PDA

View Full Version : Rootkit! Help! :(



eyebot1
2008-05-03, 19:48
Hello,
I've been hit with a rootkit, I've tried a bunch of programs to help get rid of it, but nothing has worked. I tried programs like lightsword and HijackThis, but whenever I try to run them my computer freezes and I have to throw the switch! I know for a fact the I have hldrrr.exe and srosa.sys on my machine from a Blacklight scan, but when I tried to rename the files they just keep on coming back. Does anyone have any suggestions on what I should try next? It will be much appreciated!
Thanks,

-eyebot1

Rorschach112
2008-05-03, 19:53
Hello

Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:

Tools->Options->Main tab
Set to "Always ask me where to Save the files".

During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif


It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------


Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**




Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.




Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan finished scanning, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.

eyebot1
2008-05-03, 20:42
Thank you very much for the response! I ran Combo-Fix.exe and here is the output log:

ComboFix 08-05-01.3 - test 2008-05-03 12:07:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.520 [GMT -5:00]
Running from: C:\Documents and Settings\test\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\127468.exe.ren.ren
C:\WINDOWS\system32\drivers\downld\142312.exe.ren.ren
C:\WINDOWS\system32\drivers\downld\155734.exe.ren.ren
C:\WINDOWS\system32\drivers\downld\178031.exe.ren.ren
C:\WINDOWS\system32\drivers\downld\310796.exe.ren.ren
C:\WINDOWS\system32\drivers\downld\340156.exe.ren.ren
C:\WINDOWS\system32\drivers\downld\365875.exe.ren.ren
C:\WINDOWS\system32\drivers\downld\377656.exe.ren.ren
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-05-03 10:02 . 2008-05-03 10:03 12,378,112 --a------ C:\WINDOWS\system32\ULTESC
2008-05-03 09:48 . 2008-05-03 09:48 <DIR> d-------- C:\Documents and Settings\test\Application Data\AVGTOOLBAR
2008-05-02 14:09 . C:\WINDOWS\(2) C:\Combo-Fix\winstart.bat
2008-05-02 12:59 . 2008-05-02 12:59 123 --a------ C:\WINDOWS\rootkitno.ini
2008-05-02 09:40 . 2008-05-02 20:00 <DIR> d-------- C:\RootkitNO
2008-05-02 09:15 . 2008-05-02 20:15 <DIR> d-------- C:\Program Files\UnHackMe
2008-05-01 21:48 . 2008-05-01 21:48 <DIR> d-------- C:\Program Files\AVG
2008-05-01 21:48 . 2008-05-03 09:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-01 21:22 . 2008-05-03 09:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-01 19:25 . 2008-05-02 09:43 88,748 --a------ C:\WINDOWS\system32\drivers\SROSA.SYS.del
2008-04-30 17:04 . 2008-04-30 17:12 <DIR> d-------- C:\Documents and Settings\test\.idlerc
2008-04-29 20:09 . 2008-04-29 20:09 <DIR> d-------- C:\Program Files\rgcaudio
2008-04-27 00:42 . 2008-04-27 10:31 407 --a------ C:\WINDOWS\toolsx86.INI
2008-04-26 21:06 . 2008-04-26 21:06 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-26 17:06 . 2008-04-26 17:06 <DIR> d-------- C:\Program Files\Sugar Bytes
2008-04-26 17:06 . 2008-04-26 17:06 <DIR> d-------- C:\Program Files\Steinberg
2008-04-26 17:06 . 2002-10-18 21:44 1,032,266 --a------ C:\WINDOWS\system32\libmmd.dll
2008-04-26 11:54 . 2008-04-26 11:55 <DIR> d-------- C:\Documents and Settings\test\Data
2008-04-19 13:57 . 2008-04-19 13:57 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2008-04-19 12:34 . 2008-04-19 12:34 720,896 --a------ C:\WINDOWS\iun6002.exe
2008-04-19 12:33 . 2008-04-19 12:33 <DIR> d-------- C:\WINDOWS\vocoder
2008-04-16 22:49 . 2008-04-16 22:53 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-04-16 22:49 . 2008-04-16 22:53 <DIR> d-------- C:\Program Files\Autodesk
2008-04-16 22:48 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-04-16 22:31 . 2008-04-16 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-04-07 20:42 . 2008-04-07 20:43 74,522,624 --a------ C:\1.wav
2008-04-06 22:24 . 2008-04-06 22:24 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-06 22:23 . 2008-04-06 22:23 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-06 22:23 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-06 22:22 . 2008-04-06 22:23 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-06 22:22 . 2008-04-06 22:22 <DIR> d-------- C:\Program Files\Microsoft.NET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 18:50 --------- d-----w C:\Program Files\eMule
2008-05-02 14:26 --------- d-----w C:\Program Files\M-Audio Uno
2008-05-02 02:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-02 02:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-01 00:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-29 03:00 --------- d-----w C:\Program Files\Cakewalk
2008-04-27 02:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 17:34 --------- d-----w C:\Program Files\Vstplugins
2008-04-01 23:22 --------- d-----w C:\Program Files\valve
2008-03-26 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-03-26 01:23 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-26 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-25 22:57 --------- d-----w C:\Documents and Settings\test\Application Data\InstallShield
2008-03-25 22:27 --------- d-----w C:\Program Files\Common Files\Softimage
2008-03-24 00:49 --------- d-----w C:\Program Files\DivX
2008-03-23 21:35 --------- d-----w C:\Program Files\Jasc Software Inc
2008-03-20 19:32 --------- d-----w C:\Program Files\CamStudio
2008-03-18 18:28 --------- d-----w C:\Documents and Settings\test\Application Data\Sony
2008-03-18 05:04 --------- d-----w C:\Documents and Settings\test\Application Data\NeroDigital™
2008-03-17 19:18 --------- d-----w C:\Program Files\GCFScape
2008-03-16 21:37 --------- d-----w C:\Program Files\NeroInstall.bak
2008-03-16 21:35 --------- d-----w C:\Documents and Settings\test\Application Data\Nero
2008-03-16 21:33 --------- d-----w C:\Program Files\Common Files\Nero
2008-03-16 21:31 --------- d-----w C:\Program Files\Nero
2008-03-16 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-03-16 17:47 --------- d-----w C:\Program Files\HighMAT CD Writing Wizard
2008-03-16 15:57 --------- d-----w C:\Documents and Settings\test\Application Data\Publish Providers
2008-03-16 15:54 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-03-16 15:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-03-16 15:52 --------- d-----w C:\Program Files\Sony
2008-03-16 01:32 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-16 01:30 --------- d-----w C:\Program Files\Windows Media Connect
2008-03-16 01:24 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-16 00:46 --------- d-----w C:\Program Files\MSBuild
2008-03-16 00:42 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-15 23:36 --------- d-----w C:\Program Files\Google
2008-03-15 23:28 --------- d-----w C:\Program Files\Java
2008-03-15 23:25 --------- d-----w C:\Program Files\Common Files\KnifeEdge
2008-02-28 22:38 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-02-26 21:14 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2008-02-26 03:12 372,736 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-02-26 03:10 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-02-26 03:10 299,520 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-02-26 03:02 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-02-26 03:02 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-02-26 03:01 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-02-26 03:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-02-26 03:01 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-02-26 03:00 520,192 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-02-26 02:59 9,797,632 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-02-26 02:58 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-02-26 02:49 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-02-26 02:41 1,755,264 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-02-26 02:29 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-02-26 02:25 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-02-26 02:23 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-02-26 02:21 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-02-26 02:19 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-02-26 02:16 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-02-26 02:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-02-18 21:04 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
.

