Help needed with UACd / WINTDSS trojan

PaulDSC
2009-07-31, 19:22
Hi

I am new to the forum. I'd like some help dealing with the WINTDSSRTK and WINTDSSREG1 trojans. Spybot S&D identifies these but they keep reappearing and the computer has developed many "nasty" symptoms described below. I have run some elementary diagnostics but need some guidance please.


The story so far:

Machine is a Dell Inspiron 8200 laptop running W2K v5 SP4 and IE6 SP1. Rising anti-virus is doing a full scan from startup each time I boot up.

First symptoms:

System slow to boot
Lost webpage dropdown functionality
No version number displayed in IE6 Help/About
Webpage hyperlink buttons stopped working.


Actions:
Applied IEFIX v1.6
Downloaded IE6 SP1 from MS and reapplied

Rebooted after each of these to no effect.

Noticed these additional symptoms:

Can't get into Add/Remove progs
Can't inspect W2K event log entries by double clicking
Can't get into most of the Computer Management > System Info screens (error msg: "The connection to could not be established...")
In Services > Applications > Internet Services Manager, error: "Unable to connect to target machine..."
Unable to launch some apps from desktop
MS Word and Excel won't open properly (no OLE etc)
Can't print or see connected printers


Tried downloading MBAM but it was "prevented" from executing.

Downloaded Spybot S&D. It identified 3 malware items including WINTDSSRTK and WINTDSSREG1 and appeared to clean them.

Tried to reboot machine but couldn't. Msg: "STOP C000026C unable to load device driver. \SystemRoot\ device driver could not be loaded. Error status 0xc0000020"

Tried rebooting in Safe mode but got same message.

I don't have ERD so attempted boot from a W2K CD using repair option. Failed with same error message.

Ran Dell diagnostics CD on machine - all passed

Eventually booted using last known good config.

Ran Spybot again. The WINTDSSRTK and WINTDSSREG1 malware entries previously cleaned were there again.

Downloaded Security Check from screen317 (results below)

Downloaded DDS by sUBS (log file results below)

Downloaded RootRepeal. Failed to run after several tries (various messages, mostly "could not read boot sector...", occasionally "could not allocate memory for our driver info" and "device I/O control error! Error code = 0x8"). Tried adjusting the disk access level in the options dialog but it failed with the same messages each time. Tried again in Safe Mode with the same result.

As an alternative downloaded Sophos Anti-rootkit version 1.5, installed it and ran scan. (disconnected from Internet and disabled Spybot first but couldn't get into Rising antivirus to stop it).

Anti-rootkit identified 4 hidden registry keys:
\HKEY_LOCAL_MACHINE\SOFTWARE\UAC
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UACd.sys

and numerous hidden files. While most of these were Temporary Internet Files, there were a few .dlls in Temp that looked related to the registry keys above:


C:\Documents and Settings\<user>\Local Settings\Temp\nss18.tmp\UAC.dll
C:\Documents and Settings\<user>\Local Settings\Temp\nsq1A.tmp\UAC.dll
C:\Documents and Settings\<user>\Local Settings\Temp\nsr1E.tmp\UAC.dll
C:\Documents and Settings\<user>\Local Settings\Temp\nsh21.tmp\UAC.dll
C:\Documents and Settings\<user>\LocalSettings\Temp\UAC5475.tmp
C:\WINNT\System32\drivers\UACKlrlovmycd.sys
C:\WINNT\System32\UACjkmpixnrwb.dll

The 4 hidden registry keys are stated as unremovable in Anti-Rootkit.
The 7 hidden files listed above were stated as removable but not recommended for cleanup.
I tagged them for cleanup anyway and proceeded despite the warning, then restarted the system and opened the sarscan.log shown below.

I suspect there's more I need to do, so I would really appreciate some advice as to where to go from here (intuitively I might have tried ComboFix but I'm nervous about doing this without guidance from one of your experts!). Please treat me as a relative newbie - the steps I've taken above are "best efforts" based on my own web research (and excellent forums like yours) but I'm already several light years outside my comfort zone.

Kind regards

Paul

TEXT FILES:

Results of screen317's Security Check version 0.98.7
Windows 2000 Service Pack 4
``````````````````````````````
Antivirus/Firewall Check:
Rising Antivirus


``````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
Adobe Reader 9
``````````````````````````````
Process Check:
objlist.exe by Laurent


``````````````````````````````
DNS Vulnerability Check:
nslookup.exe missing!
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````


DDS TEXT FILE

DDS (Ver_09-07-30.01) - NTFSx86
Run by paul at 12:23:38.29 on Fri 31/07/2009
Internet Explorer: 6.0.2800.1106

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [internat.exe] internat.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DiTask.exe] "c:\program files\eicon\diva\DiTask.exe"
mRun: [Divamon.exe] "c:\program files\eicon\diva\Divamon.exe"
mRun: [Eicon TechnologyLAN_DAEMON] "c:\program files\eicon\diva\watch.exe"
mRun: [CGServer] "c:\program files\eicon\diva\cgserver.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [EPSON Stylus Photo R340 Series] c:\winnt\system32\spool\drivers\w32x86\3\E_FATIAJE.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB001" /M "Stylus Photo R340"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [RavTask] "c:\program files\rising\rav\RavTask.exe" -system
dRun: [internat.exe] internat.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/01dad4cd3d29af0c6206/netzip/RdxIE601.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.4199768519
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: ActiveSync - WcesWlgn.dll
Notify: nwprovau - nwprovau.dll
SEH: ShlExecHack Class: {32cd708b-60a7-4c00-9377-d73eaa495f0f} - c:\winnt\system32\RavExt.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-07-31 10:13 16,384 a------t c:\winnt\system32\Perflib_Perfdata_38c.dat
2009-07-31 10:07 16,384 a------t c:\winnt\system32\Perflib_Perfdata_390.dat
2009-07-30 20:33 289 a------- c:\winnt\wininit.ini
2009-07-30 19:34 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-30 19:34 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-30 19:27 16,409,960 a------- C:\spybotsd162.exe
2009-07-30 19:24 28,944 ac------ c:\winnt\system32\dllcache\ibmexmp.sys
2009-07-30 19:19 <DIR> --d----- c:\program files\TeamViewer
2009-07-30 19:06 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-30 19:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-30 19:06 18,456 a------- c:\winnt\system32\drivers\mbam.sys
2009-07-30 19:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-30 19:04 3,775,176 a------- C:\mbam-setup.exe
2009-07-30 19:02 <DIR> --d----- c:\docume~1\paul\applic~1\TeamViewer
2009-07-30 19:01 <DIR> --d----- c:\documents and settings\paul\temp
2009-07-30 14:46 37,144 a------- c:\winnt\system32\net.net

==================== Find3M ====================

2008-10-08 11:35 12,888 a------- c:\docume~1\paul\applic~1\GDIPFONTCACHEV1.DAT
2003-03-17 16:59 21,952 ----h--- c:\program files\folder.htt
2003-03-17 16:59 271 ----h--- c:\program files\desktop.ini
1999-12-06 14:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 12:23:53.39 ===============

DDS attach.TXT

==== Installed Programs ======================

Acrobat.com
Actiontec MD56ORD V92 MDC Modem
Adobe Acrobat 5.0
Adobe AIR
Adobe Flash Player ActiveX
Adobe MPEG Encoder
Adobe Premiere 6.5
Adobe Reader 9
Advanced Excel Repair v1.4
Advertisement Service
AT&T Global Network Client
Borland Delphi 6
Cimaware OfficeFIX 6
Diva Assistant
Diva Tools
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Print CD
EPSON PRINT Image Framer Tool
EPSON Printer Software
EPSON Scan Assistant
EPSON Web-To-Page
ESPR340 User's Guide
getPlus(R) for Adobe
Internet Explorer Q822925
Kernel for Excel ver 7.05.01
Malwarebytes' Anti-Malware
Microsoft ActiveSync
Microsoft Internet Explorer 6 SP1
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2000
Microsoft SQL Server 2000 Windows CE Edition
Microsoft SQL Server CE Server Tools
Microsoft Visio Professional 2002 [English]
NVIDIA Windows 2000/XP Display Drivers
ORiNOCO AP Manager
Panda ActiveScan 2.0
PIF DESIGNER
QuickTime
Rising Antivirus
Sony Ericsson PC Suite
Spybot - Search & Destroy
TeamViewer 4
Terminal Services Client
The Operations Database
WAP11 Utility
WebFldrs
Windows 2000 Hotfix - KB823559
Windows 2000 Hotfix - KB824105
Windows 2000 Hotfix - KB824146
Windows Installer 3.1 (KB893803)
Windows Media Player system update (9 Series)
WinZip

==== End Of File ===========================

SOPHOS ANTI-ROOTKIT SCAN LOG


Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 31/07/2009 at 13:28:17
User "paul" on computer "ARIEL"
Windows version 5.0 SP 4.0 Service Pack 4 build 2195 SM=0x0 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\paul\Local Settings\Temporary Internet Files\Content.IE5\836DWVG1\GH_YODA1_Ebay_e623i9600654_en_GB[27].css
Hidden: file C:\Documents and Settings\paul\Local Settings\Temporary Internet Files\Content.IE5\KLEJSXMF\eBayISAPI[4].dll
Hidden: file C:\Documents and Settings\paul\Local Settings\Temporary Internet Files\Content.IE5\KLEJSXMF\SYS_YODA2_vjo_e625i9680358_1_en_GB[24].js
Hidden: file C:\Documents and Settings\paul\Local Settings\Temp\UAC5475.tmp
Hidden: file C:\WINNT\system32\drivers\UACklrlovmycd.sys
Hidden: file C:\WINNT\system32\UACjkmpixnrwb.dll
Stopped logging on 31/07/2009 at 17:25:30

shelf life
2009-08-01, 16:09
Hi,

I don't think Combofix will run on W2K. The next suggestion would be Malwarebytes, which you have already used. These items you posted are most likely not caused by any malware:


* Can't get into Add/Remove progs
* Can't inspect W2K event log entries by double clicking
* Can't get into most of the Computer Management > system info screens (error msg: "The connection to could not be established...")
* In Services>Applications>Internet Services Manager error: " Unable to connect to target machine...")
* Unable to launch some apps from desktop
* MS Word and Excel won't open properly (no OLE etc)
* Can't print or see connected printers


You should read this (http://technet.microsoft.com/en-us/library/cc512587.aspx) info. Notice it doesn't even mention the word rootkit, but it all still applies.

You can also try using SDFix, which does run on W2K. It only runs in Safe Mode. Link and directions:

Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt in your reply.

PaulDSC
2009-08-01, 21:54
Thanks very much for the reply

I will download and run SDfix as you suggest.

In the meantime, and just for your info, ALL the symptoms I listed which you quote in your reply disappeared immediately after I used Sophos anti-rootkit to delete the 7 hidden and "suspect" UAC files I listed.

I made no other changes whatsoever, and have been keeping a careful log at every stage, so I'm surprised that you say these symptoms probably have nothing to do with the trojan. I've also left the machine turned on ever since, fearing that the symptoms might reappear on next boot up.

I'll run SDfix late tonight and report back.

Thanks again

Paul

shelf life
2009-08-01, 23:18
"so I'm surprised that you say these symptoms probably have nothing to do with the trojan."

I am surprised too. What a productive little trojan!!

PaulDSC
2009-08-02, 01:00
Hi

Ran SDFix as suggested.
It completed first part (in "safe" mode)
It didn't quite complete final stage of second part (after reboot)

Program Error:

Cghtme.exe has generated errors and will be closed by Windows. You will need to restart the program, An error log is being created.

Please advise whether you want me to try running cghtme.exe from the SDFix directory, or whether you want me to run SDFix again (I tried running the batch file runthis.bat again, as I thought this was what the error message wanted me to restart, but as you might expect it wouldn't load).

Anyway, here is the SDFix (incomplete) report.txt (let me know if there is some other error log you need)


SDFix: Version 1.240
Run by paul on Sat 01/08/2009 at 22:12

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :


Remaining Services :

shelf life
2009-08-02, 04:56
Don't worry about running SDFix again. Let's try Dr. Web:

download Dr Web (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) to your desktop

Click the icon and click start

It will first scan files resident in memory. (A short scan)

If something is found, click the YES button when it asks you if you want to cure it.

If you get a pop up about purchasing the software just click the x in the corner to close it.

Once the memory scan is done click on complete scan on the left hand side.

Next click the greenish arrow button over on the right to start the full scan.

This scan will take some time to complete.

If Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.

Note: if the file cannot be cured, Dr.Web will automatically delete the file.

Once the scan is complete, on the menu bar, click file and choose report list.

Save the report to your desktop. The report will be called DrWeb.csv
Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
* Close Dr.Web Cureit.
* Please post the Dr.Web.txt report in your next reply

PaulDSC
2009-08-02, 21:15
Hi

The DrWeb scan just finished (12 hours)

Here is the Drweb.txt log

I wasn't sure what to do with the SDFix items classed as "hacks" in the stats, so I moved them

I asked for the two reported trojans to be cured and they were deleted.

Rgds

Paul

Drweb.txt Report

SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\paul\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\paul\Desktop;Archive contains infected objects;Moved.;
SDFix[1].exe\SDFix\apps\Process.exe;C:\Documents and Settings\paul\Local Settings\Temporary Internet Files\Content.IE5\G5QJ45QB\SDFix[1].exe;Tool.Prockill;;
SDFix[1].exe;C:\Documents and Settings\paul\Local Settings\Temporary Internet Files\Content.IE5\G5QJ45QB;Archive contains infected objects;Moved.;

Setup-e92_02009-1938[1].exe;C:\Documents and Settings\paul\Local Settings\Temporary Internet Files\Content.IE5\MXLMZ65W;Trojan.DownLoad.40862;Deleted.;

Process.exe;C:\SDFix\apps;Tool.Prockill;Moved.;

net.net;C:\WINNT\system32;Trojan.Click.25308;Deleted.;

shelf life
2009-08-03, 01:11
OK, thanks for the info. You can delete the SDFix folder from its default install location. Some AV will flag certain components in tools as hack or risk tools.

Combofix will run on W2K. One of the steps before running it is to install the recovery console. The recovery console install is a precaution in case it's needed for some reason.

Without it Combofix will run in a reduced mode.
Since MS support for W2K has ended I don't know if downloading the recovery console will present any problems. Do you happen to have the original W2K install disk? It should be present on that. You can either try to install the recovery console first or run it without it being installed. Up to you. There is a disclaimer during the running of Combofix. In any case read this guide first:

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

See near bottom of page: "Basically, the Recovery Console can be loaded in one of three ways"
http://www.practicalpc.co.uk/computing/windows/win2krec4.htm

It wouldn't hurt to check MBAM for updates and run it again also. You can post the log like this:

After checking for updates. Select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer most likely will be required to remove some items.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

PaulDSC
2009-08-03, 13:22
OK

I ran Combofix and MBAM as you suggested and the log files are at the end of this email.

A few events in this process of note (one or two might explain some of the Combofix logfile entries):


Deleted SDFix as suggested
Didn't have original W2K install disks to manually load WRC (had another W2K install CD but this didn't have the cmdcons file)
Read Combofix guidelines which said it would try to load WRC if it couldn't see it so proceeded to download and run Combofix
After the initial screens Combofix launched straight into the scan (it didn't appear to check for WRC or offer to load it as I had expected)
When Combofix rebooted the machine two things happened
Firstly a SQL Server error message came up: "SQL Server could not find default instance of MSSQL Server.. if you believe it is corrupt or has been tampered with, uninstall then rerun setup to correct this problem". Note: I can probably live with this or correct it
Secondly I started to get Rising Anti Virus (RAV) pop up screens warning of attempted registry violations during the final stage but BEFORE Combofix finished. On first glance it seems that RAV automatically re-enables monitoring on start up and had become automatically re-enabled when Combofix auto-rebooted. I had disabled all RAV scheduled scans and I had manually and individually disabled a group of RAV monitors prior to downloading and running Combofix. A number of these RAV monitors (File Monitor, Email Monitor, Script Blocking, Application Access Control, Application Protection, Program Startup Control, Malicious Behaviour Detection, Hidden Process Detection) had become re-enabled when Combofix rebooted. Although I had to use the keyboard to acknowledge RAV warnings before Combofix finished I don't think it affected the final stage of Combofix processing, but it might explain one or two Combofix report entries.
Before running MBAM I disabled all these RAV utilities again.
I deleted my existing MBAM files (you will note from my very first post that MBAM had been prevented from running at that stage, presumably by the trojan, and I thought it best to re-download MBAM) and I downloaded a fresh version of MBAM and updates, and ran the full MBAM scan.


Here are the log files - thanks for your ongoing help with this!

Paul

COMBOFIX

ComboFix 09-08-02.03 - paul 03/08/2009 9:18.1.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.44.1033.18.511.304 [GMT 1:00]
Running from: c:\documents and settings\paul\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 32A


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DBNMP3.DLL
c:\documents and settings\paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Rising Antivirus.lnk
c:\winnt\Downloaded Program Files\RdxIE.dll
c:\winnt\system32\Cache
c:\winnt\Web\default.htt


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWCWORKSTATION
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2009-08-03 09:27 . 2009-08-03 09:27 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_658.dat
2009-08-02 07:55 . 2009-08-02 08:48 -------- d-----w- c:\documents and settings\paul\DoctorWeb
2009-08-01 21:10 . 2009-08-01 21:10 403216 -c--a-w- c:\winnt\system32\dllcache\user32.dll
2009-08-01 20:49 . 2009-08-01 20:49 -------- d-----w- c:\winnt\ERUNT
2009-08-01 08:53 . 2009-08-01 08:53 -------- d-----w- c:\program files\ERUNT
2009-07-31 16:49 . 2009-06-18 11:55 18816 ------w- c:\winnt\system32\SAVRKBootTasks.sys
2009-07-31 12:23 . 2009-07-31 12:23 -------- d-----w- c:\program files\Sophos
2009-07-30 18:34 . 2009-07-30 18:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-30 18:34 . 2009-07-30 18:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-30 18:27 . 2009-07-30 18:29 16409960 ----a-w- C:\spybotsd162.exe
2009-07-30 18:24 . 1999-11-30 22:39 17680 -c--a-w- c:\winnt\system32\dllcache\hr132.dll
2009-07-30 18:19 . 2009-07-30 18:19 -------- d-----w- c:\program files\TeamViewer
2009-07-30 18:06 . 2009-07-13 12:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-30 18:06 . 2009-07-30 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-30 18:06 . 2009-07-13 12:36 18456 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-07-30 18:06 . 2009-07-30 18:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-30 18:04 . 2009-07-14 23:02 3775176 ----a-w- C:\mbam-setup.exe
2009-07-30 18:02 . 2009-07-30 18:02 -------- d-----w- c:\documents and settings\paul\Application Data\TeamViewer
2009-07-30 18:01 . 2009-07-30 18:01 -------- d-----w- c:\documents and settings\paul\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 16:17 . 2003-03-17 15:56 -------- d-----w- c:\program files\Accessories
2003-03-17 15:59 . 2003-03-17 15:59 21952 ---h--w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [1999-12-06 20752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"nwiz"="nwiz.exe" [2003-02-10 323584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [1999-12-06 20752]

c:\documents and settings\Mattho\Start Menu\Programs\Startup\
Shortcut to OCNLauncher.lnk - c:\program files\OCN\CTS\LAUNCHER\OCNLauncher.exe [2003-3-28 651264]

c:\documents and settings\paul\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2003-3-19 74308]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2003-3-17 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{32CD708B-60A7-4C00-9377-D73EAA495F0F}"= "c:\winnt\system32\RavExt.dll" [2009-01-30 113264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]
2006-11-13 13:38 16168 ----a-w- c:\winnt\system32\WcesWlgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
2003-06-19 11:05 139536 ----a-w- c:\winnt\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0 bsmain

R0 DiMaint;Eicon Maintenance Driver;c:\winnt\system32\drivers\disdn\dimaint.sys [19/02/2003 16:26 91408]
R0 pavboot;pavboot;c:\winnt\system32\drivers\pavboot.sys [30/01/2009 11:03 28544]
R0 RsNTGDI;RsNTGDI;c:\winnt\system32\drivers\RsNTGdi.sys [30/01/2009 13:14 10736]
R1 HookCont;HookCont;c:\winnt\system32\drivers\HookCont.sys [30/01/2009 13:14 13808]
R1 HookNtos;HookNtos;c:\winnt\system32\drivers\HookNtos.sys [30/01/2009 13:14 62576]
R1 HookReg;HookReg;c:\winnt\system32\drivers\HOOKREG.sys [30/01/2009 13:14 38256]
R1 HookSys;HookSys;c:\winnt\system32\drivers\HookSys.sys [30/01/2009 13:14 164848]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\winnt\system32\SAVRKBootTasks.sys [31/07/2009 17:49 18816]
R2 DiCapi;Eicon CAPI 2.0 Driver;c:\winnt\system32\drivers\disdn\capi202k.sys [19/02/2003 16:26 199312]
R2 diport;Eicon Port Driver;c:\winnt\system32\drivers\disdn\diport40.sys [19/02/2003 16:26 207776]
R2 RsCCenter;Rising Process Communication Center;c:\program files\Rising\Rav\CCenter.exe [30/01/2009 13:14 162416]
R3 DiWan;Eicon Driver for all Diva Client cards;c:\winnt\system32\drivers\disdn\Diwan.sys [19/02/2003 16:26 1727984]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [17/03/2003 16:41 61712]
R3 Ich;Ich;c:\winnt\system32\drivers\Ich.sys [13/01/2002 17:25 65916]
S2 BridDfu;LINKSYS WAP11 USB Device Driver;c:\winnt\system32\drivers\BridDFU.sys [03/11/2003 16:53 16302]
S2 RsRavMon;Rising RealTime Monitor;c:\program files\Rising\Rav\RavMonD.exe [30/01/2009 13:14 395888]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/01/2009 21:42 33752]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\winnt\system32\14.tmp --> c:\winnt\system32\14.tmp [?]
S3 usb_rndisy;USB RNDIS Adapter;c:\winnt\system32\drivers\usb8023y.sys [08/03/2006 10:57 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 10:26
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\Perflib_Perfdata_658.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\winnt\system32\14.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(168)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(268)
c:\winnt\AppPatch\AcLayers.DLL
.
Completion time: 2009-08-03 10:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-03 09:32

Pre-Run: 17,190,469,120 bytes free
Post-Run: 27,808,158,720 bytes free

132

MALWAREBYTES

Malwarebytes' Anti-Malware 1.39
Database version: 2549
Windows 5.0.2195 Service Pack 4

03/08/2009 11:38:50
mbam-log-2009-08-03 (11-38-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 206095
Time elapsed: 31 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

shelf life
2009-08-04, 01:14
hi,

Thanks for all the info. Looks like it all went pretty well. AV and other anti-this-or-that can interfere with the smooth running of Combofix, as you found out. Log looks OK to me.
This service was removed: Service_UACd.sys
This: MEMSWEEP2;\??\c:\winnt\system32\14.tmp belongs to Sophos anti-rootkit
This: NWCWORKSTATION is used for file/printer sharing on Netware servers. No need to expose unneeded services.

Other than that it looks good. How's it all looking on your end now?

PaulDSC
2009-08-04, 02:13
"Yes, it's looking OK" (he said nervously!)

Most of the "nasty" symptoms that made the system almost unusable at the end of last week have stayed away.

Subject to anything else you might recommend I'll monitor it over the next few days and report back with my findings at the end of this week.

In the meantime, just for clarification, I have a few quick questions:

1. In an earlier message to you I said that Sophos anti-rootkit had identified some suspicious looking registry entries:
Anti-rootkit identified 4 hidden registry keys:
\HKEY_LOCAL_MACHINE\SOFTWARE\UAC
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UACd.sys
Sorry if this is a daft question, but I've not seen these mentioned in any log file since (even though Sophos was unable to deal with them). Is this important?

2. I've had my normal AV tool (Rising) disabled for the last 4 days while running the various utilities you recommend. On recent scans beforehand it identified a possible backdoor trojan (I think it was subseven.c?). Again, I have not seen this mentioned in any of the (other) scans over the last few days, so should I re-enable Rising A/V to see if it picks it up again?

3. Although I've deleted or uninstalled some of the utilities we've used over the last few days I still have a number on the desktop including:
Root Repeal
Sophos Anti rootkit
DrWeb
Combofix
Malwarebytes

I guess, once we confirm that the immediate problems have been resolved, you'll advise me on an appropriate protection regime for the future, and that would be very helpful. In the meantime, are there any utilities I should remove, and are there any you'd like me to re-run?

Many thanks again for your ongoing help

Rgds

Paul

shelf life
2009-08-04, 03:51
thanks for the info. In answer to your questions:

2) Yes, enable and run your AV

3) You can delete Root Repeal and Dr Web from the desktop.
Sophos may have an uninstall option in the Add/Remove Programs panel; not sure, check there first before deleting the icon from the desktop.
Malwarebytes you can keep as an anti-malware solution. The free version requires manually updating it before a scan. Combofix: Go to start>run and type in combofix /u, click OK or press Enter. Note: there is a space after the x and before the /

1) Normally registry values are not a problem once the core files have been removed. We can delete those using regedit. First we will have to back up each of the values just in case. I will post back with more directions.

For now you can go to start>run and type in regedit32
the Windows registry should open.
Under File do you see a Import/Export option?

PaulDSC
2009-08-04, 09:00
Start>run>regedit32 returns "cannot find the file regedit32 etc etc"
Start>run>regedit works and has "import registry file" and "export registry file" options.

Paul

PaulDSC
2009-08-04, 10:18
Just finished Rising Anti Virus (RAV) scan.

It reported three viruses:

worm.feebs.ls in file TBN%20Registration_adpliblite[2].js in Temporary Internet Files

backdoor.Win32.SubSeven.c (two instances) in application executable vessmgr.exe

Not sure why these were not picked up by Spybot, MBAM or any of the other utilities we've run. My free subscription to RAV has expired and it will now just scan (but not fix). Should I pay for a RAV subscription or can you recommend another (free) tool that will deal with these?

Many thanks

Paul

shelf life
2009-08-05, 03:14
What did your AV do with the files? Are they in quarantine, or did it not do anything because the subscription had expired?


"an appropriate protection regime"
I save that for last.


"Should I pay for a RAV subscription or can you recommend another (free) tool that will deal with these?"
You can renew it if you want or you can get a free one. No AV alone can handle a rootkit.


We will backup each of these first before deleting.
\HKEY_LOCAL_MACHINE\SOFTWARE\UAC
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UACd.sys

If you start regedit, on the left hand side you will see all the hives listed.
You can drill down by clicking on the + sign to expand each option.
For the first one above, on the left hand side click on the plus sign by:
HKEY_LOCAL_MACHINE
then click the + sign for Software
Last, still on the left: click on the UAC folder
then go to file>export
You can name it uacbkup.reg (uac back up) and save it to your desktop

Next drill down to the UACd.sys folder in each of the 3 different control sets.
Save each one like above as a backup to your desktop.
Once you have the 4 backups on your desktop we can try a deletion like this:

Copy and paste the following into Notepad:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\UAC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UACd.sys]

Go to File --> Save As..., and save the file as fix.reg (make sure the Save As Type is set to: All Files).
Save it to your Desktop.

Go to your Desktop, double-click fix.reg and merge the information with the registry.

PaulDSC
2009-08-05, 10:22
OK

1. Rising anti-virus (RAV) did nothing with the 3 items listed (except report them on scan) as my sub had expired.

I'll decide today whether to renew Rising sub to see if RAV is able to fix or delete, or get some other antivirus software.


2. When I use regedit and drill down the hives I cannot see the 4 UAC entries in HKEY_LOCAL_MACHINE . I guess that's because Sophos anti-rootkit described them as HIDDEN registry entries.

Rgds

Paul

PaulDSC
2009-08-05, 18:43
Further to my earlier email I decided to renew my sub to Rising Anti Virus.

Unfortunately they didn't want my money (the payment checkout would not load despite numerous attempts), so I uninstalled my existing RAV software and downloaded and installed the latest free version of RIS (Rising Internet Security 2009).

I have run a scan using RIS:
It has fixed the worm.feebs.ls
It has deleted the files with backdoor.win32.subseven.c trojans

Rgds

Paul

shelf life
2009-08-06, 02:30
I didn't know what Sophos meant by "hidden"; if they contain NULL characters then they won't be displayed using regedit. There are apps that will display (hidden) entries, but I don't know of any that will let you do anything with them, i.e. remove them from the registry. The core files appear to have been removed so the registry entries are just a leftover.

Let's get one more tool just for rootkits. It's called Gmer. Link and directions for Gmer:

download Gmer from one of these links;

zip file:
http://gmer.net/gmer.zip

randomly named .exe:
http://gmer.net/download.php


unzip the file to your desktop.

close all running programs.

Double-click the Gmer icon to start Gmer:
if you get a message box that says:

warning!!
Gmer has found system modification or Rootkit Activity.......

It will ask you:
Do you want to fully scan your system?

--->select NO<---

In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.

Now click the Scan button.

Gmer will scan the computer.
If you get a Rootkit warning window during the scan: click OK

When finished click "Save" to save log to your desktop

Copy/Paste the saved Gmer log in your reply.
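An added example, not from this thread or from any of the tools it mentions, of the mechanism shelf life describes above: regedit and the other Win32 registry functions treat a key name as a NUL-terminated string, while the native API carries an explicit byte length, so a key name with an embedded NUL is enumerated by the kernel but truncated or invisible in regedit. The Python below parses the KEY_BASIC_INFORMATION records that NtEnumerateKey returns and flags such names; the live enumeration of the Services key (that path is an assumption, chosen because it is where the UACd.sys keys were reported) runs only on Windows, while the parsing and detection functions run anywhere on a constructed record.

```python
"""Flag registry subkeys whose names regedit cannot display correctly."""
import struct
import sys

# Layout of KEY_BASIC_INFORMATION, the record NtEnumerateKey fills in when
# asked for KeyBasicInformation (information class 0):
#   LARGE_INTEGER LastWriteTime;   offset 0,  8 bytes
#   ULONG         TitleIndex;      offset 8,  4 bytes
#   ULONG         NameLength;      offset 12, 4 bytes, in BYTES of UTF-16LE
#   WCHAR         Name[];          offset 16, NOT NUL-terminated
_KBI_HEADER = struct.Struct("<qII")
KEY_BASIC_INFORMATION = 0
STATUS_NO_MORE_ENTRIES = 0x8000001A


def parse_key_basic_information(record: bytes) -> str:
    """Decode a KEY_BASIC_INFORMATION record into the full key name.

    Because the kernel supplies an explicit length, a NUL inside the name
    survives here instead of terminating the string as it would in Win32.
    """
    _last_write, _title_index, name_len = _KBI_HEADER.unpack_from(record, 0)
    start = _KBI_HEADER.size
    return record[start:start + name_len].decode("utf-16-le")


def win32_visible_name(name: str) -> str:
    """The name a NUL-terminated consumer (RegEnumKeyEx, regedit) would show."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]


def is_hidden_from_regedit(name: str) -> bool:
    """True when the native name contains a NUL that Win32 tools stop at."""
    return "\x00" in name


def build_key_basic_information(name: str) -> bytes:
    """Construct a record in the kernel's layout (constructed test data)."""
    raw = name.encode("utf-16-le")
    return _KBI_HEADER.pack(0, 0, len(raw)) + raw


def enumerate_subkeys_native(hkey: int) -> list:
    """Windows only: list subkey names of an open HKEY via ntdll.NtEnumerateKey.

    `hkey` must be a real handle (e.g. from winreg.OpenKey), not one of the
    HKEY_* pseudo-handles, which the native API does not accept.
    """
    import ctypes

    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtEnumerateKey.restype = ctypes.c_ulong  # NTSTATUS, unsigned view
    buf = ctypes.create_string_buffer(8192)         # max key name is 255 WCHARs
    result_len = ctypes.c_ulong(0)
    names = []
    index = 0
    while True:
        status = ntdll.NtEnumerateKey(
            ctypes.c_void_p(hkey), ctypes.c_ulong(index),
            ctypes.c_ulong(KEY_BASIC_INFORMATION), buf,
            ctypes.c_ulong(ctypes.sizeof(buf)), ctypes.byref(result_len))
        if status == STATUS_NO_MORE_ENTRIES:
            return names
        if status != 0:
            raise OSError("NtEnumerateKey failed: NTSTATUS 0x%08X" % status)
        names.append(parse_key_basic_information(buf.raw[:result_len.value]))
        index += 1


def report_hidden_subkeys(path=r"SYSTEM\CurrentControlSet\Services") -> list:
    """Windows only: report subkeys under HKLM\\<path> that regedit truncates.

    The default path is an assumption; it is where the UACd.sys keys lived.
    """
    import winreg

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        names = enumerate_subkeys_native(key.handle)
    hidden = [n for n in names if is_hidden_from_regedit(n)]
    for n in hidden:
        print("native name %r is shown by Win32 tools as %r"
              % (n, win32_visible_name(n)))
    return hidden


if __name__ == "__main__":
    if sys.platform == "win32":
        report_hidden_subkeys()
    else:
        # Off-Windows demonstration on a constructed record.
        rec = build_key_basic_information("UACd.sys\x00hidden")
        full = parse_key_basic_information(rec)
        print("kernel sees %r, regedit sees %r, hidden=%s"
              % (full, win32_visible_name(full), is_hidden_from_regedit(full)))
```

Run it elevated on the affected machine; a non-empty result means a key exists that regedit's tree will show truncated or not at all, which is a reason to keep a native-API rootkit scanner in the toolkit rather than relying on regedit.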

PaulDSC
2009-08-06, 19:20
Here is the GMER log:

GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-06 18:12:26
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwAssignProcessToJobObject [0xEB74C010]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwCreateKey [0xEB74C118]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwCreateMutant [0xEB74C094]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwCreateProcess [0xEB74BE21]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwCreateThread [0xEB74BEA5]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwDeleteKey [0xEB74C17B]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwDeleteValueKey [0xEB74C15A]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwDeviceIoControlFile [0xEB74C031]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwFsControlFile [0xEB74C0B5]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwLoadDriver [0xEB74BE63]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwLockVirtualMemory [0xEB74BF8C]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwOpenKey [0xEB74C1DE]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwOpenProcess [0xEB74C0F7]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwOpenSection [0xEB74BEC6]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwProtectVirtualMemory [0xEB74BF6B]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwQueryDirectoryFile [0xEB74C073]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwQuerySystemInformation [0xEB74BE00]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwQueryValueKey [0xEB74BFEF]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwQueueApcThread [0xEB74BF4A]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwRequestWaitReplyPort [0xEB74BFCE]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwRestoreKey [0xEB74C1BD]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSetContextThread [0xEB74BF29]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSetSecurityObject [0xEB74C19C]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSetSystemInformation [0xEB74BFAD]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSetSystemTime [0xEB74C052]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSetValueKey [0xEB74C139]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSuspendThread [0xEB74BF08]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwTerminateProcess [0xEB74BE42]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwTerminateThread [0xEB74BEE7]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwUnmapViewOfSection [0xEB74C0D6]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwWriteVirtualMemory [0xEB74BE84]

---- Kernel code sections - GMER 1.0.15 ----

? dimaint.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT Ntfs.sys[NTOSKRNL.EXE!MmFlushImageSection] [BE80208E] \SystemRoot\system32\drivers\HookSys.sys (Hooksys.sys/Beijing Rising Information Technology Co., Ltd.)
IAT Ntfs.sys[NTOSKRNL.EXE!IoCheckShareAccess] [BE802008] \SystemRoot\system32\drivers\HookSys.sys (Hooksys.sys/Beijing Rising Information Technology Co., Ltd.)
IAT Ntfs.sys[NTOSKRNL.EXE!SeAccessCheck] [BE802108] \SystemRoot\system32\drivers\HookSys.sys (Hooksys.sys/Beijing Rising Information Technology Co., Ltd.)
IAT \??\C:\WINNT\system32\win32k.sys[NTOSKRNL.EXE!KeAddSystemServiceTable] [EB74C472] \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
IAT \??\C:\WINNT\system32\win32k.sys[NTOSKRNL.EXE!KeUserModeCallback] [EB74CDA0] \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCheckShareAccess] [BE802008] \SystemRoot\system32\drivers\HookSys.sys (Hooksys.sys/Beijing Rising Information Technology Co., Ltd.)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!MmFlushImageSection] [BE80208E] \SystemRoot\system32\drivers\HookSys.sys (Hooksys.sys/Beijing Rising Information Technology Co., Ltd.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \Driver\Tcpip \Device\Ip HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)

AttachedDevice \Driver\Tcpip \Device\Ip rfwtdi.sys (rfwtdi5.sys/Beijing Rising Information Technology Co., Ltd.)

Device \FileSystem\RAW \Device\RawTape HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \Driver\Tcpip \Device\Tcp HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)

AttachedDevice \Driver\Tcpip \Device\Tcp rfwtdi.sys (rfwtdi5.sys/Beijing Rising Information Technology Co., Ltd.)

Device \FileSystem\Rdbss \Device\FsWrap HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \Driver\Tcpip \Device\Udp HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)

AttachedDevice \Driver\Tcpip \Device\Udp rfwtdi.sys (rfwtdi5.sys/Beijing Rising Information Technology Co., Ltd.)

Device \Driver\Tcpip \Device\RawIp HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)

AttachedDevice \Driver\Tcpip \Device\RawIp rfwtdi.sys (rfwtdi5.sys/Beijing Rising Information Technology Co., Ltd.)

Device \FileSystem\RAW \Device\RawDisk HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \Driver\Tcpip \Device\IPMULTICAST HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\MRxSmb \Device\LanmanRedirector HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\RAW \Device\RawCdRom HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fastfat \Fat HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\FatRecognizer HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Cdfs \Cdfs HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) [AUTO] Schedule <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

shelf life
2009-08-07, 02:45
hi,

That all looks OK except for the rootkit item. I believe this is a false positive. It's the only entry in the GMER log. Normally the rootkit's associated files show up in other sections of GMER. There is a legit MSTask.exe and it's in the right location. You can see if you can spot it in the C:\WINNT\system32 dir and upload it here (http://www.virustotal.com/) using the send button.
You see the UACd.sys registry entries in GMER also. You can try right-clicking on one of them and see if there are any delete options; maybe that ability has been added to GMER.

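Reading a GMER log by hand, as the reply above does, comes down to three questions: which module installed the hooks and whether it is a product you recognise, whether a service flagged as hidden is corroborated anywhere else in the log, and what the leftover service keys actually say. The block below is an added example (editor's code, not from the thread, from GMER or from Rising) that parses the SSDT, IAT, Service and Reg lines of the log format shown above and answers those questions. The sample input is a handful of lines copied from the log; the regular expressions are assumptions about GMER's line layout derived from those lines, and the control-set and ImagePath reasoning is the editor's, not GMER's.

```python
"""Triage a GMER 1.0.15 text log: group SSDT/IAT hooks by the module that
installed them, list hidden services, and pull leftover service keys out of
the Registry section.  Added example; not part of the thread or of GMER."""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the GMER log above (not the
# whole log), with GMER's blank lines dropped; headers are as GMER prints them.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwCreateProcess [0xEB74BE21]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwLoadDriver [0xEB74BE63]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwWriteVirtualMemory [0xEB74BE84]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT Ntfs.sys[NTOSKRNL.EXE!SeAccessCheck] [BE802108] \SystemRoot\system32\drivers\HookSys.sys (Hooksys.sys/Beijing Rising Information Technology Co., Ltd.)
IAT \??\C:\WINNT\system32\win32k.sys[NTOSKRNL.EXE!KeAddSystemServiceTable] [EB74C472] \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
---- Services - GMER 1.0.15 ----
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) [AUTO] Schedule <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
"""

# Line layouts below are assumptions derived from the log lines above.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
IAT_RE = re.compile(r"^IAT\s+(?P<target>\S+?)\[(?P<imp>[^\]]+)\]\s+\[[0-9A-Fa-f]+\]\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)")
SERVICE_RE = re.compile(r"^Service\s+(?P<image>.+?)(?:\s+\(\*\*\* hidden \*\*\* \))?\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
SERVICE_KEY_RE = re.compile(r"^HKLM\\SYSTEM\\(?P<cs>ControlSet\d+|CurrentControlSet)\\Services\\(?P<svc>[^\\]+)$", re.I)
INACTIVE_NOTE = "(not active ControlSet)"   # GMER's own annotation on a Reg line


def parse_gmer(text):
    """Parse hook, service and registry lines; other sections are skipped."""
    rep = {"ssdt": defaultdict(list), "iat": [], "desc": {}, "hidden_services": [],
           "registry": defaultdict(dict), "inactive_sets": set()}
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            rep["ssdt"][m["module"]].append((m["func"], m["addr"]))
            rep["desc"][m["module"]] = m["desc"]
            continue
        m = IAT_RE.match(line)
        if m:
            rep["iat"].append((m["target"], m["imp"], m["module"]))
            rep["desc"][m["module"]] = m["desc"]
            continue
        m = SERVICE_RE.match(line)
        if m and "*** hidden ***" in line:
            rep["hidden_services"].append((m["name"], m["image"], m["start"]))
            continue
        if line.startswith("Reg "):
            rest = line[4:]
            if rest.endswith(INACTIVE_NOTE):
                rest = rest[: -len(INACTIVE_NOTE)].rstrip()
                rep["inactive_sets"].update(re.findall(r"ControlSet\d+", rest, re.I))
            key, sep, tail = rest.partition("@")   # key paths may contain spaces
            entry = rep["registry"][key]           # record the key even without a value
            if sep:
                value, _, data = tail.partition(" ")
                entry[value.lower()] = data
    return rep


def leftover_service_keys(rep):
    """Service keys whose ImagePath is empty or missing: nothing can load from
    them, which is what the thread's UACd.sys entries look like."""
    out = []
    for key, vals in rep["registry"].items():
        m = SERVICE_KEY_RE.match(key)
        if m and not vals.get("imagepath"):
            out.append({"key": key, "service": m["svc"], "control_set": m["cs"],
                        "known_inactive": m["cs"] in rep["inactive_sets"],
                        "start": vals.get("start"), "type": vals.get("type"),
                        "imagepath": vals.get("imagepath")})
    return out


def triage(rep):
    """The questions an analyst asks first, as one note per finding."""
    notes = []
    hookers = set(rep["ssdt"]) | {mod for _, _, mod in rep["iat"]}
    for mod in sorted(hookers):
        n_ssdt = len(rep["ssdt"].get(mod, []))
        n_iat = sum(1 for _, _, m in rep["iat"] if m == mod)
        notes.append(f"{mod}: {n_ssdt} SSDT hooks, {n_iat} kernel import hooks; GMER labels it "
                     f"'{rep['desc'][mod]}'; confirm it belongs to a product you installed")
    # A real rootkit's driver normally also appears as a hook module or a registry
    # key; a hidden service with no such corroboration is a false-positive candidate.
    seen = " ".join(list(rep["registry"]) + list(hookers)).lower()
    for name, image, _ in rep["hidden_services"]:
        base = image.rstrip("?").rsplit("\\", 1)[-1].lower()
        if base not in seen:
            notes.append(f"hidden service '{name}' ({image}): no other section mentions {base}; "
                         "possible false positive, hash the on-disk file and check it before acting")
    for k in leftover_service_keys(rep):
        where = "a control set GMER marks as not active" if k["known_inactive"] else "a control set of unknown status"
        notes.append(f"{k['key']}: ImagePath empty, start={k['start']}, type={k['type']}, in {where}; "
                     "cannot load as written, so a leftover to record rather than a live driver")
    return notes


if __name__ == "__main__":
    for note in triage(parse_gmer(SAMPLE_LOG)):
        print("-", note)
```

The "possible false positive" note is only a prompt: it reproduces the reasoning in the reply above (a real rootkit's driver normally also shows up as a hook module or a registry key), and the hash check of the on-disk MSTask.exe is still the deciding step. On the registry side, start 1 and type 1 are a system-start kernel driver, which with an empty ImagePath in a non-active control set is exactly the harmless leftover the thread ends up leaving in place.
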
PaulDSC
2009-08-07, 10:19
I uploaded the MSTask.exe file to VirusTotal as suggested and it reported it as OK (0/39).

I will now run GMER to see if there are any options to delete the registry entries.

Paul

PaulDSC
2009-08-07, 10:31
Further to my earlier post, I have had a look at GMER.

If I go to the Registry tab and drill down to the UACd.sys folder in Services in the relevant control set, the right-click option only allows you to MODIFY the value data for that registry entry. There is no delete option I can see.

Paul

shelf life
2009-08-08, 19:36
OK, thanks for the info. No luck with GMER, I see. Are you willing to leave the registry entries? The associated files with the rootkit seem to have been removed. I don't know how they could be removed short of doing a reformat/reinstall of W2K.

PaulDSC
2009-08-09, 11:39
Thanks

If your advice is that these registry entries are benign or harmless, then I have no problem leaving them there.

Paul

shelf life
2009-08-09, 16:25
hi PaulDSC,

Yes, with the core files removed, the registry leftovers are harmless. You can delete the GMER icon and remove ComboFix like this:
Start > Run and type in: combofix /u
Click OK or press Enter.
Note: there is a space after the x and before the /.
Always check Malwarebytes for updates before a scan.
And last, some tips for reducing your risk from malware:

10 Tips for Reducing Your Risk To Malware:


1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. This is also true for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you're prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, IRC, Chat Rooms or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Don't click on ads/pop-ups or offers from websites requesting that you need to install software, media players or codecs on your computer, for any reason.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. All browsers can have vulnerabilities, but statistically it is the most commonly used browser that will be targeted the most. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)

10) Warez, cracks etc are very popular for carrying malware payloads. Avoid. If you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another potential malware source?

A longer version is in the link below.

Happy Safe Surfing.