Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

RootKit Infection

Started by Youdamnskippy , Nov 25 2005 01:14 AM

Please log in to reply

#1
Youdamnskippy

Posted 25 November 2005 - 01:14 AM

Member

Member
36 posts

I'm baaaaaaaaack! - and starting to feel like a Ping-Pong ball.

Okay, so now I've been diagnosed with a RootKit (2nd scan found 49,532 discrepancies); here is the link to that topic:
http://www.geekstogo...=0

And here is the link to round 1 on Malware:
http://www.geekstogo...=0

I think I'm ready to just re-format the system if I can't get the problems fixed this time on Malware. Thanks in advance to anyone who is willing to delve into this mess - you're efforts are appreciated :tazz:

#2
Kat

Posted 25 November 2005 - 01:34 AM

Retired

Retired Staff
19,711 posts

Hello! I'm sorry you're still having problems. Let's get you cleaned up, shall we? :tazz:

First, I need to see a HijackThis log, of course. I also need to see an uninstall log, please. To do this:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

#3
Youdamnskippy

Posted 25 November 2005 - 11:44 AM

Member

Topic Starter
Member
36 posts

Hi,
Below is the info you requested - Thank you

Logfile of HijackThis v1.99.1
Scan saved at 10:38:18 AM, on 11/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Prevx Home\SAGUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.splor.com/slc/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:85
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\Prevx Home\SAGUI.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.splor.com/slc/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100557712453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125267076671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: WSGGFVSZUFD - Sysinternals - www.sysinternals.com - C:\WINDOWS\TEMP\WSGGFVSZUFD.exe

Uninstall List:

ACL Version 8
Actiontec Gateway
Ad-Aware SE Personal
Adobe Acrobat 5.0
American Greetings® CreataCard® Gold 5
ArcSoft PhotoStudio 5.5
AsusUpdate V3.29.06
Canon MP Drivers
Canon MP Toolbox 4.1.1.0.mp10
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint Plus
ContextPlus
Easy-WebPrint
ewido security suite
Gamesurround Muse 5.1 DVD - User Manual
HERCULES® MediaStation II
HijackThis 1.99.1
InCD (Ahead Software)
InterActual Player
Kerio Personal Firewall
Lavasoft VX2 Cleaner
Lexmark Printer Software Uninstall
LiveUpdate 1.7 (Symantec Corporation)
Logitech iTouch Software
Macromedia Shockwave Player
MathPlayer
Media Library Management Wizard
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft Encarta 96 Encyclopedia
Microsoft Office Outlook Connector for MSN
Microsoft Office XP Professional
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
Microsoft Web Publishing Wizard 1.52
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (1.0.7)
MSN
MSN Encarta Plus Support Files
MSN Messenger 7.5
MSN Music Assistant
Nero
NeroMediaPlayer
Norton AntiVirus Corporate Edition
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
PCI Audio Driver
Personal License Update Wizard for Windows Media Player
PH General Ledger 5E
PH ReEnforcer 5E
Photo Organizer
Plus! MP3 Audio Converter LE

PowerDVD - User Manual
Prevx Home
Quick Links
QuickTime
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Shockwave
Spybot - Search & Destroy 1.3
The Best Offers
TrojanHunter 4.2
TuneUp Utilities 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Bonus Pack for Windows XP
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip

#4
Kat

Posted 25 November 2005 - 12:59 PM

Retired

Retired Staff
19,711 posts

As I suspected, you have the Apropos rootkit. Let's take care of that first, ok?

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder. I'd also like another Uninstall list, too please. :tazz:

Edited by Kat, 25 November 2005 - 01:00 PM.

#5
Youdamnskippy

Posted 25 November 2005 - 02:35 PM

Member

Topic Starter
Member
36 posts

Problem:
When I click on RunThis.bat I see a quick flash of the dos emoticon down in the taskbar and the file flashes but nothing happens. Same thing when I click on the other files in that folder.
I'm sending this from another computer in the house so everything is where I left it on the other system (safe mode, aproposfix folder open on desktop).

#6
Kat

Posted 25 November 2005 - 08:10 PM

Retired

Retired Staff
19,711 posts

I'm going to pm the maker of the apropos tool to get his take and suggestions on this! I'll get back to you as quickly as I hear from him. :tazz:

#7
Swandog46

Posted 26 November 2005 - 10:28 AM

Malware Expert

Member
1,026 posts

Hi Youdamnskippy :tazz:

Kat has asked me to give you a hand with this; let's see what might be the problem.

