
Malware



#16
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK, use AVG AntiRootkit to remove that item. Reboot, rescan and let me know if anything is found now.
  • 0


#17
Trent M

Trent M

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Deleted the item, rebooted, and new scan was clean.

I re-ran the ComboFix program, with log below, with no sign of pe386.

Then my Secretmaker program intercepted an attempt for the pe386 to add itself back into the computer with the same file name as the one we just deleted with the AntiRootKit program. I denied its access, but maybe it will try again. I re-ran the AntiRootkit yet again to make sure it didn't get around Secretmaker, and the scan was clean again.

Trent



Laura - 07-01-04 18:25:27.92 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Laura\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Laura\Application Data\STEM32~1
C:\QooBox\Purity\Documents and Settings\Laura\My Documents\RACLE~1
C:\QooBox\Purity\Documents and Settings\Laura\My Documents\RACLE~1\?racle
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-04 to 2007-01-04 ))))))))))))))))))))))))))))))))))


2007-01-03 16:39 <DIR> dr-h----- C:\Documents and Settings\Laura\Recent
2007-01-02 00:29 57,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-01-02 00:29 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL
2007-01-02 00:29 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-01-02 00:29 <DIR> d-------- C:\Program Files\NavNT
2007-01-02 00:29 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-01-01 16:53 <DIR> d-------- C:\Program Files\System Security Suite
2006-12-31 22:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2006-12-31 22:55 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\SUPERAntiSpyware.com
2006-12-31 22:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-12-31 22:01 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-31 22:01 <DIR> d-------- C:\Program Files\Grisoft
2006-12-30 21:46 <DIR> d-------- C:\Program Files\Hijack This
2006-12-30 21:43 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-12-30 21:43 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-12-30 21:38 <DIR> d-------- C:\Config.Msi
2006-12-30 17:54 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-12-30 17:51 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-12-30 17:51 <DIR> d--h----- C:\Program Files\WindowsUpdate
2006-12-30 16:56 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-30 12:33 <DIR> d-------- C:\Program Files\Ipwindows
2006-12-25 17:40 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Apple Computer
2006-12-25 17:39 <DIR> d-------- C:\Program Files\QuickTime
2006-12-25 17:39 <DIR> d-------- C:\Program Files\iTunes
2006-12-25 17:39 <DIR> d-------- C:\Program Files\iPod
2006-12-25 17:38 36,808,256 --a------ C:\Program Files\iTunesSetup.exe
2006-12-25 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-12-25 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-12-23 11:40 <DIR> d-------- C:\Program Files\3DGroove
2006-12-22 18:27 <DIR> d-------- C:\Program Files\PeDevice
2006-12-22 14:52 <DIR> d--h----- C:\Program Files\Common Files\Uninstall Information
2006-12-11 11:52 <DIR> d--hs---- C:\WINDOWS\ftpcache
2006-12-11 11:52 <DIR> d-------- C:\Program Files\TryMedia


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-04 14:10 -------- d-------- C:\Program Files\Common Files
2007-01-03 17:01 -------- d-------- C:\Program Files\Dl_cats
2007-01-02 00:29 -------- d-------- C:\Program Files\Symantec
2007-01-01 17:07 -------- d-------- C:\Program Files\Cosmi
2007-01-01 17:05 -------- d-------- C:\Program Files\Shockwave.com
2007-01-01 17:04 -------- d-------- C:\Program Files\iWin
2007-01-01 01:37 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2007-01-01 01:37 -------- d-------- C:\Program Files\Secretmaker
2007-01-01 01:35 -------- d-------- C:\Program Files\Internet Explorer
2007-01-01 01:34 -------- d-------- C:\Program Files\Google
2007-01-01 01:34 -------- d-------- C:\Program Files\Dell Photo AIO Printer 924
2006-12-31 23:35 -------- d-------- C:\Program Files\MSN Messenger
2006-12-30 21:43 -------- d-------- C:\Program Files\Windows Media Player
2006-12-30 17:36 2958 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-30 15:56 -------- d-------- C:\Program Files\Common Files\Real
2006-12-30 15:54 -------- d---s---- C:\Documents and Settings\Laura\Application Data\Microsoft
2006-12-26 11:06 -------- d-------- C:\Program Files\MUSICMATCH
2006-12-02 17:14 -------- d-------- C:\Program Files\Common Files\Gibinsoft Shared
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"dlccmon.exe"="\"C:\\Program Files\\Dell Photo AIO Printer 924\\dlccmon.exe\""
"DLCCCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLCCtime.dll,_RunDLLEntry@16"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 07-01-04 18:26:05.09
C:\ComboFix.txt ... 07-01-04 18:26
C:\ComboFix2.txt ... 07-01-04 14:11
  • 0

