
Rootkit attack in registry services


  • This topic is locked
3 replies to this topic

#1 Hammerite

Hammerite

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:31 AM

Posted 16 February 2010 - 03:21 PM

Running XP Home on a Compaq machine, I have somehow acquired an unwanted registry folder (Ykdwl) which has a series of malicious services that are written to and hidden in svchost.exe. Malwarebytes, AVG Free, Stopzilla all fail to find the culprit. Running GMER crashes my PC before it completes, as it causes a reboot after about 10-15 minutes; in the meantime I am able to ascertain that the ykdwl has 11 reg keys (HKLM\SYSTEM ... ) that are not visible through Regedit and one refers to a rogue C:\windows\system32\pasgbhv.dll to attach to svchost.exe, but I cannot find this file anywhere on my system. I tried deleting the folder and renaming it, but neither was successful. All attempts to System Restore to a point prior to the problem have been unsuccessful.

Browser searches work fine until you click on a listed site ... at this point I am redirected to various and sundry sites that I did NOT wish to access. If anyone can help me with this and help me get past the GMER problem so I can give full details, I would very much appreciate it. I've spent all day going round in circles chasing my tail on this. I'm hoping that for someone who knows what they are doing, this might be a relatively simple fix?

dds file if it helps:

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 17/06/2008 22:36:25
System Uptime: 16/02/2010 12:15:38 (1 hours ago)

Motherboard: ASUSTek Computer INC. | | LITHIUM
Processor: Intel® Pentium® D CPU 3.00GHz | Socket 775 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 274 GiB total, 23.531 GiB free.
D: is FIXED (FAT32) - 6 GiB total, 0.65 GiB free.
E: is CDROM ()
F: is CDROM ()
H: is Removable
I: is Removable
J: is Removable
L: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Belkin F5D5005 v2000 Gigabit Desktop PCI Card
Device ID: PCI\VEN_10EC&DEV_8169&SUBSYS_50051799&REV_10\4&1AF1648C&0&18F0
Manufacturer: Belkin Corporation
Name: Belkin F5D5005 v2000 Gigabit Desktop PCI Card
PNP Device ID: PCI\VEN_10EC&DEV_8169&SUBSYS_50051799&REV_10\4&1AF1648C&0&18F0
Service: RTL8023xp

==== System Restore Points ===================

RP285: 18/11/2009 18:19:33 - System Checkpoint
RP286: 19/11/2009 18:53:25 - System Checkpoint
RP287: 20/11/2009 19:43:13 - System Checkpoint
RP288: 21/11/2009 21:26:16 - System Checkpoint
RP289: 22/11/2009 21:45:50 - System Checkpoint
RP290: 24/11/2009 00:06:56 - System Checkpoint
RP291: 25/11/2009 00:45:52 - System Checkpoint
RP292: 26/11/2009 01:45:57 - System Checkpoint
RP293: 26/11/2009 03:00:34 - Software Distribution Service 3.0
RP294: 26/11/2009 08:13:18 - Avg8 Update
RP295: 27/11/2009 08:25:18 - System Checkpoint
RP296: 27/12/2009 19:45:00 - System Checkpoint
RP297: 28/11/2009 06:28:35 - Installed AVG Free 9.0
RP298: 28/11/2009 08:45:48 - Avg8 Update
RP299: 28/11/2009 08:46:39 - Avg8 Update
RP300: 29/11/2009 09:40:46 - System Checkpoint
RP301: 30/11/2009 10:39:43 - System Checkpoint
RP302: 01/12/2009 11:39:42 - System Checkpoint
RP303: 02/12/2009 12:39:42 - System Checkpoint
RP304: 03/12/2009 13:39:42 - System Checkpoint
RP305: 04/12/2009 14:39:42 - System Checkpoint
RP306: 05/12/2009 15:38:10 - System Checkpoint
RP307: 06/12/2009 07:30:36 - Installed Microsoft Outlook Personal Folders Backup
RP308: 07/12/2009 07:40:46 - System Checkpoint
RP309: 08/12/2009 18:19:26 - System Checkpoint
RP310: 09/12/2009 20:30:54 - System Checkpoint
RP311: 10/12/2009 03:01:14 - Software Distribution Service 3.0
RP312: 11/12/2009 05:52:13 - System Checkpoint
RP313: 12/12/2009 06:32:30 - System Checkpoint
RP314: 12/12/2009 09:27:21 - Avg8 Update
RP315: 12/12/2009 09:27:53 - Avg8 Update
RP316: 12/12/2009 12:31:18 - Installed Adobe Photoshop
RP317: 13/12/2009 14:44:57 - System Checkpoint
RP318: 14/12/2009 15:42:18 - System Checkpoint
RP319: 15/12/2009 16:31:00 - System Checkpoint
RP320: 16/12/2009 18:55:07 - System Checkpoint
RP321: 17/12/2009 19:49:52 - System Checkpoint
RP322: 18/12/2009 20:39:38 - System Checkpoint
RP323: 19/12/2009 03:00:50 - Software Distribution Service 3.0
RP324: 19/12/2009 09:34:32 - Avg8 Update
RP325: 20/12/2009 14:19:13 - System Checkpoint
RP326: 21/12/2009 15:30:06 - System Checkpoint
RP327: 22/12/2009 16:44:52 - System Checkpoint
RP328: 23/12/2009 08:55:18 - Avg8 Update
RP329: 24/12/2009 09:21:06 - System Checkpoint
RP330: 25/12/2009 13:22:11 - System Checkpoint
RP331: 26/12/2009 14:07:26 - System Checkpoint
RP332: 27/12/2009 14:08:32 - System Checkpoint
RP333: 28/12/2009 15:08:31 - System Checkpoint
RP334: 29/12/2009 16:56:22 - System Checkpoint
RP335: 30/12/2009 21:17:01 - System Checkpoint
RP336: 31/12/2009 22:07:29 - System Checkpoint
RP337: 01/01/2010 09:17:33 - Avg8 Update
RP338: 02/01/2010 10:58:58 - System Checkpoint
RP339: 03/01/2010 11:07:22 - System Checkpoint
RP340: 04/01/2010 12:04:38 - System Checkpoint
RP341: 05/01/2010 12:07:22 - System Checkpoint
RP342: 06/01/2010 13:07:22 - System Checkpoint
RP343: 07/01/2010 14:07:22 - System Checkpoint
RP344: 08/01/2010 15:07:22 - System Checkpoint
RP345: 09/01/2010 18:58:09 - System Checkpoint
RP346: 10/01/2010 19:16:26 - System Checkpoint
RP347: 11/01/2010 19:17:41 - System Checkpoint
RP348: 12/01/2010 20:04:44 - System Checkpoint
RP349: 13/01/2010 03:00:36 - Software Distribution Service 3.0
RP350: 14/01/2010 03:33:19 - System Checkpoint
RP351: 15/01/2010 16:42:26 - System Checkpoint
RP352: 16/01/2010 16:48:43 - System Checkpoint
RP353: 17/01/2010 19:22:38 - System Checkpoint
RP354: 18/01/2010 22:10:57 - System Checkpoint
RP355: 19/01/2010 09:23:28 - Avg8 Update
RP356: 20/01/2010 03:00:34 - Software Distribution Service 3.0
RP357: 21/01/2010 03:41:07 - System Checkpoint
RP358: 22/01/2010 17:20:59 - System Checkpoint
RP359: 23/01/2010 03:00:39 - Software Distribution Service 3.0
RP360: 24/01/2010 03:54:46 - System Checkpoint
RP361: 24/01/2010 13:46:48 - Removed CyberLink InstantBurn
RP362: 25/01/2010 13:50:32 - System Checkpoint
RP363: 26/01/2010 14:53:44 - System Checkpoint
RP364: 27/01/2010 09:18:03 - Avg8 Update
RP365: 28/01/2010 09:45:46 - System Checkpoint
RP366: 29/01/2010 10:26:07 - System Checkpoint
RP367: 30/01/2010 11:40:55 - System Checkpoint
RP368: 31/01/2010 11:58:42 - System Checkpoint
RP369: 01/02/2010 13:00:22 - System Checkpoint
RP370: 02/02/2010 13:58:42 - System Checkpoint
RP371: 03/02/2010 17:20:31 - System Checkpoint
RP372: 04/02/2010 18:01:21 - System Checkpoint
RP373: 05/02/2010 18:03:22 - System Checkpoint
RP374: 06/02/2010 20:35:18 - System Checkpoint
RP375: 07/02/2010 20:50:04 - System Checkpoint
RP376: 08/02/2010 22:01:50 - System Checkpoint
RP377: 09/02/2010 23:58:27 - System Checkpoint
RP378: 11/02/2010 00:40:37 - System Checkpoint
RP379: 11/02/2010 03:00:38 - Software Distribution Service 3.0
RP380: 12/02/2010 03:46:11 - System Checkpoint
RP381: 13/02/2010 04:44:50 - System Checkpoint
RP382: 14/02/2010 07:49:14 - Restore Operation
RP383: 14/02/2010 15:54:20 - Valentine
RP384: 14/02/2010 19:56:12 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP385: 15/02/2010 10:18:12 - Spyware Terminator - restore point
RP386: 15/02/2010 11:06:52 - Removed Stopzilla Toolbar
RP387: 15/02/2010 11:14:47 - Spyware Terminator - restore point
RP388: 15/02/2010 13:30:55 - Removed Adobe Flash Player 10 Plugin.
RP389: 15/02/2010 13:54:59 - Installed Windows NLSDownlevelMapping.
RP390: 15/02/2010 13:55:34 - Installed Windows IDNMitigationAPIs.
RP391: 15/02/2010 13:56:05 - Installed Windows Internet Explorer 7.
RP392: 15/02/2010 14:19:32 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP393: 15/02/2010 14:22:57 - Software Distribution Service 3.0
RP394: 15/02/2010 14:30:26 - Installed Windows NLSDownlevelMapping.
RP395: 15/02/2010 14:30:59 - Installed Windows IDNMitigationAPIs.
RP396: 15/02/2010 14:31:26 - Installed Windows Internet Explorer 7.
RP397: 15/02/2010 15:23:49 - Software Distribution Service 3.0
RP398: 15/02/2010 16:44:57 - Made by Registry Mechanic
RP399: 15/02/2010 20:54:54 - Configured AVG Free 9.0
RP400: 16/02/2010 02:09:10 - phew
RP401: 16/02/2010 09:49:54 - Avg8 Update
RP402: 16/02/2010 10:09:15 - Installed HiJackThis

==== Installed Programs ======================


2003 GCSE Specimen
ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.1.0 Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9.3
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Amazon MP3 Downloader 1.0.8
Animo AQA GCE Spanish
Animo Grammar Workbook
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
AutoUpdate
AVG Free 9.0
AviSynth 2.5
BitTorrent 4.0.0
Bonjour
BufferChm
Byki
Byki Express for Compaq_Owner
CCleaner
Command & Conquer Tiberian Sun
Compaq Multimedia Keyboard Software
Compatibility Pack for the 2007 Office system
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Creative ZEN Mozaic EZ Series Documentation
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
DivX Player
DivX Pro
Driving Test Success 2006/7
DVD Solution
Easy Internet Sign-up
Edexcel GCSE French e-Spec
Edexcel GCSE German e-Spec
Edexcel GCSE Spanish e-Spec
Elan AQA GCE French
Elan Grammar Workbook
FlashKeeper 3.0
FLV Player 2.0 (build 25)
Free FLV Converter V 6.4.1
FullDPAppQFolder
GoGear Spark Device Manager
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Handmark MONOPOLY for Pocket PC
Heroes of Might and Magic II
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HotPotatoes v 6.2.5.5
HP Boot Optimizer
HP DVD Play 1.0
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Software Update
HpSdpAppCoreApp
InstantShareDevices
Intel® PRO Network Connections Drivers
Internet Services
iTunes
J2SE Runtime Environment 5.0 Update 5
Jalbum 8.0
Japanese Fonts Support For Adobe Reader 9
Jasc Animation Shop 3
Jasc Animation Shop 3 20041030_07 Help file Patch
Jasc Paint Shop Pro 9
Jasc Paint Shop Pro 9.01 - (9.0.1.1)
Jasc Paint Shop Pro 9.01 Patch
Java™ 6 Update 17
Java™ 6 Update 5
Java™ 6 Update 7
LabelPrint 1.0
LDS Handheld Scriptures 2007 - Mobipocket Edition
Lexmark 3600-4600 Series
Lexmark Fax Solutions
Lexmark Toolbar
LG PC Suite II
LimeWire 5.4.6
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia FreeHand 10
Malwarebytes' Anti-Malware
Media
MediaFACE 4.01
MediaFACE 4.01 Image Library
MediaShow 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 SDK - ENU
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Outlook Personal Folders Backup
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mobipocket Reader 6.2
Move Media Player
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch® Jukebox
Nero 6 Ultra Edition
Nokia Connectivity Cable Driver
Notebook Interactive Viewer
Numbers 1 to 10
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00
OptionalContentQFolder
Paris for Alis
PC-Doctor 5 for Windows
PC Pitstop Exterminate2 2.0
PhotoGallery
PhotoNow! 1.0
Player
Power2Go 4.0
PowerBackup 1.0
PowerCinema
PowerDirector
PowerDVD
PowerDVD Copy 1.0
PowerProducer
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickSnooker
QuickTime
RAD Studio
RandMap
RealPlayer
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Sibelius Scorch (ActiveX Only)
SkinsHP1
SMART Board Software
SMART Essentials for Educators
SMART Product Update
SmartSound Quicktracks Plugin
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
SonicStage 4.3
Spybot - Search & Destroy
Spyware Terminator
Unity Web Player
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VLC media player 1.0.0
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows Mobile® Device Handbook
Windows XP Service Pack 3
WinPcap 4.0
WinZip 11.2
Yahoo! Toolbar
YanCEyWare Reader 2.07 Legacy Edition

==== Event Viewer Messages From Past Week ========

15/02/2010 23:42:44, error: Service Control Manager [7034] - The CSIScanner service terminated unexpectedly. It has done this 1 time(s).
15/02/2010 14:19:13, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
15/02/2010 13:31:16, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
15/02/2010 11:54:18, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 86936440, parameter3 869365b4, parameter4 805d297e.
15/02/2010 11:38:24, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 86aa6d38, parameter3 86aa6eac, parameter4 805d297e.
15/02/2010 11:34:39, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor IntelIde ViaIde
15/02/2010 11:34:36, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The authentication service is unknown.
15/02/2010 11:34:36, error: Service Control Manager [7023] - The Installer Image service terminated with the following error: The specified module could not be found.
15/02/2010 11:34:36, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxdxCATSCustConnectService service to connect.
15/02/2010 11:34:36, error: Service Control Manager [7000] - The lxdxCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
13/02/2010 14:56:14, error: Print [6161] - The document Microsoft Word - Document1 owned by Compaq_Owner failed to print on printer Lexmark 3600-4600 Series. Data type: LEMF. Size of the spool file in bytes: 968391. Number of bytes printed: 0. Total number of pages in the document: 10. Number of pages printed: 1. Client machine: \\STEVE. Win32 error code returned by the print processor: 0 (0x0).
13/02/2010 14:55:47, error: Print [6161] - The document Microsoft Word - Document1 owned by Compaq_Owner failed to print on printer Lexmark 3600-4600 Series. Data type: LEMF. Size of the spool file in bytes: 968710. Number of bytes printed: 0. Total number of pages in the document: 10. Number of pages printed: 5. Client machine: \\STEVE. Win32 error code returned by the print processor: 0 (0x0).
09/02/2010 14:32:43, error: Print [19] - Sharing printer failed + 1722, Printer SMART Notebook Print Capture share name Printer.

==== End Of File ===========================


Thanks in advance,

Steve
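The post describes the classic symptoms of a user-mode rootkit: a Services key that Regedit cannot enumerate, and a ServiceDll that svchost.exe loads but that no file search can find. The standard check, and the one GMER-style tools automate, is a cross-view diff: list the same services from several vantage points (the Service Control Manager, the Services registry key, and the svchost group table) and treat any name that appears in one view but not another as suspect, then verify each ServiceDll on disk. The script below is an added example, not code from Steve's post or from any tool mentioned in the thread. It assumes PowerShell 2.0 or later run from an elevated prompt on the suspect machine; the registry paths are the standard ones svchost uses, and nothing else about the system is assumed.

```powershell
# Added example (not from the original post): cross-view check of svchost-hosted
# services. Run from an elevated PowerShell prompt on the suspect machine.
#
# A rootkit that hides a registry key or a file from ordinary API calls still
# has to leave the service reachable by the SCM and by svchost's group table,
# so listing services from several vantage points and diffing them exposes it.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# View 1: Win32 services as reported by the Service Control Manager.
$scmNames = @(Get-Service | ForEach-Object { $_.Name })

# View 2: Services subkeys whose Type marks them as Win32 services
# (0x10 own process, 0x20 shared process). Kernel drivers are skipped so the
# comparison with View 1 is like-for-like.
$regNames = @()
foreach ($k in Get-ChildItem $servicesKey) {
    $type = (Get-ItemProperty -LiteralPath "$servicesKey\$($k.PSChildName)").Type
    if ($type -and ($type -band 0x30)) { $regNames += $k.PSChildName }
}

# View 3: every service name listed in any svchost group (REG_MULTI_SZ values).
$groupNames = @()
foreach ($p in (Get-ItemProperty -LiteralPath $svchostKey).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not groups
    $groupNames += @($p.Value)
}
$groupNames = @($groupNames | Sort-Object -Unique)

Write-Output '== Services present in one view but not another =='
foreach ($d in (Compare-Object $scmNames $regNames)) {
    $where = if ($d.SideIndicator -eq '<=') { 'SCM only' } else { 'registry only' }
    '{0,-30} {1}' -f $d.InputObject, $where
}
foreach ($n in $groupNames) {
    if ($regNames -notcontains $n) {
        '{0,-30} in a svchost group but no visible Services key' -f $n
    }
}

Write-Output '== svchost-hosted services whose ServiceDll is missing or unsigned =='
foreach ($k in Get-ChildItem $servicesKey) {
    $keyPath = "$servicesKey\$($k.PSChildName)"
    $props   = Get-ItemProperty -LiteralPath $keyPath
    if (-not $props.ImagePath -or $props.ImagePath -notmatch 'svchost\.exe') { continue }
    if (-not (Test-Path -LiteralPath "$keyPath\Parameters")) { continue }
    $dll = (Get-ItemProperty -LiteralPath "$keyPath\Parameters").ServiceDll
    if (-not $dll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not (Test-Path -LiteralPath $dll)) {
        '{0,-30} ServiceDll not found on disk: {1}' -f $k.PSChildName, $dll
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $dll
    if ($sig.Status -ne 'Valid') {
        '{0,-30} ServiceDll {1}: {2}' -f $k.PSChildName, $sig.Status, $dll
    }
}
```

Three caveats when reading the output. First, a view mismatch is a prompt for a manual look, not a verdict: a service key written by an installer that has not yet been picked up by the SCM (pending a reboot) shows as "registry only" quite legitimately. Second, on Windows XP most Microsoft system DLLs are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so the signature column is noisy there; the stronger signals are a ServiceDll path that does not exist and a name that one view cannot see. Third, a DLL that Test-Path reports missing but that still shows up in the module list of a running svchost.exe (tasklist /m from a command prompt) is being hidden from the file system API, and a rootkit with a kernel-mode component can hide from all three views at once; in either case the confirmation has to come from an offline scan, booting from clean media and inspecting the disk and the SYSTEM hive from outside the infected OS.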


#2 Hammerite

Hammerite
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:31 AM

Posted 16 February 2010 - 03:54 PM

I have an unwanted folder in my registry (ykdwl) that hides registry keys that run C:\windows\system32\pasgbhv.dll attacking svchost.exe, but I can't seem to fix it. AVG Free, Stopzilla and Malwarebytes all failed; less surprisingly, deleting it and renaming it failed, and a System Restore to before the event of the problem is unsuccessful. Here is the HijackThis readout (I tried this once, but the beta v2.0.3 was refused!)

Any help would be gratefully received,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:54, on 16/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Program Files\Philips\GoGear Spark Device Manager\main.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAutoUpdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\Aware.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\Marker.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\CPVOFRI0\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies Inc\Notebook Software\NotebookPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O4 - Global Startup: Philips GoGear Spark Device Manager.lnk = C:\Program Files\Philips\GoGear Spark Device Manager\main.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate...opAntiVirus.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213924718500
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {82CF9738-0BDA-4AAF-AB08-5AC5875FF3BB} (YMultiRecord Class) - http://www.heinemann.co.uk/demos/Expo1PAP_.../yrecording.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://css.cemcentre.org/ALIS/Site/download/arview2.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.tescophoto.com/wpp/tescophotodi...opcuploader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
O23 - Service: lxdx_device - - C:\WINDOWS\system32\lxdxcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13531 bytes

Edited by Orange Blossom, 16 February 2010 - 07:57 PM.
Merged topics. ~ OB


#3 m0le

  • Malware Response Instructor

Posted 20 February 2010 - 07:26 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE

#4 m0le

  • Malware Response Instructor

Posted 24 February 2010 - 07:52 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.