Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Rootkit


  • Please log in to reply

#1
Roach63

Roach63

    New Member

  • Member
  • Pip
  • 8 posts
I have a new friend in my C:\WINDOWS\TEMP directory. I have tried a great numebr of things and cannot seem to rid myself of this plague. Here is the log from combofix.

ComboFix 09-04-29.01 - Owner 04/29/2009 18:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.1016 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\wiaserviv.log
D:\Autorun.inf

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\sfcfiles.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_$SYS$ARIES
-------\Legacy_$SYS$DRMSERVER
-------\Legacy_CD_PROXY
-------\Legacy_SFC
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 11:21 . 2009-04-29 23:45 192512 ----a-w c:\windows\system32\kdfvmgr.exe
2009-04-29 11:21 . 2009-04-29 23:45 77824 ----a-w c:\windows\system32\kdfapi.dll
2009-04-29 11:21 . 2009-04-29 23:37 53248 ----a-w c:\windows\system32\Kdfhok.dll
2009-04-29 11:21 . 2009-04-29 23:45 387288 ----a-w c:\windows\system32\kdfmgr.exe
2009-04-29 11:21 . 2009-04-29 11:21 -------- d-----w c:\windows\kdefense
2009-04-29 11:21 . 2009-04-29 11:21 475872 ----a-w c:\windows\system32\kdfinj.dll
2009-04-29 05:14 . 2009-04-29 05:14 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Trend Micro
2009-04-29 05:12 . 2009-04-29 05:12 -------- d-----w c:\windows\LocalSSL
2009-04-29 05:12 . 2009-04-29 05:12 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-04-29 05:10 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-29 05:10 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-29 05:10 . 2009-04-29 05:19 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-29 05:07 . 2009-04-29 05:07 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-29 05:07 . 2009-04-29 05:07 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-04-29 05:07 . 2009-04-29 05:07 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-29 05:07 . 2009-04-29 05:07 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-29 05:07 . 2009-04-29 05:07 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-29 02:13 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-26 03:52 . 2009-04-26 03:52 -------- d-----w c:\documents and settings\Owner\Application Data\xjoejqoi
2009-04-26 03:52 . 2009-04-26 03:52 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\xjoejqoi
2009-04-24 18:38 . 2009-04-24 19:47 -------- d-----w c:\documents and settings\Owner\Application Data\Download Manager
2009-04-17 03:30 . 2009-04-26 01:56 287952 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-16 19:30 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 19:30 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 19:29 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 19:29 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 19:29 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 19:29 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 19:29 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 19:29 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 19:29 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 19:29 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 19:29 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 02:55 . 2009-04-14 02:55 -------- d-----w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 02:55 . 2009-04-14 05:13 -------- d-----w c:\program files\ZAR
2009-04-14 02:08 . 2001-08-18 03:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-14 02:08 . 2008-04-14 00:12 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-13 03:13 . 2009-04-13 03:13 -------- d-----w c:\documents and settings\Owner\Application Data\National Instruments
2009-04-13 01:40 . 2009-04-13 01:40 -------- d-----w c:\documents and settings\All Users\Application Data\Seagate
2009-04-13 01:40 . 2009-04-13 01:40 -------- d-----w c:\program files\Seagate
2009-04-02 10:44 . 2009-04-02 13:04 -------- d-----w c:\documents and settings\Owner\.housecall6.6
2009-03-31 23:15 . 2009-03-31 23:16 -------- d-----w C:\6eda8e8d461ae6bfa115f5871aa75f
2009-03-31 23:14 . 2009-03-31 23:28 -------- d-----w c:\windows\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 05:11 . 2009-03-24 04:25 -------- d-----w c:\program files\trend micro
2009-04-27 16:43 . 2007-11-16 01:49 -------- d-----w c:\program files\Coupons
2009-04-26 07:38 . 2009-03-23 19:30 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 03:47 . 2004-08-26 16:12 -------- d-----w c:\program files\Common Files\Mozilla Shared
2009-04-26 01:59 . 2008-04-04 17:35 127088 -c--a-w c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-04-24 19:22 . 2005-06-08 15:23 -------- d-----w c:\program files\Common Files\Adobe
2009-04-24 19:13 . 2006-11-21 17:53 129784 ------w c:\windows\system32\PxAFS.DLL
2009-04-22 03:58 . 2008-05-14 16:19 -------- d-----w c:\program files\Napster
2009-04-17 11:48 . 2005-03-24 23:51 -------- d-----w c:\program files\Java
2009-04-13 01:41 . 2005-03-24 23:41 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-06 20:32 . 2009-03-23 19:30 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-03-23 19:30 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-24 01:50 . 2005-06-13 19:00 2266 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-03-19 01:55 . 2009-03-19 01:55 -------- d-----w c:\program files\activePDF
2009-03-13 00:34 . 2009-03-13 00:33 -------- d-----w c:\program files\PICC
2009-03-09 10:19 . 2008-11-26 15:31 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-26 16:12 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 22:42 . 2008-08-16 13:45 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-03 00:18 . 2004-08-26 16:12 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-26 16:11 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-26 16:11 729088 ------w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-26 16:12 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-26 16:12 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-26 16:11 617472 ------w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-26 16:12 1846784 ------w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2004-08-04 05:59 2066048 ------w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-26 16:12 110592 ------w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-26 16:12 2189056 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-26 16:12 35328 ------w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-26 16:12 56832 ----a-w c:\windows\system32\secur32.dll
2005-08-10 02:02 . 2005-08-10 02:02 3 -c--a-w c:\program files\sFile32sys.ico
2007-02-08 16:48 . 2007-02-08 16:48 133920 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-25 00:03 . 2007-07-25 00:03 118784 ----a-w c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
2004-09-01 18:48 . 2004-09-01 18:48 278528 ----a-w c:\program files\internet explorer\plugins\PanoViewer.dll
2004-09-01 18:48 . 2004-09-01 18:48 143360 ----a-w c:\program files\internet explorer\plugins\UPjpeg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-29 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"NI Background Service"="c:\program files\National Instruments\Shared\Update Service\BackgroundService.exe" [2008-04-03 77824]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-08-13 49152]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2004-08-13 143360]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-29 492808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Event Planner Reminder 2008.lnk - c:\windows\Installer\{747A6A10-DA58-48C2-A1F0-C15514419C8A}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe [2008-9-2 1718]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DropBox\\DropBox\\DropBox.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

R2 FmeyPvoazr;FmeyPvoazr;c:\windows\System32\svchost.exe [2008-04-14 14336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
R3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver; [x]
S0 ohpzkmqi;ohpzkmqi;c:\windows\system32\drivers\ohpzkmqi.sys [2004-08-04 23424]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-10-28 156968]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-02-12 181584]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-04-29 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-04-29 335376]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qllowwhb
FmeyPvoazr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7062274-a193-11da-bfdf-806d6172696f}]
\Shell\AutoRun\command - E:\splash.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\User_Feed_Synchronization-{05EBE2E0-1674-4565-B9E7-4EA59DAAC8AB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 19:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3864)
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\trend micro\BM\TMBMSRV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\trend micro\Internet Security\SfCtlCom.exe
c:\program files\trend micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\program files\trend micro\TrendSecure\TSCFCommander.exe
.
**************************************************************************
.
Completion time: 2009-04-29 19:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 00:05

Pre-Run: 24,513,720,320 bytes free
Post-Run: 24,421,081,088 bytes free

222 --- E O F --- 2009-04-29 23:11
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP