Avast WEBforum

Other => General Topics => Topic started by: quicksilver123 on February 16, 2013, 05:03:13 AM

Title: aswmbr
Post by: quicksilver123 on February 16, 2013, 05:03:13 AM

hi,

i ran aswmbr because my comp has been hacked. thought there may be a rootkit keylogger or something of the like.

22:53:43.574 OS Version: Windows 6.0.6002 Service Pack 2
22:53:43.574 Number of processors: 2 586 0x403
22:53:43.575 ComputerName: xxxxxxx UserName: xxxx
22:53:44.919 Initialize success
22:53:54.973 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
22:53:54.977 Disk 0 Vendor: WDC_WD2500KS-00MJB0 02.01C03 Size: 238475MB BusType: 3
22:53:55.001 Disk 0 MBR read successfully
22:53:55.005 Disk 0 MBR scan
22:53:55.009 Disk 0 Windows VISTA default MBR code
22:53:55.016 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 125 MB offset 63
22:53:55.020 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238348 MB offset 258048
22:53:55.027 Disk 0 scanning sectors +488394752
22:53:55.083 Disk 0 scanning C:\Windows\system32\drivers
22:54:02.331 Service scanning
22:54:18.986 Modules scanning
22:54:45.161 Disk 0 trace - called modules:
22:54:45.186 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8405b1f8]<<
22:54:45.187 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x850a1200]
22:54:45.189 3 CLASSPNP.SYS[885a68b3] -> nt!IofCallDriver -> [0x84a15a70]
22:54:45.190 5 acpi.sys[87f6c6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x84a1b030]
22:54:45.191 \Driver\atapi[0x84a00470] -> IRP_MJ_CREATE -> 0x8405b1f8
22:54:45.191 Scan finished successfully
22:56:51.519 Disk 0 MBR has been saved successfully to "C:\Users\xxxx\Desktop\MBR.dat"
22:56:51.529 The log file has been saved successfully to "C:\Users\xxxx\Desktop\aswMBR.txt"

are these entries malicious?

the hackers initially gathered info from google chrome's appdata database files... after i disabled chome's storing of history (+ start in incognito mode), they have moved on to other avenues to gather information. i assume a keylogger is involved because some have been quoting my search history... though they may have found another way to get search history.

i use windows firewall and a router firewall (although some ports have been opened for the use of various applications) as well as spybot's teatimer

Title: Re: aswmbr
Post by: essexboy on February 16, 2013, 01:44:46 PM

Hi looks like there may be an infected file there

Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.

Doubleclick on TDSSKiller.exe to run the application
(https://dl.dropbox.com/u/73555776/tdss%20start.JPG)
Then click on Change parameters.

(https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG)
Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
Click the Start Scan button.
If a suspicious object is detected, the default action will be Skip, click on Continue.

(https://dl.dropbox.com/u/73555776/tdss%20threat.JPG)
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Get the report by selecting Reports

(https://dl.dropbox.com/u/73555776/tdss%20report.JPG)

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please attach the log at C:\TDSSKiller date time .

THEN

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
Secondary link (http://www.itxassociates.com/OT-Tools/OTL.exe)

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)

Select All Users
Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs

Title: Re: aswmbr
Post by: quicksilver123 on February 16, 2013, 09:48:20 PM

the cure option was not available in tdsskiller so i'll just attach the log (it was too big to post normally)

i've also attached the otl log

Title: Re: aswmbr
Post by: essexboy on February 16, 2013, 09:58:22 PM

All drivers are legitimate, are you experiencing any problems ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)

Code: [Select]

