PDA

View Full Version : Some Type of Nasty


dmoss2
2008-01-14, 03:07
GMER reported some type of rootKit issue
MS Security baseline seemed to solve some of the issues.
Now all mis installs seem to hang.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:46 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\USBancorp\USBancorp VPN Client\cvpnd.exe
c:\program files\ge security supra\syncservice.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Starfield\offsync.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [OFFSync] "C:\Program Files\Starfield\offsync.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: U.S. Bancorp - VPN Client 4.6.03.lnk = C:\Program Files\USBancorp\USBancorp VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191824677093
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\USBancorp\USBancorp VPN Client\cvpnd.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5966 bytes
dmoss2
2008-01-14, 03:09
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-13 17:19:12
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.13 ----

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE [F78A0F5E] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_NAMED_PIPE [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLOSE [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_INFORMATION [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_INFORMATION [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_EA [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_EA [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_VOLUME_INFORMATION [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_VOLUME_INFORMATION [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DIRECTORY_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FILE_SYSTEM_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_LOCK_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_MAILSLOT [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_SECURITY [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_SECURITY [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER [F78A10E0] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CHANGE [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_QUOTA [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_QUOTA [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE [F78A0F5E] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE_NAMED_PIPE [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLOSE [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_INFORMATION [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_INFORMATION [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_EA [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_EA [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_VOLUME_INFORMATION [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_VOLUME_INFORMATION [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DIRECTORY_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FILE_SYSTEM_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_LOCK_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE_MAILSLOT [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_SECURITY [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_SECURITY [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER [F78A10E0] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CHANGE [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_QUOTA [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_QUOTA [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE [F78A0F5E] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE_NAMED_PIPE [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLOSE [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_INFORMATION [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_INFORMATION [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_EA [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_EA [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_VOLUME_INFORMATION [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_VOLUME_INFORMATION [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DIRECTORY_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FILE_SYSTEM_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_LOCK_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE_MAILSLOT [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_SECURITY [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_SECURITY [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER [F78A10E0] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CHANGE [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_QUOTA [F78A0A96] hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_QUOTA [F78A0A96] hotcore3.sys

---- EOF - GMER 1.0.13 ----