Believe I have Win32:rootkit-gen virus

Unread postby chilema » March 30th, 2009, 11:36 pm

I believe I have the above virus as per my Avast antivirus. Plus, after looking it up it is displaying all the symptoms. Here is my HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:08 PM, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
f:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
f:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
f:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {b5c225f2-b367-4786-896a-5dcb38fa3549} - C:\WINDOWS\system32\hujenufo.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] f:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CPM6b4724b5] Rundll32.exe "c:\windows\system32\fokazifi.dll",a
O4 - HKLM\..\Run: [68741729] rundll32.exe "C:\WINDOWS\system32\tijawani.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [buruzeleto] Rundll32.exe "C:\WINDOWS\system32\kakeyuwu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [buruzeleto] Rundll32.exe "C:\WINDOWS\system32\kakeyuwu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Desktop Manager.lnk = F:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0489948531
O20 - AppInit_DLLs: c:\windows\system32\fokazifi.dll c:\windows\system32\yikujode.dll,C:\WINDOWS\system32\vokoluwo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fokazifi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fokazifi.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - f:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6841 bytes
chilema
Regular Member
 
Posts: 23
Joined: March 30th, 2009, 11:29 pm
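The kind of first-pass triage a helper does on a log like the one above, written out as an added example. This is not code from MalwareRemoval.com, from HijackThis or from anyone in the thread. The sample lines are constructed from the entry formats in the log; the heuristics (random-looking eight-letter DLL names in system32, abuse-prone load points such as AppInit_DLLs, SSODL and SharedTaskScheduler, orphaned entries, and one DLL registered at several load points) are this example's own assumptions. Its output is a review list to be confirmed against file hashes and signatures, not a verdict: legitimate Windows DLLs with eight-letter names exist.

```python
"""Triage heuristics for HijackThis v2 log lines (added example, not HijackThis code)."""
import re
from collections import defaultdict

# Constructed sample in HijackThis v2.0.2 format (a subset of the thread's entries).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {b5c225f2-b367-4786-896a-5dcb38fa3549} - C:\WINDOWS\system32\hujenufo.dll (file missing)
O4 - HKLM\..\Run: [avast!] f:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CPM6b4724b5] Rundll32.exe "c:\windows\system32\fokazifi.dll",a
O4 - HKUS\S-1-5-19\..\Run: [buruzeleto] Rundll32.exe "C:\WINDOWS\system32\kakeyuwu.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\fokazifi.dll c:\windows\system32\yikujode.dll,C:\WINDOWS\system32\vokoluwo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fokazifi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fokazifi.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Load points that run a DLL inside every process or inside Explorer. The weighting
# is this example's assumption; on the page one DLL sat at all three of them.
HIGH_ABUSE_SECTIONS = {"O20": "AppInit_DLLs", "O21": "SSODL", "O22": "SharedTaskScheduler"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# A drive-rooted path ending in .dll/.exe; non-greedy so several paths on one line split apart.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe)', re.IGNORECASE)
# Heuristic only: legitimate 8-letter DLLs exist (browseui.dll), so this is never a verdict.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


def _looks_random_system32_dll(path):
    directory, _, name = path.lower().rpartition("\\")
    return directory.endswith("\\system32") and RANDOM_NAME_RE.match(name) is not None


def triage(log_text):
    """Return findings {"section", "path", "reasons"} for entries worth a closer look."""
    occurrences = defaultdict(list)  # lowercase path -> [(section, body), ...]
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        for path in PATH_RE.findall(m.group("body")):
            occurrences[path.lower()].append((m.group("section"), m.group("body")))

    findings = []
    for path, hits in occurrences.items():
        sections = sorted({s for s, _ in hits})
        for section, body in hits:
            reasons = []
            if _looks_random_system32_dll(path):
                reasons.append("random-looking 8-letter DLL name in system32")
            if section in HIGH_ABUSE_SECTIONS:
                reasons.append("loaded via " + HIGH_ABUSE_SECTIONS[section])
            if "(file missing)" in body:
                reasons.append("orphaned entry, file missing")
            if len(sections) > 1 and reasons:
                reasons.append("same file at %d load points: %s" % (len(sections), ", ".join(sections)))
            if reasons:
                findings.append({"section": section, "path": path, "reasons": reasons})
    return findings


def suspicious_files(log_text):
    """Unique file names from triage(): the list a helper would then confirm by hash."""
    return sorted({f["path"].rsplit("\\", 1)[-1] for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f["section"], f["path"], "|", "; ".join(f["reasons"]))
    print(suspicious_files(SAMPLE_HJT_LOG))
```

On the sample above the script singles out the five eight-letter DLLs and leaves ssv.dll, ashDisp.exe and nvsvc32.exe alone; the same DLL showing up under O4, O20, O21 and O22 is the strongest single signal it reports.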

Re: Believe I have Win32:rootkit-gen virus

Unread postby Odd dude » April 3rd, 2009, 10:05 am

Hi :)

So far I am not seeing anything as bad as a rootkit. There is one infection we need to take care of, but I do not see a rootkit so far.

Please explain the symptoms in detail. I know you're getting popups, anything else?

Temporarily disable Avast
We need to temporarily disable Avast, so it won't interfere with what we need to do.

  • Right click the Avast tray icon and choose Stop on-access protection
  • Right click the tray icon again and click Program settings
  • On the left, click Troubleshooting
  • Check the box next to Disable avast! self-defense module
  • Click OK

Do not forget to reverse this process before going back on-line!


Disable the Avast self-defence module
The Avast self-defence module can cause blue screen errors when certain tools attempt to terminate Avast.

  • Launch Avast by double-clicking the tray icon
  • Click Menu > Settings > Troubleshooting
  • Put a check next to Disable Avast self-defence module and click OK
  • Close the program

Do not forget to reverse this process before going back on-line!


ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without expert guidance.

ComboFix uses very brute tactics to rip malware off your system. Do not panic if your antivirus software warns you about the file.

:!: Please disable all your antivirus software, firewalls, and antispyware software BEFORE running ComboFix!! :!:

(If I should give more detailed instructions regarding how to do this, please inform me and do not proceed)


  • Download ComboFix from here and save it to your desktop.
  • Disable ALL antivirus/antimalware programs before proceeding!
  • Now start ComboFix.
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running! (Unless ComboFix needs you to do something ;))
  • When finished, the report will open. Reenable your protection software and post the log in your next reply.

If you cannot connect to the internet after running ComboFix, plug the cable/receiver/whatever you use to connect to the internet out and back in.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Believe I have Win32:rootkit-gen virus

Unread postby chilema » April 3rd, 2009, 10:48 pm

The reason I thought it was a rootkit is because that is what Avast told me it was when it went to the chest. Here is the ComboFix log and also a Kaspersky log I got before I ran ComboFix.

ComboFix 09-04-03.01 - Matt 2009-04-03 22:31:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1543 [GMT -4:00]
Running from: f:\my docs\Downloads\Music\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090403-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Matt\My Documents\My Documents.url
c:\documents and settings\Matt\My Documents\My Music\My Music.url
c:\documents and settings\Matt\My Documents\My Pictures\My Pictures.url
c:\documents and settings\Matt\My Documents\My Videos\My Video.url
c:\windows\system32\AutoRun.inf
c:\windows\system32\biregeju.dll
c:\windows\system32\erukebek.ini
c:\windows\system32\fokazifi.dll
c:\windows\system32\gavoyihe.dll
c:\windows\system32\hilohabo.dll
c:\windows\system32\inawajit.ini
c:\windows\system32\kebekure.dll
c:\windows\system32\lowofato.dll
c:\windows\system32\miwejosi.dll
c:\windows\system32\otafowol.ini
c:\windows\system32\tijawani.dll
c:\windows\system32\yafulaha.dll
c:\windows\system32\yikujode.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.

2009-03-29 11:27 . 2009-03-29 11:27 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2009-03-28 23:27 . 2009-03-28 23:27 2,713 ---hs---- c:\windows\system32\dimusave.exe
2009-03-28 11:26 . 2009-03-28 11:26 2,713 ---hs---- c:\windows\system32\ludovoyi.exe
2009-03-27 23:26 . 2009-03-27 23:26 2,713 ---hs---- c:\windows\system32\tamihifu.exe
2009-03-24 17:48 . 2009-03-24 23:09 <DIR> d-------- c:\documents and settings\Matt\Application Data\vlc
2009-03-24 17:42 . 2009-03-24 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-03-14 12:08 . 2009-03-23 13:03 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-14 12:08 . 2009-03-14 12:08 1,409 --a------ c:\windows\QTFont.for
2009-03-04 22:19 . 2009-03-04 22:19 <DIR> d-------- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 01:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-25 21:28 --------- d-----w c:\documents and settings\Matt\Application Data\uTorrent
2009-03-25 03:17 --------- d-----w c:\documents and settings\Matt\Application Data\Move Networks
2009-03-23 14:16 --------- d-----w c:\documents and settings\Matt\Application Data\MSN6
2009-02-17 13:11 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-02-06 04:26 --------- d-----w c:\program files\Kodak
2008-12-08 18:59 60,744 ----a-w c:\documents and settings\Matt\g2mdlhlpx.exe
2008-12-28 19:20 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122820081229\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="f:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="f:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - f:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2008-09-19 1545488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Matt^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\Matt\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2005-11-30 10:35 49152 c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
--a------ 2008-09-19 16:06 615696 c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link RangeBooster G WDA-2320]
--a------ 2005-12-15 12:21 2490368 c:\program files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
--a------ 2004-06-14 11:54 200704 c:\program files\Gigabyte\ET5\GUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 22:36 1207080 f:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-10-11 18:25 1961984 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 f:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-01-18 23:45 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-04-22 17:40 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2005-09-22 13:36 14854144 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gigabyte\\@BIOS\\update.exe"=
"c:\\Program Files\\Gigabyte\\@BIOS\\gwflash.exe"=
"f:\\Program Files\\World of Warcraft\\Repair.exe"=
"f:\program files\Microsoft ActiveSync\rapimgr.exe"= f:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"f:\program files\Microsoft ActiveSync\wcescomm.exe"= f:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"f:\program files\Microsoft ActiveSync\WCESMgr.exe"= f:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"f:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"f:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-12 20560]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{b5c225f2-b367-4786-896a-5dcb38fa3549} - c:\windows\system32\hujenufo.dll
HKLM-Run-Name of App - c:\program files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
MSConfigStartUp-68741729 - c:\windows\system32\lowofato.dll
MSConfigStartUp-CPM6b4724b5 - c:\windows\system32\yikujode.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\9hszsaj5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\9hszsaj5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 22:39:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Name of App = c:\program files\SAMSUNG\FW LiveUpdate\Liveupdate.exe?D~??A~??????A~??A~pPk???????????A~???????????????????????????????|????]?A~????+?E??????!=???D???J?????apD???????=????? ???1?F?????b?@?????]?A~ ???+?E???????????????????A~??G~????????????????????????????(?G

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
f:\program files\Alwil Software\Avast4\aswUpdSv.exe
f:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
f:\progra~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-03 22:41:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-04 02:41:39

Pre-Run: 34,601,185,280 bytes free
Post-Run: 35,591,946,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

217


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 31, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, March 31, 2009 05:13:07
Records in database: 1988855
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 62129
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 05:42:21


File name / Threat name / Threats count
C:\WINDOWS\system32\gapedayu.exe Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1

The selected area was scanned.
chilema
Regular Member
 
Posts: 23
Joined: March 30th, 2009, 11:29 pm

Re: Believe I have Win32:rootkit-gen virus

Unread postby Odd dude » April 4th, 2009, 1:31 am

I would like you to read the following topic:
http://malwareremoval.com/forum/viewtop ... 11&t=33112

I want you to realize this: Person-to-Person file sharing programmes are the #1 cause of infection to people. The program might not be infected, but the files you download with it most certainly can - and in fact, most of them will - be infected.

It is our policy that P2P software must be removed before cleaning can start... or in your case: continue.

Please uninstall the Person-to-Person file sharing programmes mentioned below through Add/Remove Programs in the Control Panel.

uTorrent

Also uninstall any other P2P programs I may have missed. Thanks :)

After performing those steps, post a new Uninstall list.

Run CFScript
Open notepad and copy/paste the following to it:

file::
c:\windows\system32\dimusave.exe
c:\windows\system32\ludovoyi.exe
c:\windows\system32\tamihifu.exe
C:\WINDOWS\system32\gapedayu.exe
folder::
c:\documents and settings\Matt\Application Data\uTorrent
registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"f:\\Program Files\\uTorrent\\utorrent.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Save this to your desktop as "CFScript.txt".

Disconnect from the internet, disable your antimalware software like you did before, and drag CFScript into ComboFix


ComboFix will run again, please be patient and post the log like usual.


Now let's check whether there is indeed a rootkit.

GMER
Do not touch the computer while GMER is running! If you do, it'll go completely unresponsive and you'll have to shut it down using the power switch. Just don't touch the PC while GMER is working.
Please download gmer.zip by GMER and save it to your desktop.

  • Right click the file you just downloaded and choose Extract all
  • Click Next
  • Click Browse
  • Click the + next to My Computer
  • Click Local Disk (C:)
  • Click Make new folder
  • Enter GMER
  • Click OK, then Next
  • Check Show extracted files and click Finish
  • Double click on GMER.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the GMER scan log and post it in your next reply.
  • Close GMER.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
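How a CFScript like the one in the post above can be assembled from triage decisions plus the weakened settings that the ComboFix log's "Reg Loading Points" section exposes, as an added example. This is not code from MalwareRemoval.com, from ComboFix's author or from anyone in the thread. The script layout it emits (file::, folder:: and registry:: sections, [-key] to delete a key, "name"=- to delete a value, dword:XXXXXXXX for a value) mirrors the CFScript posted above and nothing beyond it; the log excerpt, the policy table of expected values and the list of applications to strip from the firewall exceptions are this example's own constructed assumptions.

```python
"""Build a CFScript from a ComboFix log's registry dump (added example, not ComboFix code)."""
import re

# Constructed excerpt in the REGEDIT4-style layout ComboFix printed in the thread.
SAMPLE_REG_SECTION = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"""

# Assumed policy: (key suffix matched case-insensitively, value name, expected DWORD).
# The firewall and update-notification values are the two the thread's CFScript resets;
# the two other Security Center notification flags are added here as this example's assumption.
DWORD_POLICY = [
    ("\\firewallpolicy\\standardprofile", "EnableFirewall", 1),
    ("\\security center", "UpdatesDisableNotify", 0),
    ("\\security center", "AntiVirusDisableNotify", 0),
    ("\\security center", "FirewallDisableNotify", 0),
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _parse_data(raw):
    """Decode the two numeric forms ComboFix prints: dword:00000001 and ' 0 (0x0)'."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+) \(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw  # empty for name-only firewall entries, otherwise the literal text


def parse_reg_section(text):
    """Map each [key] to {value name: decoded data}, keeping the key text as printed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = keys.setdefault(km.group("key"), {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            current[vm.group("name")] = _parse_data(vm.group("data"))
    return keys


def audit_registry(reg_text, remove_apps=()):
    """Return registry:: lines that restore each setting found outside DWORD_POLICY
    and drop firewall exceptions whose path ends with one of remove_apps."""
    lines = []
    for key, values in parse_reg_section(reg_text).items():
        fixes = []
        for suffix, name, expected in DWORD_POLICY:
            if key.lower().endswith(suffix) and name in values and values[name] != expected:
                fixes.append('"%s"=dword:%08x' % (name, expected))
        if key.lower().endswith("\\authorizedapplications\\list"):
            for name in values:
                if any(name.lower().endswith(app.lower()) for app in remove_apps):
                    fixes.append('"%s"=-' % name)  # value names keep the log's escaping
        if fixes:
            lines.append("[%s]" % key)
            lines.extend(fixes)
    return lines


def build_cfscript(files=(), folders=(), registry_lines=(), delete_keys=()):
    """Lay out the sections in the order the thread's script uses; empty sections are omitted."""
    out = []
    if files:
        out.append("file::")
        out.extend(files)
    if folders:
        out.append("folder::")
        out.extend(folders)
    if delete_keys or registry_lines:
        out.append("registry::")
        out.extend("[-%s]" % k for k in delete_keys)
        out.extend(registry_lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(
        files=[r"c:\windows\system32\dimusave.exe", r"c:\windows\system32\ludovoyi.exe"],
        folders=[r"c:\documents and settings\Matt\Application Data\uTorrent"],
        delete_keys=[r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr"],
        registry_lines=audit_registry(SAMPLE_REG_SECTION, remove_apps=("utorrent.exe",)),
    ))
```

The point of parsing the log rather than typing the fixes by hand is that a disabled firewall or a silenced Security Center notification is easy to overlook in a long log; the audit turns each deviation from the expected value into the exact line the script needs, and only the uTorrent exception is removed while sessmgr.exe and msmsgs.exe stay.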

Re: Believe I have Win32:rootkit-gen virus

Unread postby chilema » April 4th, 2009, 11:02 pm

Ok. I uninstalled uTorrent and ran the other two programs. I am not sure how to show an uninstall list as you asked. Here are the logs.

ComboFix 09-04-03.01 - Matt 2009-04-04 22:13:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1541 [GMT -4:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090404-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\dimusave.exe
c:\windows\system32\gapedayu.exe
c:\windows\system32\ludovoyi.exe
c:\windows\system32\tamihifu.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Matt\Application Data\uTorrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Bleach_102_v2_[F11B80A3].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Bleach_203_[F97B9991].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Bleach_204_[631FD37D].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Bleach_205_[DBDD0939].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Bleach_206_[4AFFD916].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Bleach_207_[2A3BA5FC].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Bleach_208_[191E1D38].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Bleach_209_[0868010E].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Bleach_210_[657E4E74].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Bleach_211_[A988CA54].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Bleach_Movie_1_HD_1440x768_[2C434BF0].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Naruto_Movie_[D367824A].avi.1.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Naruto_Movie_[D367824A].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Naruto_Movie_2_[1E8A1B97].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[DB]_Naruto_Movie_3_[C688AE50].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[TvT] Avatar The Last Airbender Book 3 'Fire' 06 'The Avatar and the Firelord' [NICK-usotsuki] [65C752CE].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[TvT] Avatar The Last Airbender Book 3 'Fire' 07 'The Runaway' [NICK-usotsuki] [22008905].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[TvT] Avatar The Last Airbender Book 3 'Fire' 08 'The Puppetmaster' [NICK-usotsuki] [1B869810].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[TvT] Avatar The Last Airbender Book 3 'Fire' 09 'Nightmares and Daydreams' [NICK-usotsuki] [15AC5AC1].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\[TvT] Avatar The Last Airbender Book 3 'Fire' 10 'The Day of Black Sun - The Invasion-The Eclipse' [NICK-usotsuki] [6A716B9F].avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\02-timbaland_feat_nelly_furtado_and_justin_timberlake-give_it_to_me_(dirty)-Part 2.wma.torrent
c:\documents and settings\Matt\Application Data\uTorrent\50 CENT feat JUSTIN TIMBERLAKE & TIMBALAND - Ayo Technology.mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\AA281FullInstaller_BitTorrent.exe.torrent
c:\documents and settings\Matt\Application Data\uTorrent\akon-i_wanna_love_you_(feat._sean_paul)_(remix).mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Akon-In_My_Ghetto_Vol_2-2008-ONe.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Akon-Sorry_Blame_It_On_Me.mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Amel Larrieux - Bravebird.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Amel Larrieux - Morning [2006] [R&B] [www.file24ever.com].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Andrea Bocelli - Il Trovatore - Giuseppe Verdi - NLT-Release.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Andrea Bocelli - Amore 2006.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Andrea Bocelli.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Andrea.Bocelli.-.Incanto.(2008).WwW.Mixermusic.net.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Andrea.Bocelli.-.Vivere.The.Best.Of.2008.Mp3.[www.MixerMusic.net].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Beyonce-B-Day.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Beyonce -I Am Sasha Fierce-DeLuxe Edition[www.FanCluBT.com].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 202.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 82 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 83 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 84 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 85 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 86 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 87 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 88 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 89 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 90 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 91 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 92 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 93 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 94 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 95 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 96 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach 97 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach Movie 2.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach Season 1 Ep 001-025 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach Season 2 Ep 026-051 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach Season 3 Ep 052-074 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach Season 4 Ep 075-081 English Dubbed-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bleach Season 6.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bon Jovi-Slippery When Wet(Darkside_RG).torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bon Jovi - Lost Highway.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bon Jovi - New Jersey [1998 Remaster].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bone Thugs -N- Harmony feat Akon - I Tried Promo Cd.1.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Bone Thugs -N- Harmony feat Akon - I Tried Promo Cd.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Brandon Heath -What If We [2008].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Camp Rock.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Carrie Underwood - Carnival Ride.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Cascada - What Hurts The Most - Promo CDM - 2007.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Casting Crowns - The Altar And The Door.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Casting Crowns.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Chris Brown-Chris Brown(with Covers) a DHZ.Inc Release.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Chris Brown - C.B. [2007] [R&B] [www.file24ever.com].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Chris_Brown-Wall_To_Wall_(Prod_By_Swizz_Beatz).mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Chris_Brown_Ft_Jadakiss-Wall_To_Wall_(Remix).mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Colby Odonis ft. Akon - What You Got.mp3.1.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Colby Odonis ft. Akon - What You Got.mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\David Archuleta - Crush (New Single) (williswho.com).torrent
c:\documents and settings\Matt\Application Data\uTorrent\David Archuleta 2008 Full Album- 5 Extra Tracks.torrent
c:\documents and settings\Matt\Application Data\uTorrent\David Cook - David Cook [2008][CD+SkidVid_XviD+Cov].torrent
c:\documents and settings\Matt\Application Data\uTorrent\dht.dat
c:\documents and settings\Matt\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Matt\Application Data\uTorrent\Dollhouse.S01E01.HDTV.XviD-LOL.avi.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Dollhouse.S01E04.720p.HDTV.x264-CTU.mkv.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Exclusive [Special Edition] (2007).torrent
c:\documents and settings\Matt\Application Data\uTorrent\Feels Like Today [2004].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Fergie-The_Dutchess-2006-RNS.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Girls Gone Wild (6 episodes).torrent
c:\documents and settings\Matt\Application Data\uTorrent\Hannah Montana - Songs From And Inspired By The Hit TV Series.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Hannah_Montana_2_-_Meet_Miley_Cyrus-2CD-2007-BTL.torrent
c:\documents and settings\Matt\Application Data\uTorrent\High School Musical 2.torrent
c:\documents and settings\Matt\Application Data\uTorrent\High School Musical Soundtrack.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Hinder-Extreme_Behaviour-(UK_Retail)-2007-uF.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Jars_Of_Clay-Good_Monsters-2006-RNS.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Jason Mraz - We Sing We Dance We Steal Things (MP3) 2Lions.torrent
c:\documents and settings\Matt\Application Data\uTorrent\JoJo - The High Road (2006).1.torrent
c:\documents and settings\Matt\Application Data\uTorrent\JoJo - The High Road (2006).torrent
c:\documents and settings\Matt\Application Data\uTorrent\Jonas Brothers - A Little Bit Longer (2008) - Rock.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Jonas Brothers - Jonas Brothers (Special Edition 2007) - Rock [www.torrentazos.com].rar.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Jordan Sparks feat. Chris Brown - No Air.mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Josh_Groban-Noel-2007-JOSHGROBAN.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Justin Timberlake - What goes around...comes around.mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Justin Timberlake Futuresex Lovesounds(Deluxe Edition)2007 (KRG) princess.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Kanye West - Graduation (320Kbps).torrent
c:\documents and settings\Matt\Application Data\uTorrent\Kat Williams Pimp Chronicles.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Katt Williams Let a Playa Play.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Katt.Williams.American.Hustle.2007.DVDRip.XviD-SiNK.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Katt.Williams.Live.2006.REPACK.DVDRip.XviD-FiCO.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Kelly Clarkson - All I Ever Wanted [2009] [320 kbps] [UK Deluxe Edition].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Kelly_Clarkson-Never_Again-(CDS)-2007-SMO.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Legend.Of.Earthsea.2004.Mini.Series.NORDIC.PAL.DVDR-DFG.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Leona Lewis - Spirit (256Kbps).torrent
c:\documents and settings\Matt\Application Data\uTorrent\Lil_Wayne-Lollipop__Ft._Static_Major___DIRTY_-_www.dj-emi.blogspot.com_.mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Linkin Park-Minutes to Midnight (2007).torrent
c:\documents and settings\Matt\Application Data\uTorrent\Linkin Park - What I've Done 320kbps.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Linkin_Park-Minutes_To_Midnight-2007-GEE.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Madonna - Hard Candy (2008).torrent
c:\documents and settings\Matt\Application Data\uTorrent\Mariah Carey E=MC2 [FULL ALBUM 2008].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Miley_Cyrus-Breakout-2008-VAG.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Missy Higgins - On A Clear Night [2007][CD+SkidVid_XviD+Cov].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Missy Higgins - The Sound of White.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Naruto English Dubbed 1-201.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Naruto the Movie - Ninja Clash in the Land of Snow-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Naruto the Movie 2 - Legend of the Stone of Gelel-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Naruto the Movie 3 - Guardians of the Crescent Moon Kingdom-soagg.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Ne Yo - Because Of You [2007][CD+SkidVid+Cov].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Nickelback-All The Right Reasons.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Pink - Funhouse [2008][CD+SkidVid_XviD+Cov]320Kbps.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Rascal Flatts - Me And My Gang [2006].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Rascal Flatts - Still Feels Good (2007) - Country [www.torrentazos.com].rar.torrent
c:\documents and settings\Matt\Application Data\uTorrent\resume.dat
c:\documents and settings\Matt\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Matt\Application Data\uTorrent\rihanna feat jay-z umbrella.mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Rihanna_Ft_Chris_Brown_Jay-Z-Umbrella_(Remix).mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\rss.dat
c:\documents and settings\Matt\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Matt\Application Data\uTorrent\Season 4.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Season 5.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Season 7.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Season 8.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Season 9.torrent
c:\documents and settings\Matt\Application Data\uTorrent\settings.dat
c:\documents and settings\Matt\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Matt\Application Data\uTorrent\Snoop Dogg - Sensual Seduction (Promo CDS).torrent
c:\documents and settings\Matt\Application Data\uTorrent\South Park - s10e08.torrent
c:\documents and settings\Matt\Application Data\uTorrent\South Park - World Of WarCraft.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Stomp The Yard [2007] [Soundtrack] [www.file24ever.com].torrent
c:\documents and settings\Matt\Application Data\uTorrent\Switchfoot-Oh_Gravity-2006-RNS.torrent
c:\documents and settings\Matt\Application Data\uTorrent\T-Pain_Ft_Akon-Bartender.mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\T.I. - Paper Trail (Advance) - Parry Gill - xclusivez.net - mobstaz.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Thundercats.S01E47.The.Mumm.Ra.Berbil.(Fixed).torrent
c:\documents and settings\Matt\Application Data\uTorrent\Thundercats.Season.1.Complete.1.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Thundercats.Season.1.Complete.2.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Thundercats.Season.1.Complete.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Thundercats.Season.2.Complete.1.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Thundercats.Season.2.Complete.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Thundercats.torrent
c:\documents and settings\Matt\Application Data\uTorrent\timbaland-the way i are.zip.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Timbaland - Shock Value-2007.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Timbaland Feat. Nelly Furtado & Justin Timberlake - Give It To Me Aetoms Remix ( best than original 2007 Strasbourg France French Hot Hit Rap Crunk Pop Sex Fergie Lil Jon).mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\timbaland ft. nelly furtado justin timberlake- give it to me.mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\timbaland_ft_jay-z__justin_timberlake-_give_it_to_me_remix-Larceny9.mp3.1.torrent
c:\documents and settings\Matt\Application Data\uTorrent\timbaland_ft_jay-z__justin_timberlake-_give_it_to_me_remix-Larceny9.mp3.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Twilght Soundtrack.torrent
c:\documents and settings\Matt\Application Data\uTorrent\Usher Feat. Young Jeezy - Love In This Club.torrent
c:\documents and settings\Matt\Application Data\uTorrent\utorrent.lng
c:\windows\system32\dimusave.exe
c:\windows\system32\gapedayu.exe
c:\windows\system32\ludovoyi.exe
c:\windows\system32\tamihifu.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-03-29 11:27 . 2009-03-29 11:27 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2009-03-24 17:48 . 2009-03-24 23:09 <DIR> d-------- c:\documents and settings\Matt\Application Data\vlc
2009-03-24 17:42 . 2009-03-24 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-03-14 12:08 . 2009-03-23 13:03 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-14 12:08 . 2009-03-14 12:08 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 01:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-25 03:17 --------- d-----w c:\documents and settings\Matt\Application Data\Move Networks
2009-03-23 14:16 --------- d-----w c:\documents and settings\Matt\Application Data\MSN6
2009-03-05 02:19 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-17 13:11 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-02-06 04:26 --------- d-----w c:\program files\Kodak
2008-12-08 18:59 60,744 ----a-w c:\documents and settings\Matt\g2mdlhlpx.exe
2008-12-28 19:20 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122820081229\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-03_22.40.48.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-05 02:15:38 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5f4.dat
+ 2009-04-05 02:15:42 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="f:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="f:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - f:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2008-09-19 1545488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Matt^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\Matt\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2005-11-30 10:35 49152 c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
--a------ 2008-09-19 16:06 615696 c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link RangeBooster G WDA-2320]
--a------ 2005-12-15 12:21 2490368 c:\program files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
--a------ 2004-06-14 11:54 200704 c:\program files\Gigabyte\ET5\GUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 22:36 1207080 f:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-10-11 18:25 1961984 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 f:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-01-18 23:45 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-04-22 17:40 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2005-09-22 13:36 14854144 c:\windows\RTHDCPL.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gigabyte\\@BIOS\\update.exe"=
"c:\\Program Files\\Gigabyte\\@BIOS\\gwflash.exe"=
"f:\\Program Files\\World of Warcraft\\Repair.exe"=
"f:\program files\Microsoft ActiveSync\rapimgr.exe"= f:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"f:\program files\Microsoft ActiveSync\wcescomm.exe"= f:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"f:\program files\Microsoft ActiveSync\WCESMgr.exe"= f:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"f:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-12 20560]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\9hszsaj5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\9hszsaj5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 22:16:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
f:\program files\Alwil Software\Avast4\aswUpdSv.exe
f:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
f:\progra~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-04 22:18:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-05 02:18:20
ComboFix2.txt 2009-04-04 02:41:42

Pre-Run: 35,577,335,808 bytes free
Post-Run: 35,563,778,048 bytes free

352


GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-04 22:56:34
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB65666B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB6566574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6566A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB656614C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB656664E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB656608C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB65660F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB656676E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB656672E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB65668AE]

Code \??\C:\DOCUME~1\Matt\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\Matt\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl (size mismatch) 8192/4096 bytes

---- EOF - GMER 1.0.15 ----
chilema
Regular Member
Posts: 23
Joined: March 30th, 2009, 11:29 pm
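Two things in the ComboFix and GMER output above are what a helper checks by eye: the four c:\windows\system32 executables with eight-letter consonant-vowel names (dimusave.exe, gapedayu.exe, ludovoyi.exe, tamihifu.exe) look nothing like the other files in the listing, and every SSDT hook GMER reports is attributed to avast!'s aswSP.SYS, which is expected from a self-protecting antivirus and not by itself a sign of a rootkit. The Python below is an added example, not part of this thread and not code from ComboFix or GMER; it runs those two checks over sample lines constructed from the log. The name pattern is a triage heuristic that flags candidates for a person to confirm, the driver allowlist (only aswsp.sys) is an assumption made for the example, and the example_unknown.sys line is a made-up negative case showing how a hook with no vendor string would be reported.

```python
from __future__ import annotations

import re

# Sample input, constructed for this example: one line per file in the style of the
# ComboFix file listing above, with the four system32 names from the log plus two
# legitimate-looking entries as negative cases.
COMBOFIX_FILES = """\
c:\\documents and settings\\Matt\\Application Data\\uTorrent\\settings.dat
c:\\windows\\system32\\dimusave.exe
c:\\windows\\system32\\gapedayu.exe
c:\\windows\\system32\\ludovoyi.exe
c:\\windows\\system32\\tamihifu.exe
c:\\windows\\system32\\NeroCheck.exe
"""

# Sample GMER "System" lines, constructed for this example: two copied in form from
# the log above (avast!'s aswSP.SYS) and one hypothetical hook by an unidentified
# driver, which GMER prints without the parenthesised vendor string.
GMER_SSDT = """\
SSDT \\SystemRoot\\System32\\Drivers\\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB65666B8]
SSDT \\SystemRoot\\System32\\Drivers\\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB656608C]
SSDT \\??\\C:\\WINDOWS\\system32\\drivers\\example_unknown.sys ZwQueryDirectoryFile [0xB6A1C000]
"""

# Eight lowercase letters strictly alternating consonant/vowel, e.g. "gapedayu".
# This is a triage heuristic, not a verdict: it matches the naming pattern of the
# four system32 files in the log, and a human still has to confirm each hit.
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)
EXECUTABLE_EXT = {"exe", "dll", "sys"}


def suspicious_system32_names(listing: str) -> list[str]:
    """Return the system32 executables whose file stem looks machine-generated."""
    hits = []
    for line in listing.splitlines():
        m = SYSTEM32.match(line.strip())
        if not m:
            continue  # not a system32 entry; the rest of the listing is ignored
        name = m.group(1)
        stem, _, ext = name.rpartition(".")
        if ext.lower() in EXECUTABLE_EXT and RANDOM_NAME.match(stem):
            hits.append(name)
    return hits


SSDT_LINE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"           # driver path as GMER prints it
    r"(?:\s+\((?P<vendor>[^)]*)\))?"     # optional "(description/vendor)"
    r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$"
)


def ssdt_hooks_by_module(report: str) -> dict[str, dict]:
    """Group GMER SSDT hook lines by driver file name (lower-cased basename)."""
    modules: dict[str, dict] = {}
    for line in report.splitlines():
        m = SSDT_LINE.match(line.strip())
        if not m:
            continue
        basename = m.group("module").rsplit("\\", 1)[-1].lower()
        entry = modules.setdefault(basename, {"vendor": m.group("vendor"), "hooks": []})
        entry["hooks"].append(m.group("func"))
    return modules


# Drivers whose SSDT hooks are expected on this machine. Assumption for the example:
# only avast!'s self-protection driver, to which the GMER log above attributes every hook.
KNOWN_HOOKING_DRIVERS = {"aswsp.sys"}


def unexplained_ssdt_hooks(report: str) -> dict[str, list[str]]:
    """Hooks from drivers outside the allowlist, or that carry no vendor string at all."""
    flagged = {}
    for name, entry in ssdt_hooks_by_module(report).items():
        if name not in KNOWN_HOOKING_DRIVERS or entry["vendor"] is None:
            flagged[name] = entry["hooks"]
    return flagged


if __name__ == "__main__":
    print("random-looking system32 files:", suspicious_system32_names(COMBOFIX_FILES))
    for name, entry in ssdt_hooks_by_module(GMER_SSDT).items():
        print(f"{name}: {len(entry['hooks'])} hooks, vendor={entry['vendor']!r}")
    print("unexplained hooks:", unexplained_ssdt_hooks(GMER_SSDT))
```

For real triage, paste the whole ComboFix log into suspicious_system32_names (lines outside system32 are skipped) and the GMER "System" section into unexplained_ssdt_hooks; an empty result from the second function means every hook came from a driver you have already decided to trust, which is the situation in the log above.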

Re: Believe I have Win32:rootkit-gen virus

Post by Odd dude » April 5th, 2009, 2:34 am

Whoops, sorry about that. I usually request an uninstall list from users, in which I then notice software like uTorrent; however, that does not apply in your case, but I forgot to remove that part of my instructions. Sorry :oops:

ComboFix log looks good, do you have any more issues?

I recommend that you update Avast and run a full scan with it. If it still finds infections, let it quarantine them. If you know of any way to get a log out of the program, please post a log. (I myself don't use Avast, so I don't know whether it's possible to get a log; if you can't find such an option, don't worry.)

Let's also see a new HijackThis log.
Odd dude
Retired Graduate
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Believe I have Win32:rootkit-gen virus

Post by chilema » April 5th, 2009, 9:33 pm

I did a full system scan with Avast and it found a lot of viruses. Here is the log and a HijackThis log as well.

4/5/2009 3:12:27 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP680\A0041709.exe" file.
4/5/2009 3:12:19 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041593.dll" file.
4/5/2009 3:12:19 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041592.dll" file.
4/5/2009 3:12:19 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041591.dll" file.
4/5/2009 3:12:19 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041589.dll" file.
4/5/2009 3:12:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041588.dll" file.
4/5/2009 3:12:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041582.dll" file.
4/5/2009 3:12:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041587.dll" file.
4/5/2009 3:12:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041586.dll" file.
4/5/2009 3:12:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041585.dll" file.
4/5/2009 3:12:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041584.dll" file.
4/5/2009 3:11:47 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP671\A0041361.dll" file.
4/5/2009 3:11:33 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP671\A0041359.dll" file.
4/5/2009 2:58:30 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\yikujode.dll.vir" file.
4/5/2009 2:58:29 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\yafulaha.dll.vir" file.
4/5/2009 2:58:29 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\tijawani.dll.vir" file.
4/5/2009 2:58:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\miwejosi.dll.vir" file.
4/5/2009 2:58:17 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\lowofato.dll.vir" file.
4/5/2009 2:58:16 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\kebekure.dll.vir" file.
4/5/2009 2:58:15 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\hilohabo.dll.vir" file.
4/5/2009 2:58:06 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\gavoyihe.dll.vir" file.
4/5/2009 2:58:04 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\gapedayu.exe.vir" file.
4/5/2009 2:57:55 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\fokazifi.dll.vir" file.
4/5/2009 10:47:51 AM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\biregeju.dll.vir" file.
3/30/2009 7:44:31 PM Matt 2324 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\vokoluwo.dll" file.
3/30/2009 7:44:25 PM Matt 2324 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\kakeyuwu.dll" file.
3/30/2009 7:44:12 PM Matt 2324 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\hujenufo.dll" file.
3/30/2009 7:30:45 PM SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
3/30/2009 3:30:42 PM SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
3/30/2009 11:30:38 AM SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
3/30/2009 11:23:04 AM SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
3/28/2009 9:42:01 AM Matt 2820 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP670\A0041271.exe" file.
3/28/2009 4:08:49 AM Matt 2820 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\My Docs\Downloads\Vent\ventrilo-2.2.0-Windows-i386.exe" file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:42 PM, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
f:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
f:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
F:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] f:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Desktop Manager.lnk = F:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0489948531
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - f:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6013 bytes
chilema
Regular Member
 
Posts: 23
Joined: March 30th, 2009, 11:29 pm

Re: Believe I have Win32:rootkit-gen virus

Unread postby chilema » April 5th, 2009, 9:34 pm

I did a full system scan with Avast and it found a lot of viruses. Here is the log and a HijackThis log as well.

chilema
Regular Member
 
Posts: 23
Joined: March 30th, 2009, 11:29 pm

Re: Believe I have Win32:rootkit-gen virus

Unread postby chilema » April 5th, 2009, 9:36 pm

I did a full system scan with Avast and it found a lot of viruses. Here is the log and a HijackThis log as well.

chilema
Regular Member
 
Posts: 23
Joined: March 30th, 2009, 11:29 pm

Re: Believe I have Win32:rootkit-gen virus

Unread postby chilema » April 5th, 2009, 9:37 pm

I did a full system scan with Avast and it found a lot of viruses. Here is the log and a Hijack this log as well.

4/5/2009 3:12:27 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP680\A0041709.exe" file.
4/5/2009 3:12:19 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041593.dll" file.
4/5/2009 3:12:19 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041592.dll" file.
4/5/2009 3:12:19 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041591.dll" file.
4/5/2009 3:12:19 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041589.dll" file.
4/5/2009 3:12:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041588.dll" file.
4/5/2009 3:12:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041582.dll" file.
4/5/2009 3:12:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041587.dll" file.
4/5/2009 3:12:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041586.dll" file.
4/5/2009 3:12:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041585.dll" file.
4/5/2009 3:12:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP679\A0041584.dll" file.
4/5/2009 3:11:47 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP671\A0041361.dll" file.
4/5/2009 3:11:33 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP671\A0041359.dll" file.
4/5/2009 2:58:30 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\yikujode.dll.vir" file.
4/5/2009 2:58:29 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\yafulaha.dll.vir" file.
4/5/2009 2:58:29 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\tijawani.dll.vir" file.
4/5/2009 2:58:18 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\miwejosi.dll.vir" file.
4/5/2009 2:58:17 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\lowofato.dll.vir" file.
4/5/2009 2:58:16 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\kebekure.dll.vir" file.
4/5/2009 2:58:15 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\hilohabo.dll.vir" file.
4/5/2009 2:58:06 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\gavoyihe.dll.vir" file.
4/5/2009 2:58:04 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\gapedayu.exe.vir" file.
4/5/2009 2:57:55 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\fokazifi.dll.vir" file.
4/5/2009 10:47:51 AM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\biregeju.dll.vir" file.
3/30/2009 7:44:31 PM Matt 2324 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\vokoluwo.dll" file.
3/30/2009 7:44:25 PM Matt 2324 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\kakeyuwu.dll" file.
3/30/2009 7:44:12 PM Matt 2324 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\hujenufo.dll" file.
3/30/2009 7:30:45 PM SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
3/30/2009 3:30:42 PM SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
3/30/2009 11:30:38 AM SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
3/30/2009 11:23:04 AM SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
3/28/2009 9:42:01 AM Matt 2820 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP670\A0041271.exe" file.
3/28/2009 4:08:49 AM Matt 2820 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\My Docs\Downloads\Vent\ventrilo-2.2.0-Windows-i386.exe" file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:42 PM, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
f:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
f:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
F:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] f:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Desktop Manager.lnk = F:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0489948531
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - f:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6013 bytes
chilema
Regular Member
 
Posts: 23
Joined: March 30th, 2009, 11:29 pm
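
An added example, not part of chilema's post or of avast! itself: a Python script that parses avast! 4 log lines in the format pasted above and sorts each detection by where the file lives, which is the first thing a helper does with such a log (restore-point copies, ComboFix quarantine, live files in system32, user downloads). The five sample lines are copied from the log above; the location buckets, the "-gen" flag and the eight-letter random-name check are my own heuristics for this log, not avast! behaviour.

```python
"""Sort an avast! 4 log export by where each detected file lives.

Added example for this thread, not part of avast! or of any poster's code.
The location buckets and the name heuristic are assumptions made for this log.
"""
import re
from collections import Counter

# One avast! 4 log line, as pasted in the thread:
#   <date> <time> <user> <pid> Sign of "<signature>" has been found in "<path>" file.
DETECTION_RE = re.compile(
    r'^(?P<date>\d+/\d+/\d+) (?P<time>\d+:\d+:\d+ [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)
# The live hits in this log are bare eight-letter lowercase names in system32;
# this is a hint for a human to look at the file, not a rule (assumption).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe)(\.vir)?$")

# Five lines copied from the log above (constructed subset for the example).
SAMPLE_LOG = r"""
4/5/2009 3:12:27 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{04351F4F-4616-4329-B310-91AAA4D3E198}\RP680\A0041709.exe" file.
4/5/2009 2:58:30 PM Matt 3256 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\yikujode.dll.vir" file.
3/30/2009 7:44:31 PM Matt 2324 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\vokoluwo.dll" file.
3/30/2009 7:30:45 PM SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
3/28/2009 4:08:49 AM Matt 2820 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\My Docs\Downloads\Vent\ventrilo-2.2.0-Windows-i386.exe" file.
""".strip()


def classify_location(path):
    """Bucket a detected file by location; the bucket decides the next action."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"        # gone once System Restore is flushed
    if "\\qoobox\\quarantine\\" in p:
        return "combofix quarantine"       # already neutralised, removed with ComboFix /u
    if re.match(r"^[a-z]:\\windows\\system32\\", p):
        return "live file in system32"     # active on the box, must be dealt with
    if "\\downloads\\" in p:
        return "user download"             # review for a false positive before deleting
    return "other"


def parse(log_text):
    """Return (detections, unparsed). Lines that are not detections are kept, not dropped."""
    detections, unparsed = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DETECTION_RE.match(line)
        if not m:
            unparsed.append(line)          # e.g. the setifaceUpdatePackages() update errors
            continue
        rec = m.groupdict()
        rec["location"] = classify_location(rec["path"])
        rec["generic"] = "-gen" in rec["sig"]   # generic/heuristic signature, weaker evidence
        name = rec["path"].rsplit("\\", 1)[-1].lower()
        rec["random_name"] = bool(RANDOM_NAME_RE.match(name))
        detections.append(rec)
    return detections, unparsed


def summarize(log_text):
    """Counts per bucket plus the entries a helper would look at first."""
    detections, unparsed = parse(log_text)
    return {
        "by_location": dict(Counter(d["location"] for d in detections)),
        "live_random_named": [d["path"] for d in detections
                              if d["location"] == "live file in system32" and d["random_name"]],
        "generic_in_downloads": [d["path"] for d in detections
                                 if d["generic"] and d["location"] == "user download"],
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a full log export and the "live file in system32" bucket is the only one that still needs action; restore-point and quarantine copies are inert until something restores them, and a "-gen" hit on a download is the one to check against a second opinion before deleting.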

Re: Believe I have Win32:rootkit-gen virus

Unread postby Odd dude » April 6th, 2009, 1:09 am

I've got some good news :)

- Files located in C:\System Volume Information are part of your system restore points; a quick flush of those will resolve that.
- Files in C:\Qoobox have already been quarantined by ComboFix.
- 3/28/2009 4:08:49 AM Matt 2820 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\My Docs\Downloads\Vent\ventrilo-2.2.0-Windows-i386.exe" file. is most likely a false positive; it says -gen after the detection, which means it's a generic detection because 'the program looks like it could be dangerous'. Most likely avast sees that the program can connect to the internet and that arouses suspicion.
- These three:
3/30/2009 7:44:31 PM Matt 2324 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\vokoluwo.dll" file.
3/30/2009 7:44:25 PM Matt 2324 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\kakeyuwu.dll" file.
3/30/2009 7:44:12 PM Matt 2324 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\hujenufo.dll" file.

Are all genuine detections (though they are not Win32:rootkit-gen but rather something not that bad). You can have the program quarantine these if you haven't done so already.

Uninstall ComboFix
  • Disable all your antimalware programs like you did previously
  • Click Start > Run and enter:
    ComboFix /u
  • Click OK
  • ComboFix will now uninstall itself

You can delete GMER from your desktop. :)

Install a firewall
There is no firewall installed on your computer!
Either that, or you're using Windows Firewall, which is not a good idea.

Firewalls are programs that monitor incoming and outgoing connections to your computer. Did you know that, just by connecting to the internet, you are being exposed to hundreds of threats immediately? The way to solve this is to use a firewall and up-to-date antivirus software.

Windows Firewall only monitors incoming connections. This means that, once you are infected, the malware is free to ask for new instructions, send private data to its creator, or invite its malware buddies to come over. In other words: it's almost as good as no firewall at all.

Download a free-for-personal-use firewall NOW. If you can't find a good one, try one of these:
Online Armor Free
Agnitum Outpost Free

If you don't have any other issues, then I think all the malware is gone!

Congratulations!

As far as I can tell, you are CLEAN!

Sit back & relax, and now please follow a few of the tips below; they will dramatically reduce your chance of getting infected again.


  • Turn on Automatic Updates if you have not done so. It is MANDATORY to keep your Windows updated, otherwise you are vulnerable to exploits! To turn on Automatic Updates: click Start > Control Panel > Security Centre > Automatic Updates.

Below are optional items. They will increase your security, but are not really "needed". That said, I recommend following at least one of these tips.

  • Install WinPatrol from here. Instructions for use are here.

  • Install a custom hosts file. Let's say I have a directory of 640 KB worth of bad sites. Let's say I can make sure you will never be able to access those sites, so you will never get any infection from those sites. It's like blocking a site, without site-blocking tools. How would you like to never be able to visit (a lot, but not all of the) malware-infected sites again? Well, now you can!
    First, we must disable a service, as Windows cannot work with a very large hosts file while that service is active. This will not affect anything else.
    The disabling routine:
    • Click Start, then Run
    • Copy and paste the following:
      sc config dnscache start= disabled
    • Click OK
    Next, you can download the custom hosts file from here. Installation instructions can be found there as well.

Please reply to this thread once more so we know it can be archived.

Happy surfing!! :)
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
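
An added example, not code from Odd dude's post or from the hosts-file project it links to: a Python audit to run over a downloaded hosts file before installing it. The hosts file is also a classic hijack vector (a line can send a bank or update domain to an attacker's address just as easily as to 127.0.0.1), so the check accepts only loopback/null targets, reports any real address as a redirect, flags malformed lines, and warns when a listed name falls under a domain the PC depends on. The protected list and the sample hosts text are constructed for the example; it does not touch the dnscache service, which is the post's own step.

```python
"""Audit a third-party hosts file before installing it as a blocklist.

Added example for this thread; not code from the post or from the hosts-file
project it links to. Protected domains and the sample file are constructed.
"""
import ipaddress
import re

# The only targets a *blocking* hosts file should map names to.
BLACKHOLE = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9_-]+(\.[a-z0-9_-]+)*$", re.I)

# Constructed sample; the bank and tracker names are documentation domains.
SAMPLE_HOSTS = """\
# constructed sample, not a real blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org tracker2.example.org
127.0.0.1 www.update.microsoft.com   # a blocklist must not touch update or AV domains
192.0.2.10 www.example-bank.com      # a real address: this is a hijack, not a block
0.0.0.0 bad host name!
"""


def parse_hosts(text):
    """Return (entries, problems); entries are (lineno, ip, [names])."""
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            problems.append((n, "malformed address", raw))
            continue
        names = parts[1:]
        if not names:
            problems.append((n, "address with no host name", raw))
            continue
        if any(not HOSTNAME_RE.match(h) for h in names):
            problems.append((n, "malformed host name", raw))
            continue
        entries.append((n, ip, names))
    return entries, problems


def audit_blocklist(text, protected=()):
    """Report anything in a supposed blocklist that is not a plain block.

    protected: domains (and their subdomains) that must never be blocked,
    e.g. the Windows Update host this PC fetches patches from.
    """
    entries, problems = parse_hosts(text)
    redirects, protected_hits, names = [], [], set()
    for n, ip, hosts in entries:
        if ip not in BLACKHOLE:
            redirects.append((n, str(ip), hosts))  # resolves to a real host: DNS hijack
        for h in hosts:
            hl = h.lower()
            if hl == "localhost":
                continue
            if any(hl == p or hl.endswith("." + p) for p in protected):
                protected_hits.append((n, hl))
            names.add(hl)
    return {
        "entries": len(entries),
        "names": len(names),
        "redirects": redirects,
        "protected_hits": protected_hits,
        "problems": problems,
    }


if __name__ == "__main__":
    report = audit_blocklist(SAMPLE_HOSTS, protected=("update.microsoft.com",))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Install the file only when "redirects", "protected_hits" and "problems" all come back empty. Prefer entries that point at 0.0.0.0 over 127.0.0.1: the browser then fails the connection immediately instead of trying a web server on the local machine first.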

Re: Believe I have Win32:rootkit-gen virus

Unread postby NonSuch » April 8th, 2009, 8:02 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California