
Thread: malware problems; HJT log posted; please help!

  1. #31
    Member
    Join Date
    Apr 2009
    Posts
    69

    Default

    hi,

    When I was running the scan, a little window popped up mentioning that some "rootkit activity" was found, and one of the lines in the log showed up in red color.

  2. #32
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

    Let's do this.

    Backup Your Registry with ERUNT:
    • Download erunt.zip to your Desktop from here:
      http://aumha.org/downloads/erunt.zip
    • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
    • Inside the new folder, double-click ERUNT.exe to start the program
    • OK all the prompts to back up your registry to the default location.
    Note: to restore your registry, go to the backup folder and start ERDNT.exe

    Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Rootkit::


    Code:
    Rootkit::
    C:\WINDOWS\system32\xqatbn.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\icvhhpb]
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.



    Then run GMER again and post the new log
    Last edited by ken545; 2009-04-22 at 20:57.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #33
    Member
    Join Date
    Apr 2009
    Posts
    69

    Default

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:40, on 4/22/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    D:\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\Gamer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gate.temple.edu:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

    --
    End of file - 5801 bytes

  4. #34
    Member
    Join Date
    Apr 2009
    Posts
    69

    Default

    I only posted the HJT log. The ComboFix log is ABSOLUTELY HUGE! Do you know how I can send it in a reply as an attachment?

  5. #35
    Member
    Join Date
    Apr 2009
    Posts
    69

    Default

    same problems persist

  6. #36
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Go ahead and attach the Combofix log.

    Run GMER again and post the log

  7. #37
    Member
    Join Date
    Apr 2009
    Posts
    69

    Default

    Got an email addy I can send it to? The ComboFix log is ~500KB, whereas this website does not allow any attachments larger than ~50KB.

  8. #38
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    We don't do email for security reasons. If you look up at the top of where you post, in the toolbar you will see an option to attach a file

    I need to see the new GMER report

  9. #39
    Member
    Join Date
    Apr 2009
    Posts
    69

    Default

    GMER 1.0.15.14966 - http://www.gmer.net
    Rootkit scan 2009-04-24 06:30:31
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.15 ----

    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF871A818]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xF871A7D0]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF870EA20]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF870F2A8]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF871A910]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF871A794]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF870F2C8]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF871A866]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF871A0B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwYieldExecution + 12A 804E4964 4 Bytes JMP 9A0CF870

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 82F6E228
    Device \FileSystem\Fastfat \FatCdrom 82B51A10
    Device \Driver\ACPI \Device\00000043 82C965A0
    Device \Driver\ACPI \Device\00000044 82C965A0
    Device \Driver\ACPI \Device\00000053 82C965A0
    Device \Driver\ACPI \Device\00000054 82C965A0
    Device \Driver\ACPI \Device\00000060 82C965A0
    Device \Driver\ACPI \Device\00000055 82C965A0
    Device \Driver\ACPI \Device\00000061 82C965A0
    Device \Driver\ACPI \Device\00000062 82C965A0
    Device \Driver\ACPI \Device\00000049 82C965A0
    Device \Driver\ACPI \Device\00000058 82C965A0
    Device \Driver\Cdrom \Device\CdRom0 82E29E08
    Device \Driver\Cdrom \Device\CdRom1 82E29E08
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 82E29198
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82E29198
    Device \Driver\atapi \Device\Ide\IdePort0 82E29198
    Device \Driver\atapi \Device\Ide\IdePort1 82E29198
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 82E29198
    Device \Driver\Cdrom \Device\CdRom2 82E29E08
    Device \Driver\ACPI \Device\0000004a 82C965A0
    Device \Driver\ACPI \Device\0000004b 82C965A0
    Device \Driver\ACPI \Device\0000004c 82C965A0
    Device \Driver\ACPI \Device\0000004d 82C965A0
    Device \Driver\ACPI \Device\0000004e 82C965A0
    Device \Driver\ACPI \Device\0000005d 82C965A0
    Device \Driver\ACPI \Device\0000005e 82C965A0
    Device \FileSystem\Npfs \Device\NamedPipe 82D9A388
    Device \FileSystem\Msfs \Device\Mailslot 82D9B740
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 82E03D50
    Device \Driver\d347prt \Device\Scsi\d347prt1 82E03D50
    Device \FileSystem\Fastfat \Fat 82B51A10
    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 82D9E030
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 82D9E030
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 82D9E030
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 82D9E030
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 82D9E030
    Device \FileSystem\Cdfs \Cdfs 82D96280

    ---- Modules - GMER 1.0.15 ----

    Module _________ F86C5000-F86DD000 (98304 bytes)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:220] 82C7D137

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] icvhhpb <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@DisplayName Center Boot
    Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Type 32
    Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Start 2
    Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ObjectName LocalSystem
    Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Description Protects your computer from spyware
    Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb\Parameters
    Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0xA6 0xDC 0xFA 0xC3 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@DisplayName Center Boot
    Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Type 32
    Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Start 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ObjectName LocalSystem
    Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Description Protects your computer from spyware
    Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb\Parameters
    Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@DisplayName Center Boot
    Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@Type 32
    Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@Start 2
    Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@ObjectName LocalSystem
    Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@Description Protects your computer from spyware
    Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb\Parameters
    Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll

    ---- EOF - GMER 1.0.15 ----
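    Added example (not from this thread, GMER or ComboFix): a small Python triage script that parses the hidden-service and registry lines of a GMER log like the one above, resolves the svchost-hosted service to the ServiceDll it actually loads, and renders the two-section CFScript layout ken545 used. The embedded log excerpt is constructed from lines posted in this thread; the function names are my own.

```python
import re

# Constructed sample: the relevant lines from the GMER log posted in this thread
SAMPLE_LOG = r"""
---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] icvhhpb <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@DisplayName Center Boot
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
"""

# "Service <host exe> (*** hidden *** ) [<start>] <name> ..." marks a service GMER finds in the
# registry that the live Service Control Manager does not report: the hidden-service signature.
SERVICE_RE = re.compile(r"^\s*Service (\S+) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)", re.M)
# "Reg HKLM\SYSTEM\<control set>\Services\<name>[\Parameters]@<value name> <data>"
REG_RE = re.compile(r"^\s*Reg HKLM\\SYSTEM\\\w+\\Services\\([^\\@\s]+)(?:\\Parameters)?@(\w+) (.*)$", re.M)

def parse_registry(log):
    """Map service name -> {value name: data}; nested Cfg-style subkeys are ignored."""
    services = {}
    for name, key, data in REG_RE.findall(log):
        services.setdefault(name, {})[key] = data.strip()
    return services

def triage(log):
    """For each hidden service, resolve what really runs: svchost.exe is only the host,
    the payload is the ServiceDll it loads, so that DLL is what a cleanup must remove."""
    registry = parse_registry(log)
    findings = []
    for host, start, name in SERVICE_RE.findall(log):
        entry = registry.get(name, {})
        findings.append({
            "service": name,
            "host": host,
            "start": start,
            "display_name": entry.get("DisplayName"),
            "svchost_group": entry.get("ImagePath", "").partition("-k ")[2] or None,
            "payload": entry.get("ServiceDll") or host,
        })
    return findings

def cfscript(findings):
    """Render the findings in the Rootkit:: / Registry:: layout used in this thread."""
    dlls = "\n".join(f["payload"] for f in findings if f["payload"].lower().endswith(".dll"))
    keys = "\n".join(f"[-HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\{f['service']}]"
                     for f in findings)
    return f"Rootkit::\n{dlls}\n\nRegistry::\n{keys}\n"
```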

  10. #40
    Member
    Join Date
    Apr 2009
    Posts
    69

    Default

    I posted the GMER log, but when I tried to click the button on the top of where I post to attach the ComboFix log, I got the same error message telling me that the attachment won't upload since the ComboFix log is greater than 50KB (the log is actually 500 KB). I have to go to classes soon, but when I come back tonight, I will take the time out to break the ComboFix log into smaller Notepad files. That will take some time.
