YIKES, Please help!

nacra

New member
Just got a laptop from work. It's running Win 2000 Pro. It was locking up, then the connection speed went down to very slow. I suspected spyware/viruses. I installed Spybot 1.4 and AVG. Ran them both and got some bad stuff. Spybot came up with Jupilites, Smitfraud-C, Torpig, and System Doctor. Subsequent scans reveal that Jupilites, Smitfraud-C and Torpig are still on the system. It also stripped the Cyber Angel off, but this is not a big deal according to Cyber Angel. They gave me instructions to reinstall, which I haven't done yet.

Now the real bad news. :sad: Upon boot up, I get a device driver entry point box that says:

C:\WINNT\\System32\MZU_DRV.system device driver could not locate the entry point ZWQuery Information Thread in driver ntoskrnll.exe?????H????????? (maybe more or less question marks)

Even worse is when I try a dial-up connection, or use the VPN adapter: upon user authentication, the system reboots. I tried safe mode and get a blue screen that locks up:

stop:0x0000001E (0xC0000005,0xBFDB3952,0xC00000000,0x0000003C K(?)MODE_EXCEPTION_NOT_HANDLED Address BFD1000,Datestamp4553cfbd-system 32:lzx
and get a message saying to make sure I have enough memory (not a problem) and check for BIOS updates and hardware updates. I don't know how to do a BIOS update.

I made the emergency disks after installing AVG and have them. I am reluctant to use this as this laptop has proprietary software on it and I don't want to lose that.

Thanks for your help
 
Hi nacra and welcome to Safer Networking Forums :)

That is an infection :(

Please post a HijackThis log to here and I'll have a look :bigthumb:

Please post a HijackThis log to here:
  • Click here to download HijackThis.exe
  • Save HijackThis.exe to your desktop.
  • Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
  • Run HijackThis.exe
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 
nacra

:eek: I downloaded HijackThis to a floppy on another machine and tried to install. After several attempts I get the same message: "HijackThis caused an error in Windows, restart the program. An error log is being created." :eek:
 
Hi again :)

Ok, please try to rename HijackThis.exe to scanner.exe and try to run it again.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.
 
nacra

mr.jak3,

Sorry it has taken me so long. I have the HijackThis logfile but was unable to put GMER on. This laptop does not have WinZip so I can't open it. Very frustrating.


Logfile of HijackThis v1.99.1
Scan saved at 06:15:04 PM, on 11/20/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\msasvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\wlmsngr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\dxvwgagn.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {81D36CB0-55C2-4D91-93AB-25B5AE8F095F} - C:\WINNT\system32\xxwxv.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\cxmwyqru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O4 - HKLM\..\RunServices: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: xxwxv - C:\WINNT\system32\xxwxv.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINNT\system32\msasvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe (file missing)
O23 - Service: wlmsngr - Unknown owner - C:\WINNT\wlmsngr.exe
 
Hi again :)

One or more of the identified infections is a backdoor trojan. You also have at least two infections with rootkit capabilities.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor/rootkit functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of infection, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

If you want to continue, you may download the unzipped Gmer.exe from my homepage -> LINK

:bigthumb:
 
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.
 
nacra

mr.jak3,
Here is the GMER log:
GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-30 20:24:42
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT IPVNMon.sys ZwDeviceIoControlFile <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.12 ----

.text tcpip.sys!tcpxsum + 5D6 B9B7A805 6 Bytes CALL B9C1911D
.text tcpip.sys!IPTransmit + 4195 B9B7EA68 6 Bytes CALL B9C1911D
.text tcpip.sys!IPTransmit + 6168 B9B80A3B 6 Bytes CALL B9C1911D
.text wanarp.sys ED2ACDFE 7 Bytes CALL B9C19127
.text NTDLL.DLL!NtCreateProcess 77F83B9E 2 Bytes JMP 72033BB5
.text NTDLL.DLL!NtCreateProcess + 3 77F83BA1 2 Bytes
.text NTDLL.DLL!NtClose 77F84D93 5 Bytes JMP 72033A2A
.text NTDLL.DLL!NtCreateSection 77F935BF 5 Bytes JMP 72033A48

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptImportKey 7C2EA2C9 5 Bytes JMP 10001978 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptDestroyKey 7C2EA6C0 5 Bytes JMP 10001A9F C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptGenKey 7C2F5C93 5 Bytes JMP 100018EF C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptDeriveKey 7C2F5ECC 5 Bytes JMP 1000191D C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptGetUserKey 7C2F6249 5 Bytes JMP 1000194E C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptEncrypt 7C2F64CD 5 Bytes JMP 100019AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptDecrypt 7C2F65CB 5 Bytes JMP 10001A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!WSARecv 7503138E 5 Bytes JMP 10001783 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!closesocket 7503145E 14 Bytes JMP 1000185B C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!WSASend 75031525 5 Bytes JMP 100016AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!send 75031BCC 6 Bytes JMP 10001580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!recv 7503A101 6 Bytes JMP 10001616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!connect 7503C1B9 6 Bytes JMP 100014CE C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ntdll.dll!NtCreateProcess + 3 77F83BA1 2 Bytes
.text D:\gmer.exe[612] ADVAPI32.dll!CryptImportKey 7C2EA2C9 5 Bytes JMP 10001978 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptDestroyKey 7C2EA6C0 5 Bytes JMP 10001A9F C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptGenKey 7C2F5C93 5 Bytes JMP 100018EF C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptDeriveKey 7C2F5ECC 5 Bytes JMP 1000191D C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptGetUserKey 7C2F6249 5 Bytes JMP 1000194E C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptEncrypt 7C2F64CD 5 Bytes JMP 100019AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptDecrypt 7C2F65CB 5 Bytes JMP 10001A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!WSARecv 7503138E 5 Bytes JMP 10001783 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!closesocket 7503145E 14 Bytes JMP 1000185B C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!WSASend 75031525 5 Bytes JMP 100016AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!send 75031BCC 6 Bytes JMP 10001580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!recv 7503A101 6 Bytes JMP 10001616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!connect 7503C1B9 6 Bytes JMP 100014CE C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptImportKey 7C2EA2C9 5 Bytes JMP 10001978 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptDestroyKey 7C2EA6C0 5 Bytes JMP 10001A9F C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptGenKey 7C2F5C93 5 Bytes JMP 100018EF C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptDeriveKey 7C2F5ECC 5 Bytes JMP 1000191D C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptGetUserKey 7C2F6249 5 Bytes JMP 1000194E C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptEncrypt 7C2F64CD 5 Bytes JMP 100019AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptDecrypt 7C2F65CB 5 Bytes JMP 10001A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] WS2_32.dll!WSARecv 7503138E 5 Bytes JMP 10001783 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] WS2_32.dll!closesocket 7503145E 14 Bytes JMP 1000185B C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] WS2_32.dll!WSASend 75031525 5 Bytes JMP 100016AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] WS2_32.dll!send 75031BCC 6 Bytes JMP 10001580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] WS2_32.dll!recv 7503A101 6 Bytes JMP 10001616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] WS2_32.dll!connect 7503C1B9 6 Bytes JMP 100014CE C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptImportKey 7C2EA2C9 5 Bytes JMP 01161978 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptDestroyKey 7C2EA6C0 5 Bytes JMP 01161A9F C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptGenKey 7C2F5C93 5 Bytes JMP 011618EF C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptDeriveKey 7C2F5ECC 5 Bytes JMP 0116191D C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptGetUserKey 7C2F6249 5 Bytes JMP 0116194E C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptEncrypt 7C2F64CD 5 Bytes JMP 011619AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptDecrypt 7C2F65CB 5 Bytes JMP 01161A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] WS2_32.dll!WSARecv 7503138E 5 Bytes JMP 01161783 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] WS2_32.dll!closesocket 7503145E 14 Bytes JMP 0116185B C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] WS2_32.dll!WSASend 75031525 5 Bytes JMP 011616AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] WS2_32.dll!send 75031BCC 6 Bytes JMP 01161580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] WS2_32.dll!recv 7503A101 6 Bytes JMP 01161616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] WS2_32.dll!connect 7503C1B9 6 Bytes JMP 011614CE C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\Explorer.EXE[1252] WS2_32.dll!send 75031BCC 5 Bytes JMP 11C08220 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll
.text C:\WINNT\Explorer.EXE[1252] WS2_32.dll!connect 7503C1B9 5 Bytes JMP 11C08080 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll
 
nacra

.text C:\WINNT\system32\PRPCUI.exe[1396] ADVAPI32.dll!CryptDestroyKey 7C2EA6C0 5 Bytes JMP 01001A9F C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] ADVAPI32.dll!CryptGenKey 7C2F5C93 5 Bytes JMP 010018EF C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] ADVAPI32.dll!CryptDeriveKey 7C2F5ECC 5 Bytes JMP 0100191D C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] ADVAPI32.dll!CryptGetUserKey 7C2F6249 5 Bytes JMP 0100194E C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] ADVAPI32.dll!CryptEncrypt 7C2F64CD 5 Bytes JMP 010019AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] ADVAPI32.dll!CryptDecrypt 7C2F65CB 5 Bytes JMP 01001A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] WS2_32.dll!WSARecv 7503138E 5 Bytes JMP 01001783 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] WS2_32.dll!closesocket 7503145E 14 Bytes JMP 0100185B C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] WS2_32.dll!WSASend 75031525 5 Bytes JMP 010016AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] WS2_32.dll!send 75031BCC 6 Bytes JMP 01001580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] WS2_32.dll!recv 7503A101 6 Bytes JMP 01001616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] WS2_32.dll!connect 7503C1B9 6 Bytes JMP 010014CE C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] WS2_32.DLL!WSARecv 7503138E 5 Bytes JMP 016E1783 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] WS2_32.DLL!closesocket 7503145E 14 Bytes JMP 016E185B C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] WS2_32.DLL!WSASend 75031525 5 Bytes JMP 016E16AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] WS2_32.DLL!send 75031BCC 6 Bytes JMP 016E1580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] WS2_32.DLL!recv 7503A101 6 Bytes JMP 016E1616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] WS2_32.DLL!connect 7503C1B9 6 Bytes JMP 016E14CE C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptImportKey 7C2EA2C9 5 Bytes JMP 016E1978 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptDestroyKey 7C2EA6C0 5 Bytes JMP 016E1A9F C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptGenKey 7C2F5C93 5 Bytes JMP 016E18EF C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptDeriveKey 7C2F5ECC 5 Bytes JMP 016E191D C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptGetUserKey 7C2F6249 5 Bytes JMP 016E194E C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptEncrypt 7C2F64CD 5 Bytes JMP 016E19AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptDecrypt 7C2F65CB 5 Bytes JMP 016E1A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\HP\HP Software Update\HPWuSchd.exe[1412] ADVAPI32.dll!CryptImportKey 7C2EA2C9 5 Bytes JMP 10001978 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
 
nacra

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [ED57085A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED57085A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED57085A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED57085A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [ED57085A] avgtdi.sys

---- Services - GMER 1.0.12 ----

Service C:\WINNT\system32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
 
nacra

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Administrator\My Documents\My Pictures\Sample.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\My Documents\My Pictures\Sample.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINNT\system32:lzx32.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----



Thank you
 
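The detail in the GMER output above that matters is not the pe386 service name but its ImagePath: \??\C:\WINNT\system32:lzx32.sys is an NTFS alternate data stream attached to the system32 directory, so no directory listing or file search will ever show lzx32.sys, yet the kernel loads it at system start (Type 1, Start 1, group Base) from every control set. The following Python is an added example, not part of this thread or of GMER, that parses GMER-style Reg/ADS lines and flags any service whose image lives in a stream. The sample log is constructed from the lines above (one control set only) with an ordinary driver entry, Beep, added as a benign control.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER registry/file sections above
# (one control set only), plus an ordinary driver entry, "Beep", added as a
# benign control that must not be flagged.
SAMPLE_GMER_LOG = r"""
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Beep@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Beep@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Beep@ImagePath System32\drivers\beep.sys
ADS C:\Documents and Settings\Administrator\My Documents\My Pictures\Sample.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINNT\system32:lzx32.sys <-- ROOTKIT !!!
"""

# "Reg <key>\Services\<svc>@<value> <data>" is how GMER prints registry values.
REG_VALUE = re.compile(
    r"^Reg\s+\\Registry\\MACHINE\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\"
    r"(?P<svc>[^\\@]+)@(?P<name>\w+)\s+(?P<data>.*)$"
)
ADS_LINE = re.compile(r"^ADS\s+(?P<path>.+)$")


def stream_target(image_path):
    """Return (host_path, stream_name) when image_path names an NTFS alternate
    data stream, else None. Strips the \\??\\ NT prefix and does not treat the
    drive-letter colon (C:) as a stream separator."""
    p = image_path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    drive = ""
    if len(p) >= 2 and p[0].isalpha() and p[1] == ":":
        drive, p = p[:2], p[2:]
    if ":" not in p:
        return None
    host, _, stream = p.rpartition(":")
    return drive + host, stream


def parse_gmer(text):
    """Collect per-(controlset, service) registry values and the ADS paths."""
    services = defaultdict(dict)
    streams = []
    for line in text.splitlines():
        m = REG_VALUE.match(line)
        if m:
            services[(m["cs"], m["svc"])][m["name"]] = m["data"].strip()
            continue
        m = ADS_LINE.match(line)
        if m:
            # GMER appends "<-- ROOTKIT !!!" to streams it dislikes; keep the path only.
            streams.append(m["path"].split("<--", 1)[0].strip())
    return services, streams


def find_stream_backed_drivers(services, streams):
    """Flag services whose ImagePath points into an alternate data stream.
    A stream on a file is not suspicious by itself (Windows keeps summary
    information in the GUID-named stream on Sample.jpg); a kernel driver whose
    image is a stream of a directory is."""
    findings = []
    for (cs, svc), values in sorted(services.items()):
        target = stream_target(values.get("ImagePath", ""))
        if target is None:
            continue
        host, stream = target
        full = f"{host}:{stream}".lower()
        findings.append({
            "controlset": cs,
            "service": svc,
            "host": host,
            "stream": stream,
            "kernel_driver": values.get("Type") == "1",   # SERVICE_KERNEL_DRIVER
            "system_start": values.get("Start") == "1",   # SERVICE_SYSTEM_START
            "seen_on_disk": any(s.lower() == full for s in streams),
        })
    return findings


if __name__ == "__main__":
    svc, ads = parse_gmer(SAMPLE_GMER_LOG)
    for f in find_stream_backed_drivers(svc, ads):
        print(f"{f['controlset']}\\Services\\{f['service']}: driver image is stream "
              f"'{f['stream']}' on {f['host']} (kernel={f['kernel_driver']}, "
              f"system-start={f['system_start']}, confirmed by ADS scan={f['seen_on_disk']})")
```

The check deliberately keys on the service configuration rather than on the name pe386 or lzx32.sys, so it still fires if the same loader is registered under a different name. On a live system the same idea applies to the output of any tool that lists ImagePath values; the ADS scan is only used to confirm the stream really exists.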
Hi again :)

Ok let's begin the cleaning. You're really infected so we're going to need a few steps...

Some of the tools were zip files so I've temporarily uploaded those to my homepage.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download
http://www.uploads.ejvindh.net/rustbfix.exe
...and save it to your desktop.

Double-click on rustbfix.exe to run the tool. If a Rustock.b infection is found, you will shortly afterwards be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles.

Download SDFix and save it to your desktop. Run SDFix.exe and a notepad window will tell that it has been installed

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, go to C:\SDFix folder
  • Double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Download RootkitRevealer
  • Create a new folder named RKR on your C: drive, C:\
  • Move RootkitRevealer.exe to the C:\RKR folder
  • Open the C:\RKR folder and double-click the RootkitRevealer.exe file
  • Click Scan button and wait for the scanning to end
  • NOTE! Don't use your computer when the scan is in progress
  • When the scan has finished, click on File
  • Then click on the Save button
  • Save the RootkitRevealer log to C:\RKR folder
When you're ready, please post the following logs to here:
- a fresh HijackThis log
- Rustock.b logs
- SDfix report (SDFix folder, Report.txt)
- RootkitRevealer log
 
nacra

Logfile of HijackThis v1.99.1
Scan saved at 08:43:24 PM, on 12/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\dxvwgagn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {52023652-0F9C-4C6B-BF7E-EC930C3CE730} - C:\WINNT\system32\xxwxv.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\cxmwyqru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O4 - HKLM\..\RunServices: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: xxwxv - C:\WINNT\system32\xxwxv.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
 
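What stands out when reading the HijackThis log above is that the same file is hooked from several places at once: xxwxv.dll is both an unnamed BHO (O2) and a Winlogon Notify package (O20), dxvwgagn.exe is both a Run entry (O4) and an SSODL object (O21), and _zsk_zlu_zlope05ovpiecwleutelf_k.exe sits in HKLM Run, HKLM RunServices and HKCU Run simultaneously. The Python below is an added example, not from this thread or from HijackThis, that cross-references a log on exactly those signals. The sample lines are copied from the log above with two ordinary entries kept as controls; the Winlogon Notify and SSODL allowlists are parameters you would fill from a known-clean build of the same OS and are assumed empty here.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the HijackThis log above, with two
# ordinary ones (Acrobat BHO, AVG control center) kept as benign controls.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {52023652-0F9C-4C6B-BF7E-EC930C3CE730} - C:\WINNT\system32\xxwxv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\RunServices: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKCU\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O20 - Winlogon Notify: xxwxv - C:\WINNT\system32\xxwxv.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe
"""

HJT_LINE = re.compile(r"^(?P<kind>O\d+) - (?P<rest>.*)$")
# First drive-letter path ending in a PE/COM extension; enough for HJT lines.
PATH_RE = re.compile(r"(?i)[a-z]:\\.*?\.(?:exe|dll|ocx)\b")


def parse_hjt(text):
    """Return (kind, location, path, raw) for every line that names a file.
    location is the autostart key for O4 lines and the hook kind otherwise."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw)
        if not m:
            continue
        kind, rest = m["kind"], m["rest"]
        p = PATH_RE.search(rest)
        if not p:
            continue
        location = rest.split(":", 1)[0].strip() if kind == "O4" else kind
        entries.append((kind, location, p.group(0).lower(), raw))
    return entries


def triage(entries, notify_allowlist=frozenset(), ssodl_allowlist=frozenset()):
    """Map file path -> sorted reasons it deserves a look. The allowlists are
    the Winlogon Notify / SSODL module names recorded on a clean build of the
    same OS (assumed empty here)."""
    by_file = defaultdict(lambda: {"locations": set(), "reasons": set()})
    for kind, location, path, raw in entries:
        rec = by_file[path]
        rec["locations"].add(location)
        module = path.rsplit("\\", 1)[-1]
        if kind == "O2" and "(no name)" in raw:
            rec["reasons"].add("BHO registered without a name")
        if kind == "O4" and location.lower().endswith("runservices"):
            rec["reasons"].add("RunServices is a Windows 9x key; unusual on NT/2000")
        if kind == "O20" and module not in notify_allowlist:
            rec["reasons"].add("Winlogon Notify package not in the clean baseline")
        if kind == "O21" and module not in ssodl_allowlist:
            rec["reasons"].add("SSODL object not in the clean baseline")
    for rec in by_file.values():
        n = len(rec["locations"])
        if n >= 2:  # one file hooked from several places is the strongest signal here
            rec["reasons"].add(f"same file loaded from {n} autostart locations")
    return {p: sorted(r["reasons"]) for p, r in by_file.items() if r["reasons"]}


if __name__ == "__main__":
    for path, reasons in triage(parse_hjt(SAMPLE_HJT)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Neither the Acrobat BHO nor the AVG entry is reported: each is named, lives in one place, and is not a Winlogon or shell hook. The three files the helper goes after in the next post are the three the cross-reference returns, without any signature for their random names.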
nacra

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kpwheqst

*******************

Script file located at: \??\C:\Documents and Settings\swaqscro.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

************************* Rustock.b-fix -- By ejvindh *************************
Sat 12/02/2006 19:51:19.99


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 69434
Total size: 69434 bytes.
Attempting to remove ADS...
system32: deleted 69434 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************
 
nacra

SDFix: Version 1.44
********************

Sat 12/02/2006 - 20:23:07.09

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Stage One - Safe Mode
Checking Services...

Service Name:

MsaSvc
MZU_RK
WINLOGON
wlmsngr

File Path:

C:\WINNT\system32\msasvc.exe
\??\C:\WINNT\system32\MZU_DRV.sys
"C:\WINNT\system\winlogon.exe"
"C:\WINNT\wlmsngr.exe"

MsaSvc Service Deleted...
MZU_RK Service Deleted...
WINLOGON Service Deleted...
wlmsngr Service Deleted...

Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\COCQ.EXE
C:\DGFXGGS.EXE
C:\ILICAAML.EXE
C:\QQQTLGAD.EXE
C:\QWUK.EXE
C:\SILEOLQ.EXE
C:\WINNT\system32\mini8tone.ini
C:\WINNT\system32\i
C:\WINNT\system32\msasvc.exe
C:\WINNT\system32\MZU_DRV.sys
C:\WINNT\wlmsngr.exe

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\WINNT\MsCae32.dll
C:\WINNT\system32\byxwxwv.dll
C:\WINNT\system32\xxwxv.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ffvvrwch.exe
C:\WINNT\IdleProc.exe
C:\CONFIG.SYS
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0004.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2947.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\$b17a2e8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off2.tmp
C:\Program Files\InterActual\InterActual Player\itiE.tmp
C:\WINNT\Temp\$_2341233.TMP
C:\WINNT\Temp\$_2341234.TMP
C:\WINNT\Temp\$_2341235.TMP

FINISHED!



HKLM\SECURITY\Policy\Secrets\SAC* 11/20/2001 10:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 11/20/2001 10:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{2BEB8402-C3AF-11D3-9571-0008C7C94F96}* 08/11/2005 1:36 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{E9D8BB13-6B95-11d3-953F-0008C7C94F96}* 08/11/2005 1:36 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:744cd9f6-0251-4f8e-b32d-71df94d65ac5* 01/09/2002 3:56 PM 0 bytes Key name contains embedded nulls (*)
 
nacra

:bigthumb: mrjak3.

Here are all of the logs. I hope that I did everything correctly. Again, thanks for your help in this.

nacra
 
Ok good work, looks better but we still got cleaning to do :)

You don't seem to have a firewall running; you must install one.

These are good (free) firewalls:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Download F-Secure Blacklight and save it to your desktop.

Double-click blbeta.exe, accept the agreement, click Scan, then click Next.

You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log to here (blacklight log from your desktop)

Also run a new scan with GMER and post the fresh log here.
 