Open Mg Sony Rootkit Virus


11 replies to this topic

#1 navybudd

navybudd

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 23 November 2006 - 10:46 PM

I had a virus which was the Sony rootkit and was able to get rid of it. I think. I have run about 9 different anti-viruses and they all run clean now. The Sony rootkit has jacked up my computer now. Here is my HijackThis file.

Logfile of HijackThis v1.99.1
Scan saved at 7:32:32 PM, on 11/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\MsiExec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\wAGNER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\wAGNER\LOCALS~1\Temp\~DP7E5.dll (file missing)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\wAGNER\LOCALS~1\Temp\{42799972-1B10-4930-B820-3372588AC766}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\RunOnce: [vmc] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\vmc.dll
O4 - HKLM\..\RunOnce: [Falcon] C:\WINDOWS\system32\Regsvr32.exe /s "C:\Program Files\Common Files\Sony Shared\AVLib\Falcon.dll"
O4 - HKLM\..\RunOnce: [mswm] C:\WINDOWS\system32\Regsvr32.exe /s "C:\Program Files\Common Files\Sony Shared\AVLib\mswm.dll"
O4 - HKLM\..\RunOnce: [NetMD] C:\WINDOWS\system32\Regsvr32.exe /s "C:\Program Files\Common Files\Sony Shared\AVLib\NetMD.dll"
O4 - HKLM\..\RunOnce: [SPTISRVps] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\SPTISR~1.DLL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134507892500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:47 AM

Posted 24 November 2006 - 03:42 PM

Hi navybudd, :thumbsup:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

> I had a virus which was the Sony rootkit and was able to get rid of it.


Why do you think you had it and what did you do to get rid of it?

Thanks for your patience. :flowers:

#3 navybudd

navybudd
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 24 November 2006 - 09:08 PM

I used a forum and ran Panda, AVG, and about six other anti-viruses in safe mode, and they all found the virus. After running them a bunch of times they run clean now. So I am assuming that the virus is gone. Here is a recent HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 6:04:14 PM, on 11/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\wAGNER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\wAGNER\LOCALS~1\Temp\~DP7E5.dll (file missing)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\wAGNER\LOCALS~1\Temp\{42799972-1B10-4930-B820-3372588AC766}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134507892500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

#4 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:47 AM

Posted 25 November 2006 - 07:41 AM

Hi navybudd, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

1. Unfortunately I see no firewall in your running processes, which probably means that you have none. I urge you to install one since it's your first defense against malware. There are several good but free programmes available, like:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

2. Run HijackThis, click Scan and checkmark the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\wAGNER\LOCALS~1\Temp\~DP7E5.dll (file missing)
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\wAGNER\LOCALS~1\Temp\{42799972-1B10-4930-B820-3372588AC766}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll (file missing)


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

3. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following files in bold if listed:

C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\ssqrp.dll

4. Download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

5. Download GMER from here!

Unzip it (right-click and choose Extract all) and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button; this will copy the results to clipboard.
Paste the results in your next reply.

Warning! Do not select the "Show all" checkbox during the scan.

Please reboot and post the GMER report along with a fresh HijackThis log.
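The first-pass triage Falu does by eye in step 2 above, written out as an added example (this is not code from the thread or from the HijackThis project): a small Python parser that reads HijackThis v1.99-style log lines and flags the entry classes picked out there, namely orphaned entries marked (no file) or (file missing), autoruns that load from a user Temp directory, Winlogon Notify DLLs that no longer exist, the empty ProxyServer value ":0", and the text/html filter with no CLSID. The sample log is constructed from entries of the kind shown in the thread, and the heuristics are assumptions drawn from this thread rather than a signature database; a flagged line is a prompt for review, not a verdict, and a clean result says nothing about entries the heuristics do not cover.

```python
"""Triage a HijackThis (v1.99-style) log: flag the entry classes a helper checks first."""
import re
from dataclasses import dataclass

# Constructed sample: entries of the kind posted in the thread above, plus two
# ordinary ones (NeroCheck.exe, igfxcui) that must NOT be flagged.
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\wAGNER\LOCALS~1\Temp\~DP7E5.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\wAGNER\LOCALS~1\Temp\{42799972-1B10-4930-B820-3372588AC766}\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
'''

# "R1 - <body>" / "O20 - <body>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+)\s-\s(?P<body>.+)$")
# User Temp directory in either 8.3 or long form.
TEMP_DIR_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# A drive-letter path immediately followed by HijackThis' "(file missing)" tag.
MISSING_PATH_RE = re.compile(r"([A-Za-z]:\\\S+)\s\(file missing\)")


@dataclass(frozen=True)
class Finding:
    kind: str        # HijackThis section code, e.g. "O20"
    entry: str       # the full log line
    reasons: tuple   # why it was flagged (heuristics, not a verdict)


def triage_entry(line: str):
    """Return a Finding for one log line, or None if no heuristic fires."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None            # header, process list or blank line
    kind, body = m["kind"], m["body"]
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: the registered file is gone")
    if TEMP_DIR_RE.search(body):
        reasons.append("loads from a user Temp directory")
    if kind == "O20" and "(file missing)" in body:
        reasons.append("Winlogon Notify DLL that no longer exists (dangling logon hook)")
    if kind == "R1" and "ProxyServer" in body and body.rstrip().endswith("= :0"):
        reasons.append("malformed/empty ProxyServer value ':0'")
    if kind == "O18" and "(no CLSID)" in body:
        reasons.append("MIME filter registered without a CLSID")
    if not reasons:
        return None
    return Finding(kind, line.strip(), tuple(reasons))


def triage_log(text: str) -> list:
    """Run triage_entry over every line; findings keep log order."""
    return [f for f in (triage_entry(l) for l in text.splitlines()) if f]


def flagged_kinds(text: str) -> list:
    """Section codes of the flagged entries, in log order."""
    return [f.kind for f in triage_log(text)]


def missing_files(text: str) -> list:
    """Paths tagged '(file missing)', i.e. candidates for the 'delete if listed' step."""
    return [m.group(1) for m in MISSING_PATH_RE.finditer(text)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.entry}")
        for r in f.reasons:
            print(f"      - {r}")
    print("check on disk:", missing_files(SAMPLE_LOG))
```

Running the script lists the six flagged entries with their reasons and the two paths marked missing; with the real log, the "check on disk" list is what step 3 asks the user to look for in Explorer, since HijackThis' "(file missing)" tag reflects what it could see at scan time, not proof the file is gone.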

#5 navybudd

navybudd
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 25 November 2006 - 02:42 PM

Here is the GMER

GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-25 11:29:43
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT Vax347b.sys ZwClose
SSDT Vax347b.sys ZwCreateKey
SSDT Vax347b.sys ZwCreatePagingFile
SSDT Vax347b.sys ZwEnumerateKey
SSDT Vax347b.sys ZwEnumerateValueKey
SSDT Vax347b.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT Vax347b.sys ZwQueryKey
SSDT Vax347b.sys ZwQueryValueKey
SSDT Vax347b.sys ZwSetSystemPowerState
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 85B96868
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_READ 855A9380
Device \FileSystem\meiudf \MeiUDF_Disk IRP_MJ_READ 8561DCF8
Device \FileSystem\meiudf \MeiUDF_CdRom IRP_MJ_READ 8561DCF8
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_READ 855A9380
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 856108E0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 856108E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 855C7180
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 856108E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 856108E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_NAMED_PIPE 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_READ 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_WRITE 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_EA 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_EA 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FLUSH_BUFFERS 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_VOLUME_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DIRECTORY_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FILE_SYSTEM_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_LOCK_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLEANUP 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_MAILSLOT 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_SECURITY 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_SECURITY 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CHANGE 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_QUOTA 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_QUOTA 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 856115E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 856115E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE_NAMED_PIPE 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLOSE 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_READ 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_WRITE 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_EA 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_EA 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_FLUSH_BUFFERS 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_VOLUME_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_VOLUME_INFORMATION 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DIRECTORY_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_FILE_SYSTEM_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_INTERNAL_DEVICE_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SHUTDOWN 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_LOCK_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLEANUP 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE_MAILSLOT 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_SECURITY 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_SECURITY 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_POWER 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SYSTEM_CONTROL 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CHANGE 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_QUOTA 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_QUOTA 856115E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_PNP 856115E8
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 85A69E00
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 851D5E28
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 851D5E28
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 85621D00
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 855AA1D0
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_CREATE 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_CREATE_NAMED_PIPE 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_CLOSE 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_READ 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_WRITE 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_QUERY_INFORMATION 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_SET_INFORMATION 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_QUERY_EA 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_SET_EA 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_FLUSH_BUFFERS 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_QUERY_VOLUME_INFORMATION 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_SET_VOLUME_INFORMATION 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_DIRECTORY_CONTROL 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_FILE_SYSTEM_CONTROL 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_DEVICE_CONTROL 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_INTERNAL_DEVICE_CONTROL 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_SHUTDOWN 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_LOCK_CONTROL 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_CLEANUP 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_CREATE_MAILSLOT 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_QUERY_SECURITY 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_SET_SECURITY 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_POWER 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_SYSTEM_CONTROL 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_DEVICE_CHANGE 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_QUERY_QUOTA 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_SET_QUOTA 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1 IRP_MJ_PNP 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_CREATE 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_CLOSE 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_READ 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_WRITE 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_SET_INFORMATION 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_QUERY_EA 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_SET_EA 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_CLEANUP 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_SET_SECURITY 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_POWER 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_SET_QUOTA 855DF008
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 IRP_MJ_PNP 855DF008
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 855A8B30
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 855A8B30
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 855A8B30
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 855A8B30
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 855A8B30
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 85677950

---- Modules - GMER 1.0.12 ----

Module _________ F7593000

---- EOF - GMER 1.0.12 ----


and here is the hijack

Logfile of HijackThis v1.99.1
Scan saved at 11:38:13 AM, on 11/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\wAGNER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134507892500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



I really appreciate your help.
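As an added example (my own script, not something navybudd or Falu posted, and not a HijackThis feature): when a helper reads an O20/O23 section like the one above, the first pass is mechanical, so here it is as code. It assumes the HijackThis v1.99.1 line layout shown in the log, picks out Winlogon Notify DLLs (a load point inside winlogon.exe that always deserves a look) and services whose binary has no vendor in its version info ("Unknown owner") or is no longer on disk ("(file missing)", usually a stale registration left behind by an uninstaller). The sample lines are copied from the log posted in this thread.

```python
import re

# Constructed sample: a few O20/O23 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
"""

# Assumed line layouts for HijackThis v1.99.1 (taken from the log above, not from any spec).
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def triage(text):
    """Return one dict per O20/O23 line with the review flags it earned."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            flags = []
            # No vendor string in the file's version info: verify the binary by hand.
            if m.group("owner") == "Unknown owner":
                flags.append("unknown owner")
            # Service registered but its executable is gone: dead entry, or a removed component.
            if m.group("missing"):
                flags.append("file missing")
            results.append({"type": "O23", "name": m.group("name"),
                            "path": m.group("path"), "flags": flags})
            continue
        m = O20_RE.match(line)
        if m:
            # Every Winlogon Notify DLL is loaded into winlogon.exe; each one gets checked.
            results.append({"type": "O20", "name": m.group("name"),
                            "path": m.group("path"), "flags": ["winlogon notify"]})
    return results


def flagged(text):
    """Only the entries that need a second look."""
    return [r for r in triage(text) if r["flags"]]


if __name__ == "__main__":
    for entry in flagged(SAMPLE_LOG):
        print(entry["type"], entry["name"], "->", ", ".join(entry["flags"]))
```

A flag is a prompt to verify, not a verdict: in this log the two flagged services are a vendor driver helper and a leftover Sony registration, and both Winlogon entries belong to known products.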

#6 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:47 AM

Posted 29 November 2006 - 05:44 AM

Hi navybudd, :thumbsup:

To begin with: sorry for the long wait.

Both logs look clean.

Let's run an online scan to be sure:

Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#7 navybudd

navybudd
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 30 November 2006 - 01:11 AM

I ran Kaspersky and found 1 virus and three infected files. I did nothing from here but save the log. I still have a program I am trying to delete from the Control Panel, Add or Remove Programs, called open mg secure module 4.2.00; when I try to delete it, it says error no H drive found. Of course I have no H drive, and since I had the Sony rootkit and this is a Sony program I figured they are connected. Here is the Kaspersky file.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 29, 2006 10:01:08 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/11/2006
Kaspersky Anti-Virus database records: 246820
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 43516
Number of viruses found: 1
Number of infected objects: 3 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:27:45

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\wAGNER\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\wAGNER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\wAGNER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\wAGNER\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\wAGNER\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\wAGNER\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\wAGNER\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2006-11-29.21-13-54.log Object is locked skipped
C:\Program Files\BitLord\Downloads\L07.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped
C:\Program Files\BitLord\Downloads\Panda Antivirus 2007 with USER + PASSWORD 4 UPDATES.rar/L07.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped
C:\Program Files\BitLord\Downloads\Panda Antivirus 2007 with USER + PASSWORD 4 UPDATES.rar RAR: infected - 1 skipped
C:\Program Files\Panda Software\Panda Antivirus 2007\PSK_NAMES Object is locked skipped
C:\Program Files\Panda Software\Panda Antivirus 2007\PSK_NAMES2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0C1D1238-A1EF-43EA-9ACF-9240DDBA7386}\RP391\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

I am very anxious to hear back from you. Thank you again so much.
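As an added example (my own script, not part of this thread and not a Kaspersky tool): almost every line in a report like the one above is "Object is locked skipped", which is the scanner being unable to open files Windows holds open (registry hives, event logs, index.dat) and is not an infection. The script below separates that noise from real detections, notes the Kaspersky "not-a-virus:" prefix (riskware such as monitoring software, rather than a virus) and folds an archive member like "outer.rar/inner.exe" into its container, since the member cannot be deleted on its own. It assumes the three line shapes visible in the report above; the sample lines are copied from it.

```python
import re

# Constructed sample: a few lines copied from the Kaspersky report posted in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2006-11-29.21-13-54.log Object is locked skipped
C:\Program Files\BitLord\Downloads\L07.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped
C:\Program Files\BitLord\Downloads\Panda Antivirus 2007 with USER + PASSWORD 4 UPDATES.rar/L07.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped
C:\Program Files\BitLord\Downloads\Panda Antivirus 2007 with USER + PASSWORD 4 UPDATES.rar RAR: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Assumed layout: "<path> <status> <last action>", with three status shapes seen in the report.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<threat>\S+)"
    r"|(?P<archive>[A-Z0-9]+): infected - (?P<count>\d+))"
    r"\s+(?P<action>\S+)$"
)


def parse_report(text):
    """One dict per result line; header and footer lines do not match and are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("locked"):
            kind, threat = "locked", None
        elif m.group("threat"):
            kind, threat = "infected", m.group("threat")
        else:
            kind, threat = "archive", None
        entries.append({
            "path": m.group("path"),
            "kind": kind,
            "threat": threat,
            # Kaspersky's "not-a-virus:" prefix marks riskware (here a monitoring program).
            "riskware": bool(threat) and threat.startswith("not-a-virus:"),
            "action": m.group("action"),
        })
    return entries


def summarize(entries):
    """Count lines by kind so the locked-file noise is visible at a glance."""
    counts = {"locked": 0, "infected": 0, "archive": 0}
    for e in entries:
        counts[e["kind"]] += 1
    return counts


def actionable_files(entries):
    """Unique on-disk files still needing attention (detections the scanner only skipped).
    A forward slash separates an archive from its member on Windows paths, so the
    member is folded into its container."""
    files = []
    for e in entries:
        if e["kind"] == "locked" or e["action"] != "skipped":
            continue
        container = e["path"].split("/", 1)[0]
        if container not in files:
            files.append(container)
    return files


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(summarize(parsed))
    for f in actionable_files(parsed):
        print("review:", f)
```

On the sample this reduces 54 reported lines to the two files Falu's next reply actually deals with, which is the point of the pass.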

#8 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:47 AM

Posted 01 December 2006 - 07:39 AM

Hi navybudd, :thumbsup:

1.

I still have a program I am trying to delete from the Control Panel, Add or Remove Programs, called open mg secure module 4.2.00; when I try to delete it, it says error no H drive found. Of course I have no H drive, and since I had the Sony rootkit and this is a Sony program I figured they are connected.


Although I can't find information on what it does, it's clear it's not a 'bad' program. Click Start > All Programs > search for 'open mg secure module 4.2.00' and click Uninstall.

2. Using Windows Explorer, please delete the following file in bold if listed:

C:\Program Files\BitLord\Downloads\L07.exe

Please let me know how this went.

#9 navybudd

navybudd
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 07 December 2006 - 01:13 AM

Everything is running great. I still have the problem of trying to delete open mg (sony). I use add or remove programs and when I hit uninstall it says Error in H drive. I don't have an H drive? I looked in the start menu at the all programs area but there is no listing for it. The only place I can find it is in the add or remove. Is there a DOS prompt I can use to get rid of this? Anything?

#10 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:47 AM

Posted 08 December 2006 - 06:47 AM

Hi navybudd,

Everything is running great. I still have the problem of trying to delete open mg (sony). I use add or remove programs and when I hit uninstall it says Error in H drive. I don't have an H drive? I looked in the start menu at the all programs area but there is no listing for it. The only place I can find it is in the add or remove. Is there a DOS prompt I can use to get rid of this? Anything?


Let's do some research first.

Launch Notepad, and copy/paste the box below into a new text file. Save it as Options.txt on your Desktop.

RegSearch Options File

[Search]
open mg secure module 4.2.00

[Exclude]

[Options]
Filter=KVDLUI


Next download Registry Search and extract it (right-click and choose Extract All). Double-click the icon to run it and click on "Import...". Select the file you created above. Click "OK" and Registry Search will search the Registry and report what it finds. Post that here.

#11 navybudd

navybudd
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 12 December 2006 - 09:12 PM

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Symantec\\LiveUpdate\\ALUNOTIFY.EXE"="Symantec ALUNotify Module"
"C:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"="LiveUpdate Wizard"

[HKEY_USERS\S-1-5-21-918279025-74192737-440239187-1007\Software\Symantec]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Symantec\\LiveUpdate\\ALUNOTIFY.EXE"="Symantec ALUNotify Module"
"C:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"="LiveUpdate Wizard"

; End Of The Log...

#12 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:47 AM

Posted 15 December 2006 - 05:26 AM

Hi navybudd, :thumbsup:

Unfortunately something went wrong: I think you followed the instructions from the Options file after downloading Regsearch. Please follow the instructions hereafter.

Launch Notepad, and copy/paste the text between the two quotes into a new text file. Save it as Options.txt on your Desktop.

RegSearch Options File

[Search]
open mg secure module 4.2.00

[Exclude]

[Options]
Filter=KVDLUI


You have already downloaded Regsearch, so double-click the icon to run it and click on "Import...". Select Options.txt, the file you created above, click "OK" and Registry Search will search the Registry and report what it finds. Post that here please.



