
Stuck with rootkit.


#1 BallistaSlim


  • Members
  • 1 posts

Posted 27 October 2010 - 05:22 AM

Hi there,

I am a semi-advanced user that for the first time feels stuck removing a possible rootkit. At least that's what ComboFix states when I run it. I was first notified by my Microsoft Security Essentials (which seems to be a really bleepty program BTW) that I had a trojan. When I started digging I realized I had bigger problems than that. Fast forward to ComboFix finding rootkit activity but being unable to remove it (PEV.cfxxe not responding upon the 2nd stage of cleaning upon reboot). I then tried Sophos, which seemed to find and clean some of my problems. After this I tried ComboFix again, and this time it managed to finish. The problem is that every time I try it again I get the "rootkit activity" message from ComboFix. I am now trying this as a final resort before reinstalling etc. (This will be a real hassle, so I am hoping you guys will be able to help me.)

Thanks in advance!

P.S. Apart from the usual log files, I include the latest ComboFix file as well. D.S.

Pasted from DDS.txt:

DDS (Ver_10-10-21.02) - NTFSx86
Run by Mr. X at 11:32:47.77 on Wed 10/27/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.46.1033.18.3572.2354 [GMT 2:00]

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Panda Security\WAC\pavFnSvr.exe
C:\Program Files\Panda Security\WAC\psksvc.exe
C:\Program Files\Panda Security\WAC\pavsrvx86.exe
C:\Program Files\Panda Security\WAC\AVENGINE.EXE
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Panda Security\WAC\PsCtrlS.exe
C:\Program Files\Panda Security\WaAgent\Scheduler\PavSched.exe
C:\Program Files\Panda Security\WaAgent\WasLpMng\WASLPMNG.exe
C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
C:\Program Files\Panda Security\WAC\PSHost.exe
C:\Program Files\Panda Security\WAC\PSIMSVC.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Panda Security\WaAgent\WasAgent\WasAgent.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\Panda Security\WaAgent\WasWD\WasWD.exe
C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Panda Security\WAC\WebProxy.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Personal\bin\Personal.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Users\Mr. X\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.se/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "c:\users\Mr. X\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Panda Software Controller Client] "c:\program files\panda security\wac\PSCtrlC.exe"
StartupFolder: c:\users\Mr. X\appdata\roaming\micros~1\windows\startm~1\programs\startup\skrmur~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bankid~1.lnk - c:\program files\personal\bin\Personal.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xportera till Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: c:\program files\panda security\wac\pavlsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6085/mcfscan.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-10-27 18816]
R2 alssvc;Ambient Light Sensor;c:\program files\dell\ambient light sensor\AlsSvc.exe [2008-6-3 382232]
R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8660.sys [2010-10-26 54344]
R2 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2010-10-26 76296]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-10-6 20072]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-10-6 20328]
R2 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2010-10-26 53256]
R2 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2010-10-26 22024]
R2 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2010-10-26 193800]
R2 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2010-10-26 159112]
R2 nsfim;Network Shared Files Information Manager Plugin;c:\windows\system32\drivers\nsfim.sys [2010-10-26 55368]
R2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\wac\PsCtrlS.exe [2010-6-10 331072]
R2 PavAt3Scheduler;Panda Endpoint Scheduler;c:\program files\panda security\waagent\scheduler\PavSched.exe [2009-9-17 140544]
R2 PavFnSvr;Panda Function Service;c:\program files\panda security\wac\pavFnSvr.exe [2010-3-9 169216]
R2 PavSrv;Panda Antivirus Service;c:\program files\panda security\wac\pavsrvx86.exe [2010-5-28 314176]
R2 PavWASLpMng;Panda Endpoint Local Process Manager;c:\program files\panda security\waagent\waslpmng\WASLPMNG.exe [2009-9-17 295680]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-3-13 65536]
R2 PskSvc;Panda Kernel Service;c:\program files\panda security\wac\psksvc.exe [2010-3-31 27904]
R2 WASAgent;Panda Endpoint Communications Agent;c:\program files\panda security\waagent\wasagent\WasAgent.exe [2009-12-31 320768]
R2 WASWD;Panda Endpoint Watchdog;c:\program files\panda security\waagent\waswd\WasWD.exe [2009-9-17 206080]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2009-6-13 221912]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2009-6-17 40720]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2009-6-17 10384]
R3 NETIMFLT01060042;PANDA NDIS IM Filter Miniport v1.6.0.42;c:\windows\system32\drivers\neti1642.sys [2010-2-18 199688]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-11-5 133632]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-11-5 280096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-26 136176]
S3 acpials;ALS Sensor Filter;c:\windows\system32\drivers\acpials.sys [2009-7-14 7680]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 Tdsshbecr;Handelsbanken card reader;c:\windows\system32\drivers\shbecr.sys [2010-5-18 42368]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-15 1343400]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-14 17920]

=============== Created Last 30 ================

2010-10-27 08:46:50 -------- d-sh--w- C:\$RECYCLE.BIN
2010-10-27 08:46:48 -------- d-----w- c:\users\Mr. X\appdata\local\temp
2010-10-27 08:31:46 256512 ----a-w- c:\windows\PEV.exe
2010-10-27 08:07:46 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-10-26 21:19:07 -------- d-----w- c:\program files\Sophos
2010-10-26 20:59:10 -------- d-----w- c:\progra~2\Sentinel
2010-10-26 20:59:01 161664 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT
2010-10-26 20:58:50 55368 ----a-w- c:\windows\system32\drivers\nsfim.sys
2010-10-26 20:58:50 53256 ----a-w- c:\windows\system32\drivers\dsaflt.sys
2010-10-26 20:58:50 193800 ----a-w- c:\windows\system32\drivers\idsflt.sys
2010-10-26 20:58:47 76296 ----a-w- c:\windows\system32\drivers\APPFLT.SYS
2010-10-26 20:58:47 22024 ----a-w- c:\windows\system32\drivers\fnetmon.sys
2010-10-26 20:58:47 159112 ----a-w- c:\windows\system32\drivers\NETFLTDI.SYS
2010-10-26 20:58:46 54344 ----a-w- c:\windows\system32\drivers\amm8660.sys
2010-10-26 20:57:25 -------- d-sh--r- c:\windows\PSICache
2010-10-26 20:57:13 -------- d-----w- c:\program files\Panda Security
2010-10-26 19:11:14 -------- d-----w- c:\users\Mr. X\appdata\roaming\SUPERAntiSpyware.com
2010-10-26 19:11:14 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-10-26 19:11:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-26 18:46:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 13:45:34 0 ----a-w- c:\windows\system32\dlo4C22.tmp
2010-10-22 12:54:19 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-10-22 12:40:28 -------- d-----w- c:\program files\Elaborate Bytes
2010-10-06 14:11:01 20072 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-10-06 14:07:39 20328 ----a-w- c:\windows\system32\drivers\cpuz134_x32.sys
2010-10-06 14:07:38 -------- d-----w- c:\program files\CPUID
2010-10-04 09:56:40 -------- d-----w- C:\almega
2010-09-29 14:10:40 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-09-29 14:10:40 146304 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2010-09-29 08:09:40 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-29 08:09:37 13312 ----a-w- c:\program files\internet explorer\iecompat.dll

==================== Find3M ====================

2010-10-25 20:16:10 79872 ----a-w- c:\windows\MBR.exe
2010-10-19 20:51:33 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec
2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-01 04:23:49 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-01 02:34:52 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 04:32:30 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 04:32:30 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-27 05:46:48 168448 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 04:39:58 109056 ----a-w- c:\windows\system32\t2embed.dll
2010-08-21 05:36:33 738816 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-21 05:36:24 224256 ----a-w- c:\windows\system32\schannel.dll
2010-08-21 05:33:24 530432 ----a-w- c:\windows\system32\comctl32.dll
2010-08-21 05:32:37 316928 ----a-w- c:\windows\system32\spoolsv.exe

============= FINISH: 11:32:59.99 ===============

Attached Files
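The DDS log above is the kind of artifact a helper reads by eye: `mPolicies-system` lines report the UAC registry values, `R1`/`R2`/`R3`/`S2`/`S3` lines list services and drivers with the file's date and size, and `BHO:` lines list browser helper objects. As an added example (not part of the original post, and not code from DDS, ComboFix or OTL), the script below parses those three line shapes and raises the triage flags a defender would look for in this particular log: UAC values that disable or weaken elevation prompts (`EnableLUA = 0`, `ConsentPromptBehaviorAdmin = 0`, `PromptOnSecureDesktop = 0` are all present above), drivers whose file date is within a few days of the log date, and BHO entries pointing at "No File". The regular expressions are inferred from the posted log, the 7-day window is an assumption, and the sample input is excerpted from the log above.

```python
"""Triage helper for the DDS log format shown in the thread above.

Added example; not part of DDS, ComboFix or OTL.  Line formats are
inferred from the posted log; the recency threshold is an assumption.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List

# Sample input: lines excerpted from the DDS log posted above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-10-27 18816]
R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8660.sys [2010-10-26 54344]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2009-6-13 221912]
S3 acpials;ALS Sensor Filter;c:\windows\system32\drivers\acpials.sys [2009-7-14 7680]
"""

# Date the log was produced, taken from its header ("on Wed 10/27/2010").
LOG_DATE = date(2010, 10, 27)

# "R" = running, "S" = stopped; the bracket holds the file date (Y-M-D) and size.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+) "
    r"\[(?P<y>\d{4})-(?P<m>\d{1,2})-(?P<d>\d{1,2}) (?P<size>\d+)\]$"
)
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+) \(0x[0-9a-f]+\)$")
# The name before the CLSID is optional (the orphaned entry above has none).
BHO_RE = re.compile(r"^BHO: (?:(?P<name>[^{]+?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# HKLM\...\Policies\System values that DDS reports as mPolicies-system.
# EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates admins
# silently; PromptOnSecureDesktop=0 draws prompts on the normal desktop.
UAC_WEAK: Dict[str, Callable[[int], bool]] = {
    "EnableLUA": lambda v: v == 0,
    "ConsentPromptBehaviorAdmin": lambda v: v == 0,
    "PromptOnSecureDesktop": lambda v: v == 0,
}


@dataclass
class Finding:
    kind: str    # "uac", "recent_driver" or "orphan_bho"
    detail: str
    line: str    # the log line that produced the finding


def triage(log_text: str, log_date: date, recent_days: int = 7) -> List[Finding]:
    """Scan DDS-style lines and return the triage flags described above."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            key, val = m["key"], int(m["val"])
            check = UAC_WEAK.get(key)
            if check and check(val):
                findings.append(Finding("uac", f"{key}={val} weakens UAC", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            created = date(int(m["y"]), int(m["m"]), int(m["d"]))
            age = (log_date - created).days
            # A fresh driver is a hint to cross-check against what was just
            # installed (here the Sophos and Panda tools), not a verdict.
            if 0 <= age <= recent_days:
                findings.append(Finding(
                    "recent_driver",
                    f"{m['name']} file dated {created.isoformat()} ({age} days before the log)",
                    line))
            continue
        m = BHO_RE.match(line)
        if m and m["path"].strip().lower() == "no file":
            findings.append(Finding(
                "orphan_bho", f"BHO {m['clsid']} points at a missing file", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding details by kind so a helper can read them at a glance."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.kind, []).append(f.detail)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, LOG_DATE):
        print(f"[{f.kind}] {f.detail}")
```

Run against the excerpt, the script reports the three weakened UAC values, the two driver files dated within a day of the log (the Sophos boot-tasks driver and a Panda filter driver, both consistent with the tools the poster says he installed) and the orphaned BHO entry. Two of the three flag kinds are context, not evidence of infection; the UAC findings are the one hardening gap the log shows outright.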



#2 myrti



  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 05 November 2010 - 08:12 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- will be opened
    • Extra.txt <-- will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM unless I am already helping you. Use the forums!


#3 myrti



  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 15 November 2010 - 06:28 AM

Since it has gone stale, this topic is now closed.

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM unless I am already helping you. Use the forums!
