View Full Version : FProps.vbs.vir
Enemyboat
2007-09-24, 04:05
Hello.
First of all, I'd like to thank you all for Spybot. I'll be donating some money next month because of the program's help.
The computer seems to be auditing itself(the hard drive led flashes every second or so, even with 0 workload).
I was reading a thread with a similar computer issue, and I decided to try and run the combofix that this certain thread said to do. It found FProps.vbs.vir and so I decided to go through the 'readme first' steps.
Here are my logs.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:18 PM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hi\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
--
End of file - 3425 bytes
___________________________________
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, September 23, 2007 2:48:13 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 24/09/2007
Kaspersky Anti-Virus database records: 422704
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 21987
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:11:25
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Flappi Rhino\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Flappi Rhino\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Flappi Rhino\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Flappi Rhino\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Flappi Rhino\Local Settings\History\History.IE5\MSHist012007092320070924\index.dat Object is locked skipped
C:\Documents and Settings\Flappi Rhino\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Flappi Rhino\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Flappi Rhino\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Squeezy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Squeezy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Squeezy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Squeezy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Squeezy\Local Settings\History\History.IE5\MSHist012007092320070924\index.dat Object is locked skipped
C:\Documents and Settings\Squeezy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Squeezy\ntuser.dat Object is locked skipped
C:\Documents and Settings\Squeezy\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{E7A7C209-7F4E-4493-A4ED-E038583166CE}\RP16\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
__________________________________________
I think the Combofix program put the FProps.vbs.vir into a quarantine folder.
Thanks for the help in advance.:bigthumb:
Hi
Could you post Combofix log? Post also hjt log taken in normal mode.
Enemyboat
2007-09-25, 12:44
Thanks for the reply, and the assistance.
__________________________________
ComboFix 07-09-21.2 - "Flappi Rhino" 2007-09-25 2:35:01.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1672 [GMT -7:00]
.
((((((((((((((((((((((((( Files Created from 2007-08-25 to 2007-09-25 )))))))))))))))))))))))))))))))
.
2007-09-25 01:39 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-25 01:39 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-09-25 01:38 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-09-25 01:38 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-25 00:34 <DIR> d-------- C:\Program Files\Electronic Arts
2007-09-24 00:18 838 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-24 00:18 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-24 00:18 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-24 00:18 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-24 00:18 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-23 21:03 <DIR> d-------- C:\DOCUME~1\Squeezy\APPLIC~1\MySpace
2007-09-23 15:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-23 15:03 1,486,342 --a------ C:\ComboFix.exe
2007-09-23 12:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-23 12:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-22 20:04 <DIR> d-------- C:\Program Files\MySpace
2007-09-22 20:04 <DIR> d-------- C:\DOCUME~1\FLAPPI~1\APPLIC~1\MySpace
2007-09-22 19:18 <DIR> d-------- C:\DOCUME~1\Squeezy\APPLIC~1\Google
2007-09-22 19:16 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-09-22 19:16 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-09-22 19:16 <DIR> d-------- C:\DOCUME~1\Squeezy\Contacts
2007-09-22 14:46 <DIR> d-------- C:\Program Files\MSN Messenger
2007-09-22 14:21 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-09-22 14:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-09-22 14:14 <DIR> d-------- C:\goods
2007-09-22 11:30 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-09-22 11:30 <DIR> d-------- C:\Program Files\Analog Devices
2007-09-22 11:14 <DIR> d-------- C:\DOCUME~1\FLAPPI~1\APPLIC~1\WinRAR
2007-09-22 11:13 <DIR> d-------- C:\DOCUME~1\Squeezy\APPLIC~1\WinRAR
2007-09-22 10:45 <DIR> d-------- C:\Program Files\THQ
2007-09-22 09:18 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-22 09:18 <DIR> d-------- C:\Program Files\Mozilla Firefox(2)
2007-09-22 09:05 <DIR> d-------- C:\DOCUME~1\FLAPPI~1\Contacts
2007-09-22 09:01 <DIR> d-------- C:\Program Files\Windows Live
2007-09-22 09:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
2007-09-22 08:33 <DIR> d-------- C:\Program Files\AusLogics Disk Defrag
2007-09-22 08:28 <DIR> d-------- C:\Program Files\Hi
2007-09-22 00:27 <DIR> d-------- C:\Program Files\Avira
2007-09-22 00:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avira
2007-09-22 00:06 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2007-09-22 00:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-22 00:06 <DIR> d-------- C:\Program Files\DIFX
2007-09-21 23:56 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-09-21 23:56 <DIR> d-------- C:\WINDOWS\nview
2007-09-21 23:56 <DIR> d-------- C:\NVIDIA
2007-09-21 23:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-21 23:49 <DIR> d-------- C:\Program Files\Google
2007-09-21 23:49 <DIR> d-------- C:\DOCUME~1\FLAPPI~1\APPLIC~1\Google
2007-09-21 23:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-09-21 23:14 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-09-21 23:10 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-09-21 23:10 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-09-21 23:10 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-09-21 20:06 984,576 --a------ C:\WINDOWS\system32\syssetup.dll
2007-09-21 20:06 140,288 --a------ C:\WINDOWS\system32\sfc_os.dll
2007-09-21 15:03 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-09-21 15:03 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-09-21 15:02 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-09-21 15:01 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documents
2007-09-21 15:00 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-09-21 15:00 <DIR> d-------- C:\WINDOWS\system32\CatRoot
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-24 00:43 --------- d-------- C:\Program Files\SpywareBlaster
2007-09-21 22:42 --------- d-------- C:\Program Files\CCleaner
2007-09-21 22:29 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-29 00:43 8466432 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6729728 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 5455872 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --a------ C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 3321856 --a------ C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 3072000 --a------ C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43 2854912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 2416640 --a------ C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43 155716 --a------ C:\WINDOWS\system32\nvsvc32.exe
2007-06-29 00:43 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-06-29 00:43 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43 1142784 --a------ C:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43 1073152 --a------ C:\WINDOWS\system32\nvcpluir.dll
2007-06-29 00:43 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43 1018772 --a------ C:\WINDOWS\system32\nvucode.bin
2007-06-26 08:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 07:09 658944 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
.
((((((((((((((((((((((((((((( snapshot_Sun 09-23-2007_150844.48 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\$hf_mig$\KB920872\spmsg.dll
----a-w 213,216 2005-10-12 23:12:26 C:\WINDOWS\$hf_mig$\KB920872\spuninst.exe
----a-w 172,416 2006-06-14 08:50:19 C:\WINDOWS\$hf_mig$\KB920872\SP2QFE\kmixer.sys
----a-w 6,272 2006-06-14 08:50:19 C:\WINDOWS\$hf_mig$\KB920872\SP2QFE\splitter.sys
----a-w 82,944 2006-06-14 09:17:04 C:\WINDOWS\$hf_mig$\KB920872\SP2QFE\wdmaud.sys
----a-w 22,752 2005-10-12 23:12:25 C:\WINDOWS\$hf_mig$\KB920872\update\spcustom.dll
----a-w 716,000 2005-10-12 23:12:29 C:\WINDOWS\$hf_mig$\KB920872\update\update.exe
----a-w 371,424 2005-10-12 23:12:34 C:\WINDOWS\$hf_mig$\KB920872\update\updspapi.dll
------w 172,416 2006-06-14 08:47:45 C:\WINDOWS\Driver Cache\i386\kmixer.sys
------w 6,400 2006-06-14 08:47:46 C:\WINDOWS\Driver Cache\i386\splitter.sys
------w 82,944 2006-06-14 09:00:45 C:\WINDOWS\Driver Cache\i386\wdmaud.sys
------w 172,416 2006-06-14 08:47:45 C:\WINDOWS\system32\dllcache\kmixer.sys
------w 6,400 2006-06-14 08:47:46 C:\WINDOWS\system32\dllcache\splitter.sys
------w 82,944 2006-06-14 09:00:45 C:\WINDOWS\system32\dllcache\wdmaud.sys
----a-w 172,416 2006-06-14 08:47:45 C:\WINDOWS\system32\drivers\kmixer.sys
----a-w 6,400 2006-06-14 08:47:46 C:\WINDOWS\system32\drivers\splitter.sys
----a-w 82,944 2006-06-14 09:00:45 C:\WINDOWS\system32\drivers\wdmaud.sys
.
----a-w 171,776 2004-08-04 06:07:50 C:\WINDOWS\system32\drivers\kmixer.sys
----a-w 6,400 2004-08-04 06:07:48 C:\WINDOWS\system32\drivers\splitter.sys
----a-w 82,944 2004-08-04 06:15:06 C:\WINDOWS\system32\drivers\wdmaud.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 06:34]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-21 23:49]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService WebClient LmHosts RemoteRegistry upnphost SSDPSRV
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0fdc1ac3-688e-11dc-997a-806d6172696f}]
AutoRun\command- D:\Setup.exe
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-25 02:35:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-25 2:35:59
C:\ComboFix-quarantined-files.txt ... 2007-09-25 02:35
C:\ComboFix2.txt ... 2007-09-24 14:33
C:\ComboFix3.txt ... 2007-09-23 17:20
.
--- E O F ---
and ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:20 AM, on 9/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hi\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
--
End of file - 4188 bytes
Looks good. :) Below are some instructions for future.
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
Change the allow paste operations via script to Disable
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the
bad
webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
Enemyboat
2007-09-26, 00:58
Nope :oops:, my computer still has something on it.
I was looking on hijackme's forum and it said it was a good idea to rename hijackme before you run it because there are viruses that watch for it.
I re-downloaded and re-ran the program (I think it might be a different version of hijackme), and 2 new entries came up under the 022, which would explain why the computer seems to be auditing itself... I really think those have a part in this problem. :bigthumb:
Thank you for your continued help Blade.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:48:14 PM, on 9/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\mejax\hi10395.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
--
End of file - 4015 bytes
Enemyboat
2007-09-26, 01:01
If you are confused, the entry
C:\Program Files\mejax\hi10395.exe
thats what I renamed Hijackme to be.
Hi
Those entries are both legal. Have you defragged your hard drive(s) lately? If not, do so.
Enemyboat
2007-09-26, 18:01
Yep, I used a program that I downloaded off of majorgeeks.com.
There is still malware on my computer. This computer is an opteron dual core am2 chip with 2 gigs of ddr2 @ 800 mhz. The computer shouldn't have any hickups, yet it still seems like it's running like a single core. I'm scared to reinstall windows, because the last time I did, this virus changed my hardware's firmware somehow, and I don't want to have to buy another computer.
Enemyboat
2007-09-26, 19:07
Another reason why I know I still have malware is because I usually log onto my computer as a user with limited rights, and then run those computer tasks that I need using run as administrator.
After the past few days, the computer has changed the strict policy for disallowing me to run any programs without running as administration; now, I can run almost all the programs on my computer without any errors relating to limited user.
When I start up in safe mode, I see the files that it loads, and there are 3 different case-sensitive entrys for c:\windows\system32.
SYSTEM32
System32
and
system32
I am almost 100% sure that microsoft does not use different case-sensitive letters, and in the past when I didn't have a virus, the windows directory was not c:\WINDOWS, it was c:\Windows.
Another thing that this virus has done on this computer, and in the past is give errors about file locations. An example is
\??\C:\windows
And finally, I can't run sfc /scannow. This command won't run for any of the administration logins that I have. The error that comes up is
0x000006ba.
RPC server unavailible.
Whatever Rootkit or Botnet or Virus is controlling the computer, it is disallowing itself to be copied over, and its just waiting for me to reinstall windows so it can take over the partition tables like it did with my last computer.
Hi
I still don't believe you having any malware there.
And finally, I can't run sfc /scannow. This command won't run for any of the administration logins that I have. The error that comes up is
0x000006ba.
RPC server unavailible.
Check this (http://discussions.virtualdr.com/showthread.php?t=182818) (14th post of the thread).
Enemyboat
2007-09-27, 03:32
:eek::eek::eek:
I found some really cool links that led me to 2 really cool programs, one of which has found the problems.
My computer is infected with a Rootkit called FUTo.
http://www.rootkit.com/project.php?id=12
At the bottom of that page there is a link for RAIDE. I just happened to see it, and download it.
I ran it under the dos prompt and I here is the dos prompt copy/paste
____________________________________________
C:\RAIDE_BETA_1>rcc
RCC.exe <scan options> <other options>
scan options:
scan_processes - scans the system for hidden processes only
scan_kernel - only scans the kernel for hooks ignores userland a
nd process checks
scan_user - only scans the userland for hooks does not check the
kernel for hooks
scan_hooks - scans the whole system kernel and userland for hook
s
scan_all - scans for everything userland, kernel hooks and hidde
n processes
scan - this is the default scan checks the kernel for hooks and
checks for hidden processes
other options:
log - will log the raide output to a file in the current directo
ry. Since the console output can be a little overwhelming this helps for deciphe
ring the data.
C:\RAIDE_BETA_1>rcc scan_all
By using RAIDE you the user agree that those responsible for developing and
distributing this program, including the lead developer, Peter Silberman, are no
t responsible for any damage, disruptions, or losses of injuries of any kind tha
t RAIDE may cause including without limitation damage to your hard drive, proces
sor or other hardware, damage to your operating system or other software, and lo
sses of data to you or your business. You the user understand and agree that RAI
DE is provided AS IS and no representations, warranties or promises of any kind
are made with respect to the stability, safety, or effectiveness of this program
whether used in its intended fashion or otherwise. If you agree to all of the t
erms and conditions set forth above, type 'yes' otherwise type 'no.'
yes
RAIDE has discovered that this system is on more than one processor. Having
to processors may make some of RAIDEs actions less stable than if you were runni
ng one processor. Do you wish to continue? (yes or no)
yes
Since the system is not supported it is up to you to continue and run RAIDE at y
our own risk. Do you want to? ('yes' or 'no')yes
[-] Installing RAIDE on the system
[-] RAIDE can currently recognize 8 products, and identify 253 hooks from these
products
[-] Starting Process Detection
[-] Finished Process Detection
[-] Found 2 hidden proccess(es) on the system
[-] Check the system for hooks
[-] Finished checking the system for hooks
[-] Found 30 hook(s) on the system
[-] Found a hidden process. wmiprvse.exe:2100 is hidden using PspCidTable Remove
method. This method is commonly used by FUTo.
[-] What action do you want to take against the process hidden using DKOM method
?
1. Dump the process address space to files on disk for furt
her analysis.
2. Do nothing
[-] Found a hidden process. alg.exe:456 is hidden using PspCidTable Remove metho
d. This method is commonly used by FUTo.
[-] What action do you want to take against the process hidden using DKOM method
?
1. Dump the process address space to files on disk for furt
her analysis.
2. Do nothing
1
[-] C:\WINDOWS\system32\kernel32.dll has had one of its functions modified. Func
tion GetUserDefaultLangID has been modified with an inline hook to point a modul
e that could not be identified (0x7c80bf64).
No action can be taken against IAT hooks
[-] C:\WINDOWS\system32\kernel32.dll has had it's IAT table modified. Function D
eleteCriticalSection has been changed to point a module that could not be identi
fied (0x7c91188a).
No action can be taken against IAT hooks
[-] C:\WINDOWS\system32\kernel32.dll has had it's IAT table modified. Function E
nterCriticalSection has been changed to point a module that could not be identif
ied (0x7c901005).
No action can be taken against IAT hooks
[-] C:\WINDOWS\system32\kernel32.dll has had it's IAT table modified. Function L
eaveCriticalSection has been changed to point a module that could not be identif
ied (0x7c9010ed).
No action can be taken against IAT hooks
[-] C:\WINDOWS\system32\kernel32.dll has had it's IAT table modified. Function H
eapFree has been changed to point a module that could not be identified (0x7c910
43d).
No action can be taken against IAT hooks
[-] C:\WINDOWS\system32\kernel32.dll has had it's IAT table modified. Function H
eapReAlloc has been changed to point a module that could not be identified (0x7c
9179fd).
No action can be taken against IAT hooks
[-] C:\WINDOWS\system32\kernel32.dll has had it's IAT table modified. Function H
eapAlloc has been changed to point a module that could not be identified (0x7c91
05d4).
No action can be taken against IAT hooks
[-] C:\WINDOWS\system32\kernel32.dll has had it's IAT table modified. Function G
etLastError has been changed to point a module that could not be identified (0x7
c910331).
No action can be taken against IAT hooks
[-] C:\WINDOWS\system32\kernel32.dll has had it's IAT table modified. Function S
etLastError has been changed to point a module that could not be identified (0x7
c910340).
No action can be taken against IAT hooks
[-] C:\WINDOWS\system32\kernel32.dll has had it's IAT table modified. Function H
eapSize has been changed to point a module that could not be identified (0x7c910
9ed).
No action can be taken against IAT hooks
[-] C:\WINDOWS\system32\kernel32.dll has had it's IAT table modified. Function R
tlUnwind has been changed to point a module that could not be identified (0x7c93
7a40).
No action can be taken against IAT hooks
[-] Found an index hook in the System Service Desriptor Table. NtCreateThread is
hooked and points to code that is not associated with a module.
[-] What action do you want to take against the System Service Descriptor Table
Index Overwrite?
1. Restore this hook to its original code/value
2. Restore all hooks to their original code/value
3. Ignore this hook (take no action)
4. Ignore this type of hook
5. Only display hooks (don't prompt)
2
[-] Found an index hook in the System Service Desriptor Table. NtOpenThread is h
ooked and points to code that is not associated with a module.
[-] Found an index hook in the System Service Desriptor Table. NtTerminateProces
s is hooked and points to code that is not associated with a module.
[-] Found an index hook in the System Service Desriptor Table. NtWriteVirtualMem
ory is hooked and points to code that is not associated with a module.
Received a request to terminate from the system. Will do so.
C:\RAIDE_BETA_1>
___________________________________
The damn thing uses kernal32.dll. I knew I was being hooked by something because the screen had a major flicker before the logon screen, and then also when I press the power button to immediately initiate shutoff of the computer.
Are you in the dark with this stuff? lol I just stumbled over it.
Either way I didn't clean the rootkit up because I wanted to consult with you. I just let RAIDE put everything back the way it was.
:funny::bigthumb:
Hi
Not every hidden process rootkit detectors found is bad. I checked your RAIDE log and those meantioned are all legal files. :)
Enemyboat
2007-09-27, 22:14
I am confused.
Have you ever used GMER?
Its a cool program like Hijackthis, except it has alot more features.
I ran that, and all the errors in the SDT pointed to fltmgr.sys
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-09-27 12:13:20
Windows 5.1.2600 Service Pack 2
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BA6E11DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [BA6E11DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [BA6E1454] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [BA6E11DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [BA6E11DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [BA6E11DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [BA6E1454] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [BA6E11DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [BA6D4F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [BA6D4F4C] fltMgr.sys
---- EOF - GMER 1.0.13 ----
Yeah, I'm used Gmer in many cases. fltMgr.sys is a legal file. No signs of rootkit :)
Enemyboat
2007-09-28, 03:36
ok, so I don't have a rootkit.
Let's say I got rid of the rootkit.
But, let's say the hacker who used the rootkit took control of my system using files from windows nt, along with his own services. What would I do then?
There are 2 very questionable services in msconfig
TFKNYKL
and
PEXWYXYBWW
they are both stopped, so it's safe to say that they unloaded their payloads, and aren't needed anymore.
Would you like to see a scan of all the unknown services that GMER comes up with. LOL it's stupid how many there are.
The harddrive led has been running about double the normal rate since I ran RAINE to try and straighten out the partition table. Needless to say, the kernal virus (or whatever it is) actually disallows me to imput selections because the program is shut down as soon as there is a prompt for interactivity.
Thanks for the continued help.
Hi
Let's see what we can find in your registry with those two service names.
Please download the Registry Search tool by clicking on the "hard drive" icon halfway down this page:
http://www.billsway.com/vbspage/
Save it to the desktop and run it. If you get an alert from your antivirus about scripting, choose to allow the script to run. Search for TFKNYKL and click OK. Post the logfile from the tool here for me. Do the same thing with PEXWYXYBWW string.
Enemyboat
2007-09-30, 05:07
WOW I'm not crazy. There really is something on my computer. :laugh:
____________________________________________
; Registry search results for string "PEXWYXYBWW" 9/29/2007 7:02:22 PM
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"PEXWYXYBWW"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW\0000]
"Service"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW\0000]
"DeviceDesc"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PEXWYXYBWW]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PEXWYXYBWW]
"DisplayName"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PEXWYXYBWW\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PEXWYXYBWW\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PEXWYXYBWW\Enum]
"0"="Root\\LEGACY_PEXWYXYBWW\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW\0000]
"Service"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW\0000]
"DeviceDesc"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PEXWYXYBWW]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PEXWYXYBWW]
"DisplayName"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PEXWYXYBWW\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW\0000]
"Service"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW\0000]
"DeviceDesc"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PEXWYXYBWW]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PEXWYXYBWW]
"DisplayName"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PEXWYXYBWW\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PEXWYXYBWW\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PEXWYXYBWW\Enum]
"0"="Root\\LEGACY_PEXWYXYBWW\\0000"
___________________________________________________
; Registry search results for string "TFKNYKL" 9/29/2007 7:04:14 PM
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"TFKNYKL"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL\0000]
"Service"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL\0000]
"DeviceDesc"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TFKNYKL]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TFKNYKL]
"DisplayName"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TFKNYKL\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TFKNYKL\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TFKNYKL\Enum]
"0"="Root\\LEGACY_TFKNYKL\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL\0000]
"Service"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL\0000]
"DeviceDesc"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TFKNYKL]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TFKNYKL]
"DisplayName"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TFKNYKL\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL\0000]
"Service"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL\0000]
"DeviceDesc"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TFKNYKL]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TFKNYKL]
"DisplayName"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TFKNYKL\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TFKNYKL\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TFKNYKL\Enum]
"0"="Root\\LEGACY_TFKNYKL\\0000"
[HKEY_USERS\S-1-5-21-1060284298-1336601894-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList]
"d"="TFKNYKL.exe"
Enemyboat
2007-09-30, 05:14
I think I understand why I can't find a rootkit now.
I saw in my reg that I have 4 mounted drive entries just in the currentuserset001.
If that is true, the rootkit is essentially looking for an emulated rootkit, and not the hijacked computer rootkit.
What do you think?
Hi
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Search for TFKNYKL.exe & PEXWYXYBWW.exe files and upload them to http://www.virustotal.com if found. Post back the results.
Download ERUNT (http://www.softpedia.com/get/Tweak/Registry-Tweak/Erunt-g.shtml)
Save it to your desktop. Run and install this program.
In the box that opens ONLY choose
System registry.
Then click OK.
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.
Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"PEXWYXYBWW"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PEXWYXYBWW]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PEXWYXYBWW]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PEXWYXYBWW]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"TFKNYKL"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TFKNYKL]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TFKNYKL]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TFKNYKL]
[HKEY_USERS\S-1-5-21-1060284298-1336601894-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList]
"d"=-
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Doubleclick fix.reg, press Yes and ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)
After that reboot and run Registry search tool again as instructed in my previous post. Then post results.
Enemyboat
2007-10-01, 01:04
Thanks for the continued help Blade81.
Both TFKNYKL.exe & PEXWYXYBWW.exe were not found in searches. I searched both before the reboot, and after.
Here is my updated registry searches.
____________________________________
; Registry search results for string "TFKNYKL" 9/30/2007 2:50:56 PM
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL\0000]
"Service"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL\0000]
"DeviceDesc"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL\0000]
"Service"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL\0000]
"DeviceDesc"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL\0000]
"Service"="TFKNYKL"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL\0000]
"DeviceDesc"="TFKNYKL"
[HKEY_USERS\S-1-5-21-1060284298-1336601894-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="TFKNYKL.exe"
______________________________________________
Registry search results for string "PEXWYXYBWW" 9/30/2007 2:53:21 PM
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW\0000]
"Service"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW\0000]
"DeviceDesc"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW\0000]
"Service"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW\0000]
"DeviceDesc"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW\0000]
"Service"="PEXWYXYBWW"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW\0000]
"DeviceDesc"="PEXWYXYBWW"
[HKEY_USERS\S-1-5-21-1060284298-1336601894-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="PEXWYXYBWW.exe"
_____________________________________________________
Hi
Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.
REGEDIT4
[HKEY_USERS\S-1-5-21-1060284298-1336601894-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"001"=-
[HKEY_USERS\S-1-5-21-1060284298-1336601894-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"=-
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Doubleclick fix.reg, press Yes and ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)
Download Registrar Lite from here (http://www.majorgeeks.com/download469.html) and install it.
Start Registrar Lite.
Type in to Address field this and click ok: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL\0000
Right-click that key and choose Properties. Click "Take ownership".
Right-click that key again and choose Delete.
Repeat process for these key(s):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW\0000
KEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW
After that run registry search tool in the same way as two previous times. Post back the results.
Enemyboat
2007-10-02, 00:07
I installed and ran the registry program you told me to. Just looking around my HKLM I saw the security section in red.... its locked. I can't export it, or change it, or view permissions.
I decided to right click on properties of HKLM and this is where the first incite to my problem is. The computer has been programmed to enumerate the HKLM/security when anyone tries to alter it.
When I pressed the 'contents' tab, my computer started enumerating the content amounts, and wouldn't stop. Then I closed the tab, and reopened it again, and it started from low number again, enumerating how many contents were in HKLM.
Here is a list of services that are on my computer.
lol.
WZCSVC
Workstation
WindowsMedia
Windows Update Agent
Windows Script Host
Windows Installer 3.1
Windows File Protection
Win32k
W32Time
viaide
VgaSave
USER32
ultra
udfs
toside
TermServSessDir
TermService
TermServDevices
TermDD
tdi
TCPMon
Tcpip
System Error
sym_u3
sym_hi
symc8xx
symc810
StillImage
SSDPSRV
Srv
srservice
sr
sparrow
sndblst
Simbad
SideBySide
sfloppy
Setup
Service Control Manager
Server
serial
scsiport
Schedule
Schannel
SCardSvr
Save Dump
SAM
RSVP
Removable Storage Service
RemoteAccess
redbook
Rdbss
RasMan
RasAuto
ql1280
ql1240
ql12160
ql10wnt
ql1080
PSched
Processor
Print
PptpMiniport
PolicyAgent
PlugPlayManager
perc2
pcmcia
pciide
pci
parvdm
partmgr
parport
OSPFMib
OSPF
NVENETFD
nvata
nv
null
NtServicePack
ntfs
npfs
Nla
Netlogon
NetDDE
NetBT
NetBIOS
NdisWan
ndis
Mup
msfs
msadlib
MrxSmb
MRxDAV
mraid35x
mouhid
mouclass
Modem
LsaSrv
LmHosts
LDMS
LDM
lbrtfdc
Kerberos
kbdclass
isapnp
IPXSAP
IPXRouterManager
IPXRIP
IPXCP
IPSec
IPRouterManager
IPRIP2
IPNATHLP
IPMGM
IPBOOTP
intelide
ini910u
IGMPv2
i8042prt
i2omp
i2omgmt
Http
hpn
ftdisk
fs_rec
flpydisk
Fips
fdc
fastfat
eventlog
efs
dpti2o
Dnscache
Dnsapi
dmio
dmboot
Distributed Link Tracking Client
disk
Dhcp
DfsSvc
DfsDriver
DCOM
dac960nt
dac2w2k
cpqarray
cmdide
changer
cdrom
Cdm
cdfs
cdaudio
cd20xrnt
cbidf2k
Browser
BITS
avgntflt
Atmarpc
atdisk
atapi
AsyncMac
asc3550
asc3350p
asc
Application Popup
apphelp
amsint
ami0nt
AmdK8
aliide
aic78xx
aic78u2
aha154x
adpu160m
acpiec
acpi
abp480n5
abiosdsk
System
alot of bad ones......
I think that you are right. There is no rootkit on this computer. I believe that all that I have now is a script that is constantly running (doesn't except shutdowns) and this script does a checks and balances system by putting a little piece of itself in lots of places on the hard drive so it doesn't get taken down.
I was reading about such Kernel attacks on Nvidia motherboard systems. That is were I get the idea above.
Enemyboat
2007-10-02, 03:57
That registry program had the "Take ownership" button grayed out. So, I used regedit to take ownership and then delete the keys manually.
