Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need some help removing rootkit


  • This topic is locked This topic is locked
2 replies to this topic

#1 bowlingfiretree

bowlingfiretree

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:34 AM

Posted 24 July 2009 - 11:16 AM

First off, I apologize for not listing the name of the infection in my topic title. This infection happened last night, and I don't recall the infection name, but I do remember it was a rootkit. Now my computer is essentially unusable, so I can't run the AV scan to identify it.

I will tell you the symptoms though. My taskbar size decreased to just above the bottom of the screen, effectively hiding it (and also unresizable, and unusable). I can't paste after copying. And almost all of my services are turned off.

Here's the DDS / HiJackThis log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by TheNursery at 11:06:46.65 on Fri 07/24/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - d:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\thenursery\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoInternetIcon = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://d:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://d:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://d:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://d:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241165878984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thenur~1\applic~1\mozilla\firefox\profiles\ycjbjcyv.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-07-24 10:27 161,792 a------- c:\windows\SWREG.exe
2009-07-24 10:27 98,816 a------- c:\windows\sed.exe
2009-07-23 22:47 <DIR> --d----- c:\docume~1\thenur~1\applic~1\REALbasic
2009-07-23 19:01 108,144 a------- c:\windows\system32\CmdLineExt.dll
2009-06-28 18:51 819,200 a------- c:\windows\system32\xvidcore.dll
2009-06-28 18:51 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-06-28 18:51 77,824 a------- c:\windows\system32\xvid.ax
2009-06-28 18:51 <DIR> --d----- c:\program files\Xvid

==================== Find3M ====================

2009-07-07 22:48 179,792 a------- c:\windows\system32\guard32.dll
2009-07-07 22:48 132,040 a------- c:\windows\system32\drivers\cmdguard.sys
2009-07-07 22:48 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-06-16 08:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 08:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-14 13:04 52,224 a------- c:\windows\ipuninst.exe
2009-06-10 00:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-03 13:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-30 22:14 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-12 23:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 19:04 164,352 a------- c:\windows\system32\SpoonUninstall.exe
2009-05-07 19:04 20,898 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-05-07 09:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 12:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2009-05-01 03:37 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-30 20:16 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 11:07:24.29 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 bowlingfiretree

bowlingfiretree
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:34 AM

Posted 24 July 2009 - 05:30 PM

Forget it. I ran mbr.exe, says it's clean, so I reformatted. Yay!

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:34 AM

Posted 24 July 2009 - 05:52 PM

Hello

Thank you for letting us know. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users