Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


win32 rootkit gen

  • This topic is locked This topic is locked
2 replies to this topic

#1 jf95000


  • Members
  • 1 posts
  • Local time:06:09 PM

Posted 21 December 2009 - 02:12 PM

DDS (Ver_09-12-01.01) - NTFSx86
Run by jose fadla at 19:46:00,75 on 21/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.3071.2282 [GMT 1:00]

AV: avast! antivirus 4.8.1368 [VPS 091221-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Fichiers communs\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\D-Link\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Fichiers communs\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Fichiers communs\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\D-Link\Bluetooth Software\BTTray.exe
C:\Documents and Settings\jose fadla\Application Data\Microsoft\Notification de cadeaux MSN\lsnfier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Fichiers communs\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\jose fadla\Local Settings\Temporary Internet Files\Content.IE5\LU0AWILK\HiJackThis[1].exe
C:\Program Files\Notepad++\notepad++.exe
C:\Documents and Settings\jose fadla\Local Settings\Temporary Internet Files\Content.IE5\SKF12DHY\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.orange.fr/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Torrent2Exe[5e7438c134fb1ecb92651bf2dc565dd2a8b90dc3]] c:\documents and settings\jose fadla\local settings\temporary internet files\content.ie5\97b5r02a\t]_Red_Giant_Trapcode_Plugins_for_AE_CS4[2].exe
uRun: [Torrent2Exe[fb0cd4ea34b6203b2d369f22d2d7af242793a0d4]] c:\documents and settings\jose fadla\local settings\temporary internet files\content.ie5\tsu14c5c\nt_Trapcode_Particular_v2_0_Incl_KeygenViRiLiTY_rar[2].exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [Torrent2Exe[f5eb38ec6b3996a60e86dca5d1320602f324e9ac]] c:\documents and settings\jose fadla\local settings\temporary internet files\content.ie5\97b5r02a\t]_download[2].exe
uRun: [Torrent2Exe[b119bc3c58aaa071dbbed186eaba03ddc53eaee0]] c:\documents and settings\jose fadla\local settings\temporary internet files\content.ie5\skf12dhy\nt[2].exe
uRun: [Multi File Downloader] c:\program files\multi file downloader\MultiFileDownloader.exe
uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeBridge]
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NWEReboot]
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LogitechCommunicationsManager] "c:\program files\fichiers communs\logishrd\lcommgr\Communications_Helper.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\josefa~1\menudm~1\progra~1\dmarra~1\notifi~1.lnk - c:\documents and settings\jose fadla\application data\microsoft\notification de cadeaux msn\lsnfier.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\adobeg~1.lnk - c:\program files\fichiers communs\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\bttray.lnk - c:\program files\d-link\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Envoyer au périphérique &Bluetooth... - c:\program files\d-link\bluetooth software\btsendto_ie_ctx.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\d-link\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: filbanque.com\www
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
Trusted Zone: orange.fr\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.zebulon.fr/scan8/oscan8.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-2 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-2 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-11-22 138680]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-24 55152]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-11-22 352920]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-11-22 254040]
S3 fsssvc;Windows Live Contrôle parental;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S4 Amboe50newo;Amboe50newo; [x]

=============== Created Last 30 ================

2009-12-21 17:58:22 0 d-----w- c:\program files\Trend Micro
2009-12-18 00:28:30 97354 -c--a-w- c:\windows\system32\dllcache\aspndis3.sys
2009-12-18 00:27:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2009-12-18 00:27:11 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2009-12-18 00:27:06 747392 -c--a-w- c:\windows\system32\dllcache\adm8830.sys
2009-12-18 00:27:06 553984 -c--a-w- c:\windows\system32\dllcache\adm8820.sys
2009-12-18 00:27:05 7424 -c--a-w- c:\windows\system32\dllcache\adicvls.sys
2009-12-18 00:27:05 584448 -c--a-w- c:\windows\system32\dllcache\adm8810.sys
2009-12-18 00:27:05 20160 -c--a-w- c:\windows\system32\dllcache\adm8511.sys
2009-12-18 00:27:04 61952 -c--a-w- c:\windows\system32\dllcache\acerscad.dll
2009-12-18 00:26:58 96256 -c--a-w- c:\windows\system32\dllcache\ac97intc.sys
2009-12-18 00:26:58 297728 -c--a-w- c:\windows\system32\dllcache\ac97sis.sys
2009-12-18 00:26:51 23552 -c--a-w- c:\windows\system32\dllcache\abp480n5.sys
2009-12-18 00:26:50 98304 -c--a-w- c:\windows\system32\dllcache\a3d.dll
2009-12-18 00:26:50 462848 -c--a-w- c:\windows\system32\dllcache\a3dapi.dll
2009-12-18 00:26:50 38400 -c--a-w- c:\windows\system32\dllcache\8514a.dll
2009-12-18 00:26:34 762780 -c--a-w- c:\windows\system32\dllcache\3cwmcru.sys
2009-12-18 00:26:34 689216 -c--a-w- c:\windows\system32\dllcache\3dfxvs.dll
2009-12-18 00:26:34 148352 -c--a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2009-12-18 00:26:33 11264 -c--a-w- c:\windows\system32\dllcache\1394vdbg.sys
2009-12-18 00:26:12 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-12-17 23:50:09 0 d-----w- c:\windows\system32\CatRoot_bak
2009-12-17 20:21:24 0 d-----w- c:\docume~1\josefa~1\applic~1\Uniblue
2009-12-17 12:14:54 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-17 11:26:21 697856 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2009-12-17 11:04:04 4 ----a-w- c:\docume~1\josefa~1\applic~1\avdrn.dat
2009-12-08 15:06:09 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-11-23 00:46:14 0 d-----w- c:\windows\pss
2009-11-21 20:52:31 3296 ----a-w- C:\Keymaker.exe

==================== Find3M ====================

2009-12-21 09:56:33 85304 ----a-w- c:\windows\system32\perfc00C.dat
2009-12-21 09:56:33 510204 ----a-w- c:\windows\system32\perfh00C.dat
2009-12-11 10:51:21 694964 ----a-w- c:\windows\fonts\Capture it.ttf
2009-12-11 10:51:21 168312 ----a-w- c:\windows\fonts\Capture it 2.ttf
2009-10-29 07:44:19 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:44:15 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:44:14 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:39:43 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:39:43 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 16:36:32 39968 ----a-w- c:\windows\fonts\arial-rounded-mt-bold.ttf
2009-10-13 10:33:37 271360 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:39:22 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:39:22 150528 ----a-w- c:\windows\system32\rastls.dll
2009-09-28 18:20:43 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2009-09-04 10:55:23 61 --sh--w- c:\windows\cnerolf.bin
2008-08-25 07:11:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012008082520080826\index.dat
2009-05-14 22:01:17 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-05-14 22:01:17 32768 --sha-w- c:\windows\temp\fichiers internet temporaires\content.ie5\index.dat
2009-05-14 22:01:17 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

============= FINISH: 19:46:26,89 ===============

Attached Files

BC AdBot (Login to Remove)


#2 suebaby41


    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:09 PM

Posted 03 January 2010 - 03:12 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41


    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:09 PM

Posted 14 January 2010 - 08:02 AM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users