MalwareRemoval.com, free malware removal support forum

Possible rootkit - hijack this logs included

Post by AngryPanda » May 23rd, 2010, 12:28 pm

Briefly, my problem is:

- I navigated to the wrong web page, and whatever was there exploited a vulnerability of my system (Windows XP SP3 (WinNT 5.01.2600)) and installed EVERYTHING on my PC. It even removed "Folder Options" from the Control Panel and disabled regedit.
- I manually cleaned most of the stuff (I am a software developer and have decent knowledge of how Windows works). I ran a full scan of AVG and Spybot S&D; nothing else was found.
- I ran the Winsock fix.
- Bad services were removed. No unknown software is running on my PC.

CURRENT PROBLEMS
- Google Chrome doesn't run;
- I cannot search some keywords: if I try to search Google for "windows update" I just receive a "problem loading page".
EDIT: I needed to remove a space between the words "windows" and "update" in order to post this message. If I wrote them as a single word, my browser would not even submit the data to this forum. Something is really, really wrong with my system.
- When I click on some links on Google, I am redirected to a spammy page rather than the link I clicked.

All of this screams rootkit to me. I tried to run GMER, but after a while I receive a Blue Screen Of Death and cannot continue.
Here are my logs.
Thank you very much.

---------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:20:37, on 23/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\AVG\AVG9\avgchsvx.exe
d:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
d:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
d:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
D:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
D:\FRAPS\FRAPS.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Logitech\SetPointG\SetPointII.exe
d:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
d:\Program Files\AVG\AVG9\avgwdsvc.exe
d:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\AVG\AVG9\avgam.exe
d:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\isposure\IsposureAgent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\isposure\IsposureAgent.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
d:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Emanuele.COMPUTERZERO\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
D:\utils\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG9\avgssie.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [AVG9_TRAY] d:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Fraps] D:\FRAPS\FRAPS.EXE
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Emanuele.COMPUTERZERO\Application Data\SystemProc\lsass.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - d:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - d:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - d:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: IsposureAgent (isposure_svc) - Epitiro Ltd. - C:\Program Files\isposure\IsposureAgent.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SQL Server Browser (SQLBrowser) - Unknown owner - C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (file missing)

--
End of file - 4965 bytes
-----------------------------------------

Uninstall.txt:

-----------------------------------------

32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Advertisement Service
AutoHotkey 1.0.48.03
AVG 9.0
AVG Anti-Rootkit Free
Batman: Arkham Asylum
Battlefield 2142 Deluxe Edition
Cheat Engine 5.5
Cisco Systems VPN Client 5.0.04.0300
Combined Community Codec Pack 2008-09-21 16:18
ComicRack v0.9.120
Creative Audio Console
Crysis(R)
dBpoweramp Music Converter
Doom 3
EditPlus 3
eMule
ExamDiff 1.8 (Build 1.8.0.4)
ffdshow [rev 3026] [2009-07-05]
FileZilla Client 3.3.2.1
FLV Player 2.0 (build 25)
Foxit PDF IFilter
Foxit Reader
Fraps
GetDataBack for FAT and GetDataBack for NTFS
Google Talk Plugin
Hamachi 1.0.3.0
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB938759)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB969084)
HP Customer Participation Program 13.0
HP Deskjet F4500 Printer Driver Software 13.0 Rel .6
HP Imaging Device Functions 13.0
HP Print Projects 1.0
HP Smart Web Printing 4.5
HP Solution Center 13.0
HWiNFO32 Version 3.10
Icewind Dale II
isposure
Java(TM) 6 Update 15
Junk Mail filter update
Left 4 Dead
Left 4 Dead 2 Demo
Logitech G11 Keyboard Software 1.03
Logitech SetPoint 6.0
Logitech Webcam Software
Logitech Webcam Software Driver Package
Macromedia Dreamweaver 8
Macromedia Extension Manager
Matrix-ks
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601)
Mozilla Firefox (3.6.3)
MSDN Library for Visual Studio 2005
MSDN Library for Visual Studio 2005
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
Neverwinter Nights 2
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
Pdf995
Planescape - Torment
PowerDVD
PunkBuster Services
Qtracker
Real Alternative 1.8.0
Realtek High Definition Audio Driver
Safari
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB978262)
Segoe UI
Skype™ 4.1
Smart Mod Manager
SourceGear Vault Client
Spybot - Search & Destroy
STALKER: Shadow of Chernobyl
Steam
STREET FIGHTER IV
Team Fortress 2
TheBat! Home v4.2.23
Thief2X version 1.1
Trillian
Unlocker 1.8.7
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VNC Free Edition 4.1.3
VP3 Codec for Video for Windows
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows PowerShell(TM) 1.0
Windows PowerShell(TM) 1.0 MUI pack
Windows XP Service Pack 3
WinRAR archiver
AngryPanda
Active Member
 
Posts: 2
Joined: May 23rd, 2010, 12:19 pm
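The HijackThis log above is the kind of artifact a helper triages line by line. As an added example (not code from the original post, nor from the HijackThis project), the Python script below parses the O4, O10, O20 and O23 line formats shown in the log and flags the entries a helper would inspect first: an autorun under Policies\Explorer\Run, a system-binary name such as lsass.exe running from outside the Windows directory, a Winsock LSP entry HijackThis does not recognise, and Winlogon Notify or service entries whose file is missing. The sample lines are constructed to match the log's format (the profile name is replaced by a placeholder), and the severity labels and the check rules are the example's own assumptions, not HijackThis output.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Parses the "O4 - ...", "O10 - ...", "O20 - ..." and "O23 - ..." line formats
and applies simple defender-side heuristics to each entry.
"""
import re

# Names malware often borrows from Windows; genuine copies live under
# %SystemRoot%\system32, so a copy elsewhere deserves a closer look.
SYSTEM_BINARY_NAMES = {"lsass.exe", "svchost.exe", "winlogon.exe",
                       "csrss.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First *.exe token of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)


def executable_path(cmd):
    """Return the executable part of an autorun command string."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def check_o4(body):
    """Autorun entries: rare persistence keys and misplaced system binaries."""
    m = O4_RE.match(body)
    if not m:
        return []
    findings = []
    key, cmd = m.group("key"), m.group("cmd")
    path = executable_path(cmd)
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if "policies\\explorer\\run" in key.lower():
        findings.append(("high", "autorun via Policies\\Explorer\\Run, "
                                 "rarely used by legitimate software"))
    if basename in SYSTEM_BINARY_NAMES and not path.lower().startswith(SYSTEM_DIRS):
        findings.append(("high", f"{basename} running from outside the "
                                 f"Windows directory: {path}"))
    return findings


def check_o10(body):
    """Winsock LSP entries HijackThis could not match to a known DLL."""
    if body.lower().startswith("unknown file in winsock lsp"):
        return [("medium", "LSP DLL not on HijackThis's known list; "
                           "verify its publisher before touching the chain")]
    return []


def check_o20(body):
    """Winlogon Notify entries whose DLL no longer exists."""
    if "(file missing)" in body.lower():
        return [("low", "dangling Winlogon Notify entry; leftovers like this "
                        "can break logon and should be cleaned up")]
    return []


def check_o23(body):
    """Services with no recognised owner and a missing binary."""
    low = body.lower()
    if "unknown owner" in low and "(file missing)" in low:
        return [("low", "service with unknown owner pointing at a missing "
                        "file; usually a leftover, confirm before removing")]
    return []


CHECKS = {"O4": check_o4, "O10": check_o10, "O20": check_o20, "O23": check_o23}


def triage(log_text):
    """Run every check over a log and return a list of finding dicts."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        for severity, reason in CHECKS.get(section, lambda b: [])(body):
            findings.append({"severity": severity, "section": section,
                             "line": line, "reason": reason})
    return findings


# Constructed sample in the format of the posted log ("user" is a placeholder).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: SQL Server Browser (SQLBrowser) - Unknown owner - C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']:4} {f['reason']}")
        print(f"         {f['line']}")
```

On the constructed sample, both high-severity findings land on the RTHDBPL line, the same entry the posted log contains. A heuristic match is a prompt to inspect the file (publisher, hash, creation time, what it connects to), not a verdict; the rest of the findings are the low-cost cleanup items a helper checks after the serious ones.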

Re: Possible rootkit - hijack this logs included

Post by AngryPanda » May 24th, 2010, 11:59 am

The issue is now resolved, thank you.

I read this thread, which displayed symptoms similar to mine, and the solution was similar as well: running Combofix, together with other malware removal tools, did the trick.

I am now monitoring my system with a firewall to log every attempt to connect to an external entity.

A big "thank you" to the owners of this website - you saved me a painstakingly long system reinstallation.
AngryPanda
Active Member
 
Posts: 2
Joined: May 23rd, 2010, 12:19 pm

Re: Possible rootkit - hijack this logs included

Post by Dakeyras » May 24th, 2010, 4:17 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra