
Rootkit on System - a challenge to your skills



OK, it is March 14th and RootRepeal just crashed after running continuously since March 8th. :o

Here is the report, found after the crash on my desktop:

ROOTREPEAL CRASH REPORT

-------------------------

Windows Version: Windows XP SP3

Exception Code: 0xc0000005

Exception Address: 0x0041102f

Attempt to read from address: 0x051d0248

What should I do next? It ran almost 6 days last time... :blink:


Please download Rootkit Unhooker and save it to your desktop.

  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it, typically your desktop. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


maniac: I was able to run a copy I had of Rootkit Unhooker & it finished its run, but when I pasted the contents of the log and pressed "post", Firefox crashed & I got an error page indicating a problem with the Malwarebytes server (which I regret having to say I did not write down). However, now my browser on the subject machine will not let me go to the site. I will get the contents of the log & post them from another PC later today. Thanks for your help so far & your perseverance.


OK, here is the file. Please tell me what to do next. Thanks again. :)

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xB5CBA000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10534912 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 257.21 )

0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6303744 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 257.21 )

0xABDCF000 C:\WINDOWS\system32\drivers\kl1.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)

0xB58C1000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 3645440 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))

0xA6FCC000 C:\WINDOWS\system32\DRIVERS\LV302V32.SYS 2682880 bytes (Logitech Inc., Logitech Webcam Software Driver)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2154496 bytes

0x804D7000 RAW 2154496 bytes

0x804D7000 WMIxWDM 2154496 bytes

0xBF800000 Win32k 1855488 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xA4A39000 C:\WINDOWS\system32\drivers\nixsrk.dll 1699840 bytes (National Instruments Corporation, NI M Series Runtime)

0xB56E6000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 987136 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)

0xB57D7000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 958464 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)

0xA47B1000 C:\WINDOWS\system32\drivers\nitiork.dll 913408 bytes (National Instruments Corporation, NI TIO Counter Runtime Library)

0xA5C25000 C:\WINDOWS\System32\Drivers\Nidaq32k.SYS 696320 bytes (National Instruments Corporation, NI-DAQ Windows NT Kernel Driver)

0xB7D01000 nipalk.sys 651264 bytes (National Instruments Corporation, NI-PAL Driver for Windows)

0xB7DCD000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xA791A000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xB5630000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xAB9B2000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xA69AE000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)

0xA4890000 C:\WINDOWS\system32\drivers\nisdigk.dll 352256 bytes (National Instruments Corporation, NI Static Digital Component)

0xAE1EE000 C:\WINDOWS\system32\DRIVERS\klif.sys 331776 bytes (Kaspersky Lab, Klif Mini-Filter [fre_wnet_x86])

0xA60FD000 C:\WINDOWS\system32\drivers\nimru2k.dll 319488 bytes (National Instruments Corporation, NI Measurement Routing Utilities)

0xBD615000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xA6342000 C:\WINDOWS\system32\drivers\nimxdfk.dll 270336 bytes (National Instruments Corporation, NI mx Driver Framework)

0xA421F000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xA6F8C000 C:\WINDOWS\system32\DRIVERS\lvrs.sys 262144 bytes (Logitech Inc., Logitech Kernel Audio Improvement Filter Driver)

0xA6859000 C:\WINDOWS\system32\DRIVERS\nicanpk.dll 249856 bytes (National Instruments Corporation, NI-CAN kernel driver)

0xB66C6000 C:\WINDOWS\system32\DRIVERS\yk51x86.sys 233472 bytes (Marvell, NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller)

0xA496C000 C:\WINDOWS\system32\drivers\nidmxfk.dll 225280 bytes (National Instruments Corporation, NI-DAQmx Framework)

0xA6384000 C:\WINDOWS\system32\drivers\nimdbgk.dll 225280 bytes (National Instruments Corporation, NI Measurements DeBuG Library)

0xA4939000 C:\WINDOWS\system32\drivers\nicdrk.dll 208896 bytes (National Instruments Corporation, NI Common Digital Runtime)

0xA61ED000 C:\WINDOWS\system32\drivers\nidimk.dll 204800 bytes (National Instruments Corporation, NI Device Interconnect Manager)

0xA48E6000 C:\WINDOWS\system32\drivers\nimsdrk.dll 200704 bytes (National Instruments Corporation, NI Measurements Streaming DMA Runtime Component)

0xB568E000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xB7F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xA6A56000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xB7DA0000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xA3FD0000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xA798A000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xA6F64000 C:\WINDOWS\system32\DRIVERS\CA506AV.SYS 163840 bytes (X10, Universal Serial Bus Video Capture Driver)

0xAB98A000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xB7F0F000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xAB964000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xA6F11000 C:\WINDOWS\System32\Drivers\dump_nvgts.sys 151552 bytes

0xB7EBB000 nvgts.sys 151552 bytes (NVIDIA Corporation, NVIDIA

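One way to triage a driver listing like the one above, as an added example (this is not RkU's code and not code from anyone in this thread). It parses the RkU line format and applies three heuristics of its own: bare-name entries that do not share a base address with a pathed module, modules loaded from outside C:\WINDOWS\system32, and modules with no vendor/description string. The sample lines are copied from the log above except the last, which is constructed to exercise the outside-system32 rule. None of the flags is a verdict: boot-start drivers are routinely listed by bare name, and dump_*.sys crash-dump copies carry no version block. They are simply the rows to verify on disk first.

```python
r"""Triage the '>Drivers' section of a Rootkit Unhooker (RkU) report.

Added example for this thread; not code from RkU or from any poster.
Lines have the shape

    0xB5CBA000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10534912 bytes (Vendor, Description)

The description block is optional (dump_*.sys copies have none) and
several pseudo-modules (PnpManager, RAW, WMIxWDM, Win32k) share a base
address with the real kernel/win32k image; those are aliases, not extra
drivers, and are skipped.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Paths in this log contain no spaces; a path with spaces would need a smarter split.
DRIVER_RE = re.compile(
    r"^0x(?P<base>[0-9A-Fa-f]{8})\s+(?P<name>\S+)\s+(?P<size>\d+)\s+bytes"
    r"(?:\s+\((?P<desc>.*)\))?\s*$"
)

SYSTEM32 = "c:\\windows\\system32\\"

NO_PATH = "no on-disk path reported"
OUTSIDE_SYSTEM32 = "loaded from outside system32"
NO_DESC = "no vendor/description"

# All lines but the last are copied from the RkU log in this thread; the last
# (C:\WINDOWS\Temp\xyz.sys) is constructed to exercise the outside-system32 rule.
SAMPLE_LOG = r"""
0xB5CBA000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10534912 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 257.21 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0xB7D01000 nipalk.sys 651264 bytes (National Instruments Corporation, NI-PAL Driver for Windows)
0xB7DCD000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA6F11000 C:\WINDOWS\System32\Drivers\dump_nvgts.sys 151552 bytes
0xA1230000 C:\WINDOWS\Temp\xyz.sys 12288 bytes
"""


@dataclass
class Driver:
    base: int
    name: str
    size: int
    desc: Optional[str]

    @property
    def has_path(self) -> bool:
        return "\\" in self.name


def parse_drivers(text: str) -> List[Driver]:
    """Parse every line that matches the RkU driver format; ignore the rest."""
    drivers = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            drivers.append(Driver(int(m["base"], 16), m["name"], int(m["size"]), m["desc"]))
    return drivers


def flag_drivers(drivers: List[Driver]) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for entries worth a second look."""
    pathed_bases = {d.base for d in drivers if d.has_path}
    findings = []
    for d in drivers:
        if not d.has_path and d.base in pathed_bases:
            continue  # alias of a pathed image at the same base (kernel/win32k pseudo-modules)
        reasons = []
        if not d.has_path:
            reasons.append(NO_PATH)
        elif not d.name.lower().startswith(SYSTEM32):
            reasons.append(OUTSIDE_SYSTEM32)
        if not d.desc:
            reasons.append(NO_DESC)
        if reasons:
            findings.append((d.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in flag_drivers(parse_drivers(SAMPLE_LOG)):
        print(f"{name}: {', '.join(reasons)}")
```

On the posted log this flags nipalk.sys, Ntfs.sys and the other bare-name boot drivers for a path check, and dump_nvgts.sys for its missing version block; the real question for each is whether the file on disk at the expected location matches the loaded image, which is what the on-disk verification step is for.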

Maniac: Anything else I can do now? Should I rerun Rootkit Unhooker and let it clean the suspected rootkit? LWS.exe and explorer.exe are two of the applications I have suspected of being compromised on my machine. Is there some way to clean or clear this problem?

Are you OK? :unsure:


Since you have not been in touch with me since March 14th I reran MBAM (no problems). Kaspersky Pure found Trojan-Downloader.Win32.CodecPack.sjt in c:\windows\system32\2BAA4577.exe on my machine and cleaned it.

I still need your help.

Obviously this machine is still infected because it is off all of the time except when I run a check or do what you suggest. If it got infected that means it has not been effectively cleaned and the source of the infection has not been located.

Can you or one of the others on this board give me some direction? :(


So I guess this means I do have a rootkit that no one knows how to clean. Interesting. :blink:

In that case, it appears my only choice is to remove the drive, attach it as a second or third drive to another PC and run a complete scan on it. If the drive comes out clean I have a couple of options afterwards, including backing up the now "clean" c drive with clonezilla.

1. Format it and then "restore" the backup using clonezilla.

2. Replace it and restore to a new drive.

3. Get a new drive and reinstall everything (about 2 weeks' work in my "spare time"). :o

In the meantime, I can use a boot disk and reflash my main board BIOS to clear out any rootkits before I attempt to get any hard drive working with the motherboard again.

Does this sound like a reasonable approach? :huh:


Just a follow up to my last posting - I pulled my hard drive from my system, booted from a usb drive and reflashed the board bios with a known good bios. Then I installed Windows XP SP3, Kaspersky Pure, and the activity has persisted!

One of the things I found out - some of the activity I was seeing was due to the rootkit and trojan using Microsoft's User Assist technology. I was able to turn that off using Didier Stevens' UserAssist tool. :)

However, I am still seeing hard disk activity, specifically activity from explorer.exe, lsass.exe and csrss.exe that I can't find an explanation for - the main culprit now seems to be explorer.exe, which keeps looking at the registry entries for tcpip.

In any case, I will work on this as time allows - hopefully you or one of the other experts can come up with something to help me to stop this unnecessary and suspicious drive activity. :rolleyes:


Please don't attach the scans / logs for these tools, use "copy/paste".

Let's try a new rootkit scanner.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it


Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply


Thank you for stepping in on this issue. I followed the instructions and here are the log results:

aswMBR version 0.9.4 Copyright© 2011 AVAST Software

Run date: 2011-03-27 18:01:08

-----------------------------

18:01:08.500 OS Version: Windows 5.1.2600 Service Pack 3

18:01:08.500 Number of processors: 2 586 0x2B01

18:01:08.500 ComputerName: BILLZMAIN4 UserName:

18:01:17.015 Initialize success

18:01:35.406 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000068

18:01:35.406 Disk 0 Vendor: WDC_WD5000AAKS-00UU3A0 01.03B01 Size: 476940MB BusType: 3

18:01:35.421 Disk 0 MBR read successfully

18:01:35.421 Disk 0 MBR scan

18:01:35.421 Disk 0 scanning sectors +976752000

18:01:35.453 Disk 0 scanning C:\WINDOWS\system32\drivers

18:01:41.000 Service scanning

18:01:41.843 Disk 0 trace - called modules:

18:01:41.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys

18:01:41.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a328ab8]

18:01:41.843 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000069[0x8a325ac0]

18:01:41.843 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\00000068[0x8a323030]

18:01:41.843 Scan finished successfully

Please let me know what to try next.

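The aswMBR log above says "MBR read successfully" and "MBR scan" but not what was checked. As an added example (not aswMBR's code and not code from anyone in this thread), here is what an MBR check of that kind looks like: verify the 0x55AA signature, walk the four 16-byte partition entries, and compare a hash of the boot code (bytes 0 to 439) with a baseline taken when the machine was known clean, since a bootkit that replaces the boot code changes that hash while leaving the partition table intact. The sectors below are constructed here, not read from the poster's disk; the partition geometry and the "standard-looking" boot code prologue are assumptions of the example.

```python
"""Check a 512-byte MBR: signature, partition table, boot-code hash vs. baseline.

Added example; not code from aswMBR or from any poster in this thread.
All sector contents are constructed in this file.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440       # bytes 0..439 boot code; 440..443 disk signature; 446..509 table
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIG_OFF = 510

# One entry: status, CHS start (3 bytes, ignored), type, CHS end (3, ignored), LBA start, sector count
PART_ENTRY = struct.Struct("<B3xB3xII")


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    assert len(boot_code) <= BOOT_CODE_LEN
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, entry in enumerate(entries):
        PART_ENTRY.pack_into(mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN, *entry)
    mbr[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


def parse_partitions(mbr: bytes) -> List[Dict]:
    parts = []
    for i in range(4):
        status, ptype, lba, count = PART_ENTRY.unpack_from(mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts


def boot_code_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> List[str]:
    """Return a list of findings; an empty list means the sector matches expectations."""
    if len(mbr) != SECTOR:
        return ["sector is not 512 bytes"]
    findings = []
    if mbr[SIG_OFF:SIG_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    if sum(p["active"] for p in parts) != 1:
        findings.append("active partition count is not 1")
    for p in parts:
        if p["lba_start"] == 0:
            findings.append(f"partition {p['index']} starts at LBA 0")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("partition table entries overlap")
            break
    return findings


# Constructed boot code: the first bytes of a conventional MBR bootstrap (xor ax,ax; mov ss,ax; ...).
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfb")
# Constructed geometry: one active NTFS partition starting at LBA 63 (an assumption, not the poster's disk).
PARTITIONS = [(0x80, 0x07, 63, 976751937)]

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)          # recorded while the machine was known clean
# Constructed tampering: the first instruction replaced by a short jump, table untouched.
TAMPERED_MBR = build_mbr(b"\xeb\x3c" + CLEAN_BOOT_CODE[2:], PARTITIONS)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

A copy of the MBR read from inside a running, possibly infected system can itself be faked by a rootkit sitting in the disk stack, which is why aswMBR prints the "trace - called modules" lines showing which drivers it went through. For a copy you can trust, read sector 0 after booting from clean media and keep that hash as the baseline.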

Since you asked...

To begin with, my fresh install of Windows XP SP3 on a brand new hard drive shows disk activity blinking the hard disk LED multiple times per second in a seemingly rhythmic manner. Process Monitor 2.94 shows activity from explorer.exe, lsass.exe, avp.exe, winlogon.exe, svchost.exe and others with results of "BUFFER OVERFLOW" & "NAME NOT FOUND" almost exclusively (except when I open a program or close one or when some known process is accessing the drives). Most of the Explorer.exe and avp.exe accesses are to HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind.

Also, prior to putting in the new drive I used a USB boot drive to boot and flashed the BIOS with a known good BIOS. After installing Windows XP SP3, when I run any of the ASUS update tools it gives an error indicating "no ASUS motherboard found", or just garbage characters are returned and the update tool crashes. Also, prior to the restaging of the PC, Kaspersky Pure would find Trojan-Downloader.Win32.CodecPack.sjt on an occasional basis when other tools were run to find rootkits. For instance, if I ran Rootkit Unhooker LE and told Kaspersky to ignore the startup of the tools (drivers) it uses, Kaspersky would detect services running that were infected with the trojan mentioned. From what I understand that particular trojan is the payload of a rootkit in many instances.

Again, I can't say for sure, but since I do not participate in illegal downloading and I have my system locked down pretty well, I can't see how I can keep getting infected or seeing signs of infection, especially since I am the only user of the machine. And then there is the "MS User Assist" loop that was occurring until I found out how to turn it off. How did that get started on a brand new clean install?


If you Google "BUFFER OVERFLOW" & "NAME NOT FOUND" you'll see a lot of different information.

As for the HD activity, mine does that and, as far as I know, every PC does.

You don't have to have the internet open for that to happen. Your anti-virus / anti-malware and any other program will "look" for updates.

The anti-virus / anti-malware programs are always making checks for updates and anything new.

You don't have to do anything to get infected. There are many "drive by" infections out there that infect legit sites and all you have to do is visit.

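The two results the poster is seeing have ordinary explanations in Process Monitor traces: a BUFFER OVERFLOW on RegQueryValue immediately followed by SUCCESS on the same key from the same process is the normal two-call pattern (first call asks for the size, second call reads the value), and NAME NOT FOUND on RegOpenKey is a probe for a key that does not exist. What is worth attention in such a trace is a successful write-type operation by a process you did not expect. As an added example (not code from Process Monitor or from anyone in this thread), the script below summarises a Procmon CSV export and pulls those out. It assumes the default export columns ("Time of Day","Process Name","PID","Operation","Path","Result","Detail"); the CSV rows are constructed for the example, with the Tcpip\Linkage\Bind key taken from the post above and the Run-key write in the last row invented to exercise the filter.

```python
r"""Summarise a Process Monitor CSV export: size probes vs. real writes.

Added example; not code from Process Monitor or from any poster.
Assumes the default column set Procmon writes on File > Save as CSV.
The rows in SAMPLE_CSV are constructed.
"""
import csv
import io
from collections import Counter
from typing import Dict, List

# Operations that change state; a SUCCESS on one of these is the interesting event.
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey",
             "WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile"}

# Constructed rows. The Tcpip\Linkage\Bind path comes from the thread; the svchost.exe
# write to a Run key is invented to show what the filter is meant to surface.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"6:01:02.1234567 PM","Explorer.EXE","1432","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind","BUFFER OVERFLOW","Length: 144"
"6:01:02.1234601 PM","Explorer.EXE","1432","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind","SUCCESS","Type: REG_MULTI_SZ, Length: 144"
"6:01:02.2000000 PM","avp.exe","1880","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer","NAME NOT FOUND","Desired Access: Read"
"6:01:03.0000000 PM","svchost.exe","1020","RegSetValue","HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater","SUCCESS","Type: REG_SZ, Length: 52, Data: C:\WINDOWS\Temp\updater.exe"
'''


def parse_procmon_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows: List[Dict[str, str]]) -> Counter:
    """Count events per (process, result), the first view to take of a noisy trace."""
    return Counter((r["Process Name"], r["Result"]) for r in rows)


def paired_size_probes(rows: List[Dict[str, str]]) -> int:
    """Count BUFFER OVERFLOW rows that are the first half of a size-query/read pair."""
    n = 0
    for a, b in zip(rows, rows[1:]):
        if (a["Result"] == "BUFFER OVERFLOW" and b["Result"] == "SUCCESS"
                and a["Process Name"] == b["Process Name"]
                and a["Operation"] == b["Operation"] and a["Path"] == b["Path"]):
            n += 1
    return n


def flag_writes(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Successful state-changing operations; review each against what the process should do."""
    return [r for r in rows if r["Operation"] in WRITE_OPS and r["Result"] == "SUCCESS"]


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for (proc, result), count in sorted(summarize(rows).items()):
        print(f"{proc:14} {result:16} {count}")
    print("paired size probes:", paired_size_probes(rows))
    for r in flag_writes(rows):
        print("WRITE:", r["Process Name"], r["Operation"], r["Path"], r["Detail"])
```

Run against a real export, the write list is short enough to read by hand, and it is where a persistence change would show up; the BUFFER OVERFLOW and NAME NOT FOUND counts are useful only as a baseline to compare against another machine.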

The RootKit tools you've run I feel would have shown a RootKit.

I would never tell anyone their pc is 100% clean.

I couldn't even say mine is.

Lets try to go at this with a fresh start.

Do you have DDS already? If so run a new scan and post the results using copy/paste.

If not,

Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

Please copy / paste the scan results.

DDS.txt


OK, here are the contents of dds.txt. I was not prompted for any optional scan. :o

DDS (Ver_09-06-26.01) - NTFSx86

Run by William Osipoff at 21:06:16.26 on Wed 03/30/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1543 [GMT -4:00]

AV: Kaspersky PURE *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky PURE *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

svchost.exe

C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe

C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\William Osipoff\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky pure\ievkbd.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky pure\klwtbbho.dll

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky pure\avp.exe"

mRun: [Launch Ai Booster] "c:\program files\asus\ai booster\OverClk.exe"

mRun: [soundMan] SOUNDMAN.EXE

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky pure\ie_banner_deny.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky pure\klwtbbho.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky pure\klwtbbho.dll

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

Notify: klogon - c:\windows\system32\klogon.dll

AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\willia~1\applic~1\mozilla\firefox\profiles\93xsdpge.default\

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [2011-3-25 88632]

R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]

R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [2011-3-25 39352]

R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-3-25 315408]

R1 spusbaudio;USB Microphone;c:\windows\system32\drivers\CA506AA.sys [2011-3-29 39824]

R2 AVP;Kaspersky PURE;c:\program files\kaspersky lab\kaspersky pure\avp.exe [2010-10-1 348760]

R2 CSObjectsSrv;CryptoStorage control service;c:\program files\common files\infowatch\cryptostorage\ProtectedObjectsSrv.exe [2009-12-21 743992]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]

R3 SPCA506AV;X10 VA11A Video Capture;c:\windows\system32\drivers\CA506AV.SYS [2011-3-29 162096]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 BS_DEF;BS_DEF;c:\windows\BS_DEF.sys [2011-3-26 12800]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-03-30 20:50 <DIR> --d----- c:\program files\common files\Sonic Shared

2011-03-30 20:50 <DIR> --d----- c:\program files\common files\HP

2011-03-30 20:48 <DIR> --d----- c:\windows\system32\URTTEMP

2011-03-30 20:47 <DIR> --d----- c:\program files\common files\Hewlett-Packard

2011-03-30 20:46 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys

2011-03-30 20:46 15,104 a------- c:\windows\system32\drivers\usbscan.sys

2011-03-30 20:44 <DIR> --d----- c:\program files\HP

2011-03-30 20:44 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys

2011-03-30 20:44 25,856 a------- c:\windows\system32\drivers\usbprint.sys

2011-03-30 20:44 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys

2011-03-30 20:44 32,128 a------- c:\windows\system32\drivers\usbccgp.sys

2011-03-30 20:33 112,384 a------- c:\windows\hpoins07.dat

2011-03-30 20:33 21,124 -------- c:\windows\hpomdl07.dat

2011-03-30 20:18 51,120 a------- c:\windows\system32\drivers\HPZid412.sys

2011-03-30 20:18 21,744 a------- c:\windows\system32\drivers\HPZius12.sys

2011-03-30 20:18 16,496 a------- c:\windows\system32\drivers\HPZipr12.sys

2011-03-30 20:17 606,208 a------- c:\windows\system32\hpotscl.dll

2011-03-30 20:17 278,528 a------- c:\windows\system32\hpgwiamd.dll

2011-03-30 20:17 274,432 a------- c:\windows\system32\HPZc3212.dll

2011-03-30 20:17 258,122 a------- c:\windows\system32\hpovst08.dll

2011-03-30 20:17 98,304 a------- c:\windows\system32\hpzjsn01.dll

2011-03-30 20:16 393,216 a------- c:\windows\system32\hpzcon12.dll

2011-03-30 20:16 196,608 a------- c:\windows\system32\hpzcoi12.dll

2011-03-30 20:16 180,315 a------- c:\windows\system32\hpzsnt12.dll

2011-03-30 20:14 <DIR> --d----- c:\temp\HP_WebRelease

2011-03-29 20:31 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Active Home Professional

2011-03-29 20:31 69 a------- c:\windows\NeroDigital.ini

2011-03-29 20:29 <DIR> --d----- C:\TEMP

2011-03-29 20:13 154,496 ac------ c:\windows\system32\dllcache\icam4usb.sys

2011-03-29 20:02 162,096 a------- c:\windows\system32\drivers\CA506AV.SYS

2011-03-29 20:02 39,824 a------- c:\windows\system32\drivers\CA506AA.sys

2011-03-29 19:56 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\X10 Settings

2011-03-29 19:56 <DIR> --d----- C:\My Images

2011-03-29 19:45 17,792 a------- c:\windows\system32\drivers\x10ufx2.sys

2011-03-29 19:45 127,184 a------- c:\windows\Unwise.exe

2011-03-29 19:44 <DIR> --d----- c:\program files\common files\X10

2011-03-29 19:44 <DIR> --d----- c:\program files\ActiveHome Pro

2011-03-28 18:54 <DIR> --d----- c:\program files\MSXML 4.0

2011-03-27 19:47 <DIR> --d----- c:\windows\system32\NtmsData

2011-03-27 19:28 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\NVIDIA Corporation

2011-03-27 19:26 <DIR> --d----- c:\program files\NVIDIA Corporation

2011-03-27 19:26 <DIR> --d----- C:\NVIDIA

2011-03-27 19:08 940,794 a------- c:\windows\system32\LoopyMusic.wav

2011-03-27 19:08 146,650 a------- c:\windows\system32\BuzzingBee.wav

2011-03-27 19:08 60,416 a------- c:\windows\ALCFDRTM.VER

2011-03-27 19:08 60,416 a------- c:\windows\ALCFDRTM.EXE

2011-03-27 19:08 <DIR> --d----- c:\windows\system32\Lang

2011-03-27 18:56 54,156 a---h--- c:\windows\QTFont.qfn

2011-03-27 18:56 1,409 a------- c:\windows\QTFont.for

2011-03-27 17:52 <DIR> --d----- c:\program files\InterVideo

2011-03-27 17:48 2,297,552 a------- c:\windows\system32\d3dx9_26.dll

2011-03-27 17:43 24,064 -------- c:\windows\system32\msxml3a.dll

2011-03-27 17:43 364,544 -------- c:\windows\system32\TwnLib4.dll

2011-03-27 17:41 125,184 -------- c:\windows\system32\drivers\imagesrv.sys

2011-03-27 17:41 1,568,768 -------- c:\windows\system32\ImagX7.dll

2011-03-27 17:41 476,320 -------- c:\windows\system32\ImagXpr7.dll

2011-03-27 17:41 471,040 -------- c:\windows\system32\ImagXRA7.dll

2011-03-27 17:41 262,144 -------- c:\windows\system32\ImagXR7.dll

2011-03-27 17:41 106,496 -------- c:\windows\system32\TwnLib20.dll

2011-03-27 17:31 <DIR> --d----- c:\docume~1\willia~1\applic~1\NeroVision

2011-03-27 17:30 145,608 -------- c:\windows\UNNeroVision.cfg

2011-03-27 17:30 2,973,696 -------- c:\windows\UNNeroVision.exe

2011-03-27 17:25 57,344 a----r-- c:\windows\system32\ImageDrive.cpl

2011-03-27 17:25 5,504 -------- c:\windows\system32\drivers\imagedrv.sys

2011-03-27 17:24 38,912 -------- c:\windows\system32\picn20.dll

2011-03-27 17:24 544,768 a----r-- c:\windows\system32\imagx5.dll

2011-03-27 17:24 569,344 a----r-- c:\windows\system32\imagr5.dll

2011-03-27 17:24 283,920 a----r-- c:\windows\system32\ImagXpr5.dll

2011-03-27 17:24 155,648 a------- c:\windows\system32\NeroCheck.exe

2011-03-27 10:57 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

2011-03-26 22:14 <DIR> --d----- c:\windows\system32\XPSViewer

2011-03-26 22:13 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll

2011-03-26 22:13 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2011-03-26 22:13 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll

2011-03-26 22:13 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll

2011-03-26 22:13 <DIR> --d----- C:\2ff26beee0a37e7abce04b8faa8c86ac

2011-03-26 22:13 1,676,288 -------- c:\windows\system32\xpssvcs.dll

2011-03-26 22:13 575,488 -------- c:\windows\system32\xpsshhdr.dll

2011-03-26 22:13 117,760 -------- c:\windows\system32\prntvpt.dll

2011-03-26 20:08 13,312 a------- c:\windows\system32\lsass.exe

2011-03-26 20:07 6,144 a------- c:\windows\system32\csrss.exe

2011-03-26 16:50 <DIR> --d----- c:\program files\Paint.NET

2011-03-26 16:47 <DIR> --d-hr-- C:\AHCache

2011-03-26 16:40 <DIR> --d----- c:\docume~1\willia~1\applic~1\Malwarebytes

2011-03-26 16:39 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-26 16:39 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes

2011-03-26 16:39 20,952 a------- c:\windows\system32\drivers\mbam.sys

2011-03-26 16:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2011-03-26 16:25 169 a------- c:\windows\RtlRack.ini

2011-03-26 14:01 26,052 a------- c:\windows\Ascd_tmp.ini

2011-03-26 13:34 40,960 -c------ c:\windows\system32\dllcache\ndproxy.sys

2011-03-26 13:34 45,568 -c------ c:\windows\system32\dllcache\wab.exe

2011-03-26 13:34 974,848 -c------ c:\windows\system32\dllcache\mfc42.dll

2011-03-26 13:34 953,856 -c------ c:\windows\system32\dllcache\mfc40u.dll

2011-03-26 13:34 617,472 -c------ c:\windows\system32\dllcache\comctl32.dll

2011-03-26 12:45 115,830 a------- c:\windows\system32\nvapps.xml

2011-03-26 12:45 <DIR> --d----- c:\windows\nview

2011-03-26 12:45 356,352 a------- c:\windows\system32\nvudisp.exe

2011-03-26 12:45 17,177 a------- c:\windows\system32\nvdisp.nvu

2011-03-26 12:45 <DIR> --d----- c:\windows\NV2820684.TMP

2011-03-26 12:28 552 a------- c:\windows\system32\d3d8caps.dat

2011-03-26 12:28 <DIR> --d----- c:\program files\SystemRequirementsLab

2011-03-26 12:17 <DIR> --dsh--- c:\documents and settings\william osipoff\PrivacIE

2011-03-26 12:16 376 a------- c:\windows\ODBC.INI

2011-03-26 12:16 17,920 a------- c:\windows\system32\mdimon.dll

2011-03-26 12:15 <DIR> --d----- c:\program files\Microsoft ActiveSync

2011-03-26 12:14 <DIR> --d----- c:\windows\SHELLNEW

2011-03-26 11:36 <DIR> --d----- c:\windows\system32\bits

2011-03-26 11:26 <DIR> --dsh--- c:\documents and settings\william osipoff\IETldCache

2011-03-26 11:12 <DIR> --d----- c:\windows\ie8updates

2011-03-26 11:12 11,080,704 -c------ c:\windows\system32\dllcache\ieframe.dll

2011-03-26 11:12 1,991,680 -c------ c:\windows\system32\dllcache\iertutil.dll

2011-03-26 11:12 743,424 -c------ c:\windows\system32\dllcache\iedvtool.dll

2011-03-26 11:12 602,112 -c------ c:\windows\system32\dllcache\msfeeds.dll

2011-03-26 11:12 247,808 -c------ c:\windows\system32\dllcache\ieproxy.dll

2011-03-26 11:12 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll

2011-03-26 11:12 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll

2011-03-26 11:11 <DIR> -cd-h--- c:\windows\ie8

2011-03-26 10:56 <DIR> --d----- c:\windows\ServicePackFiles

2011-03-26 10:41 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys

2011-03-26 10:34 <DIR> --d----- c:\windows\system32\PreInstall

2011-03-26 10:34 26,144 a------- c:\windows\system32\spupdsvc.exe

2011-03-26 10:34 <DIR> --d-h--- c:\windows\$hf_mig$

2011-03-26 09:59 664 a------- c:\windows\system32\d3d9caps.dat

2011-03-26 09:58 <DIR> --d----- c:\windows\system32\SoftwareDistribution

2011-03-26 09:56 <DIR> --d----- c:\windows\system32\LogFiles

2011-03-26 09:56 <DIR> --d----- c:\program files\Marvell

2011-03-26 09:55 <DIR> --d----- c:\program files\Realtek Sound Manager

2011-03-26 09:55 <DIR> --d----- c:\program files\AvRack

2011-03-26 09:55 164 -----r-- c:\windows\avrack.ini

2011-03-26 09:55 <DIR> --d----- c:\program files\Realtek AC97

2011-03-26 09:55 3,644,800 a----r-- c:\windows\system32\drivers\ALCXWDM.SYS

2011-03-26 09:55 156,672 a----r-- c:\windows\system32\RTLCPAPI.dll

2011-03-26 09:55 90,112 a----r-- c:\windows\SOUNDMAN.EXE

2011-03-26 09:55 40,960 -----r-- c:\windows\system32\ChCfg.exe

2011-03-26 09:55 10,458,112 a----r-- c:\windows\system32\RTLCPL.EXE

2011-03-26 09:55 141,016 a----r-- c:\windows\system32\ALSNDMGR.WAV

2011-03-26 09:55 18,771,968 a----r-- c:\windows\system32\ALSNDMGR.CPL

2011-03-26 09:55 307,200 -----r-- c:\windows\alcupd.exe

2011-03-26 09:55 212,992 -----r-- c:\windows\alcrmv.exe

2011-03-26 09:48 466,944 a------- c:\windows\system32\CapabilityTable.exe

2011-03-26 09:46 356,352 a------- c:\windows\system32\NVUNINST.EXE

2011-03-26 09:46 810,056 a----r-- c:\windows\system32\SATA.bmp

2011-03-26 09:46 266 a----r-- c:\windows\system32\raidmgmt.ini

2011-03-26 09:45 2,683,904 a----r-- c:\windows\InstAll.exe

2011-03-26 09:45 1,030,656 a----r-- c:\windows\16copy.avi

2011-03-26 09:45 1,030,656 a----r-- c:\windows\copy.avi

2011-03-26 09:31 <DIR> --d----- c:\windows\system32\ReinstallBackups

2011-03-26 09:31 36,352 a------- c:\windows\system32\drivers\AmdK8.sys

2011-03-26 09:31 <DIR> --d----- c:\program files\AMD

2011-03-26 00:31 <DIR> --d----- c:\docume~1\willia~1\applic~1\Symantec

2011-03-26 00:31 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Symantec

2011-03-26 00:30 <DIR> --d----- c:\program files\common files\Symantec Shared

2011-03-26 00:28 12,800 a------- c:\windows\BS_DEF.sys

2011-03-26 00:28 306,688 a------- c:\windows\IsUninst.exe

2011-03-26 00:27 24,576 a----r-- c:\windows\system32\AsIO.dll

2011-03-26 00:27 4,962 a----r-- c:\windows\system32\drivers\AsIO.sys

2011-03-26 00:27 434,252 a------- c:\windows\system32\MSVCRTD.DLL

2011-03-26 00:27 5,120 a------- c:\windows\system32\drivers\AsInsHelp64.sys

2011-03-26 00:27 3,328 a------- c:\windows\system32\drivers\AsInsHelp32.sys

2011-03-26 00:27 962,612 a------- c:\windows\system32\mfc42d.dll

2011-03-26 00:27 <DIR> --d----- c:\program files\ASUS

2011-03-26 00:22 <DIR> --d----- c:\windows\pss

2011-03-25 21:44 26,006 a------- c:\windows\Ascd_log.ini

2011-03-25 21:43 <DIR> --d----- c:\windows\ASUSInstAll

2011-03-25 21:43 5,810 a----r-- c:\windows\system32\drivers\ASACPI.sys

2011-03-25 21:43 5,824 a------- c:\windows\system32\drivers\ASUSHWIO.SYS

2011-03-25 21:39 114,243 a------- c:\windows\system32\drivers\klin.dat

2011-03-25 21:39 97,859 a------- c:\windows\system32\drivers\klick.dat

2011-03-25 21:39 39,352 a------- c:\windows\system32\drivers\CSVirtualDiskDrv.sys

2011-03-25 21:39 88,632 a------- c:\windows\system32\drivers\CSCrySec.sys

2011-03-25 21:38 <DIR> --d----- c:\program files\common files\InfoWatch

2011-03-25 21:38 <DIR> --d----- c:\program files\Kaspersky Lab

2011-03-25 21:38 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Kaspersky Lab

2011-03-25 21:37 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Kaspersky Lab Setup Files

2011-03-25 21:31 <DIR> --d----- c:\documents and settings\William Osipoff

2011-03-25 21:30 <DIR> --ds---- c:\windows\system32\Microsoft

2011-03-25 21:30 8,192 a------- c:\windows\REGLOCS.OLD

2011-03-25 21:27 8,704 ac------ c:\windows\system32\dllcache\infoctrs.dll

2011-03-25 21:26 94,720 ac------ c:\windows\system32\dllcache\certmap.ocx

2011-03-25 21:25 <DIR> --dsh--- c:\documents and settings\all users.windows\DRM

2011-03-25 21:25 488 a---hr-- c:\windows\system32\WindowsLogon.manifest

2011-03-25 21:25 488 a---hr-- c:\windows\system32\logonui.exe.manifest

2011-03-25 21:25 <DIR> --ds---- c:\windows\Downloaded Program Files

2011-03-25 21:25 <DIR> --d--r-- c:\windows\Offline Web Pages

2011-03-25 21:25 749 a---hr-- c:\windows\WindowsShell.Manifest

2011-03-25 21:25 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest

2011-03-25 21:25 749 a---hr-- c:\windows\system32\sapi.cpl.manifest

2011-03-25 21:25 749 a---hr-- c:\windows\system32\nwc.cpl.manifest

2011-03-25 21:25 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest

2011-03-25 21:25 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest

2011-03-25 21:25 <DIR> --d-h--- c:\program files\WindowsUpdate

2011-03-25 21:25 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex

2011-03-25 21:25 <DIR> --d----- c:\windows\system32\DirectX

2011-03-25 21:24 <DIR> --d----- c:\program files\common files\MSSoap

2011-03-25 21:22 <DIR> --d----- c:\program files\Online Services

2011-03-25 21:22 <DIR> --d----- c:\program files\Messenger

2011-03-25 21:22 <DIR> --d----- c:\program files\MSN Gaming Zone

2011-03-25 21:21 <DIR> --d----- c:\program files\Windows NT

2011-03-25 16:13 <DIR> --d--r-- c:\documents and settings\all users.windows\Documents

2011-03-25 12:01 <DIR> --d----- c:\program files\common files\ODBC

2011-03-25 12:00 <DIR> --d----- c:\program files\common files\SpeechEngines

==================== Find3M ====================

2011-03-27 19:35 252,080 a------- c:\windows\system32\nvdrsdb1.bin

2011-03-27 19:35 252,080 a------- c:\windows\system32\nvdrsdb0.bin

2011-03-26 11:39 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2011-03-25 21:22 21,640 a------- c:\windows\system32\emptyregdb.dat

2011-03-05 13:39 323,624 a------- c:\windows\system32\wiaaut.dll

2011-02-09 09:53 270,848 a------- c:\windows\system32\sbe.dll

2011-02-09 09:53 186,880 a------- c:\windows\system32\encdec.dll

2011-02-02 03:58 2,067,456 a------- c:\windows\system32\mstscax.dll

2011-01-27 07:57 677,888 a------- c:\windows\system32\mstsc.exe

2011-01-21 10:44 439,296 a------- c:\windows\system32\shimgvw.dll

2011-01-07 23:27 14,671,872 a------- c:\windows\system32\nvoglnt.dll

2011-01-07 23:27 13,004,800 a------- c:\windows\system32\nvcompiler.dll

2011-01-07 23:27 6,397,824 a------- c:\windows\system32\nv4_disp.dll

2011-01-07 23:27 4,980,736 a------- c:\windows\system32\nvcuda.dll

2011-01-07 23:27 2,916,968 a------- c:\windows\system32\nvcuvid.dll

2011-01-07 23:27 2,292,678 a------- c:\windows\system32\nvdata.bin

2011-01-07 23:27 2,251,368 a------- c:\windows\system32\nvcuvenc.dll

2011-01-07 23:27 1,958,400 a------- c:\windows\system32\nvapi.dll

2011-01-07 23:27 941,160 a------- c:\windows\system32\nvdispco322090.dll

2011-01-07 23:27 837,736 a------- c:\windows\system32\nvgenco322040.dll

2011-01-07 23:27 61,440 a------- c:\windows\system32\OpenCL.dll

2011-01-07 19:56 81,920 a------- c:\windows\system32\nvwddi.dll

2011-01-07 19:56 580,200 a------- c:\windows\system32\easyUpdatusAPIU.dll

2011-01-07 19:56 13,880,424 a------- c:\windows\system32\nvcpl.dll

2011-01-07 19:56 277,608 a------- c:\windows\system32\nvmccs.dll

2011-01-07 19:56 156,776 a------- c:\windows\system32\nvsvc32.exe

2011-01-07 19:56 145,000 a------- c:\windows\system32\nvcolor.exe

2011-01-07 19:56 111,208 a------- c:\windows\system32\nvmctray.dll

2011-01-07 10:09 290,048 a------- c:\windows\system32\atmfd.dll

2010-12-31 09:10 1,854,976 a------- c:\windows\system32\win32k.sys

============= FINISH: 21:06:53.09 ===============


I don't know if you still have ComboFix or not, but use these instructions.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


OK, I ran Combofix. After installing the recovery console it ran and then said it found evidence of rootkit activity on the machine. Two reboots later it produced the following log: :)

ComboFix 11-03-31.01 - William Osipoff 03/31/2011 17:31:23.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1574 [GMT -4:00]

Running from: c:\documents and settings\William Osipoff\Desktop\ComboFix.exe

AV: Kaspersky PURE *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky PURE *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users.WINDOWS\Start Menu\HP Image Zone .lnk

c:\windows\install.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 )))))))))))))))))))))))))))))))

.

.

2011-03-31 00:17 . 2005-12-16 22:18 2537304 ----a-w- c:\temp\HP_WebRelease\setup\sipm\HpTcpMon.exe

2011-03-30 00:29 . 2011-03-31 00:14 -------- d-----w- C:\TEMP

2011-03-29 23:56 . 2011-03-29 23:56 -------- d-----w- C:\My Images

2011-03-27 23:26 . 2011-03-27 23:26 -------- d-----w- C:\NVIDIA

2011-03-27 02:13 . 2011-03-27 02:14 -------- d-----w- C:\2ff26beee0a37e7abce04b8faa8c86ac

2011-03-26 20:47 . 2011-03-26 20:47 -------- d-----r- C:\AHCache

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-08 03:27 . 2008-04-14 00:12 6397824 ----a-w- c:\windows\system32\nv4_disp.dll

2011-01-08 03:27 . 2007-04-13 03:44 1958400 ----a-w- c:\windows\system32\nvapi.dll

2011-01-08 03:27 . 2007-04-13 03:44 14671872 ----a-w- c:\windows\system32\nvoglnt.dll

2011-01-07 23:56 . 2011-01-07 23:56 81920 ----a-w- c:\windows\system32\nvwddi.dll

2011-01-07 23:56 . 2011-01-07 23:56 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll

2011-01-07 23:56 . 2011-01-07 23:56 277608 ----a-w- c:\windows\system32\nvmccs.dll

2011-01-07 23:56 . 2011-01-07 23:56 156776 ----a-w- c:\windows\system32\nvsvc32.exe

2011-01-07 23:56 . 2011-01-07 23:56 145000 ----a-w- c:\windows\system32\nvcolor.exe

2011-01-07 23:56 . 2011-01-07 23:56 13880424 ----a-w- c:\windows\system32\nvcpl.dll

2011-01-07 23:56 . 2011-01-07 23:56 111208 ----a-w- c:\windows\system32\nvmctray.dll

2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2011-03-18 17:53 . 2011-03-26 16:23 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]

@="{dd230880-495a-11d1-b064-008048ec2fc5}"

[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]

2010-10-02 03:05 129624 ----a-w- c:\program files\Kaspersky Lab\Kaspersky PURE\shellex.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky PURE\avp.exe" [2010-10-02 348760]

"Launch Ai Booster"="c:\program files\ASUS\Ai Booster\OverClk.exe" [2005-08-04 3627008]

"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

.

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

.

R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [3/25/2011 9:39 PM 88632]

R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 10:18 PM 36880]

R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [3/25/2011 9:39 PM 39352]

R1 spusbaudio;USB Microphone;c:\windows\system32\drivers\CA506AA.sys [3/29/2011 8:02 PM 39824]

R2 CSObjectsSrv;CryptoStorage control service;c:\program files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [12/21/2009 6:34 PM 743992]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 3:42 PM 32272]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]

R3 SPCA506AV;X10 VA11A Video Capture;c:\windows\system32\drivers\CA506AV.SYS [3/29/2011 8:02 PM 162096]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 BS_DEF;BS_DEF;c:\windows\BS_DEF.sys [3/26/2011 12:28 AM 12800]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

.

------- Supplementary Scan -------

.

IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\William Osipoff\Application Data\Mozilla\Firefox\Profiles\93xsdpge.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-31 17:41

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2056)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\progra~1\COMMON~1\X10\Common\x10nets.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

.

**************************************************************************

.

Completion time: 2011-03-31 17:46:25 - machine was rebooted

ComboFix-quarantined-files.txt 2011-03-31 21:46

.

Pre-Run: 483,611,856,896 bytes free

Post-Run: 483,862,790,144 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

.

- - End Of File - - F414A1E6EDF5E6C45BC76E3344C43D2B

Regarding how the computer is doing, it seems to be running great. However, I still have intermittent drive activity shown for no apparent reason. In addition, the System log for some reason has its last entry at 7:52:25 PM on 3/27/2011. It's almost as if logging has been disabled somehow... :blink:


The System log for some reason has its last entry at 7:52:25 PM on 3/27/2011. It's almost as if logging has been disabled somehow.

Are you referring to the Event Viewer?

Did CF show removing the two rootkits?

Nothing bad in the scan that I can see.


Sorry, after I hit enter I realized I didn't refer to the Event Viewer. Yes, the Event Viewer System log entry ends at 7:52:25 PM on 3/27/2011. I'm used to seeing entries every day. I didn't change anything, could this be a rootkit related action?

Also, you say two rootkits. ComboFix-quarantined-files.txt shows the following:

2011-03-31 21:35:41 . 2011-03-31 21:35:41 8,017 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2011-03-31 21:17:47 . 2011-03-31 21:29:53 102 ----a-w- C:\Qoobox\Quarantine\catchme.log

2011-03-31 00:50:30 . 2011-03-31 00:50:30 898 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Start Menu\HP Image Zone .lnk.vir

2011-03-26 13:45:40 . 2005-10-03 03:12:40 2,683,904 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\InstAll.exe.vir

Since this is a new clean install I have been slowly bringing capabilities on line since the install, like my HP printer. I scanned the HP install package with Kaspersky Pure before I ran it. Could that be a false detection, or did the install process somehow become infected due to rootkit activity?

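One concrete check for the stalled System log question in the posts above, added here as an example; it is not from the thread, from the helper, or from any of the tools used in it. It assumes Windows PowerShell 2.0 is installed on the XP SP3 machine and that it is run from an administrator session; the two-day staleness threshold is an arbitrary choice. It reports whether the Event Log service is running, the timestamp of the newest readable System event, and whether the log file has reached its MaxSize under a "do not overwrite" retention setting, which stops recording with no malware involved. A running service and sane retention do not rule out a rootkit filtering what gets written, but they eliminate the two ordinary explanations first.

```powershell
# Added diagnostic, not from the thread: checks whether Windows is still able to
# write to the System event log, and why it might have stopped.
# Assumptions: Windows PowerShell 2.0 on the XP SP3 machine, run as administrator.
# $StaleDays (2) is an arbitrary threshold.
#
# Retention semantics (Eventlog service registry values):
#   Retention = 0            overwrite events as needed
#   Retention = 0xFFFFFFFF   never overwrite: a full log silently stops recording
#   anything else            keep events at least that many seconds

function Get-EventLogHealth {
    param([string]$LogName = 'System')

    $svc    = Get-Service -Name 'EventLog' -ErrorAction SilentlyContinue
    $wmiSvc = Get-WmiObject -Class Win32_Service -Filter "Name='EventLog'" -ErrorAction SilentlyContinue
    $cfg    = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName" -ErrorAction SilentlyContinue

    # Newest readable event; Get-EventLog throws if the log does not exist.
    $newest = $null
    try { $newest = Get-EventLog -LogName $LogName -Newest 1 } catch { }

    # The backing .evt file, so its size can be compared with MaxSize.
    $file = $null
    if ($cfg -and $cfg.File) {
        $path = [Environment]::ExpandEnvironmentVariables($cfg.File)
        $file = Get-Item -Path $path -ErrorAction SilentlyContinue
    }

    $status = 'NotFound'; if ($svc)    { $status = $svc.Status.ToString() }
    $start  = $null;      if ($wmiSvc) { $start  = $wmiSvc.StartMode }
    $when   = $null;      if ($newest) { $when   = $newest.TimeGenerated }
    $fpath  = $null; $fbytes = $null
    if ($file) { $fpath = $file.FullName; $fbytes = $file.Length }
    $max    = $null; $ret = $null
    if ($cfg) { $max = $cfg.MaxSize; $ret = $cfg.Retention }

    New-Object PSObject -Property @{
        Log = $LogName; ServiceStatus = $status; StartMode = $start
        NewestEvent = $when; LogFile = $fpath; LogFileBytes = $fbytes
        MaxSizeBytes = $max; Retention = $ret
    }
}

function Test-EventLogHealth {
    param($Health, [int]$StaleDays = 2)

    $findings = @()
    if ($Health.ServiceStatus -ne 'Running') {
        $findings += "EventLog service is '$($Health.ServiceStatus)' (start mode: $($Health.StartMode)); nothing is recorded while it is stopped."
    }
    if ($null -eq $Health.NewestEvent) {
        $findings += "No events could be read from the $($Health.Log) log."
    } elseif (((Get-Date) - $Health.NewestEvent).TotalDays -gt $StaleDays) {
        $findings += "Newest $($Health.Log) event is from $($Health.NewestEvent), more than $StaleDays days ago."
    }
    # A DWORD of 0xFFFFFFFF reads back as -1 (Int32) through the registry provider.
    $neverOverwrite = ($Health.Retention -eq -1) -or ($Health.Retention -eq 0xFFFFFFFF)
    if ($neverOverwrite -and $null -ne $Health.LogFileBytes -and $null -ne $Health.MaxSizeBytes -and
        $Health.LogFileBytes -ge $Health.MaxSizeBytes) {
        $findings += "$($Health.LogFile) is at MaxSize ($($Health.MaxSizeBytes) bytes) with 'do not overwrite' retention: the log is full and stops recording until it is cleared."
    }
    if ($findings.Count -eq 0) {
        $findings += "Service running and $($Health.Log) log recent; a stalled log is not explained by service state or retention settings."
    }
    return $findings
}

$health = Get-EventLogHealth -LogName 'System'
$health | Format-List Log, ServiceStatus, StartMode, NewestEvent, LogFile, LogFileBytes, MaxSizeBytes, Retention
Test-EventLogHealth -Health $health -StaleDays 2 | ForEach-Object { Write-Output "FINDING: $_" }
```

Run it from an elevated PowerShell prompt on the affected machine; each FINDING line is one reason recording could have stopped. If it reports nothing and the log is still stalled, that is the point at which the rootkit explanation deserves more weight than a full log or a stopped service.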
