- Code: Select all
TR/Spy.Agent.xeg C:\Windows\Sysytem32\MSIVXiucfrptsqchkqrfwixvejuqvycyljqig.dll SPR/Tool.Obfuscator.ER.42 C:\Windows\Sysytem32\MSIVXxwbeckoorfpgpqtdsijpeenojsvnpmi.dll TR/Agent.79872 C:\Windows\Sysytem32\drivers\MSIVXuapetvmvofitedsmpxjcdnpyprwbtxdr.sys
I ran a GMER scan, and the results were the same...
- Code: Select all
---- Processes - GMER 1.0.15 ---- Library \\?\globalroot\systemroot\system32\MSIVXxwbeckoorfpgpqtdgisjpeenojsvnpmi.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [884] 0x10000000 ---- Services - GMER 1.0.15 ---- Service C:\Windows\system32\drivers\MSIVXuapetvmvofitedsmpxjcdnpyprwbtxdr.sys (*** hidden *** ) <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXuapetvmvofitedsmpxjcdnpyprwbtxdr.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXuapetvmvofitedsmpxjcdnpyprwbtxdr.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXxwbeckoorfpgpqtdgisjpeenojsvnpmi.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXiucfrptsqchkqrfwixvejuqvycyljqig.dll Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@start 1 Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@type 1 Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXuapetvmvofitedsmpxjcdnpyprwbtxdr.sys Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@group file system Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXuapetvmvofitedsmpxjcdnpyprwbtxdr.sys Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXxwbeckoorfpgpqtdgisjpeenojsvnpmi.dll Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXiucfrptsqchkqrfwixvejuqvycyljqig.dll
Below is my HijackThis log...
- Code: Select all
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 02:22:00, on 23/06/2009 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Windows\System32\mobsync.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\RtHDVCpl.exe C:\Program Files\Lexmark X5400 Series\lxdvmon.exe C:\Program Files\Lexmark X5400 Series\lxdvamon.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Windows\System32\rundll32.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\francis\Desktop\ef2zge39.exe <-----Renamed GMER.exe!!! C:\Windows\system32\NOTEPAD.EXE C:\Windows\system32\NOTEPAD.EXE C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [lxdvmon.exe] "C:\Program Files\Lexmark X5400 Series\lxdvmon.exe" O4 - HKLM\..\Run: [lxdvamon] "C:\Program Files\Lexmark X5400 Series\lxdvamon.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\Windows\system32\PCLECoInst.dll",CheckUSBController O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: lxdvCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe O23 - Service: lxdv_device - - C:\Windows\system32\lxdvcoms.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: Syntek STK1150 Service (StkASSrv) - Syntek America Inc. - C:\Windows\System32\StkASv2K.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe -- End of file - 8054 bytes
I have tried many Virus programs, also i have used Kaspersky online scan, and also Malwarebytes. But both have failed to 'flag' the above 'rootkit'.
If anyone would be so kind as to aid me in getting rid of the above 'rootkit', i would very much appreciate it.
Thank you.