Please first move the AproposFix folder to the c:\ root directory. This will make it easier on us. So right-click on the whole folder on the desktop, choose Cut, then open My Computer, go to C:\ , go to Edit -> Paste.

Then please reboot back into Safe Mode, go to Start -> Run -> cmd and press Enter. At the command prompt type the following, pressing Enter after each of the commands:

cd c:\aproposfix
runthis

This time, whatever happens, it should stay on screen. I want to know, if there is an error message, what it actually says. Please post that for me.

#8
Youdamnskippy

Posted 26 November 2005 - 03:52 PM

Member

Topic Starter
Member
36 posts

Hi Swandog,

When I type in the command "ruthis" I get an error message that says, "The system cannot find the path specified." The dir does however show the .bat file being there.

#9
Swandog46

Posted 26 November 2005 - 05:15 PM

Malware Expert

Member
1,026 posts

You made sure to type runthis and not ruthis, as you spelled it in your last post?

Try this: just go to Start -> Control Panel -> Add/Remove Programs and uninstall the following:

ContextPlus
The Best Offers

Restart your computer and tell me what happens. :tazz:

#10
Youdamnskippy

Posted 26 November 2005 - 10:33 PM

Member

Topic Starter
Member
36 posts

I was able to delete The Best Offers by going to their website and downloading their uninstall program; When I tried to use Windows I got an error message from Microsoft Internet Explorer that said, "Cannot find' file:///C:/WINDOWS/boncpar.htm'. Make sure the path or Internet address is correct."

ContextPlus did not show up on the list of programs to remove.

I rebooted and nothing significant happend.
I re-booted again in safe mode and tried re-typing "runthis" but still got the same error message as previously posted.

Are we ready to take a hammer to this thing yet? ;-)

#11
Swandog46

Posted 27 November 2005 - 03:39 PM

Malware Expert

Member
1,026 posts

I don't give up so easily :tazz:

Can I see the following please? Please go to Start -> Run -> cmd and press Enter. At the command prompt type:

set >> c:\check.txt

Then please post the entire contents of c:\check.txt for me to see.

#12
Youdamnskippy

Posted 27 November 2005 - 06:01 PM

Member

Topic Starter
Member
36 posts

Glad to hear it! Here you are:

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Hunter\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BASEMENT
ComSpec=c:\winnt\temp
DEVMGR_SHOW_NONPRESENT_DEVICES=1
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Hunter
LOGONSERVER=\\BASEMENT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 6 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0602
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Hunter\LOCALS~1\Temp
TMP=C:\WINDOWS\TEMP
USERDOMAIN=BASEMENT
USERNAME=Hunter
USERPROFILE=C:\Documents and Settings\Hunter
windir=C:\WINDOWS
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Hunter\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BASEMENT
ComSpec=c:\winnt\temp
DEVMGR_SHOW_NONPRESENT_DEVICES=1
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Hunter
LOGONSERVER=\\BASEMENT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 6 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0602
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Hunter\LOCALS~1\Temp
TMP=C:\WINDOWS\TEMP
USERDOMAIN=BASEMENT
USERNAME=Hunter
USERPROFILE=C:\Documents and Settings\Hunter
windir=C:\WINDOWS

#13
Swandog46

Posted 27 November 2005 - 07:31 PM

Malware Expert

Member
1,026 posts

That looks fine. Let's try this. Please make SURE you have moved the entire AproposFix folder to c:\aproposfix, so that c:\aproposfix\runthis.bat is correctly there!

Then please run Notepad and paste the following text into a new file:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*Gotcha"="c:\\aproposfix\\RunThis.bat"

Save the file to the desktop as run.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on run.reg, and click Yes to merge it with the registry.

Restart your computer into Safe Mode as discussed above. The fix should run as your system reboots so it may be a little slow. Then please reboot back into normal mode and post the contents of c:\aproposfix\log.txt for me. :tazz:

#14
Youdamnskippy

Posted 27 November 2005 - 09:22 PM

Member

Topic Starter
Member
36 posts

Did everything you said but no txt file was created. I searched the system and it doesn't exist.
The RunThis.bat file is in the correct location though.

#15
Swandog46

Posted 28 November 2005 - 12:53 PM

Malware Expert

Member
1,026 posts

Well, first of all let's make sure you really are infected with Apropos. Please download Registry Search. Reboot into Safe Mode and doubleclick to start it. Enter "adchannel" in the edit and click "Ok". Notepad will be opened with text in it (the file will be saved in the program's folder as well). Save this text, reboot into normal mode, and post the text here for me please. :tazz: