Rootkit.Win32.Agent.bert

Post by cerebellum9 » August 11th, 2010, 9:36 am

Hi,

I'm having my antivirus (Kaspersky) pop up with this rootkit. I can't seem to get rid of it at all. Any help would be much appreciated!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:00:17, on 16/07/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Windows\system32\conime.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MRT] "C:\Windows\system32\MRT.exe" /R
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe (file missing)
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6367 bytes


4oD
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe Shockwave Player
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Assassin's Creed
ASUS Gamer OSD
Attansic Ethernet Utility
Attansic L1 Gigabit Ethernet Driver
Belkin Wireless USB Utility
Bonjour
Compatibility Pack for the 2007 Office system
Counter-Strike: Source
Day of Defeat: Source
DivX Web Player
DriverAgent by eSupport.com
EPSON Scan
FreeFixer
Freewire Television
GIMP 2.6.4
Handbrake 0.9.4
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 13
Java(TM) 6 Update 4
Kaspersky Internet Security 2010
Kaspersky Internet Security 2010
Left 4 Dead
Left 4 Dead 2
Left 4 Dead 2 Add-on Support
Logitech QuickCam
Logitech Updater
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.5.10)
MSVCRT
Navman F20 Service Pack
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA PhysX
NVIDIA Windows Vista Stereoscopic 3D Driver
OGA Notifier 2.0.0048.0
OpenOffice.org 2.4
Portal
PunkBuster Services
PVSonyDll
Quake Live Internet Explorer Plugin
Quake Live Mozilla Plugin
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Skype™ 3.8
Source SDK Base
Spybot - Search & Destroy
Station Launcher
Steam
System Requirements Lab
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Viewpoint Media Player
VLC media player 0.9.2
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver
Xtranormal State - Voicepack-English-UK-Daniel
Xtranormal State - Voicepack-English-UK-Serena
Xtranormal State - Voicepack-English-US-Samantha
Xtranormal State - Voicepack-English-US-Tom
XviD MPEG-4 Video Codec
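The HijackThis log above is read by eye in this thread. As an added example, not code from the original post or from HijackThis, here is a small Python triage script run over lines copied from that log. It picks out the entries a helper typically asks about first: the per-user proxy set to 127.0.0.1:5555, the BHO whose DLL is gone, the AppInit_DLLs entry, and services whose binary is missing or carries no company name. The sample lines are constructed from the log above; the flags are prompts for a human, not verdicts (the AppInit_DLLs paths point at Kaspersky and PnkBstrA belongs to PunkBuster, as the log itself shows).

```python
"""Triage a HijackThis 2.0.4 log for entries a helper would ask about."""
import re

# Constructed sample: lines copied from the HijackThis log above. The entry
# types (R1, O2, O20, O23) are the ones the heuristics below look at.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

# Every HJT finding line starts with its section code (R0, O2, O23, ...),
# a " - " separator and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) for each HJT entry line; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return (section, reason, body) for entries that deserve a second look."""
    findings = []
    for section, body in parse_hjt(text):
        if section in ("R0", "R1") and "ProxyServer" in body:
            reason = "per-user proxy set; find out which product put it there"
        elif section == "O2" and body.endswith("(no file)"):
            reason = "BHO CLSID registered but its DLL is gone (orphan)"
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            reason = "DLLs loaded into every process that maps user32.dll"
        elif section == "O23" and "(file missing)" in body:
            reason = "service points at a binary that is not on disk"
        elif section == "O23" and "Unknown owner" in body:
            # HJT prints "Unknown owner" when the binary has no company name
            reason = "service binary has no company name in its version info"
        else:
            continue
        findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {body}")
```

Paste the full log into SAMPLE_LOG (or read it from gmer.txt-style files with open()) and the same five rules apply; anything not matched is left for the reader, which is the point of a triage pass rather than a verdict.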

Re: Rootkit.Win32.Agent.bert

Post by MWR 3 day Mod » August 15th, 2010, 1:29 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: Rootkit.Win32.Agent.bert

Post by xixo_12 » August 15th, 2010, 8:22 am

Hello and welcome to Anti-Malware Forums.
Introduction and rules:
  • I'm xixo_12 and I'm really glad to help you.
  • You're advised to refrain from running any self-fixes until I give the "All Clean" speech.
  • The instructions in this topic are created specifically for the current problem; do not apply them to another system.
  • You're advised to ask about any uncertainty.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.

Please make sure you have done your reading on this topic: How to get help at this forum
Please! If you need more time to do all the instructions, let me know before the 72 hours are up. Otherwise, your thread will be closed.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now we will start the collaboration.
Do keep in mind, removing malware is a hazardous undertaking. I'm ready to share what I have learned through years of removing malware, but I'm also fallible.
You're advised to back up all your important data before we start.
Note: Due to a limitation, Windows Vista requires the user to right-click > Run as Administrator to use the tools.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

First,
Advice.
===============================
Punkbuster.
  • Punkbuster can take control over various aspects of your computer, and some gaming tools not unlike Punkbuster also hinder their removal.
  • By the definition we handle here, Punkbuster is actual SPYWARE. Therefore, I now ask you to choose from the options below:
    1. Either we try to leave Punkbuster alone, but there is NO guarantee a spyware component doesn't 'accidentally' get taken out, so Punkbuster might break.
      This will break your ability to play games using Punkbuster-enabled servers.
    2. We can just remove Punkbuster. You can reinstall it afterwards if you wish, but please keep in mind that it is SPYWARE.
    3. Another option is to not clean this computer at all. This ensures Punkbuster will continue to function.

Please let me know what you would like to do after reading my advice.

Viewpoint.
  • Though not exactly classed as malware, it does have some undesirable characteristics.
  • However, there is no point in uninstalling it, since an update of AIM/AOL will install Viewpoint automatically.
  • Isn't that nice of AOL and their applications.
===============================
===============================

Next,
Remove programs.
Please click Start > Control Panel > Programs and Features.
Remove the listed program(s) by clicking Uninstall/Change.
Spybot - Search & Destroy

If some program(s) listed above are not present, please do not panic and proceed to the next step.

Next,
GMER.
Please download from HERE and save to the desktop.
  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Right click on Gmer.exe > Run as Administrator to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click on the >>> symbol and choose the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information into your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

What you need to post
Checklist.
  • Respond to the advice.
  • Content of GMER.txt

Re: Rootkit.Win32.Agent.bert

Post by cerebellum9 » August 15th, 2010, 8:55 am

Hi,

I've removed both punkbuster and spybot.

GMER, however, seems to crash during the scan both in normal mode and in safe mode. Any suggestions?

Re: Rootkit.Win32.Agent.bert

Post by xixo_12 » August 15th, 2010, 10:15 am

Hi,
Let's proceed with these.
I saw an MBAM entry in the HijackThis log, but it does not appear in the uninstall list.
Please update MBAM and do a full scan (if it is installed); otherwise follow the instructions below.

First,
Uninstall Punkbuster
Please download this application.
  • Right click on pbsvc.exe > Run as Administrator > click on Uninstall/Remove PunkBuster Service > click on Next > click on I Agree > click on Finish after the removal is done.
  • Once finished, click Start>Run and copy and paste this:
    cmd /c for %i in (A B K) do sc delete PnkBstr%i
  • Click OK. A black box will flash very briefly, this is normal.
  • Double click My Computer on your desktop and browse to c:\windows\system32\drivers
  • Delete this file if it's there: PnkBstrK.sys

Next,
Reboot into your usual account.

Next,
Malwarebytes' Anti-Malware.
Download Malwarebytes' Anti-Malware here and save to the desktop.
  • Right click on mbam-setup.exe > Run as Administrator and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure everything is checked, then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note:
  • The log can also be found here:
    C:\Users\Username\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


Next,
CKScanner.
Please download from HERE and save to the desktop.
  • Right click on CKScanner.exe > Run as Administrator to run it and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

What you need to post
Checklist.
  • Content of MBAM log
  • Content of CKFiles.txt

Re: Rootkit.Win32.Agent.bert

Post by cerebellum9 » August 15th, 2010, 1:02 pm

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4432

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

15/08/2010 17:57:36
mbam-log-2010-08-15 (17-57-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 357299
Time elapsed: 2 hour(s), 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\lxrsh.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Users\Pete\AppData\Local\Temp\0.9937872604912201.exe (Trojan.Dropper) -> Quarantined and deleted successfully.



CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
c:\program files\steam\steamapps\pchecketts\counter-strike source\cstrike\maps\cs_crackhouse.bsp
c:\program files\steam\steamapps\pchecketts\counter-strike source\cstrike\maps\de_crackhouse.bsp
c:\program files\steam\steamapps\pchecketts\counter-strike source\cstrike\maps\de_crackhouse.nav
c:\program files\steam\steamapps\pchecketts\counter-strike source\cstrike\maps\soundcache\cs_crackhouse.cache
c:\program files\steam\steamapps\pchecketts\counter-strike source\cstrike\maps\soundcache\de_crackhouse.cache
scanner sequence 3.BD.11
----- EOF -----

Re: Rootkit.Win32.Agent.bert

Post by xixo_12 » August 15th, 2010, 6:47 pm

Hi,
Let's proceed.

First,
ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links).
Save it as Combo-Fix.exe <<Please take a look at the file name. You have to change it.
Link 1
Link 2

**IMPORTANT !!! Save Combo-Fix.exe to your Desktop**
  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Right click on Combo-Fix.exe > Run as Administrator & follow the prompts
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


What you need to post
Checklist.
  • Content of ComboFix.txt
  • Please let me know, how is your system.

Re: Rootkit.Win32.Agent.bert

Post by cerebellum9 » August 15th, 2010, 7:59 pm

ComboFix 10-08-15.01 - Pete 16/08/2010 0:40.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3326.2760 [GMT 1:00]
Running from: c:\users\Pete\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\driVERs\lxrsh.sys . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://lp2.patch.station.sony.com:7000
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_lxrsh
-------\Service_lxrsh


((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))
.

2010-08-15 23:46 . 2010-08-15 23:50 -------- d-----w- c:\users\Pete\AppData\Local\temp
2010-08-15 14:47 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-15 14:47 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-15 14:44 . 2010-08-15 14:44 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-08-15 14:44 . 2010-08-15 14:45 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-08-15 14:44 . 2010-08-15 14:44 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-08-12 14:54 . 2010-08-12 14:54 -------- d-----w- c:\program files\Common Files\Pearson VUE Common
2010-08-11 12:53 . 2010-08-11 12:53 -------- d-----w- c:\programdata\SupportSoft
2010-08-11 12:52 . 2010-08-11 12:52 -------- d-----w- c:\program files\O2
2010-08-11 12:50 . 2010-08-11 12:50 -------- d-----w- c:\program files\O2_Installer
2010-08-11 12:31 . 2010-08-11 12:31 -------- d-----w- c:\users\Pete\AppData\Local\SupportSoft
2010-08-11 12:30 . 2010-08-11 12:30 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-08-06 18:03 . 2010-08-06 18:03 -------- d-----w- c:\program files\Lame for Audacity
2010-08-06 18:00 . 2010-08-08 16:07 -------- d-----w- c:\users\Pete\AppData\Roaming\Audacity
2010-08-06 17:59 . 2010-08-06 18:00 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2010-08-01 20:53 . 2010-08-01 20:53 -------- d-----w- c:\users\Pete\.thumbnails
2010-07-29 15:59 . 2010-07-29 15:59 -------- d-----w- c:\users\Pete\AppData\Local\skpijauqk
2010-07-27 15:44 . 2010-07-27 15:44 -------- d-----w- c:\users\Pete\AppData\Local\kqshxlwqv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 23:53 . 2008-09-24 14:28 -------- d-----w- c:\programdata\Kontiki
2010-08-15 23:51 . 2010-05-26 16:29 34805 ----a-w- c:\programdata\nvModes.dat
2010-08-15 23:28 . 2010-05-14 18:23 -------- d-----w- c:\programdata\Kaspersky Lab
2010-08-15 20:39 . 2008-09-12 12:55 -------- d-----w- c:\program files\Steam
2010-08-15 14:45 . 2010-08-15 14:45 139152 ----a-w- c:\users\Pete\AppData\Roaming\PnkBstrK.sys
2010-08-15 14:45 . 2010-08-15 14:45 139152 ----a-w- c:\users\Pete\AppData\Roaming\PnkBstrK.sys
2010-08-15 12:34 . 2009-02-08 22:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-15 12:34 . 2009-02-08 22:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-13 06:34 . 2008-09-14 11:20 -------- d-----w- c:\users\Pete\AppData\Roaming\OpenOffice.org2
2010-08-13 06:33 . 2008-09-14 11:21 1 ----a-w- c:\users\Pete\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-08-12 09:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-11 16:27 . 2008-09-12 13:26 -------- d-----w- c:\users\Pete\AppData\Roaming\Skype
2010-08-11 16:05 . 2008-09-12 18:45 -------- d-----w- c:\users\Pete\AppData\Roaming\skypePM
2010-08-06 15:42 . 2008-09-12 12:55 -------- d-----w- c:\program files\Common Files\Steam
2010-08-06 11:43 . 2010-05-05 21:22 -------- d-----w- c:\users\Pete\AppData\Roaming\QuickScan
2010-08-01 20:53 . 2009-01-26 17:38 -------- d-----w- c:\users\Pete\AppData\Roaming\gtk-2.0
2010-07-29 17:22 . 2010-05-14 18:24 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-29 17:22 . 2010-05-14 18:24 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-16 21:49 . 2009-06-30 19:34 -------- d-----w- c:\users\Pete\AppData\Roaming\uTorrent
2010-07-16 21:48 . 2010-07-16 21:48 388096 ----a-r- c:\users\Pete\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-16 21:48 . 2010-07-16 21:48 -------- d-----w- c:\program files\Trend Micro
2010-07-15 16:41 . 2008-09-12 12:43 -------- d-----w- c:\programdata\Skype
2010-06-29 15:47 . 2010-08-11 16:58 834048 ----a-w- c:\windows\system32\wininet.dll
2010-06-28 16:13 . 2010-08-11 16:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-21 13:37 . 2010-08-11 16:58 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-20 19:58 . 2008-10-12 22:23 -------- d-----w- c:\users\Pete\AppData\Roaming\dvdcss
2010-06-20 14:44 . 2010-06-20 14:44 -------- d-----w- c:\users\Pete\AppData\Roaming\HandBrake
2010-06-20 14:44 . 2010-06-20 14:44 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer
2010-06-20 14:44 . 2010-06-20 14:44 -------- d-----w- c:\program files\Handbrake
2010-06-20 14:06 . 2008-10-25 14:41 -------- d-----w- c:\users\Pete\AppData\Roaming\Apple Computer
2010-06-20 14:05 . 2008-10-08 12:44 -------- d-----w- c:\programdata\Apple
2010-06-20 13:53 . 2010-06-20 13:52 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-20 13:53 . 2010-06-20 13:52 -------- d-----w- c:\program files\iTunes
2010-06-20 13:52 . 2010-06-20 13:52 -------- d-----w- c:\program files\iPod
2010-06-20 13:52 . 2008-10-08 12:45 -------- d-----w- c:\program files\Common Files\Apple
2010-06-20 13:52 . 2008-10-08 12:45 -------- d-----w- c:\programdata\Apple Computer
2010-06-20 13:51 . 2010-06-20 13:51 -------- d-----w- c:\program files\QuickTime
2010-06-20 13:49 . 2010-06-20 13:49 -------- d-----w- c:\program files\Apple Software Update
2010-06-20 13:48 . 2008-10-25 14:40 -------- d-----w- c:\program files\Bonjour
2010-06-18 17:31 . 2010-08-11 16:58 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-18 15:04 . 2010-08-11 16:58 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 15:04 . 2010-08-11 16:58 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-17 19:22 . 2010-06-17 19:21 -------- d-----w- c:\programdata\NovoSun Technology
2010-06-17 19:21 . 2010-06-17 19:21 -------- d-----w- c:\program files\NovoSun Technology
2010-06-17 19:08 . 2010-06-17 19:06 -------- d-----w- c:\programdata\vhp
2010-06-17 19:07 . 2010-06-17 19:07 -------- d-----w- c:\programdata\vh_arm
2010-06-17 19:06 . 2008-09-12 10:55 680 ----a-w- c:\users\Pete\AppData\Local\d3d9caps.dat
2010-06-17 18:43 . 2010-06-17 18:43 133648 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-17 18:43 . 2010-06-17 18:43 133720 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-16 16:04 . 2010-08-11 16:58 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-15 19:01 . 2010-06-15 19:01 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-11 16:16 . 2010-08-11 16:58 274944 ----a-w- c:\windows\system32\schannel.dll
2010-06-11 16:15 . 2010-08-11 16:58 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 17:35 . 2010-08-11 16:58 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35 . 2010-08-11 16:58 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-01 17:39 . 2010-05-14 20:14 311296 ----a-w- c:\windows\system32\TubeFinder.exe
2010-05-27 20:08 . 2010-08-11 16:58 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-05-26 17:06 . 2010-06-11 07:43 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 07:43 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 13:14 . 2009-10-03 08:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35 . 2010-05-18 15:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-05 21:57 . 2010-05-05 21:57 2 --shatr- c:\windows\winstart.bat
2009-06-01 22:05 . 2009-06-01 22:05 8 --sh--r- c:\windows\System32\02F1B0C055.sys
2010-03-12 14:44 . 2009-06-01 21:46 2672 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-08-12 21741864]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-23 380928]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"Malwarebytes Anti-Malware (reboot)"="c:\users\Pete\Desktop\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"LoadWatcher"=Test
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"4oD"="c:\program files\Kontiki\KHost.exe" -all
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Skytel"=Skytel.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"RtHDVCpl"=RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):cf,24,3c,21,82,ad,ca,01

R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [x]
R1 vsmcyyhf;vsmcyyhf;c:\windows\system32\drivers\vsmcyyhf.sys [x]
R2 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [x]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [x]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\7E30.tmp [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-22 7680]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
R3 Navcar;Navman In-car Navigator USB Driver Service;c:\windows\system32\DRIVERS\Navcar.sys [2006-09-18 30329]
R3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys [x]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-11-03 21520]
S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2009-06-18 18816]
S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2009-03-04 202016]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x86.sys [2009-04-27 47104]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - LXRSH
*Deregistered* - lxrsh

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\User_Feed_Synchronization-{6F8F7FF8-D362-4AA2-8352-89EA4F09A64E}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\o0oepl13.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\o0oepl13.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\programdata\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\o0oepl13.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 00:50
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7E30.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\lxrsh]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2194419042-3711577458-1307208439-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* m*p*4*\OpenWithList]
@Class="Shell"
"a"="firefox.exe"
"MRUList"="a"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1392)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\libaprutil_tsvn.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\conime.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2010-08-16 00:57:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-15 23:57

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 118,029,721,600 bytes free

- - End Of File - - 7C0E6E28F85B02CB1AB875C2407D4DC9
cerebellum9
Active Member
 
Posts: 12
Joined: July 16th, 2010, 5:52 pm


Re: Rootkit.Win32.Agent.bert

Unread postby xixo_12 » August 16th, 2010, 5:09 am

Hi,

Why did you run ComboFix in safe mode?
Any explanation?
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Rootkit.Win32.Agent.bert

Unread postby cerebellum9 » August 16th, 2010, 5:38 am

Hi,

It wasn't working originally. I gave it a go and it suddenly decided to work, albeit very slowly. Here is the report:

ComboFix 10-08-15.01 - Pete 16/08/2010 11:12:05.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3326.2076 [GMT 1:00]
Running from: c:\users\Pete\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\lxrsh.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_lxrsh
-------\Service_lxrsh


((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))
.

2010-08-16 10:35 . 2010-08-16 10:47 -------- d-----w- c:\users\Pete\AppData\Local\temp
2010-08-16 10:35 . 2010-08-16 10:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-16 10:35 . 2010-08-16 10:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-15 14:47 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-15 14:47 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-15 14:44 . 2010-08-15 14:44 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-08-15 14:44 . 2010-08-15 14:45 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-08-15 14:44 . 2010-08-15 14:44 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-08-12 14:54 . 2010-08-12 14:54 -------- d-----w- c:\program files\Common Files\Pearson VUE Common
2010-08-11 12:53 . 2010-08-11 12:53 -------- d-----w- c:\programdata\SupportSoft
2010-08-11 12:52 . 2010-08-11 12:52 -------- d-----w- c:\program files\O2
2010-08-11 12:50 . 2010-08-11 12:50 -------- d-----w- c:\program files\O2_Installer
2010-08-11 12:31 . 2010-08-11 12:31 -------- d-----w- c:\users\Pete\AppData\Local\SupportSoft
2010-08-11 12:30 . 2010-08-11 12:30 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-08-06 18:03 . 2010-08-06 18:03 -------- d-----w- c:\program files\Lame for Audacity
2010-08-06 18:00 . 2010-08-08 16:07 -------- d-----w- c:\users\Pete\AppData\Roaming\Audacity
2010-08-06 17:59 . 2010-08-06 18:00 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2010-08-01 20:53 . 2010-08-01 20:53 -------- d-----w- c:\users\Pete\.thumbnails
2010-07-29 15:59 . 2010-07-29 15:59 -------- d-----w- c:\users\Pete\AppData\Local\skpijauqk
2010-07-27 15:44 . 2010-07-27 15:44 -------- d-----w- c:\users\Pete\AppData\Local\kqshxlwqv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 10:50 . 2008-09-24 14:28 -------- d-----w- c:\programdata\Kontiki
2010-08-16 10:48 . 2010-05-26 16:29 34805 ----a-w- c:\programdata\nvModes.dat
2010-08-16 09:55 . 2010-05-14 18:23 -------- d-----w- c:\programdata\Kaspersky Lab
2010-08-15 20:39 . 2008-09-12 12:55 -------- d-----w- c:\program files\Steam
2010-08-15 14:45 . 2010-08-15 14:45 139152 ----a-w- c:\users\Pete\AppData\Roaming\PnkBstrK.sys
2010-08-15 14:45 . 2010-08-15 14:45 139152 ----a-w- c:\users\Pete\AppData\Roaming\PnkBstrK.sys
2010-08-15 12:34 . 2009-02-08 22:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-15 12:34 . 2009-02-08 22:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-13 06:34 . 2008-09-14 11:20 -------- d-----w- c:\users\Pete\AppData\Roaming\OpenOffice.org2
2010-08-13 06:33 . 2008-09-14 11:21 1 ----a-w- c:\users\Pete\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-08-12 09:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-11 16:27 . 2008-09-12 13:26 -------- d-----w- c:\users\Pete\AppData\Roaming\Skype
2010-08-11 16:05 . 2008-09-12 18:45 -------- d-----w- c:\users\Pete\AppData\Roaming\skypePM
2010-08-06 15:42 . 2008-09-12 12:55 -------- d-----w- c:\program files\Common Files\Steam
2010-08-06 11:43 . 2010-05-05 21:22 -------- d-----w- c:\users\Pete\AppData\Roaming\QuickScan
2010-08-01 20:53 . 2009-01-26 17:38 -------- d-----w- c:\users\Pete\AppData\Roaming\gtk-2.0
2010-07-29 17:22 . 2010-05-14 18:24 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-29 17:22 . 2010-05-14 18:24 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-16 21:49 . 2009-06-30 19:34 -------- d-----w- c:\users\Pete\AppData\Roaming\uTorrent
2010-07-16 21:48 . 2010-07-16 21:48 388096 ----a-r- c:\users\Pete\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-16 21:48 . 2010-07-16 21:48 -------- d-----w- c:\program files\Trend Micro
2010-07-15 16:41 . 2008-09-12 12:43 -------- d-----w- c:\programdata\Skype
2010-06-29 15:47 . 2010-08-11 16:58 834048 ----a-w- c:\windows\system32\wininet.dll
2010-06-28 16:13 . 2010-08-11 16:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-21 13:37 . 2010-08-11 16:58 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-20 19:58 . 2008-10-12 22:23 -------- d-----w- c:\users\Pete\AppData\Roaming\dvdcss
2010-06-20 14:44 . 2010-06-20 14:44 -------- d-----w- c:\users\Pete\AppData\Roaming\HandBrake
2010-06-20 14:44 . 2010-06-20 14:44 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer
2010-06-20 14:44 . 2010-06-20 14:44 -------- d-----w- c:\program files\Handbrake
2010-06-20 14:06 . 2008-10-25 14:41 -------- d-----w- c:\users\Pete\AppData\Roaming\Apple Computer
2010-06-20 14:05 . 2008-10-08 12:44 -------- d-----w- c:\programdata\Apple
2010-06-20 13:53 . 2010-06-20 13:52 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-20 13:53 . 2010-06-20 13:52 -------- d-----w- c:\program files\iTunes
2010-06-20 13:52 . 2010-06-20 13:52 -------- d-----w- c:\program files\iPod
2010-06-20 13:52 . 2008-10-08 12:45 -------- d-----w- c:\program files\Common Files\Apple
2010-06-20 13:52 . 2008-10-08 12:45 -------- d-----w- c:\programdata\Apple Computer
2010-06-20 13:51 . 2010-06-20 13:51 -------- d-----w- c:\program files\QuickTime
2010-06-20 13:49 . 2010-06-20 13:49 -------- d-----w- c:\program files\Apple Software Update
2010-06-20 13:48 . 2008-10-25 14:40 -------- d-----w- c:\program files\Bonjour
2010-06-18 17:31 . 2010-08-11 16:58 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-18 15:04 . 2010-08-11 16:58 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 15:04 . 2010-08-11 16:58 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-17 19:22 . 2010-06-17 19:21 -------- d-----w- c:\programdata\NovoSun Technology
2010-06-17 19:21 . 2010-06-17 19:21 -------- d-----w- c:\program files\NovoSun Technology
2010-06-17 19:08 . 2010-06-17 19:06 -------- d-----w- c:\programdata\vhp
2010-06-17 19:07 . 2010-06-17 19:07 -------- d-----w- c:\programdata\vh_arm
2010-06-17 19:06 . 2008-09-12 10:55 680 ----a-w- c:\users\Pete\AppData\Local\d3d9caps.dat
2010-06-17 18:43 . 2010-06-17 18:43 133648 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-17 18:43 . 2010-06-17 18:43 133720 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-16 16:04 . 2010-08-11 16:58 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-15 19:01 . 2010-06-15 19:01 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-11 16:16 . 2010-08-11 16:58 274944 ----a-w- c:\windows\system32\schannel.dll
2010-06-11 16:15 . 2010-08-11 16:58 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 17:35 . 2010-08-11 16:58 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35 . 2010-08-11 16:58 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-01 17:39 . 2010-05-14 20:14 311296 ----a-w- c:\windows\system32\TubeFinder.exe
2010-05-27 20:08 . 2010-08-11 16:58 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-05-26 17:06 . 2010-06-11 07:43 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 07:43 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 13:14 . 2009-10-03 08:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35 . 2010-05-18 15:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-05 21:57 . 2010-05-05 21:57 2 --shatr- c:\windows\winstart.bat
2009-06-01 22:05 . 2009-06-01 22:05 8 --sh--r- c:\windows\System32\02F1B0C055.sys
2010-03-12 14:44 . 2009-06-01 21:46 2672 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-08-12 21741864]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-23 380928]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"Malwarebytes Anti-Malware (reboot)"="c:\users\Pete\Desktop\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~1\KASPER~1\KASPER~1\kloehk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"LoadWatcher"=Test
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"4oD"="c:\program files\Kontiki\KHost.exe" -all
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Skytel"=Skytel.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"RtHDVCpl"=RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):cf,24,3c,21,82,ad,ca,01

R2 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [x]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [x]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-11-03 21520]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x86.sys [2009-04-27 47104]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\User_Feed_Synchronization-{6F8F7FF8-D362-4AA2-8352-89EA4F09A64E}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\o0oepl13.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\o0oepl13.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\programdata\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\o0oepl13.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 11:47
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7E30.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2194419042-3711577458-1307208439-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* m*p*4*\OpenWithList]
@Class="Shell"
"a"="firefox.exe"
"MRUList"="a"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3668)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\System32\msshsq.dll
c:\windows\system32\wpdshserviceobj.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\O2\bin\sprtsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2010-08-16 11:54:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-16 10:53
ComboFix2.txt 2010-08-15 23:57

Pre-Run: 118,092,705,792 bytes free
Post-Run: 116,566,532,096 bytes free

- - End Of File - - 69C6F644053FB4BADBCEC370F4A802B5
cerebellum9
Active Member
 
Posts: 12
Joined: July 16th, 2010, 5:52 pm

Re: Rootkit.Win32.Agent.bert

Unread postby xixo_12 » August 16th, 2010, 8:14 am

Hi,
Let's try this.

First,
CFScript
  • Close any open browsers.
  • Open notepad and copy/paste the text in the code box below into it:
    Code:
    File::
    c:\windows\system32\PnkBstrB.exe
    c:\windows\system32\pbsvc.exe
    c:\windows\system32\PnkBstrA.exe
    c:\users\Pete\AppData\Roaming\PnkBstrK.sys
    c:\users\Pete\AppData\Roaming\PnkBstrK.sys
    c:\windows\winstart.bat
    Folder::
    c:\users\Pete\AppData\Roaming\uTorrent
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
    Image
  • Referring to the picture above, drag CFScript.txt onto ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


Next,
Analyze file(s).
Please visit Jotti.
Click on Browse > copy the links below (one by one) and paste each into the File name box > click Open:
c:\users\Pete\AppData\Local\d3d9caps.dat
c:\windows\System32\02F1B0C055.sys

  • Press Submit file - this will submit the file for testing.
  • Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of a web address:
Image

Next,
SystemLook by jpshortstuff.
Please download from one of the links below and save it to the Desktop.
Download Mirror #1
Download Mirror #2

  • Right click on SystemLook.exe > Run as Administrator to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :dir
    c:\users\Pete\AppData\Local\skpijauqk
    c:\users\Pete\AppData\Local\kqshxlwqv
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

What you need to post
Checklist.
  • Content of ComboFix.txt
  • Web links - 2
  • Content of SystemLook.txt
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Rootkit.Win32.Agent.bert

Unread postby cerebellum9 » August 16th, 2010, 9:42 am

ComboFix 10-08-15.01 - Pete 16/08/2010 13:58:59.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3326.1908 [GMT 1:00]
Running from: c:\users\Pete\Desktop\ComboFix.exe
Command switches used :: c:\users\Pete\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Pete\AppData\Roaming\PnkBstrK.sys"
"c:\windows\system32\pbsvc.exe"
"c:\windows\system32\PnkBstrA.exe"
"c:\windows\system32\PnkBstrB.exe"
"c:\windows\winstart.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Pete\AppData\Roaming\PnkBstrK.sys
c:\users\Pete\AppData\Roaming\uTorrent
c:\users\Pete\AppData\Roaming\uTorrent\dht.dat
c:\users\Pete\AppData\Roaming\uTorrent\resume.dat
c:\users\Pete\AppData\Roaming\uTorrent\rss.dat
c:\users\Pete\AppData\Roaming\uTorrent\settings.dat
c:\users\Pete\AppData\Roaming\uTorrent\settings.dat.old
c:\windows\system32\pbsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\winstart.bat

.
((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))
.

2010-08-16 13:21 . 2010-08-16 13:22 -------- d-----w- c:\users\Pete\AppData\Local\temp
2010-08-16 13:21 . 2010-08-16 13:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-16 13:21 . 2010-08-16 13:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-15 14:47 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-15 14:47 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-12 14:54 . 2010-08-12 14:54 -------- d-----w- c:\program files\Common Files\Pearson VUE Common
2010-08-11 12:53 . 2010-08-11 12:53 -------- d-----w- c:\programdata\SupportSoft
2010-08-11 12:52 . 2010-08-11 12:52 -------- d-----w- c:\program files\O2
2010-08-11 12:50 . 2010-08-11 12:50 -------- d-----w- c:\program files\O2_Installer
2010-08-11 12:31 . 2010-08-11 12:31 -------- d-----w- c:\users\Pete\AppData\Local\SupportSoft
2010-08-11 12:30 . 2010-08-11 12:30 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-08-06 18:03 . 2010-08-06 18:03 -------- d-----w- c:\program files\Lame for Audacity
2010-08-06 18:00 . 2010-08-08 16:07 -------- d-----w- c:\users\Pete\AppData\Roaming\Audacity
2010-08-06 17:59 . 2010-08-06 18:00 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2010-08-01 20:53 . 2010-08-01 20:53 -------- d-----w- c:\users\Pete\.thumbnails
2010-07-29 15:59 . 2010-07-29 15:59 -------- d-----w- c:\users\Pete\AppData\Local\skpijauqk
2010-07-27 15:44 . 2010-07-27 15:44 -------- d-----w- c:\users\Pete\AppData\Local\kqshxlwqv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 13:22 . 2008-09-24 14:28 -------- d-----w- c:\programdata\Kontiki
2010-08-16 10:55 . 2010-05-14 18:23 -------- d-----w- c:\programdata\Kaspersky Lab
2010-08-16 10:48 . 2010-05-26 16:29 34805 ----a-w- c:\programdata\nvModes.dat
2010-08-15 20:39 . 2008-09-12 12:55 -------- d-----w- c:\program files\Steam
2010-08-15 12:34 . 2009-02-08 22:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-15 12:34 . 2009-02-08 22:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-13 06:34 . 2008-09-14 11:20 -------- d-----w- c:\users\Pete\AppData\Roaming\OpenOffice.org2
2010-08-13 06:33 . 2008-09-14 11:21 1 ----a-w- c:\users\Pete\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-08-12 09:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-11 16:27 . 2008-09-12 13:26 -------- d-----w- c:\users\Pete\AppData\Roaming\Skype
2010-08-11 16:05 . 2008-09-12 18:45 -------- d-----w- c:\users\Pete\AppData\Roaming\skypePM
2010-08-06 15:42 . 2008-09-12 12:55 -------- d-----w- c:\program files\Common Files\Steam
2010-08-06 11:43 . 2010-05-05 21:22 -------- d-----w- c:\users\Pete\AppData\Roaming\QuickScan
2010-08-01 20:53 . 2009-01-26 17:38 -------- d-----w- c:\users\Pete\AppData\Roaming\gtk-2.0
2010-07-29 17:22 . 2010-05-14 18:24 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-29 17:22 . 2010-05-14 18:24 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-16 21:48 . 2010-07-16 21:48 388096 ----a-r- c:\users\Pete\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-16 21:48 . 2010-07-16 21:48 -------- d-----w- c:\program files\Trend Micro
2010-07-15 16:41 . 2008-09-12 12:43 -------- d-----w- c:\programdata\Skype
2010-06-29 15:47 . 2010-08-11 16:58 834048 ----a-w- c:\windows\system32\wininet.dll
2010-06-28 16:13 . 2010-08-11 16:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-21 13:37 . 2010-08-11 16:58 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-20 19:58 . 2008-10-12 22:23 -------- d-----w- c:\users\Pete\AppData\Roaming\dvdcss
2010-06-20 14:44 . 2010-06-20 14:44 -------- d-----w- c:\users\Pete\AppData\Roaming\HandBrake
2010-06-20 14:44 . 2010-06-20 14:44 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer
2010-06-20 14:44 . 2010-06-20 14:44 -------- d-----w- c:\program files\Handbrake
2010-06-20 14:06 . 2008-10-25 14:41 -------- d-----w- c:\users\Pete\AppData\Roaming\Apple Computer
2010-06-20 14:05 . 2008-10-08 12:44 -------- d-----w- c:\programdata\Apple
2010-06-20 13:53 . 2010-06-20 13:52 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-20 13:53 . 2010-06-20 13:52 -------- d-----w- c:\program files\iTunes
2010-06-20 13:52 . 2010-06-20 13:52 -------- d-----w- c:\program files\iPod
2010-06-20 13:52 . 2008-10-08 12:45 -------- d-----w- c:\program files\Common Files\Apple
2010-06-20 13:52 . 2008-10-08 12:45 -------- d-----w- c:\programdata\Apple Computer
2010-06-20 13:51 . 2010-06-20 13:51 -------- d-----w- c:\program files\QuickTime
2010-06-20 13:49 . 2010-06-20 13:49 -------- d-----w- c:\program files\Apple Software Update
2010-06-20 13:48 . 2008-10-25 14:40 -------- d-----w- c:\program files\Bonjour
2010-06-18 17:31 . 2010-08-11 16:58 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-18 15:04 . 2010-08-11 16:58 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 15:04 . 2010-08-11 16:58 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-17 19:22 . 2010-06-17 19:21 -------- d-----w- c:\programdata\NovoSun Technology
2010-06-17 19:21 . 2010-06-17 19:21 -------- d-----w- c:\program files\NovoSun Technology
2010-06-17 19:08 . 2010-06-17 19:06 -------- d-----w- c:\programdata\vhp
2010-06-17 19:07 . 2010-06-17 19:07 -------- d-----w- c:\programdata\vh_arm
2010-06-17 19:06 . 2008-09-12 10:55 680 ----a-w- c:\users\Pete\AppData\Local\d3d9caps.dat
2010-06-17 18:43 . 2010-06-17 18:43 133648 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-17 18:43 . 2010-06-17 18:43 133720 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-16 16:04 . 2010-08-11 16:58 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-15 19:01 . 2010-06-15 19:01 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-11 16:16 . 2010-08-11 16:58 274944 ----a-w- c:\windows\system32\schannel.dll
2010-06-11 16:15 . 2010-08-11 16:58 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 17:35 . 2010-08-11 16:58 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35 . 2010-08-11 16:58 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-01 17:39 . 2010-05-14 20:14 311296 ----a-w- c:\windows\system32\TubeFinder.exe
2010-05-27 20:08 . 2010-08-11 16:58 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-05-26 17:06 . 2010-06-11 07:43 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 07:43 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 13:14 . 2009-10-03 08:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35 . 2010-05-18 15:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-01 22:05 . 2009-06-01 22:05 8 --sh--r- c:\windows\System32\02F1B0C055.sys
2010-03-12 14:44 . 2009-06-01 21:46 2672 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-08-12 21741864]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-23 380928]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"Malwarebytes Anti-Malware (reboot)"="c:\users\Pete\Desktop\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"LoadWatcher"=Test
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"4oD"="c:\program files\Kontiki\KHost.exe" -all
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Skytel"=Skytel.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"RtHDVCpl"=RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):cf,24,3c,21,82,ad,ca,01

R2 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [x]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [x]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-11-03 21520]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x86.sys [2009-04-27 47104]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\User_Feed_Synchronization-{6F8F7FF8-D362-4AA2-8352-89EA4F09A64E}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\o0oepl13.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\o0oepl13.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\programdata\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\o0oepl13.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 14:21
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7E30.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2194419042-3711577458-1307208439-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* m*p*4*\OpenWithList]
@Class="Shell"
"a"="firefox.exe"
"MRUList"="a"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-16 14:25:52
ComboFix-quarantined-files.txt 2010-08-16 13:25
ComboFix2.txt 2010-08-16 10:54
ComboFix3.txt 2010-08-15 23:57

Pre-Run: 116,514,574,336 bytes free
Post-Run: 115,933,356,032 bytes free

- - End Of File - - 9BB48C0B5687FCE651D44CA47F3DA32F



http://virusscan.jotti.org/en-gb/scanre ... 2ba03bd524

http://virusscan.jotti.org/en-gb/scanre ... d7df24080d


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:41 on 16/08/2010 by Pete (Administrator - Elevation successful)

========== dir ==========

c:\users\Pete\AppData\Local\skpijauqk - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

c:\users\Pete\AppData\Local\kqshxlwqv - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

-=End Of File=-
cerebellum9
Active Member
 
Posts: 12
Joined: July 16th, 2010, 5:52 pm

Re: Rootkit.Win32.Agent.bert

Unread postby xixo_12 » August 16th, 2010, 9:54 am

Hi,

Looking good. Do give feedback about your system.
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Rootkit.Win32.Agent.bert

Unread postby cerebellum9 » August 16th, 2010, 10:58 am

Fantastic, thank you so much for your help! I really appreciate it. Hopefully that has finally got rid of it!
cerebellum9
Active Member
 
Posts: 12
Joined: July 16th, 2010, 5:52 pm