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoIMonetizer&co=CA&userid=7959d9e0-022f-4e8e-a131-04f3b8991633&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-1176274579-2877504528-4232536130-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoIMonetizer&co=CA&userid=7959d9e0-022f-4e8e-a131-04f3b8991633&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-1176274579-2877504528-4232536130-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoIMonetizer&co=CA&userid=7959d9e0-022f-4e8e-a131-04f3b8991633&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-1176274579-2877504528-4232536130-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoIMonetizer&co=CA&userid=7959d9e0-022f-4e8e-a131-04f3b8991633&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-1176274579-2877504528-4232536130-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoIMonetizer&co=CA&userid=7959d9e0-022f-4e8e-a131-04f3b8991633&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-1176274579-2877504528-4232536130-1000\..\URLSearchHook: {535ae879-ef3b-449c-8726-e1e644ae2290} - No CLSID value found
IE - HKU\S-1-5-21-1176274579-2877504528-4232536130-1000\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKU\S-1-5-21-1176274579-2877504528-4232536130-1000\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoIMonetizer&co=CA&userid=7959d9e0-022f-4e8e-a131-04f3b8991633&searchtype=ds&q={searchTerms}
[2012/12/21 21:21:30 | 000,000,000 | ---D | M] (NewFreeScreensavers) -- C:\Users\Harb\AppData\Roaming\mozilla\Firefox\extensions\{535ae879-ef3b-449c-8726-e1e644ae2290}
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKU\S-1-5-21-1176274579-2877504528-4232536130-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1176274579-2877504528-4232536130-1000\..\Toolbar\WebBrowser: (no name) - {535AE879-EF3B-449C-8726-E1E644AE2290} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download AdwCleaner from here (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/2-adwcleaner) to your desktop
Run AdwCleaner and select Delete

(https://dl.dropbox.com/u/73555776/AdwCleaner.GIF)

Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that

Title: Re: aswmbr
Post by: quicksilver123 on February 17, 2013, 01:52:28 AM

otl log attached

Title: Re: aswmbr
Post by: quicksilver123 on February 17, 2013, 02:16:29 AM

adwcleaner log post reboot attached

Title: Re: aswmbr
Post by: DavidR on February 17, 2013, 03:20:34 AM

There may be some delay due to differing time zones and availability of the volunteer malware removal specialists. It is now 2:20am in the UK and essexboy should be back on-line later today.

Title: Re: aswmbr
Post by: essexboy on February 17, 2013, 12:57:43 PM

How is the computer behaving ?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)

Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow to update if it asks

(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)

(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.[/b]

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Title: Re: aswmbr
Post by: quicksilver123 on February 17, 2013, 08:20:19 PM

my computer has been running somewhat more slowly

also, i'm fairly certain that its still hacked. some settings in my browser (chrome) were changed. i also have reason to believe that my appdata folders for chrome are being read by hackers in real-time. is there a way to encrypt these files?

combofix log attached.

there were two errors when running combofix.

at stage 50, a dialog popped up saying that: "pev.3xe has stopped working"

and after the log was created, a dialog popped up with a window header "TBIA" saying "Access is denied"

Title: Re: aswmbr
Post by: essexboy on February 17, 2013, 08:37:46 PM

No indications of a keylogger were showing
Your MBR and drivers are all good

What changes are happening to Chrome ?

Title: Re: aswmbr
Post by: quicksilver123 on February 17, 2013, 08:44:24 PM

i had history options set up to NOT record typed URLs for predictive typing. this was changed back to its default, without any updates or anything like that.
it was easily fixed, though.

my only real concern (in lieu of a keylogger) is the appdata folder. would i be able to encrypt this folder (say, with truecrypt) without causing the system to malfunction?
is there any way to encrypt this folder?

Title: Re: aswmbr
Post by: essexboy on February 17, 2013, 08:46:49 PM

As it is the appdata then it will need to be accessed by chrome, I have never used trucrypt so I do not know if it decrypts on the fly

Title: Re: aswmbr
Post by: quicksilver123 on February 17, 2013, 08:53:28 PM

thanks for your help so far.

are you aware of any programs (preferably free... though its ok if not) that would have the necessary properties to encrypt said folder?

Title: Re: aswmbr
Post by: essexboy on February 17, 2013, 09:06:48 PM

Off the top of my head this is the first one I will have a look around http://www.truecrypt.org/docs/

Title: Re: aswmbr
Post by: quicksilver123 on February 17, 2013, 11:48:31 PM

that was the one i mentioned, you said it wouldnt decrypt on the fly

Title: Re: aswmbr
Post by: essexboy on February 18, 2013, 04:11:48 PM

Reading it, it does mention decrypting on the fly so it may work