hi,
when i was running the scan, a little window popped up mentioning that some "rootkit activity" was found, and one of the lines in the log showed up in red color
Hi,
Lets do this
Backup Your Registry with ERUNT:
Note: to restore your registry, go to the backup folder and start ERDNT.exe
- Download erunt.zip to your Desktop from here: http://aumha.org/downloads/erunt.zip
- Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
- Inside the new folder, double-click ERUNT.exe to start the program
- OK all the prompts to back up your registry to the default location.
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Rootkit::
Save this as CFScript to your desktop.
Code:
Rootkit::
C:\WINDOWS\system32\xqatbn.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\icvhhpb]
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Then run GMER again and post the new log
Last edited by ken545; 2009-04-22 at 20:57.
Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014
ERROR MESSAGE 386
No KeyBoard Detected
Press F1 To Continue
Just a reminder that threads will be closed if no reply in 3 days.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:40, on 4/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\Gamer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gate.temple.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
--
End of file - 5801 bytes
i only posted the HJT log. the combofix log is ABSOLUTELY HUGE! do you know how i can send it in a reply as an attachment?
same problems persist
Go ahead and attach the Combofix log.
Run GMER again and post the log
got an email addy i can send it to? the combofix log is ~500KB, whereas this website does not allow any attachments larger than ~50KB
We don't do email for security reasons. If you look up at the top of where you post, in the toolbar you will see an option to attach a file
I need to see the new GMER report
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-24 06:30:31
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.15 ----
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF871A818]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xF871A7D0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF870EA20]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF870F2A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF871A910]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF871A794]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF870F2C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF871A866]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF871A0B0]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution + 12A 804E4964 4 Bytes JMP 9A0CF870
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 82F6E228
Device \FileSystem\Fastfat \FatCdrom 82B51A10
Device \Driver\ACPI \Device\00000043 82C965A0
Device \Driver\ACPI \Device\00000044 82C965A0
Device \Driver\ACPI \Device\00000053 82C965A0
Device \Driver\ACPI \Device\00000054 82C965A0
Device \Driver\ACPI \Device\00000060 82C965A0
Device \Driver\ACPI \Device\00000055 82C965A0
Device \Driver\ACPI \Device\00000061 82C965A0
Device \Driver\ACPI \Device\00000062 82C965A0
Device \Driver\ACPI \Device\00000049 82C965A0
Device \Driver\ACPI \Device\00000058 82C965A0
Device \Driver\Cdrom \Device\CdRom0 82E29E08
Device \Driver\Cdrom \Device\CdRom1 82E29E08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 82E29198
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82E29198
Device \Driver\atapi \Device\Ide\IdePort0 82E29198
Device \Driver\atapi \Device\Ide\IdePort1 82E29198
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 82E29198
Device \Driver\Cdrom \Device\CdRom2 82E29E08
Device \Driver\ACPI \Device\0000004a 82C965A0
Device \Driver\ACPI \Device\0000004b 82C965A0
Device \Driver\ACPI \Device\0000004c 82C965A0
Device \Driver\ACPI \Device\0000004d 82C965A0
Device \Driver\ACPI \Device\0000004e 82C965A0
Device \Driver\ACPI \Device\0000005d 82C965A0
Device \Driver\ACPI \Device\0000005e 82C965A0
Device \FileSystem\Npfs \Device\NamedPipe 82D9A388
Device \FileSystem\Msfs \Device\Mailslot 82D9B740
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 82E03D50
Device \Driver\d347prt \Device\Scsi\d347prt1 82E03D50
Device \FileSystem\Fastfat \Fat 82B51A10
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 82D9E030
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 82D9E030
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 82D9E030
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 82D9E030
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 82D9E030
Device \FileSystem\Cdfs \Cdfs 82D96280
---- Modules - GMER 1.0.15 ----
Module _________ F86C5000-F86DD000 (98304 bytes)
---- Threads - GMER 1.0.15 ----
Thread System [4:220] 82C7D137
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] icvhhpb <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@DisplayName Center Boot
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Description Protects your computer from spyware
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb\Parameters
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0xA6 0xDC 0xFA 0xC3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@DisplayName Center Boot
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Description Protects your computer from spyware
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@DisplayName Center Boot
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@Type 32
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@Description Protects your computer from spyware
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb\Parameters
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
---- EOF - GMER 1.0.15 ----
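A triage script for GMER output, added here as an example (it is not part of the thread, nor of GMER or ComboFix): it pulls the hidden service out of the Services section, joins it with the Reg lines to recover the ServiceDll that `svchost.exe -k netsvcs` actually loads, and emits the same two CFScript stanzas the helper wrote above. The sample log lines are constructed from the report posted in this thread; the function names and the finding fields are the example's own.

```python
import re

# Constructed sample: lines excerpted from the GMER 1.0.15 log posted in this thread.
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] icvhhpb <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@DisplayName Center Boot
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
"""

# A service GMER finds in the registry that the live Service Control Manager does not list.
HIDDEN_SERVICE_RE = re.compile(r"^Service \S+ \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
# Reg HKLM\SYSTEM\<ControlSet>\Services\<name>[\<subkey>]@<value> <data>
REG_VALUE_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\\w+\\Services\\(?P<name>[^\\@]+)(?P<sub>(?:\\[^@]+)?)@(?P<value>\w+) (?P<data>.*)$")

def parse_gmer(text):
    """Return ({hidden service: start type}, {service: {value name: data}})."""
    hidden, reg = {}, {}
    for line in text.splitlines():
        m = HIDDEN_SERVICE_RE.match(line)
        if m:
            hidden[m["name"]] = m["start"]
            continue
        m = REG_VALUE_RE.match(line)
        if m:  # "Parameters@ServiceDll" for subkey values, plain "ImagePath" otherwise
            key = (m["sub"].lstrip("\\") + "@" if m["sub"] else "") + m["value"]
            reg.setdefault(m["name"], {})[key] = m["data"]
    return hidden, reg

def triage(text):
    """Join each hidden service with its registry values to expose the ServiceDll payload behind svchost.exe."""
    hidden, reg = parse_gmer(text)
    findings = []
    for name, start in hidden.items():
        values = reg.get(name, {})
        findings.append({"service": name, "start": start,
                         "display_name": values.get("DisplayName"),
                         "service_dll": values.get("Parameters@ServiceDll"),
                         "svchost_hosted": "svchost.exe" in values.get("ImagePath", "").lower()})
    return findings

def cfscript(findings):
    """CFScript stanzas as the helper wrote them: Rootkit:: names the DLL, Registry:: ('-' prefix) the key to delete."""
    dlls = [f["service_dll"] for f in findings if f["service_dll"]]
    keys = ["[-HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\" + f["service"] + "]" for f in findings]
    return "Rootkit::\n" + "\n".join(dlls) + "\n\nRegistry::\n" + "\n".join(keys) + "\n"
```

The d347prt entry (Daemon Tools' SCSI driver, which also accounts for the d347bus.sys SSDT hooks in the log) is deliberately left in the sample: it has registry values but no hidden-service line, so the triage reports only icvhhpb.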
i posted the GMER log but when i tried to click the button on the top of where i post to attach the combofix log, i got the same error message telling me that the attachment won't upload since the combofix log is greater than 50KB (the log is actually 500 KB). i have to go to classes soon but when i come back tonight, i will take the time out to break the combofix log into smaller notepad files. that will take some time.