
Combofix.exe And Smitfraudfix Doesn't Load


  • Please log in to reply
3 replies to this topic

#1 saronno

Posted 11 December 2006 - 11:53 AM

... the rootkit recognizes this software?

My problem is related to msguard ..... maybe I've been infected with a variant of the msguard rootkit.

With GMER I can see the hooks on the kernel functions, so I'm sure that a rootkit is present.

It has also created a user zXeGCDT that I deleted ..... and with ERD Commander I also deleted its hidden directory, but it is not enough.

How could I stop this rootkit from preventing me from executing ComboFix?

I'll try to be a bit more clear. When I try to launch ComboFix a console opens and some files appear on the desktop, but the console is immediately closed and the files disappear. If I try to execute ComboFix directly from a console, you see the program start for 1 sec ... after that the OS says "file not found" ... as if the rootkit recognizes the application and returns "file not found" by filtering the system calls.

Any idea?

#2 saronno

Posted 11 December 2006 - 03:28 PM

I was able to launch Rustbfix; this is the log:

************************* Rustock.b-fix -- By ejvindh *************************
Mon 11/12/2006 20:47:32.87


******************* Pre-run Status of system *******************

Rootkit driver msguard is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: msguard :thumbsup:
YOU NEED TO CONSULT MORE ADVANCED TOOLS!!
The Gmer-rootkitscanner may be a good place to start.
Gmer rootkit-scanner may be found here: http://www.gmer.net

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cihhthda

*******************

Script file located at: \??\C:\WINNT\rnqnfkud.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\msguard not found!
Unload of driver msguard failed!

Could not process line:
msguard
Status: 0xc0000034

Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

-------------------------------------------------------------------------------------------


As you can see msguard was found but not unloaded.

#3 saronno

Posted 11 December 2006 - 03:43 PM

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-11 21:37:40
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 82AE5E40 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT 82AE6208 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT 82AE5EB8 ZwQueueApcThread
SSDT 82AE5D50 ZwReadVirtualMemory
SSDT 82A9C148 ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT 82AE5FA8 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT 82AB6148 ZwSetInformationKey
SSDT 82AE62F8 ZwSetInformationProcess
SSDT 82AE5020 ZwSetInformationThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT 82AE6280 ZwSuspendProcess
SSDT 82AE5F30 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT 82AE6190 ZwTerminateThread
SSDT 82AE5DC8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 107 804E2DD8 12 Bytes [ 60, 0C, 32, F5, E0, 6E, 32, ... ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 8223D1C8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 82247210
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 82255560
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 8211C6D8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 8221BC28
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 81FCC850
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 81FCDAE0
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 8201B578
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 8201CCC0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 82009900
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 82020CC0
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 82017E58
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 82467CF8
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 82395290
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 8224F218
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 82011858
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 8200DE60
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 8204CE60
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 824B29C8
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 82205190
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 8204C500
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 8200C1A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 81FAA410
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 8223D1C8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 82247210
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 82255560
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 8211C6D8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 8221BC28
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 81FCC850
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 81FCDAE0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 8201B578
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 8201CCC0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 82009900
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 82020CC0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 82017E58
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 82467CF8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 82395290
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 8224F218
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 82011858
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 8200DE60
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 8204CE60
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 824B29C8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 82205190
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 8204C500
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 8200C1A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 81FAA410
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 8223D1C8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 82247210
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 82255560
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 8211C6D8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 8221BC28
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 81FCC850
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 81FCDAE0
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 8201B578
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 8201CCC0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 82009900
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 82020CC0
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 82017E58
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 82467CF8
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 82395290
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 8224F218
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 82011858
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 8200DE60
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 8204CE60
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 824B29C8
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 82205190
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 8204C500
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 8200C1A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 81FAA410
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 8223D1C8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 82247210
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 82255560
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 8211C6D8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 8221BC28
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 81FCC850
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 81FCDAE0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 8201B578
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 8201CCC0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 82009900
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 82020CC0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 82017E58
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 82467CF8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 82395290
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 8224F218
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 82011858
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 8200DE60
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 8204CE60
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 824B29C8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 82205190
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 8204C500
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 8200C1A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 81FAA410
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 8223D1C8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 82247210
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 82255560
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 8211C6D8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 8221BC28
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 81FCC850
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 81FCDAE0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 8201B578
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 8201CCC0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 82009900
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 82020CC0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 82017E58
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 82467CF8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 82395290
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F53322A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 8224F218
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 82011858
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 8200DE60
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 8204CE60
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 824B29C8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 82205190
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 8204C500
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 8200C1A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 81FAA410

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SCM:{6c736d4F-CBD1-11D0-B3A2-00A0C91E29FE}@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SCM:{6c736d4F-CBD1-11D0-B3A2-00A0C91E29FE}
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SCM:{6c736d4F-CBD1-11D0-B3A2-00A0C91E29FE}@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SCM:{6c736d4F-CBD1-11D0-B3A2-00A0C91E29FE}
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SCM:{6c736d4F-CBD1-11D0-B3A2-00A0C91E29FE}@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SCM:{6c736d4F-CBD1-11D0-B3A2-00A0C91E29FE}
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SCM:{6c736d4F-CBD1-11D0-B3A2-00A0C91E29FE}@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SCM:{6c736d4F-CBD1-11D0-B3A2-00A0C91E29FE}
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SCM:{6c736d4F-CBD1-11D0-B3A2-00A0C91E29FE}@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SCM:{6c736d4F-CBD1-11D0-B3A2-00A0C91E29FE}
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SCM:{6c736d4F-CBD1-11D0-B3A2-00A0C91E29FE}@ 0

---- EOF - GMER 1.0.12 ----
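The GMER output above can be triaged mechanically; the helper below is an added example (not part of this thread, nor of GMER or any BleepingComputer tool) that separates the SSDT hooks GMER attributes to a named driver image from the ones it could only report as a raw address, and pulls out the inline kernel code patch, using lines copied from the log above as sample input. The review order it applies (unattributed hooks and code patches first, driver-owned hooks cross-checked against the security software known to be installed) is the example's own assumption, not GMER's.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Excerpt copied from the GMER 1.0.12 log posted above (a few lines of
# two sections, not the whole log), used here as sample input.
GMER_LOG = r"""
SSDT 82AE5E40 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT 82AE6208 ZwCreateThread
SSDT 82AE5EB8 ZwQueueApcThread
SSDT 82AE5D50 ZwReadVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT 82AE5DC8 ZwWriteVirtualMemory

.text ntoskrnl.exe!_abnormal_termination + 107 804E2DD8 12 Bytes [ 60, 0C, 32, F5, E0, 6E, 32, ... ]
"""
# For an SSDT hook GMER prints the owning driver image when it can resolve the
# hook address to a loaded module, otherwise just the raw 32-bit address.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s*$")
RAW_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
CODE_RE = re.compile(r"^\.text\s+(\S+)\s+\+\s+([0-9A-Fa-f]+)\s+[0-9A-Fa-f]{8}\s+(\d+)\s+Bytes")
UNATTRIBUTED = "<unattributed>"

def parse_ssdt(log: str) -> Dict[str, List[str]]:
    """Group hooked SSDT entries by owner: driver file name, or UNATTRIBUTED
    when GMER could only report a raw address for the hook."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        m = SSDT_RE.match(line.strip())
        if not m:
            continue
        target, func = m.groups()
        key = UNATTRIBUTED if RAW_ADDR_RE.match(target) else target.rsplit("\\", 1)[-1].lower()
        owners[key].append(func)
    return dict(owners)

def parse_code_patches(log: str) -> List[Tuple[str, int, int]]:
    """(symbol, offset, byte count) for each inline patch GMER reports in kernel code."""
    return [(m.group(1), int(m.group(2), 16), int(m.group(3)))
            for m in (CODE_RE.match(ln.strip()) for ln in log.splitlines()) if m]

def triage(log: str) -> List[str]:
    """Findings in review order (this example's own rule): hooks with no owning
    image and inline kernel patches first; hooks owned by a named driver last,
    to be cross-checked against the security software known to be installed."""
    owners = parse_ssdt(log)
    findings = []
    unattributed = owners.pop(UNATTRIBUTED, [])
    if unattributed:
        findings.append(f"{len(unattributed)} SSDT hook(s) not mapped to any loaded driver: {', '.join(unattributed)}")
    for sym, off, n in parse_code_patches(log):
        findings.append(f"inline patch in kernel code: {sym}+0x{off:X} ({n} bytes)")
    for image, funcs in sorted(owners.items()):
        findings.append(f"{len(funcs)} SSDT hook(s) owned by {image}: {', '.join(funcs)}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(GMER_LOG)))
```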

#4 quietman7

Posted 12 December 2006 - 08:13 AM

I have split your HJT log away from this thread and moved it into the HJT forum.

You can find it here: http://www.bleepingcomputer.com/forums/t/75016/msguard-rootkit/

Now that your log is posted there, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files on your own, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and complicate the malware removal process.

Please be patient and wait for a response from an HJT Team member. It may take a while to get a response because team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. While waiting, please DO NOT make another reply to your log until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have no replies, as this makes it easier for them to identify those who have not been helped. If you post another response, a team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.