
Unknown rootkit installed, can't remove


  • This topic is locked
2 replies to this topic

#1 mims1979

Posted 22 April 2009 - 10:19 AM

I'm normally pretty good at removing malware, but this one's giving me a run for my money, so I need a little help.

What I'm seeing in netstat -a is:

TCP mims:1074 78.26.144.206:http SYN_SENT

And a lot of references to:
ovfsthxtymnmiuh.sys

Microsoft OneCare Live free scan keeps detecting the above file and says it deletes it, yet it's still there, and invisible to my eyes.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 11:06:44.56 on Wed 04/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2599 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Strokeit\strokeit.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVAgent2.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVSettingsService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVTaskManagerService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVNetworkService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVSchedulerService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: NuSphere ToolBar: {0f62d223-9206-4ea3-9ea8-d0f3c7c82aca} - c:\program files\nusphere\phped\NuSphereIEBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [StrokeIt] c:\program files\strokeit\strokeit.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [vmware-tray] c:\program files\vmware\vmware workstation\vmware-tray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [WinVNC] "c:\program files\ultravnc\WinVNC.exe" -servicehelper
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autost~1.lnk - c:\program files\wintv\Ir.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\beyond~1.lnk - c:\program files\snapstream media\beyond tv\BTVAgent2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\getrig~1.lnk - c:\program files\getright\getright.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: StartMenuLogoff = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: NuSphere PhpED :: Debug this page - c:\program files\nusphere\phped\NuSphereIEBar.dll/1000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232762556421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1239072875778&h=9041250f6fa84dda79868d6120e8b85e/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DB31DA00-4F6F-4CC7-8627-C5A142E1FC7C} - hxxp://www.syncmyride.com/Own/Modules/UploadDownload/applets/sync.cab
TCP: {9F4620E5-9C13-480E-893B-5EBD54CD78C8} = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2008-5-28 337280]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2008-5-28 54656]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2008-6-24 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2008-6-24 169320]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2008-9-30 1956792]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-29 54960]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2009-1-26 6016]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2005-12-15 34639]
R3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2009-1-24 1464672]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090421.006\naveng.sys [2009-4-22 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090421.006\navex15.sys [2009-4-22 876144]
S0 MFX;MFX; [x]
S3 PsSdk31;PsSdk31;c:\windows\system32\drivers\pssdk31.drv [2009-2-22 30272]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-4-22 30136]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2008-9-30 116664]

============== File Associations ===============

inffile=c:\windows\system32\PAD.EXE %1
inifile=c:\windows\system32\PAD.EXE %1
txtfile=c:\windows\PAD.EXE %1

=============== Created Last 30 ================

2009-04-22 10:27 161,792 a------- c:\windows\SWREG.exe
2009-04-22 10:27 98,816 a------- c:\windows\sed.exe
2009-04-22 00:56 18,944 a------- c:\windows\ALI.EXE
2009-04-22 00:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-22 00:54 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-22 00:54 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-04-22 00:50 <DIR> --d----- c:\windows\pss
2009-04-22 00:20 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-04-22 00:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-22 00:03 30,136 a------- c:\windows\system32\drivers\rspSanity32.sys
2009-04-21 21:29 118 a------- c:\windows\system32\MRT.INI
2009-04-21 20:52 2,711 a------- C:\78875.sym
2009-04-21 01:11 187 a------- c:\windows\z56k2.ini
2009-04-21 00:42 63,744 a------- c:\windows\system32\drivers\mf.sys
2009-04-21 00:42 63,744 a------- c:\windows\system32\dllcache\mf.sys
2009-04-21 00:19 221,184 a------- c:\windows\system32\wmpns.dll
2009-04-21 00:15 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-20 23:25 <DIR> --d----- c:\docume~1\admini~1\applic~1\Folder Guard
2009-04-20 23:07 58 a------- c:\windows\hcs.dat
2009-04-20 21:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-20 21:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-14 18:21 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 18:21 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 18:21 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-14 18:15 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-14 18:15 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-14 18:15 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-14 18:15 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 18:15 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-14 18:15 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-14 18:15 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-14 18:15 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 18:15 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 18:15 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-10 15:43 <DIR> --d----- c:\program files\P2PFilter
2009-04-10 15:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Readon
2009-04-10 15:26 <DIR> --d----- c:\program files\Readon Technology
2009-04-06 22:54 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 22:54 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-04-22 10:32 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-21 12:08 218,624 a------- c:\windows\system32\uxtheme.dll
2009-04-21 12:08 70,083 a------- c:\windows\BricoPackUninst.cmd
2009-04-21 12:08 5,682 a------- c:\windows\BricoPackFoldersDelete.cmd
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-14 00:19 262,144 a------- c:\windows\system32\default_user_class.dat
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-02 20:18 817,152 a------- c:\windows\system32\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-25 21:27 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-02-25 21:27 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-02-25 21:27 361,600 a------- c:\windows\system32\dllcache\TCPIP.SYS
2009-02-22 13:47 30,272 a------- c:\windows\system32\drivers\pssdk31.drv
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-01-31 01:38 73,728 a------- c:\windows\system32\RtNicProp32.dll
2009-01-24 15:17 3,982 a------- c:\windows\kj01d.sys
2009-01-23 21:35 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-23 21:03 16,608 a------- c:\windows\gdrv.sys
2009-01-23 02:18 319,488 a------- c:\windows\HideWin.exe
2009-01-23 02:02 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-04-14 04:42 60,416 a--sh--- c:\windows\bricopacks\sysfiles\80_msimn.exe

============= FINISH: 11:06:58.15 ===============
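The symptoms in the post above (a half-open connection to an outside address, a driver name that antivirus keeps "deleting" but that stays hidden, and file handlers that no longer point at the stock program) are the usual starting points for a rootkit triage. The script below is an added example, not code from the original post or from the DDS tool: it parses the poster's own netstat and DDS lines, which are copied in as sample input (two extra lines are constructed and marked for contrast), and flags the leads a practitioner would check first. The driver file the poster names, ovfsthxtymnmiuh.sys, does not appear anywhere in the pasted DDS driver list, which is consistent with a driver that hides its own file; the "random-looking name" check is a heuristic (a long run of consonants), and the assumption that inffile/inifile/txtfile open with notepad.exe on a stock XP install is stated in the code.

```python
"""Triage helpers for the symptoms described in the post above.

Added example, not code from the original post or from DDS. Sample inputs are
copied from the poster's netstat and DDS output, plus a few constructed lines
(marked) that show what is NOT flagged.
"""
import ipaddress
import re

# Poster's netstat entry, plus one constructed LAN connection for contrast.
NETSTAT_LINES = [
    "TCP mims:1074 78.26.144.206:http SYN_SENT",
    "TCP mims:1075 192.168.1.1:http ESTABLISHED",  # constructed
]

# DDS "SERVICES / DRIVERS" lines copied from the post.
DDS_DRIVER_LINES = [
    r"R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2008-5-28 337280]",
    r"S0 MFX;MFX; [x]",
    r"S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-4-22 30136]",
]

# DDS "File Associations" lines copied from the post, plus the stock XP
# exefile handler (constructed) for contrast.
DDS_ASSOC_LINES = [
    r"inffile=c:\windows\system32\PAD.EXE %1",
    r"inifile=c:\windows\system32\PAD.EXE %1",
    r"txtfile=c:\windows\PAD.EXE %1",
    r'exefile="%1" %*',  # constructed
]

NETSTAT_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)$")
# DDS driver line: "<R|S><start type> name;description;path [date size]" or "... [x]"
DRIVER_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
# Assumption: on a stock Windows XP install these three types open with notepad.exe.
NOTEPAD_HANDLERS = {"inffile", "inifile", "txtfile"}


def external_syn_sent(lines):
    """Half-open (SYN_SENT) connections to addresses outside private/loopback space."""
    hits = []
    for line in lines:
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue
        _proto, _lhost, _lport, rhost, rport, state = m.groups()
        if state != "SYN_SENT":
            continue
        try:
            addr = ipaddress.ip_address(rhost)
        except ValueError:
            continue  # hostname or "*:*"; no resolution offline
        if not (addr.is_private or addr.is_loopback):
            hits.append((rhost, rport))
    return hits


def max_consonant_run(name):
    """Longest run of consonant letters in the file stem (digits and dots break a run)."""
    stem = name.rsplit(".", 1)[0].lower()
    run = best = 0
    for ch in stem:
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name, threshold=8):
    """Heuristic only: real driver names rarely string eight or more consonants together."""
    return max_consonant_run(name) >= threshold


def suspicious_drivers(lines):
    """Driver entries with no file on disk ([x]) or a random-looking file name."""
    findings = []
    for line in lines:
        m = DRIVER_RE.match(line.strip())
        if not m:
            continue
        _state, start_type, name, _desc, path, meta = m.groups()
        if meta == "x" or not path:
            findings.append((name, "service entry with no file on disk, start type %s" % start_type))
        elif looks_random(path.rsplit("\\", 1)[-1]):
            findings.append((name, "random-looking file name: " + path))
    return findings


def nondefault_text_handlers(lines):
    """inffile/inifile/txtfile handlers that do not invoke notepad.exe."""
    changed = {}
    for line in lines:
        key, sep, cmd = line.strip().partition("=")
        if sep and key in NOTEPAD_HANDLERS and "notepad.exe" not in cmd.lower():
            changed[key] = cmd
    return changed


if __name__ == "__main__":
    print("outbound SYN_SENT:", external_syn_sent(NETSTAT_LINES))
    print("drivers to check:", suspicious_drivers(DDS_DRIVER_LINES))
    print("random-looking name:", looks_random("ovfsthxtymnmiuh.sys"))
    print("non-notepad handlers:", nondefault_text_handlers(DDS_ASSOC_LINES))
```

Everything this flags is a lead, not a verdict. A SYN_SENT with no matching ESTABLISHED entry means the host is trying to reach 78.26.144.206 and not getting an answer, which is worth tying to a process from a clean boot. An [x] entry such as MFX is a service registration whose file is gone, which can be leftover from an uninstall as easily as from a cleanup attempt. A hidden driver file cannot be confirmed from inside the running system; listing the drivers directory from a boot CD or another OS is what shows whether the file is really there. And PAD.EXE should be checked against what the owner installed before it is treated as a hijack, since the log shows nLite and BricoPack customisations on this machine.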

#2 mims1979

Posted 23 April 2009 - 11:36 PM

You guys can go ahead and ignore this post. Didn't want to wait and got sick of trying to fix it. Just slicked the PC and good to go now!

#3 KoanYorel

Posted 03 May 2009 - 11:41 PM

Thanks for informing us.
Good Luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