------- Sigcheck -------

2005-03-15 02:50 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [ ]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2006-09-22 09:02 679936]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-15 18:29 171448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= usbmn1x1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 17:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 14:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muBlinder]
--a------ 2007-11-03 11:11 1421312 C:\downloads\muBlinder\muBlinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
--a------ 2004-06-03 20:51 131072 C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
D:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-27 18:11 1271032 D:\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Microsoft Games\\Combat Flight Simulator 3\\fs9.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Steam\\steamapps\\keimei\\garrysmod\\hl2.exe"=
"D:\\Steam\\steamapps\\keimei\\half-life 2 deathmatch\\hl2.exe"=
"D:\\Steam\\steamapps\\keimei\\team fortress 2\\hl2.exe"=
"D:\\3ds Max 9\\3dsmax.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

S3 ATIDACXX;ATI DTV Wonder Analog Audio Capture Device;C:\WINDOWS\system32\drivers\atidacxx.sys []
S3 ATIDDCXX;ATI DTV Wonder Digital BDA Capture Device;C:\WINDOWS\system32\drivers\atiddcxx.sys [2005-02-14 14:16]
S3 ATIDTUXX;ATI DTV Wonder Digital And Analog Tuner Device;C:\WINDOWS\system32\drivers\atidtuxx.sys [2005-01-31 18:39]
S3 ATIDVCXX;ATI DTV Wonder Analog AV Capture Device;C:\WINDOWS\system32\drivers\atidvcxx.sys [2005-01-31 18:39]
S3 ATIDXBXX;ATI DTV Wonder Analog AV Crossbar Device;C:\WINDOWS\system32\drivers\atidxbxx.sys [2005-01-31 18:39]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-03 21:56]
S3 USB11LDR;M-Audio USB Uno Loader;C:\WINDOWS\system32\drivers\usb11ldr.sys [2004-12-08 15:29]
S3 USBMN1X1;M-Audio USB Uno MIDI Driver;C:\WINDOWS\system32\drivers\usbmn1x1.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 12:15:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\pv6mrw1x.TMP

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-05-03 12:25:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-03 17:25:10

Pre-Run: 38,712,832,000 bytes free
Post-Run: 40,466,268,160 bytes free

235

Like I said I was having trouble trying to get HijackThis running because of the rootkit, and about the online scanning, I disconnected my infrected computer from the internet to hopefully stop it from getting worse, so I am using a different computer right now, would it be safe to have it connect now?
-eyebot1

Rorschach112
2008-05-03, 21:02
Go ahead and run those online scans, need to see them

Rorschach112
2008-05-08, 04:03
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Rorschach112
2008-05-13, 03:56
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.