
SPLIT - Rootkit infection


Lindsey


I know I'm not the original poster, but this described my problem perfectly so I ran through the steps hoping you could help me as well.

Here's the log from the GMER program:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2009-12-24 04:09:33

Windows 5.1.2600 Service Pack 2

Running: 74uqss4j.exe; Driver: C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\kwloapob.sys

---- System - GMER 1.0.15 ----

Code 82B2CE18 ZwEnumerateKey

Code 82CE5898 ZwFlushInstructionCache

Code 82DC65B6 IofCallDriver

Code 82C64E06 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 82DC65BB

.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 82C64E0B

PAGE ntoskrnl.exe!ZwEnumerateKey 8056EE68 5 Bytes JMP 82B2CE1C

PAGE ntoskrnl.exe!ZwFlushInstructionCache 8057797A 5 Bytes JMP 82CE589C

.text C:\WINDOWS\system32\drivers\oreans32.sys section is writeable [0xF86D72A0, 0x7B40, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Fastfat \Fat EEDCBC8A

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTlrgshappkr.sys (*** hidden *** ) EFD0A000-EFD27000 (118784 bytes)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTgyrnntvfnd.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [260] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTlrgshappkr.sys (*** hidden *** ) [sYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTlrgshappkr.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTlrgshappkr.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTdoexylkmdd.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTrvjahmnqoe.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTgyrnntvfnd.dll

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTlrgshappkr.sys

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTlrgshappkr.sys

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTdoexylkmdd.dll

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTrvjahmnqoe.dat

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTgyrnntvfnd.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Lindsey Cheek\Local Settings\Temporary Internet Files\Content.IE5\Q1WDYN6N\httpErrorPagesScripts[1] 0 bytes

File C:\Documents and Settings\Lindsey Cheek\Local Settings\Temporary Internet Files\Content.IE5\UZQZIXQ3\errorPageStrings[1] 0 bytes

File C:\Documents and Settings\Lindsey Cheek\Local Settings\Temporary Internet Files\Content.IE5\UZQZIXQ3\favcenter[1] 0 bytes

File C:\Documents and Settings\Paul\Local Settings\Temp\H8SRT18b7.tmp 343040 bytes executable

File C:\WINDOWS\SYSTEM32\DRIVERS\H8SRTlrgshappkr.sys 40960 bytes executable <-- ROOTKIT !!!

File C:\WINDOWS\SYSTEM32\H8SRTdoexylkmdd.dll 23040 bytes executable

File C:\WINDOWS\SYSTEM32\H8SRTgyrnntvfnd.dll 36864 bytes executable

File C:\WINDOWS\SYSTEM32\H8SRTrvjahmnqoe.dat 202 bytes

---- EOF - GMER 1.0.15 ----

Here's the log from DDS.txt:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Lindsey Cheek at 11:23:31.04 on Thu 12/24/2009

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.146 [GMT -6:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\mqsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\Lindsey Cheek\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://utdallas.facebook.com/home.php

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {691104fa-a407-8518-1596-08cf78d2776e} - c:\windows\upd\riuujhdxrd.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll

TB: {5AA06644-BC46-4220-A460-47A6EB47C96D} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [WinMem] c:\program files\wincleaner memory optimizer\WinMemOpt.exe

uRun: [bitTorrent DNA] "c:\program files\dna\btdna.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} - hxxp://xiah.gamescampus.com/luncher/GamesCampus.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - hxxp://mediaplayer.walmart.com/installer/install.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://www.restoran.ru/clicks.phtml?id=490

Notify: igfxcui - igfxdev.dll

SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lindse~1\applic~1\mozilla\firefox\profiles\0pbu2eil.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

============= SERVICES / DRIVERS ===============

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2006-5-26 33920]

S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2007-11-8 1373480]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]

S3 XDva007;XDva007;\??\c:\windows\system32\xdva007.sys --> c:\windows\system32\XDva007.sys [?]

S4 Ahbotntwmne;Ahbotntwmne; [x]

S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2005-3-10 2560]

=============== Created Last 30 ================

2009-12-24 04:15:17 293376 ----a-w- C:\74uqss4j.exe

2009-12-24 01:22:16 0 d-----w- c:\program files\Malware Defense

2009-12-23 01:26:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-23 01:25:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-12-23 01:25:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-23 01:25:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-23 00:25:28 656 ----a-w- c:\windows\system32\krl32mainweq.dll

2009-12-23 00:24:24 206 ----a-w- c:\windows\system32\srcr.dat

2009-12-21 08:15:01 0 d-----w- c:\windows\system32\electricsheep-cache

2009-12-21 05:06:51 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-21 03:09:16 0 d-----w- c:\program files\uTorrent

2009-12-21 02:14:53 4426596 -c--a-w- C:\ituneslib.itl

2009-12-21 02:02:41 0 d-----w- c:\program files\iPod

2009-12-21 02:02:22 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-12-21 02:01:00 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2005-02-13 21:43:27 12208 -csha-w- c:\windows\system32\KGyGaAvL.sys

2007-01-17 23:44:41 1265 --sha-w- c:\windows\system32\mmf.sys

============= FINISH: 11:24:16.63 ===============

I also zipped and attached the Attach.txt file from the DDS program.

I can't run Spybot, MBAM, or any other program used to remove spyware/malware. It constantly reopens iexplore.exe in the processes tree.

Any ideas? Thanks in advance.


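As an added example that is not part of the thread (my code, not GMER's and not the helpers'), a small Python triage of a GMER log like the one above: it pulls the objects GMER marks hidden, recovers the H8SRT file-name prefix they share, sweeps the rest of the log for artifacts carrying that prefix which GMER did not itself flag, decodes the driver's service Start/Type registry values, and lists the inline kernel hooks. The sample input is a trimmed copy of lines from the log in the post; the record layout assumed is GMER 1.0.15's text output.

```python
"""Triage a GMER 1.0.15 rootkit-scan log (added example; not GMER's code, not from the thread).

Pulls the objects GMER marks hidden, recovers the file-name prefix they share, sweeps the log
for other artifacts with that prefix, decodes the driver's service values and lists inline hooks.
"""
import re

# Constructed sample: verbatim lines copied from the GMER log posted above.
SAMPLE_GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 82DC65BB
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EE68 5 Bytes JMP 82B2CE1C
---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\H8SRTlrgshappkr.sys (*** hidden *** ) EFD0A000-EFD27000 (118784 bytes)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\H8SRTgyrnntvfnd.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [260] 0x10000000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\H8SRTlrgshappkr.sys (*** hidden *** ) [sYSTEM] H8SRTd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTlrgshappkr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTdoexylkmdd.dll
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\Paul\Local Settings\Temp\H8SRT18b7.tmp 343040 bytes executable
File C:\WINDOWS\SYSTEM32\DRIVERS\H8SRTlrgshappkr.sys 40960 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\SYSTEM32\H8SRTrvjahmnqoe.dat 202 bytes
---- EOF - GMER 1.0.15 ----
"""

# One regex per GMER record type used here (layout as seen in the 1.0.15 log above).
HOOK_RE = re.compile(r"^(?:\.text|PAGE)\s+(\S+)\s+([0-9A-F]{8})\s+(\d+) Bytes\s+JMP\s+([0-9A-F]{8})")
HIDDEN_RE = re.compile(r"^(Module|Library|Service)\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)(?:\s+([0-9A-F]{8})-([0-9A-F]{8}))?")
REG_RE = re.compile(r"^Reg\s+(\S+?)@(\S+)\s+(.*)$")

# Service Start / Type values (the SERVICE_* constants from the Windows SDK).
SERVICE_START = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
SERVICE_TYPE = {1: "kernel driver", 2: "file system driver", 0x10: "own process", 0x20: "shared process"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Split a GMER log into inline hooks, hidden objects and registry values."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    rep = {"hooks": [], "hidden": [], "reg": {}, "lines": lines}
    for ln in lines:
        if m := HOOK_RE.match(ln):
            rep["hooks"].append({"symbol": m[1], "address": int(m[2], 16),
                                 "patch_len": int(m[3]), "target": int(m[4], 16)})
        elif m := HIDDEN_RE.match(ln):
            rng = (int(m[3], 16), int(m[4], 16)) if m[3] else None
            rep["hidden"].append({"kind": m[1], "path": m[2], "range": rng})
        elif m := REG_RE.match(ln):
            rep["reg"][(m[1], m[2].lower())] = m[3]  # (key, value name) -> data
    # A JMP target inside a hidden module's image range ties that hook to the module.
    ranges = [h["range"] for h in rep["hidden"] if h["range"]]
    for h in rep["hooks"]:
        h["in_hidden_module"] = any(lo <= h["target"] < hi for lo, hi in ranges)
    return rep


def common_prefix(names):
    """Longest prefix shared by every name ("" for an empty list)."""
    prefix = names[0] if names else ""
    for n in names[1:]:
        while not n.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def artifacts_with_prefix(lines, prefix):
    """Every token in the log starting with the prefix: files, service names, value names."""
    pat = re.compile(re.escape(prefix) + r"[\w.]*")
    return sorted({tok for ln in lines for tok in pat.findall(ln)})


def services_for_image(reg, image_basename):
    """Service keys whose ImagePath names the driver, with Start/Type decoded."""
    out = []
    for (key, name), data in reg.items():
        if name == "imagepath" and basename(data).lower() == image_basename.lower():
            out.append({"service": basename(key), "image": image_basename,
                        "start": SERVICE_START.get(int(reg.get((key, "start"), -1))),
                        "type": SERVICE_TYPE.get(int(reg.get((key, "type"), -1)))})
    return out


def triage(text):
    rep = parse_gmer(text)
    hidden = sorted({basename(h["path"]) for h in rep["hidden"]})
    prefix = common_prefix(hidden)
    # Prefixes shorter than 4 chars match too much of the log to be worth sweeping on.
    related = artifacts_with_prefix(rep["lines"], prefix) if len(prefix) >= 4 else []
    services = [s for h in rep["hidden"] if h["kind"] == "Module"
                for s in services_for_image(rep["reg"], basename(h["path"]))]
    return {"hooks": rep["hooks"], "hidden": hidden, "prefix": prefix,
            "unflagged": [a for a in related if a not in hidden], "services": services}
```

On the sample, `triage(SAMPLE_GMER_LOG)["unflagged"]` surfaces the Temp\H8SRT18b7.tmp dropper and the .dat/.dll companions that share the prefix but carry no hidden marker, which is the correlation a helper does by eye when reading such a log.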

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that ComboFix is renamed before it even starts to download.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts. Close all other windows/browsers first.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.**

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do Not run combofix more than once. If you have problems please post back for further instructions.

3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.


ComboFix 09-12-30.01 - Paul 12/31/2009 1:38.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.325 [GMT -6:00]

Running from: c:\documents and settings\Paul\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\desktop.ini

C:\LOG.TXT

c:\windows\93bfe3ca-1bf1-4ae8-b812-1f3bc95e7619.ocx

c:\windows\AUTOLNCH.REG

c:\windows\system32\2a700b3e-848e-485e-b458-90433d601fe5.dll

c:\windows\system32\comrepl.exe

c:\windows\system32\drivers\H8SRTlrgshappkr.sys

c:\windows\system32\drivers\npf.sys

c:\windows\system32\H8SRTdoexylkmdd.dll

c:\windows\system32\H8SRTgyrnntvfnd.dll

c:\windows\system32\H8SRTrvjahmnqoe.dat

c:\windows\system32\krl32mainweq.dll

c:\windows\system32\launcher.exe

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\srcr.dat

c:\windows\system32\wpcap.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_H8SRTd.sys

-------\Legacy_H8SRTd.sys

-------\Legacy_NPF

-------\Legacy_OREANS32

-------\Service_NPF

-------\Service_oreans32

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))

.

2009-12-29 06:27 . 2009-12-29 06:27 -------- d-----w- c:\documents and settings\Paul\Application Data\Malwarebytes

2009-12-27 18:29 . 2009-12-29 07:19 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\irdjmm

2009-12-26 05:04 . 2009-12-26 23:46 -------- d-----w- c:\documents and settings\Paul\Application Data\vlc

2009-12-26 05:03 . 2009-12-26 05:03 -------- d-----w- c:\documents and settings\Paul\Application Data\dvdcss

2009-12-25 15:12 . 2009-12-25 15:12 -------- dc----w- C:\WTablet

2009-12-24 04:15 . 2009-12-24 04:15 293376 ----a-w- C:\74uqss4j.exe

2009-12-24 01:44 . 2009-12-24 01:44 -------- d-----w- c:\documents and settings\Paul\Application Data\TextPad

2009-12-23 01:26 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-23 01:25 . 2009-12-23 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-23 01:25 . 2009-12-29 06:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-23 01:25 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-21 08:15 . 2009-12-21 08:15 -------- d-----w- c:\windows\system32\electricsheep-cache

2009-12-21 05:06 . 2009-12-31 00:18 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-21 03:46 . 2009-12-21 03:46 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Adobe

2009-12-21 03:09 . 2009-12-21 03:09 -------- d-----w- c:\program files\uTorrent

2009-12-21 03:09 . 2009-12-24 01:22 -------- d-----w- c:\documents and settings\Paul\Application Data\uTorrent

2009-12-21 02:48 . 2009-12-21 02:48 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Mozilla

2009-12-21 02:39 . 2009-12-21 02:39 76248 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-21 02:39 . 2009-12-21 02:40 -------- d-----w- c:\documents and settings\Paul\Application Data\Apple Computer

2009-12-21 02:37 . 2009-12-21 02:40 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Apple Computer

2009-12-21 02:35 . 2009-12-21 02:35 -------- d-----w- c:\documents and settings\Paul\Application Data\WTablet

2009-12-21 02:02 . 2009-12-21 02:02 -------- d-----w- c:\program files\iPod

2009-12-21 02:02 . 2009-12-21 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-12-21 02:01 . 2009-12-21 02:01 -------- d-----w- c:\program files\Bonjour

2009-12-21 01:59 . 2009-12-21 02:00 -------- d-----w- c:\program files\QuickTime

2009-12-21 01:57 . 2009-12-21 01:57 -------- d-----w- c:\documents and settings\Lindsey Cheek\Local Settings\Application Data\Apple

2009-12-21 01:56 . 2009-12-21 02:04 -------- dc----w- c:\windows\system32\DRVSTORE

2009-12-21 01:53 . 2009-12-21 02:02 -------- d-----w- c:\program files\Common Files\Apple

2009-12-21 01:53 . 2009-12-21 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-29 06:14 . 2008-01-13 23:07 -------- d-----w- c:\documents and settings\Lindsey Cheek\Application Data\DNA

2009-12-29 06:08 . 2007-07-04 01:47 -------- d-----w- c:\documents and settings\Lindsey Cheek\Application Data\WTablet

2009-12-29 06:07 . 2008-01-13 23:07 -------- d-----w- c:\program files\DNA

2009-12-21 02:06 . 2004-10-01 00:21 -------- d-----w- c:\documents and settings\Lindsey Cheek\Application Data\Apple Computer

2009-12-21 02:04 . 2004-11-16 17:40 -------- d-----w- c:\program files\iTunes

2009-12-21 01:57 . 2007-01-08 06:32 -------- d-----w- c:\program files\Apple Software Update

2009-12-21 01:36 . 2009-12-21 01:33 1924744 ----a-w- c:\documents and settings\Lindsey Cheek\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe

2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

2009-01-23 13:30 . 2005-12-11 20:56 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-01-23 13:30 . 2005-12-11 20:56 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-01-23 13:30 . 2007-06-12 00:33 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-01-23 13:30 . 2007-06-12 00:33 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-01-23 13:30 . 2005-12-11 20:56 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2005-02-13 21:43 . 2005-02-13 21:43 12208 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys

2007-01-17 23:44 . 2005-03-11 03:10 1265 --sha-w- c:\windows\SYSTEM32\mmf.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lindsey Cheek^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Lindsey Cheek\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lindsey Cheek^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=c:\documents and settings\Lindsey Cheek\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]

2003-08-29 10:59 122880 -c--a-w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 07:56 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]

2003-03-07 17:36 209800 ----a-w- c:\program files\Dell\AccessDirect\DadApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]

2003-06-25 15:29 294998 ------w- c:\program files\Dell AIO Printer A940\dlbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2003-12-18 18:17 487424 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]

2003-08-13 15:27 28672 -c--a-w- c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

2005-11-15 18:12 473928 ----a-w- c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2005-09-20 14:32 77824 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

2005-09-20 14:32 77824 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2005-09-20 14:36 114688 ----a-w- c:\windows\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2005-09-20 14:35 94208 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2004-06-16 12:03 221184 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2004-06-16 12:03 81920 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]

2004-08-04 07:56 177152 ----a-w- c:\windows\SYSTEM32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]

2003-02-13 06:01 155648 -c--a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2005-11-10 19:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2003-08-15 17:37 618496 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]

2003-08-15 17:38 110592 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 22:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2009-12-21 03:09 289584 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]

2005-03-29 01:24 28616 ----a-w- c:\program files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"seclogon"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"Wmaacdvrdita"=3 (0x3)

"TabletService"=2 (0x2)

"SPTISRV"=3 (0x3)

"rpcapd"=3 (0x3)

"MDM"=2 (0x2)

"Macromedia Licensing Service"=3 (0x3)

"LxrJD31s"=2 (0x2)

"LicCtrlService"=2 (0x2)

"LexBceS"=2 (0x2)

"IDriverT"=3 (0x3)

"Creative Service for CDROM Access"=2 (0x2)

"Adobe LM Service"=3 (0x3)

"wuauserv"=2 (0x2)

"wscsvc"=2 (0x2)

"MSIServer"=3 (0x3)

"Ahbotntwmne"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\myTunes Redux\\mDNSResponder.exe"=

"c:\\WINDOWS\\SYSTEM32\\mqsvc.exe"=

"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"c:\\Program Files\\myTunes Redux\\myTunesRedux.exe"=

"c:\\Program Files\\Microsoft AntiSpyware\\GIANTAntiSpywareMain.exe"=

"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=

"c:\\Program Files\\Last.fm\\LastFM.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\SYSTEM32\\java.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Soulseek-Test\\slsk.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3689:TCP"= 3689:TCP:Port

"3689:UDP"= 3689:UDP:iTunes

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\SYSTEM32\Wacom_Tablet.exe [11/8/2007 10:30 AM 1373480]

S3 XDva007;XDva007;\??\c:\windows\system32\XDva007.sys --> c:\windows\system32\XDva007.sys [?]

S4 Ahbotntwmne;Ahbotntwmne; [x]

S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [3/10/2005 9:10 PM 2560]

.

Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-12-31 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-04-23 23:38]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.dell.com

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.webexternal.cn/ac.php?aid=216&sid=new

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - hxxp://mediaplayer.walmart.com/installer/install.cab

FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\tiqefj2c.default\

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

- - - - ORPHANS REMOVED - - - -

BHO-{691104FA-A407-8518-1596-08CF78D2776E} - c:\windows\UPD\riuujhdxrd.dll

MSConfigStartUp-AIM - c:\program files\AIM\aim.exe

MSConfigStartUp-ares - c:\program files\Ares Lite Edition\Ares.exe

MSConfigStartUp-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

MSConfigStartUp-filecroc - c:\program files\FileCroc\FileCroc.exe

MSConfigStartUp-PCMService - c:\program files\Dell\Media Experience\PCMService.exe

MSConfigStartUp-PlayNC Launcher - c:\program files\NCSoft\Launcher\NCLauncher.exe

MSConfigStartUp-richtx64 - c:\docume~1\Paul\LOCALS~1\Temp\richtx64.exe

MSConfigStartUp-VetTray - c:\progra~1\CA\ETRUST~1\ETRUST~1\VetTray.exe

MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\ypager.exe

MSConfigStartUp-Zone Labs Client - c:\progra~1\CA\ETRUST~1\ETRUST~2\ca.exe

AddRemove-Quartz Studio Free - c:\program files\DigitalSoundPlanet\Quartz Studio Free 370E\DeIsL1.isu

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-31 01:52

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------


.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\msdtc.exe

c:\windows\System32\snmp.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\WTablet\Wacom_TabletUser.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\mqsvc.exe

c:\windows\system32\mqtgsvc.exe

c:\windows\system32\wscntfy.exe

c:\windows\System32\ELECTR~1.SCR

.

**************************************************************************

.

Completion time: 2009-12-31 02:02:15 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-31 08:02

Pre-Run: 12,634,824,704 bytes free

Post-Run: 13,237,284,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

- - End Of File - - 42F6280BF98D5ADAAB3EFA95AFB1125D

So - yesterday (before I saw this post) I actually got mbam to run, and it said it got rid of 10 infections, yada yada. It seemed like it was fine, then popped up with some more Antivirus Security something or other sometime this afternoon.

Now that I've done all this ComboFix stuff, is this the end? Finally?

