Annoying rootkit


Recommended Posts

I was notified by my ISP that I had a virus detected from my IP. Upon running Malwarebytes I found a single rootkit that I cannot delete. I've done a day's worth of research and reading threads on the forum, but nothing has worked. Deleting the file itself obviously does no good and I can't find the hidden culprit that is causing this headache. Here are my RootRepeal and MBAM logs. Any help will be greatly appreciated.

Thanks!

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/01/02 19:43

Program Version: Version 1.3.5.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

Drivers

-------------------

Name: dump_iaStor.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys

Address: 0xA9C70000 Size: 786432 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA77E6000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\pocvxl.sys

Status: Locked to the Windows API!

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_66.trc

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\y3p2vr47.default\bookmarkbackups\bookmarks-2009-12-30.json

Status: Visible to the Windows API, but not on disk.

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System Address: 0x8a8e2b40 Size: 1216

Hidden Services

-------------------

Service Name: pocvxl

Image Path: C:\WINDOWS\system32\drivers\pocvxl.sys

==EOF==

Malwarebytes' Anti-Malware 1.43

Database version: 3484

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/2/2010 8:21:28 PM

mbam-log-2010-01-02 (20-21-28).txt

Scan type: Quick Scan

Objects scanned: 122893

Time elapsed: 7 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\pocvxl.sys (Rootkit.Agent) -> Delete on reboot.

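The two reports above each show one piece of the picture: RootRepeal lists a hidden service (pocvxl), its image locked to the Windows API, and hidden code hooked into the Ntfs IRP_MJ_CREATE dispatch, while Malwarebytes flags the same driver file as Rootkit.Agent with a "Delete on reboot" action. The script below is an added triage example, not part of the original post or of either tool: it parses the RootRepeal section/field layout, matches the hidden-service image path against the locked-file list and the MBAM file detection, and reports any locked file that is neither a known-benign one nor already explained by a hidden service. The sample logs embedded in it are constructed copies of the entries quoted above with the blank lines removed; the EXPECTED_LOCKED allowlist (hiberfil.sys, pagefile.sys) is my own assumption about what is normally locked on a Windows XP system.

```python
import re

# Constructed sample input: trimmed copies of the RootRepeal and Malwarebytes
# reports quoted in the post above (same entries, blank lines removed).
ROOTREPEAL_LOG = r"""
Scan Start Time: 2010/01/02 19:43
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA9C70000 Size: 786432 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA77E6000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\drivers\pocvxl.sys
Status: Locked to the Windows API!
Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_66.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)
Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a8e2b40 Size: 1216
Hidden Services
-------------------
Service Name: pocvxl
Image Path: C:\WINDOWS\system32\drivers\pocvxl.sys
==EOF==
"""

MBAM_LOG = r"""
Files Infected:
C:\WINDOWS\system32\drivers\pocvxl.sys (Rootkit.Agent) -> Delete on reboot.
"""

# Assumption: files that are always locked on a running Windows XP system and
# therefore need no explanation when RootRepeal reports them.
EXPECTED_LOCKED = {r"c:\hiberfil.sys", r"c:\pagefile.sys"}

SECTION_RULE = re.compile(r"^-{5,}$")
FIELD = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")
MBAM_FILE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")


def parse_rootrepeal(text):
    """Return {section title: [record, ...]}; each record maps field -> value.
    A section title is the line directly above a dashed rule; a new record
    starts whenever a field name repeats inside the current section."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "==EOF=="]
    sections, current, record = {}, None, {}

    def flush():
        nonlocal record
        if current is not None and record:
            sections[current].append(record)
        record = {}

    for i, line in enumerate(lines):
        if i + 1 < len(lines) and SECTION_RULE.match(lines[i + 1]):
            flush()
            current = line
            sections[current] = []
            continue
        if SECTION_RULE.match(line) or current is None:
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key in record:
            flush()
        record[key] = value
    flush()
    return sections


def parse_mbam_files(text):
    """Map lower-cased file path -> (detection name, action) from an MBAM log."""
    hits = {}
    for line in text.splitlines():
        m = MBAM_FILE.match(line.strip())
        if m:
            hits[m.group("path").lower()] = (m.group("name"), m.group("action"))
    return hits


def triage(rootrepeal_text, mbam_text):
    """Correlate the RootRepeal indicators with the MBAM detection: a hidden
    service whose image is locked and flagged by MBAM is the persistence
    mechanism, and a hooked Ntfs IRP_MJ_CREATE explains why deleting (or
    'Delete on reboot' of) that image does not stick."""
    rr = parse_rootrepeal(rootrepeal_text)
    mbam = parse_mbam_files(mbam_text)
    locked = {r["Path"].lower() for r in rr.get("Hidden/Locked Files", [])
              if "Locked" in r.get("Status", "")}
    services = []
    for svc in rr.get("Hidden Services", []):
        path = svc.get("Image Path", "").lower()
        reasons = ["hidden service"]
        if path in locked:
            reasons.append("image locked to Windows API")
        if path in mbam:
            reasons.append("MBAM: " + mbam[path][0])
        services.append({"service": svc["Service Name"], "path": path, "reasons": reasons})
    explained = EXPECTED_LOCKED | {s["path"] for s in services}
    return {
        "hidden_services": services,
        "hooks": [o["Object"] for o in rr.get("Stealth Objects", [])
                  if o.get("Object", "").startswith("Hidden Code")],
        "unexplained_locked": sorted(locked - explained),
    }


if __name__ == "__main__":
    result = triage(ROOTREPEAL_LOG, MBAM_LOG)
    for s in result["hidden_services"]:
        print(f"{s['service']}: {s['path']} [{', '.join(s['reasons'])}]")
    for h in result["hooks"]:
        print("hook:", h)
    print("unexplained locked files:", result["unexplained_locked"])
```

Run on the sample it prints the pocvxl service with all three reasons, the Ntfs create hook, and an empty unexplained-locked list: hiberfil.sys is on the allowlist and the locked driver is accounted for by the hidden service. On a real report, a locked file that lands in the unexplained list (or a hidden service with no MBAM hit) is the entry to look at next, which is the same reasoning the helpers below apply when they ask for OTL and GMER output before touching anything.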

Hello McConaughey

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the text below in bold


    %SYSTEMDRIVE%\*.exe

    /md5start

    eventlog.dll

    scecli.dll

    netlogon.dll

    cngaudit.dll

    sceclt.dll

    ntelogon.dll

    logevent.dll

    iaStor.sys

    nvstor.sys

    atapi.sys

    IdeChnDr.sys

    viasraid.sys

    AGP440.sys

    vaxscsi.sys

    nvatabus.sys

    viamraid.sys

    nvata.sys

    nvgts.sys

    iastorv.sys

    ViPrt.sys

    eNetHook.dll

    ahcix86.sys

    KR10N.sys

    nvstor32.sys

    /md5stop

    CREATERESTOREPOINT


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
    • Show All (don't miss this one)


  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.


Unfortunately GMER would crash after about 1.5 hours of scanning and I was unable to get a log. Here are the OTL reports and a follow-up ComboFix log. Thank you for responding and helping me with this issue.

OTL logfile created on: 1/3/2010 9:26:24 PM - Run 1

OTL by OldTimer - Version 3.1.21.0 Folder = C:\Documents and Settings\Chris\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 179.31 Gb Total Space | 120.31 Gb Free Space | 67.10% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: FFE80C38742A44A

Current User Name: Chris

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Chris\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)

PRC - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)

PRC - C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe (Yahoo! Inc.)

PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)

PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

PRC - C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe (SigmaTel, Inc.)

PRC - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe (Sony Corporation)

PRC - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe (Sony Corporation)

PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

PRC - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe (Sony Corporation)

PRC - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe (Sony Corporation)

PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )

PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)

PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)

PRC - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe (Sony Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Chris\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (PEVSystemStart) -- File not found

SRV - (MKOQKVIKMMDGUQM) -- File not found

SRV - (MSSQL$WHATSUP) SQL Server (WHATSUP) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)

SRV - (Ipswitch Netflow Collector) -- C:\Program Files\Ipswitch\WhatsUp\BWCollector.Net.exe (Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421)

SRV - (Ipswitch WhatsUp Engine) -- C:\Program Files\Ipswitch\WhatsUp\NmService.exe (Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421)

SRV - (Ipswitch Web Server$WhatsUp) -- C:\Program Files\Ipswitch\WhatsUp\NMWebService.exe (Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421)

SRV - (SQLWriter) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)

SRV - (SQLBrowser) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)

SRV - (MSSQLServerADHelper) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)

SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

SRV - (aawservice) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)

SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)

SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)

SRV - (Symantec Core LC) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (Symantec Corporation)

SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

SRV - (VAIOMediaPlatform-IntegratedServer-AppServer) -- C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe (Sony Corporation)

SRV - (VAIOMediaPlatform-Mobile-Gateway) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe (Sony Corporation)

SRV - (STacSV) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe (SigmaTel, Inc.)

SRV - (VAIOMediaPlatform-IntegratedServer-UPnP) VAIO Media Integrated Server (UPnP) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (Sony Corporation)

SRV - (VAIOMediaPlatform-IntegratedServer-HTTP) VAIO Media Integrated Server (HTTP) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe (Sony Corporation)

SRV - (SSScsiSV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (Sony Corporation)

SRV - (MSCSPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)

SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (Sony Corporation)

SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)

SRV - (VAIO Event Service) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe (Sony Corporation)

SRV - (Vcsw) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe (Sony Corporation)

SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Computer, Inc.)

SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

SRV - (VzFw) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe (Sony Corporation)

SRV - (VzCdbSvc) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe (Sony Corporation)

SRV - (S24EventMonitor) Intel® -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )

SRV - (EvtEng) Intel® -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)

SRV - (RegSrvc) Intel® -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)

SRV - (VAIO Entertainment TV Device Arbitration Service) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe (Sony Corporation)

SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies)

SRV - (Image Converter video recording monitor for VAIO Entertainment) -- C:\Program Files\Sony\Image Converter 2\IcVzMon.exe (Sony Corporation)

SRV - (SonicStageMonitoring) -- C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe (Sony Corporation)

SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)

SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (iaStor) -- C:\WINDOWS\system32\drivers\iaStor.sys (Intel Corporation)

DRV - (SAVRKBootTasks) -- C:\WINDOWS\system32\SAVRKBootTasks.sys (Sophos Plc)

DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (X4HSX32) -- C:\Program Files\GameTap\bin\Release\X4HSX32.sys (Exent Technologies Ltd.)

DRV - (BANTExt) -- C:\WINDOWS\System32\Drivers\BANTExt.sys ()

DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (symlcbrd) -- C:\WINDOWS\system32\drivers\symlcbrd.sys (Symantec Corporation)

DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)

DRV - (AegisP) AEGIS Protocol (IEEE 802.1x) -- C:\WINDOWS\system32\drivers\AegisP.sys (Meetinghouse Data Communications)

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

DRV - (5U870CAP_VID_1262&PID_25FD) -- C:\WINDOWS\system32\drivers\5U870CAP.sys (Ricoh)

DRV - (slim) -- C:\WINDOWS\system32\drivers\slim.sys (Sony Corporation)

DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)

DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

DRV - (SonyImgF) -- C:\WINDOWS\system32\drivers\SonyImgF.sys (Sony Corporation)

DRV - (ti21sony) -- C:\WINDOWS\system32\drivers\ti21sony.sys (Texas Instruments)

DRV - (Tosrfhid) -- C:\WINDOWS\system32\drivers\tosrfhid.sys (TOSHIBA Corporation.)

DRV - (Tosrfbd) -- C:\WINDOWS\system32\drivers\tosrfbd.sys (TOSHIBA CORPORATION)

DRV - (Tosrfusb) -- C:\WINDOWS\system32\drivers\tosrfusb.sys (TOSHIBA CORPORATION)

DRV - (Tosrfbnp) -- C:\WINDOWS\system32\drivers\tosrfbnp.sys (TOSHIBA Corporation)

DRV - (w39n51) Intel® -- C:\WINDOWS\system32\drivers\w39n51.sys (Intel


ComboFix

ComboFix 10-01-02.01 - Chris 01/02/2010 21:57:48.7.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1485 [GMT -6:00]

Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))

.

2010-01-03 01:24 . 2009-06-18 18:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2010-01-03 00:37 . 2010-01-03 00:37 -------- d-----w- c:\program files\Sophos

2009-12-28 04:48 . 2009-12-28 04:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-12-26 21:11 . 2009-12-26 21:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-12-26 09:27 . 2010-01-03 04:04 767488 ----a-w- c:\windows\system32\drivers\pocvxl.sys

2009-12-26 09:25 . 2009-12-26 09:25 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSJNID_APDM

2009-12-26 09:25 . 2009-12-21 05:56 443352 ----a-w- c:\documents and settings\All Users\Application Data\4631d99\sqlite3.dll

2009-12-26 09:25 . 2009-12-21 05:56 710104 ----a-w- c:\documents and settings\All Users\Application Data\4631d99\mozcrt19.dll

2009-12-26 09:24 . 2009-12-26 09:25 -------- d-sh--w- c:\documents and settings\All Users\Application Data\4631d99

2009-12-26 09:22 . 2009-12-26 09:22 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-12-26 08:02 . 2010-01-03 03:54 -------- d-----w- c:\documents and settings\Chris\Application Data\Skype

2009-12-26 07:59 . 2009-12-26 07:59 -------- d-----w- c:\program files\Common Files\Skype

2009-12-26 07:59 . 2009-12-27 05:04 -------- d-----r- c:\program files\Skype

2009-12-26 07:59 . 2009-12-26 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2009-12-26 07:38 . 2009-12-26 07:38 -------- d-----w- c:\documents and settings\Chris\Application Data\oovootb

2009-12-26 07:29 . 2009-12-26 07:29 -------- d-----w- c:\documents and settings\Chris\Application Data\EmailNotifier

2009-12-26 07:28 . 2009-12-26 07:30 -------- d-----w- c:\documents and settings\Chris\Application Data\ooVoo Details

2009-12-26 07:28 . 2009-12-26 07:28 -------- d-----w- c:\documents and settings\All Users\Application Data\EmailNotifier

2009-12-26 07:28 . 2009-12-26 07:28 -------- d-----w- c:\program files\ooVoo

2009-12-11 10:30 . 2009-12-11 10:30 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-08 21:58 . 2009-12-08 21:58 -------- d-----w- c:\program files\MSECache

2009-12-04 16:03 . 2009-12-04 16:03 251376 ----a-w- c:\documents and settings\Chris\Application Data\Mozilla\plugins\npgoogletalk.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-02 23:56 . 2008-08-24 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-02 23:55 . 2008-08-24 00:26 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-30 20:55 . 2008-08-24 00:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-30 20:54 . 2008-08-24 00:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-26 10:15 . 2006-08-11 23:01 250368 ----a-w- c:\windows\system32\drivers\iaStor.sys

2009-12-26 07:28 . 2006-08-11 23:53 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-17 22:53 . 2006-08-12 01:08 70400 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-30 00:12 . 2008-09-21 14:47 -------- d-----w- c:\program files\Warcraft III

2009-11-16 07:20 . 2009-08-28 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\CraigsPal

2009-11-05 22:37 . 2009-11-05 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-11-05 17:30 . 2008-03-16 22:31 -------- d-----w- c:\program files\PokerRoom.com

2009-11-05 17:29 . 2009-01-14 00:24 -------- d-----w- c:\program files\PokerStars.NET

2009-11-05 02:50 . 2009-11-05 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2009-11-05 02:50 . 2009-11-05 02:50 836464 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe

2009-11-05 02:50 . 2009-11-05 02:50 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2009-10-29 07:45 . 2006-08-11 23:00 916480 ------w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2006-08-11 23:00 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2006-08-11 23:00 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-03 23:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2006-08-11 23:00 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2006-08-11 23:00 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2006-08-11 23:00 79872 ----a-w- c:\windows\system32\raschap.dll

2007-08-06 17:07 . 2009-05-30 01:11 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll

2007-07-18 19:54 . 2009-05-30 01:11 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll

.

((((((((((((((((((((((((((((( SnapShot_2009-12-27_18.42.25 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-01-03 03:54 . 2010-01-03 03:54 16384 c:\windows\temp\Perflib_Perfdata_354.dat

+ 2010-01-03 03:54 . 2010-01-03 03:54 16384 c:\windows\temp\Perflib_Perfdata_100.dat

+ 2004-08-03 22:59 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys

+ 2006-08-11 23:14 . 2009-12-27 20:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat


- 2006-08-11 23:14 . 2009-12-27 18:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-08-01 14:09 . 2009-12-27 18:30 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2009-08-01 14:09 . 2009-12-27 20:10 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2009-09-09 20:14 . 2009-12-27 20:10 245760 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-09-09 20:14 . 2009-12-27 18:30 245760 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-04 133104]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-06 7561216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"EditLevel"= 0 (0x0)

"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PolicyKey.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PolicyKey.lnk

backup=c:\windows\pss\PolicyKey.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]

backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2004-11-18 03:47 118784 ----a-w- c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppMon Utility]

2006-06-22 23:11 29696 ----a-w- c:\program files\Sony\AppMonUtil\AppMonUtility.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]

2006-06-02 00:55 1077248 ----a-w- c:\program files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2006-04-13 20:36 50792 ----a-w- c:\program files\Common Files\AOL\1187118198\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

2006-02-21 23:59 143360 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]

2004-02-20 21:12 32768 ----a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-03-30 15:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

2008-04-17 23:27 9117696 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]

2006-06-29 21:17 319488 ----a-w- c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NmDesktopActions]

2009-01-30 22:05 71168 ----a-w- c:\program files\Ipswitch\WhatsUp\NmDesktopActions.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMTaskTray]

2009-01-30 22:15 67856 ----a-w- c:\program files\Ipswitch\WhatsUp\NmTaskTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-07-06 18:36 7561216 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2006-07-06 18:36 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PartSeal]

2003-04-20 04:08 28672 ----a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-03-29 04:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]

2006-08-05 21:13 217088 ----a-w- c:\program files\Sony\VAIO Power Management\SPMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2006-05-03 09:56 36975 ----a-w- c:\program files\Java\jre1.5.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]

2006-02-14 19:11 176128 ----a-w- c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]

2003-04-20 04:08 28672 ----a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]

2005-10-12 04:36 151552 ----a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]

2005-12-27 20:58 69632 ----a-w- c:\program files\Sony\VAIO Camera Utility\VCUServe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]

2005-06-13 22:42 258048 ----a-w- c:\program files\Sony\VAIO Survey\SurveySA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Symantec Core LC"=2 (0x2)

"SPBBCSvc"=2 (0x2)

"SNDSrvc"=2 (0x2)

"SAVScan"=3 (0x3)

"navapsvc"=2 (0x2)

"ccSetMgr"=2 (0x2)

"ccProxy"=2 (0x2)

"ccISPwdSvc"=3 (0x3)

"ccEvtMgr"=2 (0x2)

"NSCService"=3 (0x3)

"sp_rssrv"=2 (0x2)

"SPTISRV"=3 (0x3)

"PACSPTISVR"=3 (0x3)

"ose"=3 (0x3)

"MSCSPTISRV"=3 (0x3)

"iPod Service"=3 (0x3)

"IDriverT"=3 (0x3)

"FLEXnet Licensing Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"avg8wd"=2 (0x2)

"avg8emc"=2 (0x2)

"Ipswitch WhatsUp Engine"=2 (0x2)

"Ipswitch Web Server$WhatsUp"=2 (0x2)

"Ipswitch Netflow Collector"=2 (0x2)

"aawservice"=2 (0x2)

"6to4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Steam\\SteamApps\\mcconaughey14\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Games\\DotA Allstars\\DotA Allstars.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Sony\\VAIO Event Service\\VESMgr.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Documents and Settings\\Chris\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Chris\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443

"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [1/2/2010 7:24 PM 18816]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

R2 MSSQL$WHATSUP;SQL Server (WHATSUP);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 2:27 AM 29262680]

R3 5U870CAP_VID_1262&PID_25FD;Sony Visual Communication Camera VGP-VCC2 ;c:\windows\system32\drivers\5U870CAP.sys [8/11/2006 5:00 PM 75264]

R3 slim;Sony Lucid Integrated Mpeg encoder;c:\windows\system32\drivers\slim.sys [8/11/2006 5:00 PM 698496]

R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [8/11/2006 5:01 PM 30080]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [8/11/2006 5:00 PM 226304]

S2 drfqbhyu;drfqbhyu;c:\windows\system32\drivers\vahq.sys --> c:\windows\system32\drivers\vahq.sys [?]

S2 jaefven;jaefven;c:\windows\system32\drivers\aaddju.sys --> c:\windows\system32\drivers\aaddju.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]

S3 MKOQKVIKMMDGUQM;MKOQKVIKMMDGUQM;c:\docume~1\Chris\LOCALS~1\Temp\MKOQKVIKMMDGUQM.exe --> c:\docume~1\Chris\LOCALS~1\Temp\MKOQKVIKMMDGUQM.exe [?]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 3:10 PM 32512]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

S4 Ipswitch Netflow Collector;Ipswitch Netflow Collector;c:\program files\Ipswitch\WhatsUp\BWCollector.Net.exe [7/25/2009 5:16 AM 131072]

S4 Ipswitch Web Server$WhatsUp;Ipswitch Web Server$WhatsUp;c:\program files\Ipswitch\WhatsUp\NmWebService.exe [7/25/2009 5:16 AM 115200]

S4 Ipswitch WhatsUp Engine;Ipswitch WhatsUp Engine;c:\program files\Ipswitch\WhatsUp\NmService.exe [7/25/2009 5:16 AM 125952]

--- Other Services/Drivers In Memory ---

*Deregistered* - pocvxl

.

Contents of the 'Scheduled Tasks' folder

2009-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

2009-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1050492332-23708434-2183325835-1006Core.job

- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-04 02:43]

2010-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1050492332-23708434-2183325835-1006UA.job

- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-04 02:43]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.mystart.com?pr=oovoo2_0

uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople

uInternet Settings,ProxyOverride = *.local

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: trymedia.com

FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\y3p2vr47.default\

FF - prefs.js: browser.startup.homepage - lamotorcars.com

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - plugin: c:\documents and settings\Chris\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll

FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll

FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll

FF - plugin: c:\program files\kSolo\npAVX.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

.

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\3.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pocvxl]

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)

c:\windows\system32\VESWinlogon.dll

.

Completion time: 2010-01-02 22:06:13

ComboFix-quarantined-files.txt 2010-01-03 04:06

ComboFix2.txt 2010-01-03 03:43

ComboFix3.txt 2010-01-02 01:17

ComboFix4.txt 2009-12-28 06:23

ComboFix5.txt 2010-01-03 03:56

Pre-Run: 129,267,900,416 bytes free

Post-Run: 129,231,978,496 bytes free

- - End Of File - - EEF536BDB070EAF938C63D60374500B8

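As an added example (my code, not part of the thread and not from ComboFix, GMER or The Avenger), here is a small Python triage pass over ComboFix "R"/"S" service lines like the ones in the log above. It flags the indicators the helpers acted on in this thread: an image file ComboFix could not find on disk (`[?]`), an image living in a Temp folder or as a `*.tmp`, and a random-looking service name with no separate display name. The sample lines are copied from the log; the heuristics and thresholds are my assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: "R"/"S" service lines copied from the ComboFix log in this thread.
SAMPLE = r"""
R3 slim;Sony Lucid Integrated Mpeg encoder;c:\windows\system32\drivers\slim.sys [8/11/2006 5:00 PM 698496]
S2 drfqbhyu;drfqbhyu;c:\windows\system32\drivers\vahq.sys --> c:\windows\system32\drivers\vahq.sys [?]
S2 jaefven;jaefven;c:\windows\system32\drivers\aaddju.sys --> c:\windows\system32\drivers\aaddju.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 MKOQKVIKMMDGUQM;MKOQKVIKMMDGUQM;c:\docume~1\Chris\LOCALS~1\Temp\MKOQKVIKMMDGUQM.exe --> c:\docume~1\Chris\LOCALS~1\Temp\MKOQKVIKMMDGUQM.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 3:10 PM 32512]
"""

# <R|S><start type> <name>;<display>;<image> [<date size> | ?]   ("[?]" = image not found on disk)
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.+)\]$")

@dataclass
class Service:
    state: str        # R = running, S = stopped
    start: int        # 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled
    name: str
    display: str
    image: str
    file_found: bool
    reasons: list = field(default_factory=list)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, image, info = m.groups()
    image = image.split(" --> ")[-1]            # keep the resolved path after "-->"
    return Service(state, int(start), name, display, image, info != "?")

def triage(svc):
    # Heuristics (my assumptions) mirroring the indicators visible in this thread's logs.
    low = svc.image.lower()
    if not svc.file_found:
        svc.reasons.append("image file missing on disk")
    if "\\temp\\" in low or low.endswith(".tmp"):
        svc.reasons.append("image in a temp location")
    if svc.name == svc.display and re.search(r"[^aeiou\W\d]{5,}", svc.name.lower()):
        svc.reasons.append("random-looking name, no display name")
    return svc

def suspicious_services(text):
    found = []
    for line in text.splitlines():
        svc = parse_line(line)
        if svc and triage(svc).reasons:
            found.append(svc)
    return found
```

Running `suspicious_services(SAMPLE)` returns the four randomly named or orphaned entries and leaves the Sony and WinPcap drivers alone; a hit only means "look at this", not "delete this".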

Finally completed a gmer scan.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-01-04 04:31:39

Windows 5.1.2600 Service Pack 3

Running: 10pm9wim.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\awldrpob.sys

---- Kernel code sections - GMER 1.0.15 ----

.pak2 C:\WINDOWS\system32\drivers\pocvxl.sys entry point in ".pak2" section [0xBA6B1509]

? C:\WINDOWS\system32\drivers\pocvxl.sys A device attached to the system is not functioning.

PAGE Ntfs.sys BA454E56 3 Bytes CALL 8A89779A

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8C7B360, 0x22117D, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A842EE0

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [bOOT] pocvxl <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\pocvxl@Type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\pocvxl@Start 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\pocvxl@ErrorControl 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\pocvxl@Group Boot Bus Extender

Reg HKLM\SYSTEM\ControlSet002\Services\pocvxl@Type 1

Reg HKLM\SYSTEM\ControlSet002\Services\pocvxl@Start 0

Reg HKLM\SYSTEM\ControlSet002\Services\pocvxl@ErrorControl 0

Reg HKLM\SYSTEM\ControlSet002\Services\pocvxl@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----


1. Please download The Avenger2 by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
drfqbhyu
jaefven
MKOQKVIKMMDGUQM
pocvxl

Files to delete:
C:\WINDOWS\system32\drivers\pocvxl.sys

Folders to delete:
c:\documents and settings\All Users\Application Data\4631d99

Registry keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pocvxl
HKLM\SYSTEM\ControlSet002\Services\pocvxl

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.


Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Driver "drfqbhyu" deleted successfully.

Driver "jaefven" deleted successfully.

Driver "MKOQKVIKMMDGUQM" deleted successfully.

Driver "pocvxl" deleted successfully.

File "C:\WINDOWS\system32\drivers\pocvxl.sys" deleted successfully.

Folder "c:\documents and settings\All Users\Application Data\4631d99" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pocvxl" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pocvxl" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet002\Services\pocvxl" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.43

Database version: 3494

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/4/2010 4:55:38 PM

mbam-log-2010-01-04 (16-55-38).txt

Scan type: Quick Scan

Objects scanned: 123059

Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I'm running the ESET scan now and will post the results. So far so good!


C:\Qoobox\Quarantine\C\uwlwfa.exe.vir a variant of Win32/Refpron.DL trojan deleted - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\dydmspcn.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir Win32/Olmarik.RF virus deleted - quarantined

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus deleted - quarantined

Here's the results from the ESET scan. Anything else need to be done?


=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

======Next======

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 17...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is leftover.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people to help prevent malware and for general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, emule, Utorrent, etc.