_________________________________________
Registry search results for string "TFKNYKL" 10/1/2007 5:53:08 PM
"HKU\\S-1-5-18"="address=HKU\\S-1-5-18[::]category=SIDS[::]description=User profile for NT AUTHORITY\\SYSTEM[::]color=1"
@="description=HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_TFKNYKL"
And
0 PEXWYXYBWW found
Hi
Could you run Registry search tool again?
Enemyboat
2007-10-02, 22:51
; Registry search results for string "TFKNYKL" 10/2/2007 12:49:51 PM
"HKU\\S-1-5-18"="address=HKU\\S-1-5-18[::]category=SIDS[::]description=User profile for NT AUTHORITY\\SYSTEM[::]color=1"
@="description=HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_TFKNYKL"
______________________________________
No instances of PEXWYXYBWW found.
Hi
That's ok now. To comment that service list you posted earlier.. those are legal :)
Enemyboat
2007-10-07, 07:49
Hey Blade.
I restarted my computer yesterday, and it wouldn't startup.
I re-installed windows, and I think I am glad I did so.
I decided to use the following programs for protection this time around:
Spybot
F-Secure Internet Security 2008
AdawareSE Personal
_______________________________________
Right at the windows installation blue screen, my computer started auditing again, just like it had never blinked.
I do have something on my computer.
I found a program called Flister from
http://www.invisiblethings.org/tools.html
I had ran a gmer scan while I was in the middle of an F-Secure scan, and I found something very hidden.
(This is from the gmer log)
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
livecall@CLSID = C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
msnim@CLSID = C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll
The Flister program allowed me to navigate in dos to:
C:\Program Files\Windows NT>flister c:\progra~1\window~4
ZwQueryDirFile at addr 0x7c90df5e
directory dump:
---------------------
.
..
installer
Messenger
those 2 directories are hidden. and I have all hidden files showing.
So, here are the 2 directories, and their contents:
C:\Program Files\Windows NT>flister c:\progra~1\window~4\messen~1\
ZwQueryDirFile at addr 0x7c90df5e
directory dump:
---------------------
.
..
abssm.dll
contact.dll
contactsUX.dll
custsat.dll
Device Manager
dfsr.dll
ErrorResponse.xml
fsshext.8.5.1288.0816.dll
highcont.thm
htc.dll
lcapi.dll
lcres.dll
license.rtf
livecall.exe
lmcdata.dll
MessengerClient.dll
msgrapp.8.5.1288.0816.dll
msgrvsta.thm
msgsc.8.5.1288.0816.dll
msgslang.8.5.1288.0816.dll
msgsres.dll
msgswcam.dll
msidcrl40.dll
msncore.dll
msnmsgr.exe
msvs.exe
msvsConfig2.xml
msvsui.dll
newalert.wma
newemail.wma
nudge.wma
online.wma
outgoing.wma
pcsexeps.dll
phone.wma
psmsong.8.5.1288.0816.dll
RTMPLTFM.dll
softphone.dll
softphoneps.dll
softphoneres.dll
type.wma
usnsvc.exe
usnsvcps.dll
vimdone.wma
wmaecdmort.dll
wmp8stub.dll
wmv9vcm.dll
C:\Program Files\Windows NT>flister c:\progra~1\window~4\instal~1\
ZwQueryDirFile at addr 0x7c90df5e
directory dump:
---------------------
.
..
Dashboard.exe
DashboardLoc.dll
DashboardRes.dll
Dashboard_en.cat
hc.thm
Microsoft.VC80.CRT.manifest
msvcr80.dll
SqmApi.dll
UXCore.dll
WLSetupSvc.exe
Some of those files have come up as bad in google search.
What do you think?
Hi
As I've tried to tell you there isn't any malware in your system. Of course can't say if there's some other problems but anyway it's out of our scope. We concentrate only on malware removing here. You could ask at PCPitstop (http://forums.pcpitstop.com).
Enemyboat
2007-10-08, 02:26
Ok, thanks blade.
I'll come back and give you an update when I find this rootkit/virus/whatever.
This topic has been moved to archives.
Regards. :)