Unknown rootkit (in system32 and windows folders)



anathema
2007-03-19, 13:34
Hello guys ;)

My software (UnHackMe) detected a rootkit, AFX2005 or FU Rootkit, in a process in the system32 folder. But when I reboot to clean this with the program, another (or the same?) rootkit with another filename in the same dir appears! And I can't disinfect my system! I think that it is the same rootkit that always changes names, because I tried with Spybot and manually to delete it, and always a new process appears. Also this process appears in Windows Startup, and I delete it and it appears again at every bootup!!!

Thanks!

My software: Nod32, Spybot, UnHackMe. Latest versions with the latest updates.

I must add that I tried to delete the system32 processes (in Safe Mode) but another process with a different name appears at the next bootup!

My Hijackthis Log:


Logfile of HijackThis v1.99.1
Scan saved at 10:29:20 πμ, on 19/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
C:\Program Files\MessengerSkinner\MessengerSkinner.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareControl.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
E:\RootkitRevealer\RootkitRevealer.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GDSBGMTNZ.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
E:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anathemaradio.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ecwknzoi] c:\windows\system32\ecwknzoi.exe ecwknzoi
O4 - HKLM\..\Run: [szwyevidq] c:\windows\system32\szwyevidq.exe szwyevidq
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095405492512
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: GDSBGMTNZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GDSBGMTNZ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LY.exe
O23 - Service: NJGKZPPCYFUMG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NJGKZPPCYFUMG.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Auto Power-on & Shut-down Service (PCAutoPowerOnService) - Unknown owner - C:\Program Files\Auto Power-on\PCAutoPowerOnService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: viz 2005 - Unknown owner - C:\Program Files\Autodesk Network License Manager\lmgrd.exe (file missing)

anathema
2007-03-19, 13:38
Panda Online Activescan log:



Incident Status Location

Potentially unwanted tool:Application/Messengerskinner Not disinfected C:\Program Files\MessengerSkinner\MessengerSkinner.exe
Potentially unwanted tool:Application/Messengerskinner Not disinfected C:\Program Files\MessengerSkinner\MessengerSkinnerDll.dll
Adware:adware/navipromo Not disinfected c:\windows\system32\ypjxubr_nav.dat
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9eyf2ca9.Default User\cookies-1.txt[.maxserving.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9eyf2ca9.Default User\cookies-1.txt[.bravenet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9eyf2ca9.Default User\cookies-1.txt[.com.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9eyf2ca9.Default User\cookies-2.txt[.maxserving.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9eyf2ca9.Default User\cookies-2.txt[.bravenet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9eyf2ca9.Default User\cookies-2.txt[.com.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9eyf2ca9.Default User\cookies.txt[.statcounter.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9eyf2ca9.Default User\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9eyf2ca9.Default User\cookies.txt[.burstnet.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9eyf2ca9.Default User\cookies.txt[.xiti.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9eyf2ca9.Default User\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Internetfuel Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9eyf2ca9.Default User\cookies.txt[.internetfuel.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.atwola.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.overture.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.kinghost.com/]
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.sexlist.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.zedo.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[statse.webtrendslive.com/S152210]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\anathema_radio\Application

anathema
2007-03-19, 13:39
Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[statse.webtrendslive.com/S152210]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\anathema_radio\Application Data\Mozilla\Firefox\Profiles\le5tvfyn.default\cookies.txt[.fortunecity.com/]
Potentially unwanted tool:Application/Messengerskinner Not disinfected C:\Program Files\MessengerSkinner\uninst.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\bpwhmoylsi.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\dajyvg.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\dhkrncsu.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\dkbalueo.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\dogufvizys.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\dtflmsyo.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\gtlbeo.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\hpckzelbg.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\jitwkmr.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\jkbvcgetui.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\kidqgxe.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\kwbupt.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\lfktyuc.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\lkuoctzrqn.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\pqvjuf.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\qhejxiprdv.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\qlhaen.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\rjpmqdwtcv.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\rkyhtdesov.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\szwyevidq.exe.ren
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\tbwshyxu.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\tocmsgkzxw.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\ypjxubr.exe


Sorry for the next posts, but they are too big to post.
If you want I can post the UnHackMe log.

anathema
2007-03-19, 13:40
UnHackMe log:


Start checking at 18/3/2007 time:10:02:08 μμ

Key:Amshacmi
Source:\SYSTEM\CurrentControlSet\Services
Service/Driver Additional Information
Name:ErrorControl
Value:0
Type:REG_BINARY
Name:Type
Value:256
Type:REG_BINARY
Name:Group
Value:FSFilter Top
Type:REG_SZ
Name:Tag
Value:1
Type:REG_BINARY
Name:ImagePath
Value:C:\WINDOWS\System32\drivers\compbatt.sys
Type:REG_SZ
Name:Start
Value:4
Type:REG_BINARY
Start checking at 18/3/2007 time:10:02:48 μμ
Hidden Process Detected:CHTBNKQI.EXE PID=2684
SYSTEM32
Start checking at 18/3/2007 time:10:06:13 μμ
Finishing checking at 10:06:13 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:09:29 μμ
Finishing checking at 10:09:31 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:10:04 μμ
Finishing checking at 10:10:06 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:10:19 μμ
Hidden Process Detected:CHTBNKQI.EXE PID=2784
SYSTEM32
Start checking at 18/3/2007 time:10:11:14 μμ
Finishing checking at 10:11:15 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:11:32 μμ
Finishing checking at 10:11:32 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:13:58 μμ
Finishing checking at 10:14:01 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:14:37 μμ
Finishing checking at 10:14:39 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:14:41 μμ
Hidden Process Detected:CHTBNKQI.EXE PID=2292
SYSTEM32
Start checking at 18/3/2007 time:10:16:04 μμ
Hidden Process Detected:CHTBNKQI.EXE PID=2292
SYSTEM32
Start checking at 18/3/2007 time:10:18:21 μμ
Finishing checking at 10:18:22 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:18:57 μμ
Finishing checking at 10:18:59 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:19:07 μμ
Hidden Process Detected:CHTBNKQI.EXE PID=2640
SYSTEM32
Start checking at 18/3/2007 time:10:35:09 μμ
Hidden Process Detected:CHTBNKQI.EXE PID=2640
SYSTEM32
Start checking at 18/3/2007 time:10:35:26 μμ
Finishing checking at 10:35:26 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:35:58 μμ
Finishing checking at 10:35:58 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:36:58 μμ
Finishing checking at 10:36:58 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:37:45 μμ
Finishing checking at 10:37:45 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:37:57 μμ
Finishing checking at 10:37:58 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:44:01 μμ
Finishing checking at 10:44:01 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:44:57 μμ
Finishing checking at 10:44:59 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:45:48 μμ
Finishing checking at 10:45:49 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:45:58 μμ
Finishing checking at 10:45:58 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:49:14 μμ
Finishing checking at 10:49:16 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:49:49 μμ
Finishing checking at 10:49:51 μμ
-------------------------------------------------------
Start checking at 18/3/2007 time:10:51:02 μμ
Hidden Process Detected:CHTBNKQI.EXE PID=2692
SYSTEM32
Start checking at 18/3/2007 time:10:51:48 μμ
Finishing checking at 10:51:48 μμ

anathema
2007-03-19, 23:23
Anyone to help?

Thanks!

shelf life
2007-03-20, 00:34
hi anathema,

Rootkit? You should really consider reformatting your HD.

You might want to copy/paste this into Notepad and save it so you can read it in Safe Mode.

Boot the computer into Safe Mode, then do this:

Scan with HJT, put a checkmark beside the items below, close all windows and click "Fix checked".

O4 - HKLM\..\Run: [ecwknzoi] c:\windows\system32\ecwknzoi.exe ecwknzoi
O4 - HKLM\..\Run: [szwyevidq] c:\windows\system32\szwyevidq.exe szwyevidq
--------------------------
next:

Go to Start > Run and type in services.msc. In the list of services that comes up, under the Name column, look for each of these one by one:

GDSBGMTNZ
LY
NJGKZPPCYFUMG

and do this for each one:
right-click on it and select Properties. Under the General tab:
make sure that the Service status is: Stopped
and the Startup type is: Disabled
---------------------------
To show all files:
For XP: on the desktop double-click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types". Click "Apply to All Folders", then Apply, then OK.

next:
Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press OK to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

next:
Using Explorer (right-click on Start > Explore) drill down to these >>> you want to delete what's >inside< the folder, not the folder itself <<

C:\Windows\Temp\

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\
------------------------------
Also, still in Safe Mode, run NOD32.
------------------------------


Reboot the computer normally.

1) Try this automated rootkit remover; it requires a reboot before using.
AVG Anti-Rootkit beta: run it first
http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml

next:
2) Also get AVG Anti-Spyware: run it last

http://www.ewido.net/en/download/

This is a 30-day trial of the program.

1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
2. Once the setup is complete you will need to run ewido and update the definition files.
3. On the main screen select the icon "Update", then select the "Update now" link.
   * Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports":
   * Select "Automatically generate report after every scan"
   * Un-select "Only if threats were found"

* Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
* ewido will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
* If you have any infections you will be prompted; then select "Apply all actions".
* Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your computer.
Please post the AVG log in your next reply.

------------------------------------
After you run AVG Anti-Spyware, please rerun AVG Anti-Rootkit once more.

After the above, please rescan and post a new HJT log along with the saved AVG report.

shelf life

anathema
2007-03-20, 10:20
Thanks for the reply.
I can't format because I have too many settings to make after the format; I would spend 1 week!

I will do all the above and I will post.

One question: In the Panda online scan, Panda software found many spyware (60+) and 3 rootkits. I tried to install Panda Antivirus 2007 and I can't...

It tells me in the setup to remove BitDefender and to run the setup again. But I don't have BitDefender. Probably there are some files on my HD. What can I do?
Will Panda remove my rootkits? I think that the online scan detected many of them!!!

I will post again with the results.

shelf life
2007-03-20, 11:57
hi anathema,


It tells me in the setup to remove BitDefender and to run the setup again. But I don't have BitDefender. Probably there are some files on my HD. What can I do?

Probably because of this:
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

You can stop/disable the service.

Go to Start > Run, type in cmd, and at the prompt type in:

sc stop bdss (Enter)
then at the next line type:
sc delete bdss (Enter)

But let's use AVG Anti-Spyware and Anti-Rootkit first to try and clean up the computer.

shelf life
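
Added example (editor's code, not from the thread and not part of HijackThis, UnHackMe or AVG): a small Python triage script that applies the three checks from shelf life's two replies to HijackThis log lines, so the same patterns can be pulled out of a fresh log instead of read by eye. It flags O4 Run entries whose system32 executable is registered under its own name and started with that name as the only argument (the form of the ecwknzoi and szwyevidq lines above, which the Panda scan labels NaviPromo), O23 services whose binary lives under a Temp directory, and O23 services marked "(file missing)", for which it prints the sc stop / sc delete pair from the reply above. It assumes the line formats of HijackThis v1.99.1 as printed in the log; the sample input is a handful of lines copied from that log plus the benign NeroCheck, nod32kui, ctfmon and NOD32krn entries as controls. One caveat a practitioner would check before acting on the Temp-directory hits: Sysinternals RootkitRevealer, which is in the running-process list of the same log, launches a randomly named copy of itself from %TEMP% as a service while it scans, so a Temp-resident service carrying the "Sysinternals - www.sysinternals.com" owner string in a log taken while RootkitRevealer was running should be correlated with that scan before it is treated as hostile. The script only reports; it never runs sc.exe or touches the registry.

```python
"""Triage HijackThis (v1.99.1) log lines for the patterns discussed in this thread.

Added example; it only reports findings and never touches the registry or sc.exe.
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log posted above,
# plus benign Run and service entries (NeroCheck, nod32kui, ctfmon, NOD32krn)
# that must not be flagged.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ecwknzoi] c:\windows\system32\ecwknzoi.exe ecwknzoi
O4 - HKLM\..\Run: [szwyevidq] c:\windows\system32\szwyevidq.exe szwyevidq
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: GDSBGMTNZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GDSBGMTNZ.exe
O23 - Service: LY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LY.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: viz 2005 - Unknown owner - C:\Program Files\Autodesk Network License Manager\lmgrd.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str            # "O4" (Run key entry) or "O23" (service)
    name: str               # Run value name, or the service's short name
    path: str               # image path exactly as HJT printed it
    reason: str
    orphaned: bool = False  # True when HJT reported "(file missing)"


O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$')
QUOTED_RE = re.compile(r'^"(?P<path>[^"]+)"(?:\s+(?P<args>.*))?$')
UNQUOTED_RE = re.compile(r'^(?P<path>\S+?\.exe)(?:\s+(?P<args>.*))?$', re.I)
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<rest>.+)$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.I)
SHORT_NAME_RE = re.compile(r'\((?P<short>[^()]+)\)\s*$')


def _stem(path):
    # File name without directory or extension, e.g. c:\dir\foo.exe -> foo
    return path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]


def _check_o4(name, rest):
    """Flag a system32 executable that is registered under its own name and
    launched with that same name as its sole argument (the NaviPromo form)."""
    m = QUOTED_RE.match(rest) or UNQUOTED_RE.match(rest)
    if not m:
        return None
    path = m.group('path')
    args = (m.group('args') or '').strip()
    stem = _stem(path)
    if '\\system32\\' in path.lower() and name.lower() == stem.lower() == args.lower():
        return Finding('O4', name, path,
                       'system32 executable started with its own name as the argument')
    return None


def _check_o23(display, rest):
    """Flag services that have lost their binary, or whose binary runs from Temp."""
    m = PATH_RE.search(rest)
    if not m:
        return None
    path = m.group(0)
    short_m = SHORT_NAME_RE.search(display)
    short = short_m.group('short') if short_m else display
    if rest.rstrip().endswith('(file missing)'):
        return Finding('O23', short, path, 'registered service whose binary is missing',
                       orphaned=True)
    if '\\temp\\' in path.lower():
        return Finding('O23', short, path, 'service binary lives in a Temp directory')
    return None


def triage(log_text):
    """Return the findings for every O4/O23 line in an HJT log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        finding = None
        m = O4_RE.match(line)
        if m:
            finding = _check_o4(m.group('name'), m.group('rest'))
        else:
            m = O23_RE.match(line)
            if m:
                finding = _check_o23(m.group('display'), m.group('rest'))
        if finding:
            findings.append(finding)
    return findings


def cleanup_commands(findings):
    """The sc.exe pair from the reply above, emitted for orphaned services only."""
    cmds = []
    for f in findings:
        if f.section == 'O23' and f.orphaned:
            svc = f'"{f.name}"' if ' ' in f.name else f.name
            cmds.append(f'sc stop {svc}')
            cmds.append(f'sc delete {svc}')
    return cmds


if __name__ == '__main__':
    hits = triage(SAMPLE_HJT_LINES)
    for h in hits:
        print(f'{h.section} {h.name}: {h.reason}\n    {h.path}')
    print('\n'.join(cleanup_commands(hits)))
```

Run it on the sample and it reports the two self-named system32 launchers, the three services with a missing or Temp-resident binary, and the sc stop/sc delete pair for bdss and "viz 2005"; the Temp-resident services are reported but get no delete command, because deciding whether they belong to RootkitRevealer or to the infection is the human step described in the replies.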

tashi
2007-03-28, 18:56
Still with us anathema?

tashi
2007-04-05, 09:56

This topic has been archived due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.