivers\ksthunk.sys
    0x04572000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x04580000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x04599000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x045A2000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x045A4000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x045C1000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x045CF000 \SystemRoot\System32\Drivers\dump_diskdump.sys
    0x045D9000 \SystemRoot\System32\Drivers\dump_amdsata.sys
    0x045ED000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x050F9000 \SystemRoot\system32\DRIVERS\netr28ux.sys
    0x051D5000 \SystemRoot\system32\DRIVERS\vwifibus.sys
    0x051E2000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x051EF000 \SystemRoot\system32\DRIVERS\LVUSBS64.sys
    0x0526E000 \SystemRoot\system32\DRIVERS\LV302V64.SYS
    0x05380000 \SystemRoot\system32\DRIVERS\lv302a64.sys
    0x05383000 \SystemRoot\system32\drivers\usbaudio.sys
    0x00090000 \SystemRoot\System32\win32k.sys
    0x0539E000 \SystemRoot\System32\drivers\Dxapi.sys
    0x053AA000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x053B8000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x005D0000 \SystemRoot\System32\TSDDD.dll
    0x00620000 \SystemRoot\System32\cdd.dll
    0x053C6000 \SystemRoot\system32\drivers\luafv.sys
    0x05200000 \SystemRoot\system32\drivers\WudfPf.sys
    0x05221000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x05000000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x05236000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x05249000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x04200000 \SystemRoot\system32\drivers\HTTP.sys
    0x05053000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x05071000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x05089000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x03DA0000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x050B6000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x03C00000 \SystemRoot\system32\drivers\peauth.sys
    0x05261000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x01918000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x053E9000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x062AE000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x06315000 \SystemRoot\System32\DRIVERS\srv.sys
    0x06271000 \SystemRoot\system32\DRIVERS\psi_mf.sys
    0x77080000 \Windows\System32\ntdll.dll
    0x47E70000 \Windows\System32\smss.exe
    0xFF3A0000 \Windows\System32\apisetschema.dll
    0xFF200000 \Windows\System32\autochk.exe
    0xFF2C0000 \Windows\System32\usp10.dll
    0xFF2B0000 \Windows\System32\lpk.dll
    0xFF260000 \Windows\System32\Wldap32.dll
    0xFF240000 \Windows\System32\imagehlp.dll
    0xFF160000 \Windows\System32\advapi32.dll
    0xFF0C0000 \Windows\System32\clbcatq.dll
    0xFEF40000 \Windows\System32\urlmon.dll
    0xFED30000 \Windows\System32\ole32.dll
    0xFEC90000 \Windows\System32\comdlg32.dll
    0x77250000 \Windows\System32\normaliz.dll
    0xFEC70000 \Windows\System32\sechost.dll
    0x76F60000 \Windows\System32\kernel32.dll
    0xFEA10000 \Windows\System32\iertutil.dll
    0xFE900000 \Windows\System32\msctf.dll
    0xFE8B0000 \Windows\System32\ws2_32.dll
    0xFE830000 \Windows\System32\difxapi.dll
    0xFE820000 \Windows\System32\nsi.dll
    0xFE7F0000 \Windows\System32\imm32.dll
    0xFE6C0000 \Windows\System32\rpcrt4.dll
    0xFE620000 \Windows\System32\msvcrt.dll
    0xFD890000 \Windows\System32\shell32.dll
    0xFD7B0000 \Windows\System32\oleaut32.dll
    0xFD730000 \Windows\System32\shlwapi.dll
    0x77240000 \Windows\System32\psapi.dll
    0xFD550000 \Windows\System32\setupapi.dll
    0xFD420000 \Windows\System32\wininet.dll
    0x76E60000 \Windows\System32\user32.dll
    0xFD3B0000 \Windows\System32\gdi32.dll
    0xFD310000 \Windows\System32\comctl32.dll
    0xFD2D0000 \Windows\System32\wintrust.dll
    0xFD260000 \Windows\System32\KernelBase.dll
    0xFD240000 \Windows\System32\devobj.dll
    0xFD0D0000 \Windows\System32\crypt32.dll
    0xFD090000 \Windows\System32\cfgmgr32.dll
    0xFD080000 \Windows\System32\msasn1.dll

    Processes (total 64):
    0 System Idle Process
    4 System
    272 C:\Windows\System32\smss.exe
    408 csrss.exe
    488 C:\Windows\System32\wininit.exe
    504 csrss.exe
    512 C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
    520 C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
    576 C:\Windows\System32\services.exe
    592 C:\Windows\System32\lsass.exe
    600 C:\Windows\System32\lsm.exe
    652 C:\Windows\System32\winlogon.exe
    780 C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
    804 C:\Windows\System32\svchost.exe
    1000 C:\Windows\System32\svchost.exe
    424 C:\Windows\System32\atiesrxx.exe
    332 C:\Windows\System32\svchost.exe
    396 C:\Windows\System32\svchost.exe
    1052 C:\Windows\System32\svchost.exe
    1208 C:\Windows\System32\svchost.exe
    1316 C:\Windows\System32\atieclxx.exe
    1416 C:\Windows\System32\svchost.exe
    1608 C:\Windows\System32\spoolsv.exe
    1640 C:\Windows\System32\svchost.exe
    1728 C:\Windows\System32\taskhost.exe
    1832 C:\Windows\System32\dwm.exe
    1920 C:\Windows\explorer.exe
    1152 C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
    2148 C:\Windows\SysWOW64\ezSharedSvcHost.exe
    2284 C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
    2304 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    2404 C:\Program Files (x86)\PDF Complete\pdfsvc.exe
    2436 C:\Windows\System32\svchost.exe
    2540 C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
    2696 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    2724 C:\Program Files (x86)\AVG\AVG9\avgemc.exe
    2940 C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
    2960 C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
    2984 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    3096 C:\Windows\System32\svchost.exe
    3188 C:\Windows\System32\svchost.exe
    3404 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    3564 C:\Windows\System32\SearchIndexer.exe
    3572 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    3660 C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
    3688 C:\Program Files (x86)\AVG\AVG9\avgtray.exe
    3696 C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    3708 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    3948 C:\Program Files\Windows Media Player\wmpnetwk.exe
    3680 C:\Windows\System32\svchost.exe
    4212 dllhost.exe
    4584 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    4656 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    152 C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
    3000 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    3144 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    5044 C:\Program Files (x86)\Secunia\PSI\psi.exe
    3928 C:\Program Files (x86)\FileHippo.com\UpdateChecker.exe
    4132 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    4276 C:\Windows\System32\SearchProtocolHost.exe
    4360 C:\Windows\System32\SearchFilterHost.exe
    4944 C:\Users\Schmidt\Desktop\MBRCheck.exe
    3752 C:\Windows\System32\conhost.exe
    2140 C:\Windows\System32\dllhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06507e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000048`28600000 (NTFS)

    PhysicalDrive0 Model Number: WDCWD3200AAJS-60Z0A0, Rev: 03.03E03

    Size     Device Name           MBR Status
    --------------------------------------------
    298 GB   \\.\PhysicalDrive0    Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


    Done!
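
The MBRCheck log above reports two things a practitioner can reproduce: the byte offset of each volume on PhysicalDrive0 and a SHA1 of the MBR boot code, which the tool matches against a list of known Windows MBR images. The following is an added example, not code from MBRCheck, Bootkit Remover or anyone in this thread. It parses a raw 512-byte sector, lists the partition entries as offsets in MBRCheck's `0xHHHHHHHH\`LLLLLLLL` style, and compares a SHA1 of the boot code with an allow-list. Two assumptions: the hash is taken over bytes 0..439 (the page does not say which range MBRCheck hashes), and the sample sector, its partition layout, the tampering bytes and the allow-list are constructed here, not taken from the log.

```python
"""Added example, not code from MBRCheck, Bootkit Remover or this thread.
Parses a raw 512-byte MBR, lists partition entries as byte offsets (the way
MBRCheck prints "PhysicalDrive0 at offset ..."), and compares a SHA1 of the
boot code with an allow-list of known-good hashes.
Assumption: the hash covers bytes 0..439 (boot code, before the disk signature
and partition table); the page does not say which range MBRCheck hashes."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # assumed hashed range, see module docstring
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow the disk signature
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def format_offset(byte_offset: int) -> str:
    """Render a byte offset in MBRCheck's 0xHHHHHHHH`LLLLLLLL style."""
    return "0x{:08x}`{:08x}".format(byte_offset >> 32, byte_offset & 0xFFFFFFFF)


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of one 512-byte sector."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba, count = struct.unpack("<B3xB3xII", mbr[start:start + 16])
        if ptype == 0:           # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count,
                      "byte_offset": lba * SECTOR_SIZE})
    return parts


def boot_code_sha1(mbr: bytes) -> str:
    """Upper-case hex SHA1 of the boot-code bytes (the form MBRCheck prints)."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def check_mbr(mbr: bytes, known_good: set) -> dict:
    """Classify a sector: invalid signature, known-good boot code, or unknown boot code."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        return {"status": "invalid signature", "sha1": None, "partitions": []}
    digest = boot_code_sha1(mbr)
    status = "known-good" if digest in known_good else "unknown boot code"
    return {"status": status, "sha1": digest, "partitions": parse_partitions(mbr)}


def read_mbr(device_path: str) -> bytes:
    r"""Read sector 0 of a raw device: r"\\.\PhysicalDrive0" as Administrator on Windows,
    /dev/sda as root on Linux.  A read made through the running OS can be filtered by
    a kernel-mode bootkit, so treat the result as a best-effort view, not ground truth."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def _entry(status: int, ptype: int, lba: int, count: int) -> bytes:
    # CHS fields are left zero; the LBA fields are what modern loaders use
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not a real Windows MBR): filler boot code plus a
    typical Windows 7 layout, System Reserved at LBA 2048 and Windows at LBA 206848."""
    boot = bytes([0xEB, 0x3C, 0x90]) + bytes((i * 7) & 0xFF for i in range(BOOT_CODE_LEN - 3))
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\0\0"      # NT disk signature + 2 reserved bytes
    table = (_entry(0x80, 0x07, 2048, 204800)               # System Reserved, active
             + _entry(0x00, 0x07, 206848, 624_000_000)      # C:, roughly 298 GB
             + b"\0" * 32)                                  # two empty slots
    return boot + disk_sig + table + MBR_SIGNATURE


def tamper_boot_code(mbr: bytes) -> bytes:
    """Simulate a bootkit that overwrites the first instruction of the boot code with a
    jump to its own loader (hypothetical bytes); the partition table is left untouched."""
    patched = bytearray(mbr)
    patched[0:3] = b"\xE9\x00\x01"
    return bytes(patched)


REFERENCE_MBR = build_sample_mbr()
KNOWN_GOOD = {boot_code_sha1(REFERENCE_MBR)}   # allow-list of clean boot-code hashes

if __name__ == "__main__":
    for sector, label in ((REFERENCE_MBR, "clean"), (tamper_boot_code(REFERENCE_MBR), "tampered")):
        result = check_mbr(sector, KNOWN_GOOD)
        for p in result["partitions"]:
            print("  partition %d at offset %s%s" % (p["index"], format_offset(p["byte_offset"]),
                                                     " (active)" if p["bootable"] else ""))
        print("%s: SHA1 %s -> %s" % (label, result["sha1"], result["status"]))
```

MBRCheck's "Windows 7 MBR code detected" line corresponds to the allow-list hit here, and an "unknown" result only means the boot code is not on the list, not that it is malicious. The caveat that matters for a thread like this one: any tool that reads sector 0 through the running operating system sees whatever the running kernel lets it see, so when two tools disagree about the same sector, the reliable check is to read the disk from offline boot media where no bootkit is running, then compare the hash.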
  2. jakobdk Newcomer, in training

    OK - I'm off to bed (almost 3.30 AM!).

    I will check for replies in the morning.
  3. Broni Malware Annihilator

    That's not necessary. It's a little bit of overkill.
    It's enough, if you run them once in a while.

    Regarding a rootkit...
    I trust MBRCheck and since you're not reporting any other issues, I see no reason to worry.
    Resetting the MBR, like we did, will get rid of any MBR infection.

    Good luck and stay safe :)
  4. jakobdk Newcomer, in training

    Okay :)

    I have talked with my mother and have located what seems to cause the popups (it happened again this morning). She is using an application on Facebook called "Cute Catz" and it seems to have been hijacked by hackers (in general, not on my parents' computer as such). In the application, you can "feed" your friends' cats, and when you click to do this, the popup appears asking you to install a virus killer (scareware). Of course (and luckily) my mother didn't do so when asked - I have rescanned with MBRCheck and it says that everything is still OK.

    I did a bit of Google searching and found that Cute Catz' sister application "Pet Pupz" has had this problem: http://www.facebook.com/topic.php?uid=7235357217&topic=16546
    At the same time, Cute Catz users on Facebook complain that their application isn't maintained/updated nearly as often as Pet Pupz, so perhaps it is still vulnerable to the hackers.

    I also found a (Dutch) page where a user wrote that Bootkit Remover gave a warning ("Unknown MBR code" - not exactly a rootkit warning, but still), but MBRCheck said everything was OK. The user was told that Bootkit Remover was producing a false positive.
    In Dutch: http://www.nucia.eu/forum/showthread.php?t=59345
    Translated with Google Translate: http://translate.google.com/transla...p://www.nucia.eu/forum/showthread.php?t=59345

    Thanks for helping me :)
  5. Broni Malware Annihilator

    Thank you for the extra info :)