
Thread: Rootkit.Agent.FFY

  1. #1
    Junior Member
    Join Date
    Jan 2009
    Posts
    9

    Rootkit.Agent.FFY

    Hello, I need some help to remove this nasty crap.
    I tried to scan and fix with my Spyware Doctor and Spybot; they're still there.
    It is called Rootkit.Agent.FFY in Spyware Doctor:
    C:\Windows\System32\kavo.exe
    C:\Windows\System32\kavo0.dll

    I searched through the forum and someone else had a similar problem and was advised to use ComboFix and HijackThis,
    so I've run both of them, ComboFix first and then HijackThis.
    What should I do now?
    Anyway, here are the logs; any help is much appreciated. Thank you.

    -------------------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:46:06 AM, on 23/01/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\smax4.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 4095 bytes
    --------------------------------------------------

    ComboFix 09-01-21.04 - Fei 2009-01-23 11:34:14.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.189 [GMT 8:00]
    Running from: c:\documents and settings\Fei\Desktop\ComboFix.exe
    FW: ZoneAlarm Pro Firewall *disabled*
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    c:\windows\system32\kavo.exe
    c:\windows\system32\kavo0.dll
    D:\Autorun.inf
    E:\Autorun.inf
    H:\autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))
    .

    2009-01-23 11:16 . 2009-01-23 11:16 <DIR> d-------- c:\program files\Trend Micro
    2009-01-23 11:05 . 2009-01-23 11:06 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
    2009-01-23 10:48 . 2009-01-23 10:48 0 --a------ c:\windows\system32\regsvr32
    2009-01-23 09:21 . 2009-01-23 09:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-01-23 09:21 . 2009-01-23 10:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-01-23 08:52 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
    2009-01-22 22:03 . 2009-01-22 22:03 <DIR> d-------- c:\documents and settings\Fei\Application Data\Media Player Classic
    2009-01-22 21:49 . 2009-01-22 21:49 <DIR> d-------- c:\documents and settings\Fei\Application Data\Foxit
    2009-01-22 19:41 . 2009-01-22 19:41 <DIR> dr------- c:\documents and settings\Fei\Application Data\Brother
    2009-01-22 19:10 . 2009-01-22 19:31 <DIR> d-------- c:\documents and settings\Fei\Application Data\uTorrent
    2009-01-22 18:51 . 2009-01-22 18:51 <DIR> d---s---- c:\documents and settings\Fei\UserData
    2009-01-22 18:13 . 2009-01-22 18:13 <DIR> d-------- c:\documents and settings\Fei\Application Data\PC Tools

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-23 03:03 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-01-22 14:08 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-22 14:08 --------- d-----w c:\program files\Analog Devices
    2009-01-22 14:02 --------- d-----w c:\program files\K-Lite Codec Pack
    2009-01-22 14:00 --------- d-----w c:\program files\AskBarDis
    2009-01-22 13:49 --------- d-----w c:\program files\Foxit Software
    2009-01-22 11:36 --------- d-----w c:\program files\Brownie
    2009-01-22 11:36 --------- d-----w c:\program files\Brother
    2009-01-22 11:35 --------- d-----w c:\program files\Common Files\InstallShield
    2009-01-22 11:32 --------- d-----w c:\program files\Microsoft ActiveSync
    2009-01-22 11:10 --------- d-----w c:\program files\uTorrent
    2009-01-22 10:18 --------- d-----w c:\program files\Spyware Doctor
    2009-01-22 10:07 --------- d-----w c:\program files\Norton AntiVirus
    2009-01-22 10:06 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-22 09:51 --------- d-----w c:\program files\microsoft frontpage
    2009-01-22 09:26 9,216 ----a-w c:\windows\Internet Logs\xDB2.tmp
    2009-01-22 09:24 72,192 ----a-w c:\windows\Internet Logs\xDB1.tmp
    2009-01-22 09:18 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2009-01-22 09:17 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
    2009-01-22 09:16 --------- d-----w c:\program files\Windows Sidebar
    2009-01-22 09:16 --------- d-----w c:\program files\NortonInstaller
    2009-01-22 09:16 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-01-22 09:14 --------- d-----w c:\program files\VIA
    2009-01-22 09:14 --------- d-----w c:\program files\Elaborate Bytes
    2009-01-22 09:12 1,354,240 ----a-w c:\windows\Internet Logs\xDB3.tmp
    2009-01-22 09:10 --------- d-----w c:\program files\ATI Technologies
    2009-01-22 08:58 --------- d-----w c:\program files\Zone Labs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-30 52168]
    "BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/22/2009 6:13:11 PM 356920]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KTEPROC
    *Deregistered* - kteproc
    *Deregistered* - mchInjDrv

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\8uot.exe
    \Shell\explore\Command - D:\8uot.exe
    \Shell\open\Command - D:\8uot.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\8uot.exe
    \Shell\explore\Command - E:\8uot.exe
    \Shell\open\Command - E:\8uot.exe
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-23 11:35:56
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(736)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2009-01-23 11:38:14
    ComboFix-quarantined-files.txt 2009-01-23 03:36:57

    Pre-Run: 28,502,945,792 bytes free
    Post-Run: 28,599,013,376 bytes free

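The ComboFix log above contains the indicators a responder would look for in a removable-media autorun infection: Autorun.inf files deleted from the roots of C:, D:, E: and H:, per-user MountPoints2 shell handlers for D: and E: still pointing at 8uot.exe in the drive root, Security Center notifications switched off and the Windows Firewall profile disabled. The script below is an added example by the editor, not part of the original post and not a feature of ComboFix, HijackThis or Spyware Doctor. It walks a ComboFix-style log once, tracks the registry key each value sits under, and reports those four indicator classes. The detection rules are the editor's own heuristics, and the embedded sample is constructed from the lines quoted in the post.

```python
"""Triage a ComboFix-style log excerpt for removable-media autorun indicators.
Added example for this thread; the rules are the editor's heuristics, not a
ComboFix or HijackThis feature. Sample log constructed from the posted log.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the relevant lines copied from the ComboFix log in the post.
SAMPLE_LOG = r"""
C:\Autorun.inf
c:\windows\system32\kavo.exe
c:\windows\system32\kavo0.dll
D:\Autorun.inf
E:\Autorun.inf
H:\autorun.inf
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\8uot.exe
\Shell\explore\Command - D:\8uot.exe
\Shell\open\Command - D:\8uot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\8uot.exe
\Shell\explore\Command - E:\8uot.exe
\Shell\open\Command - E:\8uot.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # autorun_inf | mountpoints_hijack | alerts_suppressed | firewall_off
    where: str   # drive letter, or the registry key the value sits under
    line: str    # the log line that produced the finding


# Registry key header as ComboFix prints it, e.g. [HKLM\~\services\...]
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$", re.I)
# Trailing volume/drive component of a MountPoints2 key
MOUNTPOINT_RE = re.compile(r"\\mountpoints2\\([^\\\]]+)$", re.I)
# "\Shell\<verb>\command - <target>" lines listed under a MountPoints2 key
SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s*-\s*(.+?)\s*$", re.I)
# Autorun.inf directly in a drive root
AUTORUN_INF_RE = re.compile(r"^([A-Za-z]):\\autorun\.inf$", re.I)
# An executable directly in a drive root, the usual autorun payload location
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(exe|com|bat|cmd|scr|pif)$", re.I)
# Security Center values that silence AV / update / firewall warnings
NOTIFY_OFF_RE = re.compile(
    r'^"(AntiVirusDisableNotify|UpdatesDisableNotify|FirewallDisableNotify|DisableMonitoring)"'
    r"=dword:0*1$", re.I)
# Windows Firewall profile switched off
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.I)


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key, and emit findings."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        inf = AUTORUN_INF_RE.match(line)
        if inf:
            findings.append(Finding("autorun_inf", inf.group(1).upper(), line))
            continue
        cmd = SHELL_CMD_RE.match(line)
        if cmd:
            mp = MOUNTPOINT_RE.search(current_key)
            # Flag only handlers that launch a file from a drive root; legitimate
            # vendor handlers point into Program Files or %windir%.
            if mp and ROOT_EXE_RE.match(cmd.group(2)):
                findings.append(Finding("mountpoints_hijack", mp.group(1).upper(), line))
            continue
        if "security center" in current_key.lower() and NOTIFY_OFF_RE.match(line):
            findings.append(Finding("alerts_suppressed", current_key, line))
            continue
        if "firewallpolicy" in current_key.lower() and FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall_off", current_key, line))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind."""
    return dict(Counter(f.kind for f in findings))


def hijacked_drives(findings: List[Finding]) -> List[str]:
    """Drives whose cached autorun handlers point at a root-level executable."""
    return sorted({f.where for f in findings if f.kind == "mountpoints_hijack"})
```

Run it over a saved ComboFix log with `triage(open("ComboFix.txt").read())`; on the sample it reports four Autorun.inf deletions, six hijacked shell handlers on D: and E:, three suppressed-alert values and one disabled firewall profile. The MountPoints2 entries matter because Explorer caches a volume's Autorun.inf handlers there per user, so removing the .inf and the dropped files from the PC leaves the cached handlers pointing at D:\8uot.exe and E:\8uot.exe until the keys are cleared and the removable drives themselves are cleaned. These rules are heuristics for a first pass, not a substitute for reading the full log.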

  2. #2
    Junior Member
    Join Date
    Jan 2009
    Posts
    9


    Please help.
