Hey all,
Dealing with what I believe to be a rootkit, but can't figure out what specifically it is. What's been done so far (32-bit Windows XP Home machine):
1. TDSSKiller; initial scans showed "No threats", but under Found it said "1 threat". Clicking "Details" showed "Suspicious---\Device\Harddisk0\DR0 (TDSS File System)". I had to check all options for 2 threats to show, which included the above and the "PXHelp20" service. I deleted both and rebooted; subsequent scans with TDSSKiller showed clean.
2. GMER, however, showed the following:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-10-19 00:11:20
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e rev.
Running: T5I9SbfA.com; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxxdrpob.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs ComcastSecureBackupShare.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Naturally, I didn't like this, but had no idea what the heck it meant, so I ran aswMBR, which said the following:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-18 22:17:16
-----------------------------
22:17:16.203 OS Version: Windows 5.1.2600 Service Pack 3
22:17:16.203 Number of processors: 1 586 0x401
22:17:16.203 ComputerName: OWNER-361108A6C UserName: Owner
22:17:16.453 Initialize success
22:17:31.156 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
22:17:31.156 Disk 0 Vendor: Size: 0MB BusType: 0
22:17:31.156 Disk 1 \Device\Harddisk1\DR3 -> \Device\00000060
22:17:31.156 Disk 1 Vendor: Size: 0MB BusType: 0
22:17:33.171 Disk 0 MBR read successfully
22:17:33.171 Disk 0 MBR scan
22:17:33.171 Disk 0 Windows XP default MBR code
22:17:33.171 Disk 0 MBR hidden
22:17:33.218 Disk 0 scanning C:\WINDOWS\system32\drivers
22:17:38.328 Service scanning
22:17:39.203 Modules scanning
22:17:43.421 Disk 0 trace - called modules:
22:17:43.453 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
22:17:43.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86584ab8]
22:17:43.453 3 CLASSPNP.SYS[f7630fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8657bb00]
22:17:43.453 Scan finished successfully
22:18:12.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
22:18:12.171 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"
So, from this, I couldn't tell whether the two programs are telling me CLASSPNP.SYS is infected, so I thought I'd just boot into a Windows XP CD and run FIXMBR and FIXBOOT. However, the two disks I ran went straight to the partition listings without giving me an option for repair or the Recovery Console, and weirdly showed a C and an H partition that were identical in partition size, but not in space used (the H partition shows up as I: New Volume, with free and used space of 74.4 in Windows; the drive is a 160GB Hitachi, and nothing shows on the I volume but a "Recycler" folder). So...
I booted the Windows Recovery Console on the existing partition, ran FIXMBR then FIXBOOT and...everything still looks the same to GMER and aswMBR. So now I'm stumped. Any ideas?
Customer's initial issue was that AVG Internet Security 2011 suddenly disappeared on her (not in Program Files, systray or Add/Remove), but after seeing the uninstall tool for AVG suddenly stop after execution, I was starting to suspect other issues, ergo how I've gotten to this point.
BTW, ComboFix found several items, but nothing rootkit-wise. Here's the partial file; I look forward to everyone's thoughts. One other note: the DVD-RW is not working either, with a Code 19 error in Device Manager. That leads me to believe a possible ATAPI.SYS infection, but I'm not sure.
ComboFix 11-10-18.04 - Owner 10/18/2011 21:31:24.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.596 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\D7\3rd Party Tools\cf8675309.exe
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Favorites\.url
c:\documents and settings\Owner\WINDOWS
c:\program files\CouponAlert_2p
c:\program files\CouponAlert_2p\bar\1.bin\CHROME.MANIFEST
c:\program files\CouponAlert_2p\bar\1.bin\INSTALL.RDF
c:\program files\CouponAlert_2p\bar\1.bin\LOGO.BMP
c:\program files\CouponAlert_2pEI
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\chrome.manifest
c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\program files\SelectRebates\SahImages\alert.png
c:\program files\SelectRebates\SahImages\check.png
c:\program files\SelectRebates\SahImages\close.png
c:\program files\SelectRebates\SelectAlerts.dat
c:\program files\SelectRebates\SelectRebates.exe
c:\program files\SelectRebates\SelectRebates.ini
c:\program files\SelectRebates\SelectRebatesA.dat
c:\program files\SelectRebates\SelectRebatesApi.exe
c:\program files\SelectRebates\SelectRebatesB.dat
c:\program files\SelectRebates\SelectRebatesBT.dat
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\program files\SelectRebates\SelectRebatesH.dat
c:\program files\SelectRebates\SelectRebatesUninstall.exe
c:\program files\SelectRebates\SRebates.dll
c:\program files\SelectRebates\SRFF3.dll
c:\program files\SelectRebates\Toolbar\AddtoList.bmp
c:\program files\SelectRebates\Toolbar\basis.xml
c:\program files\SelectRebates\Toolbar\Basis.xml.dym
c:\program files\SelectRebates\Toolbar\Blank.bmp
c:\program files\SelectRebates\Toolbar\CashBack.bmp
c:\program files\SelectRebates\Toolbar\Coupons.bmp
c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
c:\program files\SelectRebates\Toolbar\icons.bmp
c:\program files\SelectRebates\Toolbar\ImageCache\alert-red.bmp
c:\program files\SelectRebates\Toolbar\logo.bmp
c:\program files\SelectRebates\Toolbar\logo_24.bmp
c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
c:\program files\SelectRebates\Toolbar\RightControls.dym
c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp
c:\program files\SelectRebates\Toolbar\sahtb-go.bmp
c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp
c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp
c:\program files\SelectRebates\Toolbar\Scissors.bmp
c:\program files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
c:\windows\system32\d3d9caps.dat
.
---- Previous Run -------
.
c:\documents and settings\Owner\WINDOWS
c:\program files\Search Toolbar
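The post's aswMBR run saved the raw boot sector to MBR.dat, and the open question is what that sector actually contains (two partition entries of identical size, whether the boot code is stock, whether anything is hidden). The script below is an added example, not code from the post or from any of the tools named in it: it parses a 512-byte MBR dump using the standard layout (boot code at offset 0, 4-byte disk signature at 0x1B8, four 16-byte partition entries at offset 446, 0x55AA signature at offset 510) and flags the conditions a technician would want to eyeball. The sample image it falls back on is constructed inline (two NTFS entries of equal length, mirroring the C/H observation) and the disk signature, partition extents and type table are assumptions for illustration, not values taken from the post.

```python
"""Offline inspection of a raw 512-byte MBR dump (for example the MBR.dat aswMBR writes).

Added example, not the post's or any tool's own code. The fallback sample sector below is
constructed here so the script runs without a real disk.
"""
import hashlib
import struct
import sys

SECTOR = 512
PART_TABLE_OFFSET = 446
DISK_SIG_OFFSET = 0x1B8
BOOT_SIG = b"\x55\xaa"

# Common partition type IDs (illustrative subset); anything else is reported as hex.
PART_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x12: "OEM/recovery", 0x27: "hidden NTFS"}


def parse_mbr(data: bytes) -> dict:
    """Parse partition table, disk signature, boot signature and a hash of the boot code."""
    if len(data) < SECTOR:
        raise ValueError(f"need {SECTOR} bytes, got {len(data)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack_from("<B3BB3BII", data, off)
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
                      "lba_start": lba_start, "sectors": sectors,
                      "size_mb": sectors * SECTOR // (1024 * 1024)})
    return {
        "boot_sig_ok": data[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG_OFFSET)[0],
        # Compare this against the hash of a dump taken from a known-clean XP box of the same build.
        "boot_code_sha256": hashlib.sha256(data[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(parsed: dict) -> list:
    """Return findings worth a second look; an empty list means nothing structurally odd."""
    findings = []
    if not parsed["boot_sig_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    used = [p for p in parsed["partitions"] if p["type"] != 0 and p["sectors"] != 0]
    bootable = [p for p in used if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} active partitions (expected exactly 1)")
    for p in parsed["partitions"]:
        if p["type"] == 0 and p["sectors"] != 0:
            findings.append(f"entry {p['index']}: type 0x00 but non-zero length (possibly hidden)")
    # Overlapping or duplicate extents: a second entry covering the OS volume is a classic hiding spot.
    for a in used:
        for b in used:
            if a["index"] < b["index"]:
                a_end = a["lba_start"] + a["sectors"]
                b_end = b["lba_start"] + b["sectors"]
                if a["lba_start"] < b_end and b["lba_start"] < a_end:
                    findings.append(f"entries {a['index']} and {b['index']} overlap")
                if a["sectors"] == b["sectors"]:
                    findings.append(f"entries {a['index']} and {b['index']} have identical length")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample (not from the post): boot code left zeroed as a stand-in,
    an active NTFS entry plus a second NTFS entry of exactly the same length."""
    sector = bytearray(SECTOR)
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0xDEADBEEF)  # assumed disk signature
    entries = [
        (0x80, 0x07, 63, 156_296_322),            # entry 0: active NTFS, ~74.5 GiB
        (0x00, 0x07, 156_296_385, 156_296_322),   # entry 1: same length, starts right after
    ]
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3BB3BII", sector, PART_TABLE_OFFSET + 16 * i,
                         status, 0xFE, 0xFF, 0xFF, ptype, 0xFE, 0xFF, 0xFF, start, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print(f"disk signature 0x{info['disk_signature']:08x}  boot sig ok: {info['boot_sig_ok']}")
    print(f"boot code sha256: {info['boot_code_sha256']}")
    for p in info["partitions"]:
        if p["sectors"]:
            flag = "*" if p["bootable"] else " "
            print(f"{flag} entry {p['index']}: {p['type_name']:<12} lba {p['lba_start']:>10} "
                  f"len {p['sectors']:>10} ({p['size_mb']} MB)")
    for f in check_mbr(info):
        print("FINDING:", f)
```

Run it as `python mbr_check.py MBR.dat` (file name assumed). One caveat that follows from the GMER line "sector 00: rootkit-like behavior": a dump taken from inside the running OS goes through the same disk stack that a bootkit filters, so a clean-looking sector proves little. For a trustworthy read, image the first sector from a boot CD or another OS and compare that dump's boot-code hash with the one taken from inside Windows; a mismatch is the interesting result.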