
Cleaning up after Skynet


This topic is locked. 11 replies to this topic.

#1 Slythe (Members, 13 posts)

Posted 07 July 2009 - 06:41 PM

Referred from: http://www.bleepingcomputer.com/forums/t/238639/cleaning-up-after-skynet/ ~ OB

My system works great and seems clean. All "skynet" files have been deleted. No program I run detects anything odd except for GMER and Kernel Detective, which is why this thread goes on. As per boopme's request, I'm posting my dds, hijackthis, and gmer logs here. It should also be noted that I've also sent an email to the gmer author to ask him about my log results and hopefully he'll respond.

Let me also try to delicately say something here. The last piece of advice I got made me uncomfortable. It sounded like I was directed to delete files that I know are critical to the operation of Windows. I was thrown back a bit. I would only request that if I am given such advice again that I am also given a detailed technical explanation of why I should do what's requested. I think I have enough of a background in computers to follow along.

Anyway, here are the three logs requested along with my comments at the end -

DDS

DDS (Ver_09-06-26.01) - NTFSx86
Run by Greg S at 13:55:19.96 on Mon 07/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1745 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVGLS\avgtray.exe
svchost.exe
C:\PROGRA~1\AVG\AVGLS\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVGLS\avgnsx.exe
C:\Documents and Settings\Greg S\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avgls\toolbar\IEToolbar.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avgls\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avgls\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avgls\toolbar\IEToolbar.dll
uRun: [OnShare]
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avgls\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avgls\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gregs~1\applic~1\mozilla\firefox\profiles\72xiekpn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avgls\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avgls\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avgls\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avgls\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avgls\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG LinkScanner® AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-29 253832]
R1 AvgTdiX;AVG LinkScanner® Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-29 108296]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2006-1-11 13696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\astra32\astra32.sys [2007-2-22 30864]
R2 avg8wd;AVG LinkScanner® WatchDog;c:\progra~1\avg\avgls\avgwdsvc.exe [2009-6-29 298776]
S3 devkxrmsghookdrv;kX-Ray Msg Hook Enum Drv;c:\windows\system32\drivers\kxrmsghookdrv.sys [2009-6-26 2112]
S3 gel90xne;gel90xne;\??\c:\docume~1\gregs~1\locals~1\temp\gel90xne.sys --> c:\docume~1\gregs~1\locals~1\temp\gel90xne.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]

=============== Created Last 30 ================

2009-07-04 13:24 --d----- c:\documents and settings\greg s\DoctorWeb
2009-07-04 09:23 14,799,208 a------- c:\program files\l3pd9je2.exe
2009-06-29 20:08 253,832 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 20:08 108,296 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-29 20:08 --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-06-29 20:08 --d----- c:\program files\AVG
2009-06-29 20:08 --d----- c:\docume~1\alluse~1\applic~1\avg8ls
2009-06-28 13:33 185,344 a------- c:\windows\system32\drivers\KeDetective130.sys
2009-06-28 12:30 --d----- c:\program files\RootRepeal
2009-06-28 12:30 --d----- c:\program files\ATF-Cleaner
2009-06-28 12:24 --d----- c:\program files\Everything
2009-06-26 19:28 2,112 a------- c:\windows\system32\drivers\kxrmsghookdrv.sys
2009-06-24 17:48 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-21 15:39 --d----- c:\program files\Trend Micro
2009-06-21 15:36 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-21 15:36 --d----- c:\program files\SUPERAntiSpyware
2009-06-21 15:36 --d----- c:\docume~1\gregs~1\applic~1\SUPERAntiSpyware.com
2009-06-21 15:36 --d----- c:\program files\common files\Wise Installation Wizard
2009-06-21 15:33 --d----- c:\program files\CCleaner
2009-06-21 13:46 --d----- c:\windows\pss
2009-06-21 13:29 --d----- c:\docume~1\gregs~1\applic~1\Malwarebytes
2009-06-21 13:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-21 13:01 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-21 13:01 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-21 13:01 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-28 23:52 659,456 a------- c:\windows\system32\wininet.dll
2009-04-28 23:52 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-17 04:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 10:11 584,192 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 13:55:40.00 ===============

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:49 PM, on 7/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVGLS\avgtray.exe
C:\PROGRA~1\AVG\AVGLS\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVGLS\avgnsx.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVGLS\Toolbar\IEToolbar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVGLS\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVGLS\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVGLS\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVGLS\avgtray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVGLS\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG LinkScanner® WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVGLS\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5390 bytes

---------------

GMER

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-06 15:59:37
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\alg.exe? (*** hidden *** ) [MANUAL] ALG <-- ROOTKIT !!!
Service C:\WINDOWS\system32\cisvc.exe? (*** hidden *** ) [MANUAL] CiSvc <-- ROOTKIT !!!
Service C:\WINDOWS\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINDOWS\system32\imapi.exe? (*** hidden *** ) [MANUAL] ImapiService <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] PolicyAgent <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] ProtectedStorage <-- ROOTKIT !!!
Service C:\WINDOWS\system32\spoolsv.exe? (*** hidden *** ) [AUTO] Spooler <-- ROOTKIT !!!
Service C:\WINDOWS\System32\ups.exe? (*** hidden *** ) [MANUAL] UPS <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs@imagepath \systemroot\system32\drivers\SKYNETrputepab.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\main
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\main@aid 10156
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\main\delete
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\main\injector
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\main\tasks
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\modules
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETrputepab.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\modules@SKYNETcmd.dll \systemroot\system32\SKYNETbwyroyxr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\modules@SKYNETlog.dat \systemroot\system32\SKYNETtivmpixm.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\modules@SKYNETwsp.dll \systemroot\system32\SKYNETpjoymetj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\modules@SKYNET.dat \systemroot\system32\SKYNETkoodsfuk.dat

---- EOF - GMER 1.0.15 ----

-----------------------------

First off, I ask that you don't be biased by the final registry entries in the gmer log which reference SKYNET. That was a rootkit I had on my system and I've since deleted all the hidden files relating to it. Those registry entries are leftover ghosts and are not dangerous in and of themselves, yes?

Also, the 8 hidden services detected by GMER seem odd to me. We all know that multiple instances of services of the same name can be spawned by windows processes. If someone hits ctrl-alt-del and looks at their active windows processes, at least in XP, you'll usually see multiple entries for "svchost.exe". The same can apply for a couple other processes. Well...the gmer log shows 2 lsass services. If I run process explorer from SysinternalsSuite I see one process listed named lsass. If I hover my mouse pointer over it it pops up a tooltip that lists three services running under said process. I'm assuming that's the two hidden and the one that's visible when I hit ctrl-alt-del. And with alg.exe, there's one process visible with ctrl-alt-del, and one service visible in the gmer log and also when I run a program like kernel detective. Other services that GMER detects, like cisvc.exe and clipsrv.exe, don't even show up in process explorer or ctrl-alt-del. In fact, clipsrv.exe is listed as DISABLED, it's not active, so why would it even show up under GMER?

I guess my point here is that I'm leery of the results GMER produced. I don't want to just assume that they've revealed rootkit activity. I wish I had more in-depth knowledge to understand why I get these different results from different anti-rootkit programs. I mean, I can't just delete files like lsass.exe, alg.exe, and others, as they are Windows critical, are they not? Could it be possible that gmer is giving some false analysis? That's why I sent an email to the author of gmer in hopes that he'll respond.

By the way, I would request that with each step where someone on your staff gives me advice on some action I should take, I'm also given a detailed technical explanation as to why I should take such a step.

Thank you for your time, and I apologize for being a bit cynical, but I've been burned a bit too often.


Edited by Orange Blossom, 08 July 2009 - 10:10 PM.
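As an added example (not from the post, and not GMER's own code), a small Python parser over the two GMER sections quoted above. It groups the "hidden" service hits by the executable that hosts them, which is why lsass.exe appears twice (PolicyAgent and ProtectedStorage are both hosted by it), and turns the leftover SKYNET registry configuration into the list of files that configuration still points at, so each can be checked for deletion. The sample text is copied from the log in the post; the parser organises the evidence and does not itself decide whether a hit is a false positive.

```python
import re
from collections import defaultdict

# Constructed sample: the "Services" and "Registry" sections copied from the
# GMER log in the post above (the "hidden" hits and the leftover SKYNET keys).
GMER_SAMPLE = r"""
---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\alg.exe? (*** hidden *** ) [MANUAL] ALG <-- ROOTKIT !!!
Service C:\WINDOWS\system32\cisvc.exe? (*** hidden *** ) [MANUAL] CiSvc <-- ROOTKIT !!!
Service C:\WINDOWS\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] PolicyAgent <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] ProtectedStorage <-- ROOTKIT !!!
Service C:\WINDOWS\system32\spoolsv.exe? (*** hidden *** ) [AUTO] Spooler <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs@imagepath \systemroot\system32\drivers\SKYNETrputepab.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\main
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\modules
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETrputepab.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\modules@SKYNETcmd.dll \systemroot\system32\SKYNETbwyroyxr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\modules@SKYNETlog.dat \systemroot\system32\SKYNETtivmpixm.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\modules@SKYNETwsp.dll \systemroot\system32\SKYNETpjoymetj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToblhhlrs\modules@SKYNET.dat \systemroot\system32\SKYNETkoodsfuk.dat
"""

# "Service <path>? (*** hidden *** ) [<start type>] <service name> <-- ROOTKIT !!!"
SERVICE_RE = re.compile(
    r"^Service (?P<path>.+?)\? \(\*\*\* hidden \*\*\* \) \[(?P<start>[A-Z]+)\] (?P<name>\S+)")
# "Reg <key>" for a bare key, or "Reg <key>@<value name> <data>" for a value.
REG_RE = re.compile(r"^Reg (?P<key>[^@ ]+)(?:@(?P<value>\S+)(?: (?P<data>.*))?)?$")


def parse_gmer(text):
    """Return (hidden services, registry tree) from GMER log text.

    hidden: list of (service name, start type, host image path)
    reg:    dict mapping each key path to {value name: data}
    """
    hidden, reg = [], {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            hidden.append((m["name"], m["start"], m["path"]))
            continue
        m = REG_RE.match(line)
        if m:
            values = reg.setdefault(m["key"], {})
            if m["value"]:
                values[m["value"]] = m["data"] or ""
    return hidden, reg


def hidden_by_host(hidden):
    """Group hidden-service hits by host executable (case-folded path)."""
    hosts = defaultdict(list)
    for name, start, path in hidden:
        hosts[path.lower()].append((name, start))
    return dict(hosts)


def shared_hosts(hosts):
    """Executables that host more than one flagged service (lsass.exe here)."""
    return {path: [n for n, _ in svcs] for path, svcs in hosts.items() if len(svcs) > 1}


def rootkit_services(reg, marker="SKYNET"):
    """Service keys directly under ...\\Services whose name starts with marker."""
    found = []
    for key in reg:
        parent, _, leaf = key.rpartition("\\")
        if parent.endswith("\\Services") and leaf.upper().startswith(marker):
            found.append(key)
    return sorted(found)


def referenced_files(reg, service_key):
    """Every file the service's leftover config still points at: its driver
    ImagePath plus each entry of its 'modules' subkey (deduplicated)."""
    files = set()
    for key, values in reg.items():
        if key != service_key and not key.startswith(service_key + "\\"):
            continue
        for name, data in values.items():
            if name.lower() == "imagepath" or key.endswith("\\modules"):
                files.add(data)
    return sorted(files)


if __name__ == "__main__":
    hidden, reg = parse_gmer(GMER_SAMPLE)
    for path, names in shared_hosts(hidden_by_host(hidden)).items():
        print(f"{path} hosts {len(names)} flagged services: {', '.join(names)}")
    for key in rootkit_services(reg):
        print(f"{key} still references:")
        for f in referenced_files(reg, key):
            print("   ", f)
```

On a live system, each path the second function prints can be checked with a plain directory listing; an empty result means only the registry keys remain.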



#2 Slythe (Topic Starter, Members, 13 posts)

Posted 14 July 2009 - 09:31 AM

I realize I shouldn't be bumping my own post, but it's now been a full week and I've gotten no reply yet. Are you all that backed up with posts? Or was mine lost in the shuffle here? And sorry if I was a bit short in my original post.

#3 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 16 July 2009 - 11:53 AM

Hello Slythe,


Sorry about the delay. :) If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you. Please also fill me in a bit more about your concerns so I can explain them to you, to your satisfaction.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 Slythe (Topic Starter, Members, 13 posts)

Posted 16 July 2009 - 01:32 PM

Just to reiterate, a few weeks ago I had a malware infection which also installed the "SKYNET" rootkit. I did some research, since I have some background in computers, and followed a few tutorials and managed to eliminate the malware and I think I've eliminated the rootkit but I still get odd results from a couple tools I run.

If I run mbam, sas, and anti-virus software (avira), they detect nothing unusual. If I run a few different anti-rootkit tools like rootrepeal, radix, kxray, and mbr, they also detect nothing unusual. But when I run gmer, it reports several hidden services (but they're all windows services like lsass, alg, etc.), and if I run Kernel Detective, it reports that I've had some kernel modifications. Basically, I'm trying to figure out if I still have an active rootkit infection, maybe hidden within a windows file, or remnants of the rootkit, or if the results I'm getting are somehow false positives from changes the rootkit made when I did have it.

Anyway, here is my latest HijackThis scan.

-------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:21 PM, on 7/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVGLS\avgtray.exe
C:\PROGRA~1\AVG\AVGLS\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVGLS\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVGLS\Toolbar\IEToolbar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVGLS\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVGLS\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVGLS\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVGLS\avgtray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVGLS\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG LinkScanner® WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVGLS\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5391 bytes

#5 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 16 July 2009 - 01:44 PM

Hi there,

Nothing in that log suggests a rootkit. Let's see what might remain if we look deeper:

If you've run ComboFix before, please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that!

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 Slythe (Topic Starter)
  • Members
  • 13 posts

Posted 16 July 2009 - 03:18 PM

ComboFix log

ComboFix 09-07-14.08 - Greg S 07/16/2009 15:00.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1747 [GMT -5:00]
Running from: C:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\driver
c:\windows\Fonts\acrsec.fon
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security 2009 Support.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security 2009.lnk
c:\windows\system32\P2P Networking
c:\windows\system32\P2P Networking\P2P Networking.eng

.
((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-16 19:33 . 2009-07-16 19:33 3137363 ----a-r- C:\ComboFix.exe
2009-07-15 15:06 . 2009-07-15 15:06 71680 ----a-w- C:\mbr.exe
2009-07-07 21:40 . 2009-07-07 21:40 -------- d-----w- c:\documents and settings\Greg S\Local Settings\Application Data\Help
2009-07-06 20:24 . 2009-07-06 20:24 -------- d-----w- c:\program files\KERNEL_DETECTIVE_V1.3.0
2009-07-06 20:12 . 2009-07-06 20:12 -------- d-----w- c:\program files\kX-Ray
2009-07-06 19:40 . 2009-07-16 18:16 -------- d-----w- C:\HJT
2009-07-04 18:24 . 2009-07-04 18:24 -------- d-----w- c:\documents and settings\Greg S\DoctorWeb
2009-07-04 14:23 . 2009-07-04 14:23 14799208 ----a-w- c:\program files\l3pd9je2.exe
2009-07-01 19:07 . 2009-07-01 19:07 253832 ----a-w- c:\documents and settings\All Users\Application Data\avg8ls\update\backup\avgldx86.sys
2009-07-01 19:07 . 2009-06-30 01:08 2968856 ----a-w- c:\documents and settings\All Users\Application Data\avg8ls\update\backup\setup.exe
2009-07-01 19:07 . 2009-06-30 01:08 3432216 ----a-w- c:\documents and settings\All Users\Application Data\avg8ls\update\backup\avgui.exe
2009-07-01 19:07 . 2009-07-01 19:06 1160472 ----a-w- c:\documents and settings\All Users\Application Data\avg8ls\update\backup\avgssie.dll
2009-07-01 19:07 . 2009-06-30 01:08 827160 ----a-w- c:\documents and settings\All Users\Application Data\avg8ls\update\backup\avgcfgx.dll
2009-07-01 19:07 . 2009-06-30 01:08 531224 ----a-w- c:\documents and settings\All Users\Application Data\avg8ls\update\backup\avgsched.dll
2009-07-01 19:07 . 2009-06-30 01:08 272664 ----a-w- c:\documents and settings\All Users\Application Data\avg8ls\update\backup\avglscan.exe
2009-07-01 19:06 . 2009-06-30 01:08 1444120 ----a-w- c:\documents and settings\All Users\Application Data\avg8ls\update\backup\avgupd.dll
2009-07-01 19:06 . 2009-06-30 01:08 1083672 ----a-w- c:\documents and settings\All Users\Application Data\avg8ls\update\backup\avgupd.exe
2009-06-30 01:11 . 2009-06-30 01:11 -------- d-----w- c:\documents and settings\Greg S\Local Settings\Application Data\AVG Security Toolbar
2009-06-30 01:08 . 2009-07-15 14:56 253576 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-30 01:08 . 2009-06-30 01:08 108296 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-30 01:08 . 2009-06-30 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-30 01:08 . 2009-06-30 01:08 -------- d-----w- c:\program files\AVG
2009-06-30 01:08 . 2009-06-30 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8ls
2009-06-28 18:33 . 2009-07-09 20:46 185344 ----a-w- c:\windows\system32\drivers\KeDetective130.sys
2009-06-28 17:30 . 2009-07-01 00:42 -------- d-----w- c:\program files\RootRepeal
2009-06-28 17:30 . 2009-06-28 17:31 -------- d-----w- c:\program files\ATF-Cleaner
2009-06-28 17:24 . 2009-07-16 19:31 -------- d-----w- c:\program files\Everything
2009-06-27 00:28 . 2009-06-27 00:28 2112 ----a-w- c:\windows\system32\drivers\kxrmsghookdrv.sys
2009-06-24 22:48 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-21 20:37 . 2009-07-13 14:32 117760 ----a-w- c:\documents and settings\Greg S\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-21 20:36 . 2009-06-21 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-21 20:36 . 2009-06-25 19:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-21 20:36 . 2009-06-21 20:36 -------- d-----w- c:\documents and settings\Greg S\Application Data\SUPERAntiSpyware.com
2009-06-21 20:36 . 2009-06-21 20:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-21 20:33 . 2009-06-21 20:33 -------- d-----w- c:\program files\CCleaner
2009-06-21 19:12 . 2009-06-27 22:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-21 18:29 . 2009-06-21 18:29 -------- d-----w- c:\documents and settings\Greg S\Application Data\Malwarebytes
2009-06-21 18:01 . 2009-06-21 18:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-21 18:01 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-21 18:01 . 2009-06-21 19:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-21 18:01 . 2009-06-21 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-21 18:01 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-21 17:31 . 2009-06-21 17:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-21 17:29 . 2009-06-21 17:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-06-21 17:29 . 2009-06-21 17:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-06-21 17:28 . 2009-06-21 17:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2009-06-21 17:28 . 2009-06-21 17:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thunderbird
2009-06-21 17:28 . 2009-06-21 17:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thunderbird

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-16 18:06 . 2006-01-13 04:08 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-28 17:33 . 2006-10-27 17:39 -------- d-----w- c:\documents and settings\Greg S\Application Data\uTorrent
2009-06-24 19:10 . 2006-01-11 21:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:29 . 2006-06-23 20:02 -------- d-----w- c:\program files\Steam
2009-06-10 11:31 . 2006-03-20 11:42 -------- d-----w- c:\program files\Java
2009-06-10 11:31 . 2009-06-10 11:31 152576 ----a-w- c:\documents and settings\Greg S\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-05-21 16:33 . 2009-01-11 14:22 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:44 . 2004-08-04 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2004-08-04 12:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-12 12:03 . 2008-08-27 00:09 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVGLS\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 21:08 1004800 ----a-w- c:\program files\AVG\AVGLS\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVGLS\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-21 278528]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-01-28 1228800]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-4-25 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"iPodService"=3 (0x3)
"avg8wd"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Downloads\\utorrent.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\AVG\\AVGLS\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVGLS\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG LinkScanner® AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/29/2009 8:08 PM 253576]
R1 AvgTdiX;AVG LinkScanner® Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/29/2009 8:08 PM 108296]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [1/11/2006 3:55 PM 13696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [2/22/2007 11:28 AM 30864]
S3 devkxrmsghookdrv;kX-Ray Msg Hook Enum Drv;c:\windows\system32\drivers\kxrmsghookdrv.sys [6/26/2009 7:28 PM 2112]
S3 gel90xne;gel90xne;\??\c:\docume~1\GREGS~1\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\GREGS~1\LOCALS~1\Temp\gel90xne.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S4 avg8wd;AVG LinkScanner® WatchDog;c:\progra~1\AVG\AVGLS\avgwdsvc.exe [6/29/2009 8:08 PM 298776]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Greg S\Application Data\Mozilla\Firefox\Profiles\72xiekpn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVGLS\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVGLS\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVGLS\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVGLS\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVGLS\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-16 15:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-1788223648-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:39,90,9c,a7,04,79,3b,2d,53,fe,59,b7,be,6b,d2,6c,cd,ac,78,90,23,e4,ff,
50,4c,bd,2a,dd,67,f1,be,66,50,ba,20,6c,91,f2,bf,a1,47,73,89,16,98,71,53,42,\
"??"=hex:7b,4b,cc,27,6e,c0,c7,72,20,37,03,1d,41,ab,5e,20

[HKEY_USERS\S-1-5-21-839522115-1788223648-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:52,01,28,46,06,66,ea,eb,a1,13,df,f6,cf,3e,14,e3,03,60,02,f1,5e,
ed,c5,43,8a,8b,7a,0a,2b,1d,26,70,2c,2a,4c,8a,1e,f9,19,67,17,38,f9,41,fb,fd,\
"rkeysecu"=hex:39,11,e2,92,8a,40,32,4b,a0,72,79,1f,72,58,f6,5b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-16 15:04
ComboFix-quarantined-files.txt 2009-07-16 20:03

Pre-Run: 216,022,937,600 bytes free
Post-Run: 216,073,711,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

192 --- E O F --- 2009-06-11 00:12

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:35 PM, on 7/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVGLS\Toolbar\IEToolbar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVGLS\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVGLS\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVGLS\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVGLS\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4502 bytes
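As an added illustration for readers working through logs like the ComboFix output above (this is not part of the thread and not ComboFix's own tooling), the script below runs a small triage pass over a handful of lines copied from that log: the service/driver list and the Security Center and firewall-policy keys. It flags the things a responder would want to look at first: a driver whose image sits under a Temp directory, a driver entry that carries a trailing "[?]" instead of the date and size the other entries have (I read that as the file not being present on disk at scan time; that interpretation is my assumption, not something ComboFix documents in the log), the firewall profile switched off, and update notifications suppressed. The sample lines are constructed from the log above with the trademark symbols dropped.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample, adapted from the ComboFix sections posted in this thread.
SAMPLE_LOG = r"""R1 AvgLdx86;AVG LinkScanner AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/29/2009 8:08 PM 253576]
S3 gel90xne;gel90xne;\??\c:\docume~1\GREGS~1\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\GREGS~1\LOCALS~1\Temp\gel90xne.sys [?]
S4 avg8wd;AVG LinkScanner WatchDog;c:\progra~1\AVG\AVGLS\avgwdsvc.exe [6/29/2009 8:08 PM 298776]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "R1 Name;Description;path [date size]" style service lines.
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)$')
# "[HKEY_...\path]" registry key headers and "name"=data value lines.
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')


def parse_dword(text: str) -> Optional[int]:
    """Accept both renderings seen in the log: 'dword:00000001' and '0 (0x0)'."""
    m = re.match(r'dword:([0-9a-fA-F]+)', text)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)', text)
    if m:
        return int(m.group(1))
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (entry name, reason) pairs for lines worth a second look."""
    findings: List[Tuple[str, str]] = []
    current_key = ""
    for raw in log.splitlines():
        line = raw.strip()

        m = SERVICE_RE.match(line)
        if m:
            _start, name, _desc, rest = m.groups()
            if '\\temp\\' in rest.lower():
                findings.append((name, "driver image lives under a Temp directory"))
            if rest.rstrip().endswith('[?]'):
                # Assumption: no date/size means the image could not be read at scan time.
                findings.append((name, "no size/date recorded: image not present on disk at scan time"))
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue

        m = VALUE_RE.match(line)
        if m:
            vname, vdata = m.groups()
            val = parse_dword(vdata)
            if vname == 'EnableFirewall' and 'firewallpolicy' in current_key and val == 0:
                findings.append((vname, "Windows Firewall disabled for this profile"))
            if vname == 'UpdatesDisableNotify' and 'security center' in current_key and val == 1:
                findings.append((vname, "Security Center update notifications suppressed"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"{name}: {reason}")
```

Run as-is it reports the gel90xne driver twice (Temp path, missing image), then the two registry settings. The point of keying on the containing registry key rather than the value name alone is that "EnableFirewall" also appears under other profiles; matching only the firewallpolicy key keeps the check honest.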

#7 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 July 2009 - 03:26 PM

Hello,

Looks like you had remnant rogues lurking around... how is it running?

#8 Slythe (Topic Starter)
  • Members
  • 13 posts

Posted 16 July 2009 - 04:12 PM

Everything runs fine. Interestingly, I decided to run gmer again and it no longer shows any windows services as being hidden. I'm curious what specifically could've caused that change.

Well anyway, it seems my system is clean.

I'm not sure if this forum is the place to get this information, but when I run a program called Kernel Detective, it has a tab called "kernel modifications" that lists several lines within the file ntkrnlpa.exe as having been modified. I'm wondering if that's left over from the rootkit, or if it's something else.

#9 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 July 2009 - 04:37 PM

Hello,

Glad all is well. :thumbup2:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

I'm not familiar with the program you mentioned, so anything would be supposition on my part. Having had a look at the Sysinternals forums, it looks to be a fairly new tool and the maker seems to be still working out bugs and adding options. My point is, while it looks to be a good tool, it is still young and being worked on. :) I'm sure he would be glad to answer any questions you might have on it. :)

Regards,
tea

#10 Slythe (Topic Starter)
  • Members
  • 13 posts

Posted 16 July 2009 - 04:50 PM

Thank you for your help teacup. I guess all is finished now.

#11 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 July 2009 - 04:56 PM

You're most welcome. :thumbup2:

Regards,
tea

#12 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 22 July 2009 - 10:13 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



