MalwareRemoval.com

Malware Removal Instructions

Help Please: Infection


Post by srs » November 7th, 2006, 8:09 pm

Ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:41:56 AM 8/11/2006

+ Scan result:



C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP18\A0007049.dll -> Downloader.Small.cyn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP18\A0007047.dll -> Downloader.Small.ddx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP18\A0007048.dll -> Downloader.Small.ddx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP18\A0007051.exe -> Dropper.Small.aok : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32:lzx32.sys -> Hijacker.Costrat.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP18\A0007053.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).


::Report end
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm
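Two of the paths in the ewido report above need reading carefully. `C:\WINDOWS\SYSTEM32:lzx32.sys` is not a file inside System32: the second colon names an NTFS alternate data stream attached to the System32 directory itself, which Explorer and `dir` on Windows XP never show, so the driver sat in a place an ordinary file-system walk does not visit. The `System Volume Information\_restore{...}\RP18\` entries are System Restore copies of earlier droppers; quarantining them is fine, but the usual follow-up is to purge the restore points so nothing infected can be restored later. The Python below is an added example, not ewido's code or anything from the thread; it parses report lines of this shape and separates ADS hits and restore-point hits from live files. The lines are copied from the report above; the regexes, function names and the `advice` list are the example's own.

```python
import re
from dataclasses import dataclass

# Lines copied from the ewido report above; the wrapper text is the example's own.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP18\A0007049.dll -> Downloader.Small.cyn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP18\A0007047.dll -> Downloader.Small.ddx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP18\A0007048.dll -> Downloader.Small.ddx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP18\A0007051.exe -> Dropper.Small.aok : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32:lzx32.sys -> Hijacker.Costrat.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP18\A0007053.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
::Report end
"""

# One report line: "<path> -> <detection> : <action>".
REPORT_LINE = re.compile(r"^(?P<path>.+?) -> (?P<detection>.+?) : (?P<action>.+)$")
# A second colon after the drive-letter colon names an NTFS alternate data stream
# on the file or directory to its left.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]*:(?P<stream>[^\\:]+)$")
# System Restore keeps copies of files under _restore{GUID}\RPnn\.
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.I)


@dataclass
class Finding:
    path: str
    detection: str
    action: str
    category: str  # "ads" | "restore_point" | "live"


def ads_host_and_stream(path):
    """Return (host object, stream name) for an ADS path, else None."""
    m = ADS_PATH.match(path)
    if not m:
        return None
    return path[: path.rfind(":")], m["stream"]


def classify_line(line):
    m = REPORT_LINE.match(line.strip())
    if not m:
        return None  # blank lines, headers, "::Report end"
    path = m["path"]
    if ads_host_and_stream(path):
        category = "ads"
    elif RESTORE_POINT.search(path):
        category = "restore_point"
    else:
        category = "live"
    return Finding(path, m["detection"], m["action"], category)


def triage(report):
    return [f for f in map(classify_line, report.splitlines()) if f]


def advice(findings):
    """Follow-up actions: purge restore points if any hit lived there, and look at
    the host directory (not a file) for every ADS hit."""
    notes = []
    if any(f.category == "restore_point" for f in findings):
        notes.append("purge System Restore points")
    for f in findings:
        if f.category == "ads":
            host, stream = ads_host_and_stream(f.path)
            notes.append(f"inspect stream {stream} on {host}")
    return notes


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for f in found:
        print(f"{f.category:13} {f.detection:35} {f.path}")
    print(advice(found))
```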

Post by srs » November 7th, 2006, 8:27 pm

Bob4,

I think I have sorted out the problem with HJT. I presume that I should have renamed it nofun.exe (i.e. with ".exe" at the end). I have now done so, and the log is attached below.

I see that the "O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\System32\wservice.exe" is still present.

Thanks
srs

Logfile of HijackThis v1.99.1
Scan saved at 11:19:00 AM, on 8/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\program files\u-storage tools2.65\ustorage.exe
C:\WINDOWS\System32\adirss.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Documents and Settings\Suresh Senathirajah\jao4p2q.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\wdfmgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\WINDOWS\System32\uWDF.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Suresh Senathirajah\My Documents\Down Loaded\High Jack\nofun.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.65
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\System32\wservice.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsup ... mAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 10.205.0.111,10.205.0.112
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Post by Bob4 » November 7th, 2006, 9:25 pm

_____________________________
Task Manager
I would like you to open the Task Manager by pressing simultaneously
Ctrl+Shift+Esc or Ctrl+Alt+Delete,
then go to the Processes tab and end the following if present,
by right-clicking on each and choosing End Process.


jao4p2q.exe
wservice.exe



____________________________
Please download the Killbox by Option^Explicit

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\System32\wservice.exe
C:\Documents and Settings\Suresh Senathirajah\jao4p2q.exe

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.





______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked




O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\System32\wservice.exe


Post a new HJT log.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
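Killbox's "Delete on Reboot" works by queuing the files in the `PendingFileRenameOperations` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, which the Session Manager (smss.exe) processes at the next boot before the malware can reload and lock the files; it is the same mechanism `MoveFileEx` exposes through `MOVEFILE_DELAY_UNTIL_REBOOT`. That is also why Bob4 wants to hear about a PendingFileRenameOperations prompt: it means something was already queued there before Killbox ran. The Python below is an added example, not Killbox's code or anything from the thread; it encodes and decodes that value's layout so a responder can read what is queued from an exported registry value, and flags entries they did not queue themselves. The sample operations are constructed from the two paths Bob4 lists; the function and class names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

# Win32 drive paths are stored in NT object-manager form: \??\C:\...
NT_PREFIX = "\\??\\"


@dataclass(frozen=True)
class PendingOp:
    source: str
    destination: Optional[str]    # None means "delete at boot"
    replace_existing: bool = False


def _to_nt(path: str) -> str:
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def _from_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_pending_ops(ops: List[PendingOp]) -> bytes:
    """Build the REG_MULTI_SZ payload: (source, destination) string pairs, each
    NUL-terminated, UTF-16LE, with one extra NUL closing the list. An empty
    destination means delete; a leading '!' means replace an existing target.
    (Generic MULTI_SZ readers stop at the first empty string, which is why
    regedit shows this value oddly; Session Manager parses it as pairs.)"""
    parts = []
    for op in ops:
        parts.append(_to_nt(op.source))
        if op.destination is None:
            parts.append("")
        else:
            parts.append(("!" if op.replace_existing else "") + _to_nt(op.destination))
    return ("\x00".join(parts) + "\x00\x00").encode("utf-16-le")


def decode_pending_ops(raw: bytes) -> List[PendingOp]:
    text = raw.decode("utf-16-le")
    if not text.endswith("\x00\x00"):
        raise ValueError("REG_MULTI_SZ list terminator missing")
    body = text[:-2]
    if body == "":
        return []
    strings = body.split("\x00")
    if len(strings) % 2:
        raise ValueError("odd number of strings: not source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(PendingOp(_from_nt(src), None))
        else:
            replace = dst.startswith("!")
            ops.append(PendingOp(_from_nt(src), _from_nt(dst[1:] if replace else dst), replace))
    return ops


def describe(op: PendingOp) -> str:
    if op.destination is None:
        return "DELETE " + op.source
    verb = "REPLACE" if op.replace_existing else "RENAME"
    return f"{verb} {op.source} -> {op.destination}"


def unexpected_ops(ops: List[PendingOp], expected_sources) -> List[PendingOp]:
    """Entries the responder did not queue: the ones worth asking about."""
    wanted = {s.lower() for s in expected_sources}
    return [op for op in ops if op.source.lower() not in wanted]


if __name__ == "__main__":
    # Constructed from the two paths Bob4 asked to delete on reboot.
    queued = [
        PendingOp(r"C:\WINDOWS\System32\wservice.exe", None),
        PendingOp(r"C:\Documents and Settings\Suresh Senathirajah\jao4p2q.exe", None),
    ]
    blob = encode_pending_ops(queued)
    for op in decode_pending_ops(blob):
        print(describe(op))
```

To read a live value on Windows, `winreg.QueryValueEx` on that key returns the MULTI_SZ already split into strings; joining them with `"\x00"` and appending `"\x00\x00"` before `decode_pending_ops` gives the same result as feeding it the raw bytes from a `.reg` export.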

Post by srs » November 7th, 2006, 9:48 pm

Bob4

No luck I am afraid. The files still keep appearing on my desktop.

Thanks
srs

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:43:16 PM, on 8/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\program files\u-storage tools2.65\ustorage.exe
C:\Program Files\Hewlett-Packard\LaserJet 33xx\vrstephg.t
C:\WINDOWS\System32\adirss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\uWDF.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Suresh Senathirajah\My Documents\Down Loaded\High Jack\nofun.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.65
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsup ... mAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 10.205.0.111,10.205.0.112
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Post by Bob4 » November 7th, 2006, 9:54 pm

Log is getting a bit better.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Did Killbox give you any errors? I see this file is still there.

adirss.exe

Post the log from ComboFix.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by srs » November 7th, 2006, 10:04 pm

Bob4

Attached below is the combofix log.

In relation to your query: no, Killbox did not report any errors when I ran it.

Thanks
srs

Suresh Senathirajah - 06-11-08 13:00:34.47 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Suresh Senathirajah\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-08 to 2006-11-08 ))))))))))))))))))))))))))))))))))


2006-11-08 12:40 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe
2006-11-08 11:48 5,705 --a------ C:\WINDOWS\SYSTEM32\ApI4Lj7.exe
2006-11-08 08:48 16,457 ---h----- C:\WINDOWS\SYSTEM32\wservice.exe
2006-11-08 08:39 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\x7e42bK.exe
2006-11-08 01:29 5,705 --a------ C:\WINDOWS\SYSTEM32\cANncA3.exe
2006-11-07 23:55 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\j4UAtiv.exe
2006-11-07 23:53 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\xE5Rd5V.exe
2006-11-07 23:53 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\wVBaF1V.exe
2006-11-07 23:53 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\p821SnA.exe
2006-11-07 23:52 5,705 --a------ C:\WINDOWS\SYSTEM32\l10Ji50.exe
2006-11-07 23:52 5,705 --a------ C:\WINDOWS\SYSTEM32\enTe075.exe
2006-11-07 23:51 5,705 --a------ C:\WINDOWS\SYSTEM32\x0Ebuh7.exe
2006-11-07 23:51 5,705 --a------ C:\WINDOWS\SYSTEM32\tuo2jxP.exe
2006-11-07 23:51 5,705 --a------ C:\WINDOWS\SYSTEM32\s0p3bJ2.exe
2006-11-07 23:44 5,705 C:\Documents and Settings\Suresh Senathirajah\o2fT.exe
2006-11-07 23:44 5,705 --a------ C:\WINDOWS\SYSTEM32\mI63sFj.exe
2006-11-07 23:15 5,705 --a------ C:\WINDOWS\SYSTEM32\pk@4e68.exe
2006-11-07 23:15 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\wlxM8g5.exe
2006-11-07 23:15 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\MJ2ux0a.exe
2006-11-07 23:15 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\FNKGgr8.exe
2006-11-07 23:15 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\DOFo356.exe
2006-11-07 23:15 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\dHQ5ud3.exe
2006-11-07 23:15 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\AO6657j.exe
2006-11-07 23:11 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\v460Pb6.exe
2006-11-07 22:21 5,705 --a------ C:\WINDOWS\SYSTEM32\RfK3666.exe
2006-11-07 21:32 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\eI07684.exe
2006-11-07 21:21 5,705 C:\Documents and Settings\Suresh Senathirajah\kCehMIy.exe
2006-11-07 21:21 5,705 --a------ C:\WINDOWS\SYSTEM32\WtPSfW4.exe
2006-11-07 21:21 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\X1c4JV0.exe
2006-11-07 21:21 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\u5X06rm.exe
2006-11-07 21:21 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\r6Tix88.exe
2006-11-07 21:21 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\aUDevp7.exe
2006-11-07 19:14 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\bR2tPrp.exe
2006-11-07 19:11 5,705 --a------ C:\WINDOWS\SYSTEM32\OtPt3F0.exe
2006-11-07 18:58 5,705 --a------ C:\WINDOWS\SYSTEM32\DvppDbw.exe
2006-11-07 18:58 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\nKuH8a2.exe
2006-11-07 18:22 5,705 --a------ C:\WINDOWS\SYSTEM32\qSki12i.exe
2006-11-07 15:55 2,456 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2006-11-07 15:43 5,705 --a------ C:\WINDOWS\SYSTEM32\nAk41wF.exe
2006-11-07 15:43 5,705 --a------ C:\WINDOWS\SYSTEM32\Jif567n.exe
2006-11-07 15:41 5,705 --a------ C:\WINDOWS\SYSTEM32\u2EEBii.exe
2006-11-07 15:18 5,705 --a------ C:\WINDOWS\SYSTEM32\Lr2uX67.exe
2006-11-07 15:12 10,741 --a------ C:\WINDOWS\soso333.exe
2006-11-07 15:11 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\KAUm4f7.exe
2006-11-07 14:56 10,741 -r-h----- C:\WINDOWS\SYSTEM32\win_3.exe
2006-11-07 14:55 5,705 C:\Documents and Settings\Suresh Senathirajah\oodfoDe.exe
2006-11-07 14:55 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\u4tMtvp.exe
2006-11-07 14:55 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\RkFoEF6.exe
2006-11-07 14:55 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\mbgEr52.exe
2006-11-07 14:55 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\HgE8Wa8.exe
2006-11-07 14:55 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\fD5QPru.exe
2006-11-07 14:54 5,705 --a------ C:\WINDOWS\SYSTEM32\jN3JR3C.exe
2006-11-07 13:28 10,741 -r-h----- C:\WINDOWS\SYSTEM32\win_4el.exe
2006-11-07 13:27 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\rl7a6G7.exe
2006-11-07 13:17 5,705 --a------ C:\WINDOWS\SYSTEM32\xuw122U.exe
2006-11-06 17:24 10,000 --a------ C:\WINDOWS\SYSTEM32\suchost.exe
2006-11-06 17:23 94,720 --a------ C:\WINDOWS\SYSTEM32\pneuxdn.dll
2006-11-06 17:23 73,216 --a------ C:\WINDOWS\SYSTEM32\qizmquf.dll
2006-11-06 17:21 38,400 --a------ C:\WINDOWS\SYSTEM32\aspi6611.exe
2006-11-06 17:20 57,417 --a------ C:\WINDOWS\SYSTEM32\adirss.exe
2006-11-06 17:20 5,705 --a------ C:\WINDOWS\SYSTEM32\se.exe.exe
2006-11-06 17:20 5,705 --a------ C:\WINDOWS\SYSTEM32\emO81d5.exe
2006-11-06 17:20 16,457 --a------ C:\WINDOWS\SYSTEM32\w.exe.exe
2006-11-06 17:20 10,741 -r-h----- C:\WINDOWS\SYSTEM32\tmp_tg.exe
2006-11-06 15:15 0 --a------ C:\tmmjcov.exe
2006-11-06 15:13 0 --a------ C:\knrw.exe
2006-11-06 15:11 0 --a------ C:\usddru.exe
2006-11-06 15:10 0 --a------ C:\gseudw.exe
2006-11-06 15:08 0 --a------ C:\hdeybmen.exe
2006-11-06 15:06 0 --a------ C:\oxta.exe
2006-11-06 15:04 0 --a------ C:\jtwcyl.exe
2006-11-06 15:03 0 --a------ C:\bleobw.exe
2006-11-06 14:55 62,680 --a------ C:\WINDOWS\SYSTEM32\ipv6monl.dll
2006-11-06 14:53 10,741 -r-h----- C:\WINDOWS\SYSTEM32\syst7s8.exe
2006-11-06 14:52 5,120 --a------ C:\explorer1.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-11-08 12:44 -------- d-------- C:\Program Files\Norton AntiVirus
2006-11-08 12:44 -------- d-------- C:\Program Files\Modem Helper
2006-11-08 12:43 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-11-08 12:43 -------- d-------- C:\Program Files\Messenger
2006-11-08 12:43 -------- d-------- C:\Program Files\iTunes
2006-11-08 12:43 -------- d-------- C:\Program Files\HijackThis
2006-11-08 12:43 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-11-08 12:43 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-08 12:43 -------- d-------- C:\Program Files\CCleaner
2006-11-08 12:43 -------- d-------- C:\Program Files\BigPond
2006-11-08 12:43 -------- d-------- C:\Program Files\Apoint
2006-11-08 08:39 -------- d-------- C:\Program Files\SymNetDrv
2006-11-08 08:39 -------- d-------- C:\Program Files\Symantec
2006-11-07 23:58 -------- d-------- C:\Program Files\Common Files
2006-11-07 23:20 -------- d-------- C:\Program Files\Windows NT
2006-11-07 23:20 -------- d-------- C:\Program Files\Windows Media Player
2006-11-07 23:20 -------- d-------- C:\Program Files\U-Storage Tools2.65
2006-11-07 23:20 -------- d-------- C:\Program Files\TrojanHunter 4.2
2006-11-07 23:20 -------- d-------- C:\Program Files\SpywareBlaster
2006-11-07 15:15 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-11-07 13:43 -------- d-------- C:\Program Files\ewido anti-malware
2006-10-17 12:39 -------- d-------- C:\Documents and Settings\Suresh Senathirajah\Application Data\Google
2006-10-17 12:35 -------- d-------- C:\Program Files\Google


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"UStorag"="c:\\program files\\u-storage tools2.65\\ustorage.exe sys_auto_run C:\\Program Files\\U-Storage Tools2.65"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\""
"nwiz"="nwiz.exe /installquiet"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"HP SchedIndexer"="C:\\Program Files\\Hewlett-Packard\\LaserJet 33xx\\hppschedindexer.exe"
"HP AutoIndexer"="C:\\Program Files\\Hewlett-Packard\\LaserJet 33xx\\hppautoindexer.exe"
"Pofovery Service"="C:\\WINDOWS\\System32\\suchost.exe"
"UpdateService"="C:\\WINDOWS\\System32\\wservice.exe"
"adir"="C:\\WINDOWS\\System32\\adirss.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000006

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"taskdir"="C:\\WINDOWS\\System32\\taskdir.exe"
"UpdateService"="C:\\WINDOWS\\System32\\wservice.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"taskdir"="C:\\WINDOWS\\System32\\taskdir.exe"
"UpdateService"="C:\\WINDOWS\\System32\\wservice.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{825875B5-93F3-429D-FF34-660B206D897C}"="Scan Driver32"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-08 13:00:48.01
C:\ComboFix.txt ... 06-11-08 13:00
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm
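The "Files Created" section of the ComboFix log above is a textbook dropper pattern: dozens of 5,705-byte executables with random seven-character names, written alternately to the profile root and System32 every few minutes, alongside zero-byte files at the drive root, hidden/read-only copies, a double extension (`se.exe.exe`) and a lookalike of a system binary (`suchost.exe`). The Python below is an added example, not ComboFix's own logic or anything from the thread; it parses that listing and tags each file with the heuristics that make it stand out, so a responder can rank sixty-odd entries instead of reading them one by one. The sample lines are a subset copied from the log above; the heuristics, tag names and thresholds are the example's own.

```python
import re
from collections import Counter

# A subset of lines copied from the "Files Created" section of the ComboFix log above.
SAMPLE_COMBOFIX = r"""
2006-11-08 12:40 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe
2006-11-08 11:48 5,705 --a------ C:\WINDOWS\SYSTEM32\ApI4Lj7.exe
2006-11-08 08:48 16,457 ---h----- C:\WINDOWS\SYSTEM32\wservice.exe
2006-11-08 08:39 5,705 --a------ C:\Documents and Settings\Suresh Senathirajah\x7e42bK.exe
2006-11-07 23:44 5,705 C:\Documents and Settings\Suresh Senathirajah\o2fT.exe
2006-11-07 15:55 2,456 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2006-11-07 15:12 10,741 --a------ C:\WINDOWS\soso333.exe
2006-11-07 14:56 10,741 -r-h----- C:\WINDOWS\SYSTEM32\win_3.exe
2006-11-06 17:24 10,000 --a------ C:\WINDOWS\SYSTEM32\suchost.exe
2006-11-06 17:20 57,417 --a------ C:\WINDOWS\SYSTEM32\adirss.exe
2006-11-06 17:20 5,705 --a------ C:\WINDOWS\SYSTEM32\se.exe.exe
2006-11-06 15:13 0 --a------ C:\knrw.exe
2006-11-06 15:11 0 --a------ C:\usddru.exe
2006-11-06 14:52 5,120 --a------ C:\explorer1.exe
"""

# "<date> <time> <size> [<9-char attrs>] <path>"; the attribute column is sometimes absent.
FILE_LINE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+)\s+"
    r"(?:(?P<attrs>[-a-z]{9})\s+)?(?P<path>[A-Za-z]:\\.+)$"
)
RANDOM_STEM = re.compile(r"^[A-Za-z0-9@]{4,7}$")      # short, alphanumeric, machine-looking
DOUBLE_EXT = re.compile(r"\.\w{2,4}\.\w{2,4}$")         # e.g. se.exe.exe
PROFILE_ROOT = re.compile(r"^[A-Za-z]:\\Documents and Settings\\[^\\]+$")
SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                "services.exe", "winlogon.exe", "explorer.exe"]
CLUSTER_MIN = 3   # this many new files of identical size is a dropper signature


def parse_created(text):
    """Return [(timestamp, size_bytes, attrs_or_None, path)] for parseable lines."""
    out = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            out.append((m["when"], int(m["size"].replace(",", "")), m["attrs"], m["path"]))
    return out


def size_clusters(entries):
    return Counter(size for _, size, _, _ in entries)


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character lookalikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reasons_for(entry, clusters):
    _, size, attrs, path = entry
    parent, name = path.rsplit("\\", 1)
    stem = name.split(".", 1)[0]
    reasons = []
    if clusters[size] >= CLUSTER_MIN:
        reasons.append("size-cluster")
    if size == 0:
        reasons.append("zero-byte")
    if attrs and ("h" in attrs or "r" in attrs):
        reasons.append("hidden-or-readonly")
    if DOUBLE_EXT.search(name):
        reasons.append("double-extension")
    if parent.endswith(":") or PROFILE_ROOT.match(parent):
        reasons.append("dropped-in-root")
    mixed_case = stem.lower() != stem and stem.upper() != stem
    if RANDOM_STEM.match(stem) and (any(c.isdigit() for c in stem) or mixed_case):
        reasons.append("random-name")
    for sysname in SYSTEM_NAMES:
        if edit_distance(name.lower(), sysname) == 1:   # 0 would be the genuine file
            reasons.append("lookalike:" + sysname)
    return reasons


def triage_created_files(text):
    """Map path -> list of tags for every file that trips at least one heuristic,
    most tags first."""
    entries = parse_created(text)
    clusters = size_clusters(entries)
    findings = {}
    for e in entries:
        tags = reasons_for(e, clusters)
        if tags:
            findings[e[3]] = tags
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for path, tags in triage_created_files(SAMPLE_COMBOFIX).items():
        print(f"{len(tags)}  {path}  [{', '.join(tags)}]")
```

Note what the heuristics miss: `adirss.exe` (57,417 bytes, ordinary attributes, a plausible name in System32) gets no tag at all, even though it shows up in the running-process list and in the `adir` Run value. Size clustering and name shape find the noise a dropper generates; the dropper itself still needs a human, or a hash lookup.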

Post by Bob4 » November 7th, 2006, 10:15 pm

While I go through that, please get this log to me.

Download GMER's application from here

Save it to your desktop.

Create a new folder in c: drive called Gmer

Click on Start then My Computer then double click Local Disk C:

Now right-click anywhere on the open window and choose New, then Folder. Type in GMER and hit the Enter key.

Unzip the GMER zip file by double clicking on the desktop icon and save it to the GMER folder you just made.

Now Navigate to that folder (Gmer)
and double click the GMER.exe file

Click the Rootkit tab and click the Scan button.

IMPORTANT: Do NOT use the computer while the scan is in progress.

Please, do not select the "Show all" checkbox during the scan.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

If you're having problems with running GMER.exe, try it in Safe Mode.
This tool works in Safe Mode. Other rootkit revealers don't.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by srs » November 7th, 2006, 10:35 pm

Bob4

I ran GMER, and it reported a warning that rootkit activity was detected.

The log is below.

Thanks
srs

GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-08 13:30:37
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

SYSENTER ? F562EED5

Code F562D940 pIofCallDriver

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!Kei386EoiHelper + 151A 804DCA64 3 Bytes
.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 72033A2A
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72033BB5
.text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72033A99
.text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 72033A48
.text ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\U-Storage Tools2.65\UStorage.exe[440] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\U-Storage Tools2.65\UStorage.exe[440] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\U-Storage Tools2.65\UStorage.exe[440] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\U-Storage Tools2.65\UStorage.exe[440] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\U-Storage Tools2.65\UStorage.exe[440] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\WINDOWS\SYSTEM32\adirss.exe[560] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\WINDOWS\SYSTEM32\adirss.exe[560] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\WINDOWS\SYSTEM32\adirss.exe[560] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\WINDOWS\SYSTEM32\adirss.exe[560] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\WINDOWS\SYSTEM32\adirss.exe[560] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Messenger\msmsgs.exe[572] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\Messenger\msmsgs.exe[572] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\Messenger\msmsgs.exe[572] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\Messenger\msmsgs.exe[572] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\Messenger\msmsgs.exe[572] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\WINDOWS\SYSTEM32\CTFMON.EXE[588] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\WINDOWS\SYSTEM32\CTFMON.EXE[588] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\WINDOWS\SYSTEM32\CTFMON.EXE[588] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\WINDOWS\SYSTEM32\CTFMON.EXE[588] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\WINDOWS\SYSTEM32\CTFMON.EXE[588] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe[604] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe[604] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe[604] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe[604] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe[604] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[652] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[652] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[652] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[652] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[652] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[692] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[692] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[692] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[692] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[692] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[744] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[744] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[744] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[744] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[744] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Logitech\SetPoint\KEM.exe[760] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\Logitech\SetPoint\KEM.exe[760] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\Logitech\SetPoint\KEM.exe[760] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\Logitech\SetPoint\KEM.exe[760] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\Logitech\SetPoint\KEM.exe[760] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe[784] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe[784] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe[784] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe[784] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe[784] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe[812] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe[812] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe[812] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe[812] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe[812] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Logitech\SetPoint\KHALMNPR.exe[952] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\Logitech\SetPoint\KHALMNPR.exe[952] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\Logitech\SetPoint\KHALMNPR.exe[952] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\Logitech\SetPoint\KHALMNPR.exe[952] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\Logitech\SetPoint\KHALMNPR.exe[952] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE[984] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE[984] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE[984] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE[984] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE[984] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE[984] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE[1320] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE[1320] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE[1320] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE[1320] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE[1320] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1328] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1448] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1448] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1448] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1448] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1448] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\WINDOWS\SYSTEM32\nvsvc32.exe[1992] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\WINDOWS\EXPLORER.EXE[2036] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\WINDOWS\EXPLORER.EXE[2036] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\WINDOWS\EXPLORER.EXE[2036] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\WINDOWS\EXPLORER.EXE[2036] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\WINDOWS\EXPLORER.EXE[2036] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\WINDOWS\SYSTEM32\wdfmgr.exe[2088] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\WINDOWS\SYSTEM32\WLTRYSVC.EXE[2156] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE[2196] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\WINDOWS\SYSTEM32\uwdf.exe[2796] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3232] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3232] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3232] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3232] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3232] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3232] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\GMER\gmer.exe[3288] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\GMER\gmer.exe[3288] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\GMER\gmer.exe[3288] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\GMER\gmer.exe[3288] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\GMER\gmer.exe[3288] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\GMER\gmer.exe[3288] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F36BF617] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F36BF617] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F36BF617] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F36BF617] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F36BF617] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [F36BF79B] tfsnifs.sys

---- Modules - GMER 1.0.12 ----

Module (noname) (*** hidden *** ) F562A000

---- Threads - GMER 1.0.12 ----

Thread 4:1324 F562CF6C

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1

---- Files - GMER 1.0.12 ----

ADS C:\WINDOWS\SYSTEM32:lzx32.sys
File C:\WINDOWS\SYSTEM32\lzx32.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----
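
The log above is a textbook Rustock.b picture: a service (pe386) that only shows up when GMER reads the registry hive and kernel structures directly, a driver that lives as an alternate data stream attached to the System32 folder rather than as a normal file, a hidden kernel module, and a SYSENTER target GMER cannot map to any loaded module. The ewido guard.sys SSDT entries, by contrast, are the resident scanner doing its job. The block below is an added example, not part of this thread and not GMER's code: a small Python triage script that parses a GMER 1.0.12 log into findings, scores each line (the info/suspicious/rootkit scheme is the example's own), treats the ewido guard.sys hooks as expected (an assumption made here; check it against whatever product is actually installed), and correlates hidden services with ADS names to catch the driver-in-a-stream pattern. The embedded sample log is a constructed subset of the one posted above.

```python
"""Triage a GMER rootkit-scan log: parse its sections, score each line, and
correlate the hidden-service / alternate-data-stream pattern."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SERVICE_RE = re.compile(
    r"^Service (?P<image>.+?)(?P<hidden> \(\*\*\* hidden \*\*\* \))? "
    r"\[(?P<start>\w+)\] (?P<name>\S+)")
# Security products expected to hook the SSDT on this machine. Assumption made
# for this example; verify against the product actually installed.
TRUSTED_HOOKERS = ("ewido anti-spyware",)


@dataclass
class Finding:
    section: str
    kind: str      # first token of the GMER line: SSDT, Service, ADS, File, ...
    detail: str
    severity: str  # "info" | "suspicious" | "rootkit"


def parse_gmer(text: str) -> list[Finding]:
    """Walk the log line by line, tracking the current '---- <name> ----' section."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or section == "EOF":
            continue  # banner lines before the first section
        kind, _, rest = line.partition(" ")
        if "<-- ROOTKIT" in line or "*** hidden ***" in line:
            # GMER's own verdict: the object is hidden from the normal Windows APIs
            findings.append(Finding(section, kind, rest, "rootkit"))
        elif kind == "SSDT":
            # "SSDT <module> <Zw* function>": a syscall-table hook by <module>
            module, _, func = rest.rpartition(" ")
            trusted = any(t.lower() in module.lower() for t in TRUSTED_HOOKERS)
            findings.append(Finding(section, kind, f"{func} hooked by {module}",
                                    "info" if trusted else "suspicious"))
        elif kind == "SYSENTER":
            # "SYSENTER ? <addr>": '?' means the MSR target maps to no known module
            findings.append(Finding(section, kind, rest,
                                    "suspicious" if rest.startswith("?") else "info"))
        elif kind == "ADS":
            # A named stream on a directory (e.g. SYSTEM32:lzx32.sys) is not normal
            findings.append(Finding(section, kind, rest, "suspicious"))
        else:
            findings.append(Finding(section, kind, rest, "info"))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


def correlate_ads_driver(text: str) -> list[dict]:
    """Rustock.b pattern: a hidden kernel service whose driver file name also
    appears as an alternate data stream on a directory. One record per match."""
    streams = {}  # stream name -> directory the stream is attached to
    for f in parse_gmer(text):
        if f.kind == "ADS":
            host, _, stream = f.detail.rpartition(":")
            streams[stream.lower()] = host
    matches = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        driver = m.group("image").rsplit("\\", 1)[-1].lower()
        if m.group("hidden") and driver in streams:
            matches.append({"service": m.group("name"), "image": m.group("image"),
                            "ads_host": streams[driver], "stream": driver})
    return matches


# Constructed sample: a subset of the GMER 1.0.12 log posted in this thread.
SAMPLE_LOG = r"""GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-08 13:30:37
Windows 5.1.2600 Service Pack 1

---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

SYSENTER ? F562EED5

Code F562D940 pIofCallDriver

---- Modules - GMER 1.0.12 ----

Module (noname) (*** hidden *** ) F562A000

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Files - GMER 1.0.12 ----

ADS C:\WINDOWS\SYSTEM32:lzx32.sys
File C:\WINDOWS\SYSTEM32\lzx32.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----
"""

if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:10}] {f.section}: {f.kind} {f.detail}")
    print(severity_counts(found))
    print(correlate_ads_driver(SAMPLE_LOG))
```

Run it against a saved GMER log by reading the file into `parse_gmer`; anything scored "rootkit" or returned by `correlate_ads_driver` is what a helper would act on first, and the SSDT hooks only stay at "info" because the hooking module is on the trusted list.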

Unread postby Bob4 » November 7th, 2006, 11:28 pm

Yes you have a rootkit.
This will take a bit of research. I will be back with you as soon as I can.

Unread postby srs » November 7th, 2006, 11:33 pm

Bob4

I don't know what a rootkit is, but I am glad that you are persevering with me. Your help is really appreciated.

Thanks
srs

Unread postby Bob4 » November 7th, 2006, 11:36 pm

I have great help here and we're both going to need it. Just hang in there and, if you can, take this machine off the internet. No telling what else it will download without you knowing it.
This machine has been seriously compromised. :(

Unread postby Bob4 » November 8th, 2006, 7:36 am

Download Rustock.b removal tool...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (c:/avenger.txt & c:/rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.

Unread postby srs » November 8th, 2006, 7:52 am

Bob4

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:08 PM, on 8/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\program files\u-storage tools2.65\ustorage.exe
C:\WINDOWS\System32\adirss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Suresh Senathirajah\aL5D.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\uWDF.exe
C:\Documents and Settings\Suresh Senathirajah\My Documents\Down Loaded\High Jack\nofun.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.65
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\System32\wservice.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsup ... mAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 10.205.0.111,10.205.0.112
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Unread postby srs » November 8th, 2006, 7:53 am

Bob4,

Avenger Log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uikbeikk

*******************

Script file located at: \??\C:\xbkllsxh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

Unread postby srs » November 8th, 2006, 7:55 am

Bob4

pelog:

************************* Rustock.b-fix -- By ejvindh *************************
Wed 08/11/2006 22:41:08.99


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 65568
Total size: 65568 bytes.
Attempting to remove ADS...
system32: deleted 65568 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************