#18
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Looks OK, could you post a new HJT log?
  • 0

#19
Trent M

Trent M

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Do you think that pe386 is going to keep trying to gain access? Where would it be coming from?


Logfile of HijackThis v1.99.1
Scan saved at 6:54:00 PM, on 04/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Secretmaker\secretmaker.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: Secretmaker.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1167519003671
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shoc...otoy/OTOYAX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnime...tupv2.0.0.9.cab?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
  • 0

#20
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Probably not. It's a rootkit - possibly the most insidious form of malware because of its stealth properties. Let's purge your system. Run System Security Suite again.

Download and run Silent Runners.vbs from HERE

It generates a log, please post the information back in this thread

Edited by Daemon, 04 January 2007 - 06:07 PM.

  • 0

#21
Trent M

Trent M

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Here's the log. I'll catch up tomorrow. Take care for now.



"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"IntelMeM" = "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" ["Intel Corporation"]
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"ISUSPM Startup" = ""C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"dlccmon.exe" = ""C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"" ["Dell"]
"DLCCCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16" [MS]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{A491D208-B353-490F-B81A-A8A3DC97042D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "IeHelper Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\smiehlp.dll" ["Secretmaker"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Laura" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Laura\Start Menu\Programs\Startup
"Secretmaker" -> shortcut to: "C:\Program Files\Secretmaker\secretmaker.exe" ["Secretmaker"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\
{++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
{++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
Canon Camera Access Library 8, CCALib8, "C:\Program Files\Canon\CAL\CALMAIN.exe" ["Canon Inc."]
dlcc_device, dlcc_device, "C:\WINDOWS\system32\dlcccoms.exe -service" [empty string]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Dell 924 Port\Driver = "dlcclmpm.DLL" [empty string]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
PDF Port\Driver = "C:\WINDOWS\system32\pdfports.dll" ["Adobe Systems Incorporated."]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 24 seconds, including 5 seconds for message boxes)
  • 0

#22
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
That looks OK. Let me know if you have any further intrusion attempts or if the shutdown issue is still giving you a problem.
  • 0

#23
Trent M

Trent M

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Thanks. I'll need a couple days to see if the computer is behaving properly. I'll keep you posted.

In the meantime, can I ask.... these infections occurred as a result of my nephew bypassing the security checks in his efforts to download free games from disreputable sites and from opening links while chatting on MSN Messenger. He also downloads music from Limewire. I've explained the pitfalls to him, and if I now block him from downloading programs and games, would his continued use of Limewire and Messenger pose a high risk of reinfection? i.e. should I remove these programs?

Trent
  • 0

#24
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
More than likely the source, not necessarily the applications themselves, but P2P file sharing, downloading warez and cracks, and drive-bys from dodgy sites are common infectors. Obviously if you don't do it the risks are reduced. You can put some silent protection in place. Install IE-Spyads, see here for a tutorial: http://www.bleepingc...tutorial53.html
  • 0

#25
Trent M

Trent M

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hi Daemon,

I haven't had any more recent intrusion attempts or random shutdowns. It appears that the pe386 rootkit driver was the problem and is no longer active.

However, I re-ran the AVG AntiSpyware program, and it found 2 threats. The second threat in the System32 folder is the one that was previously associated with the pe386 driver that was deleted by AVG AntiRootkit. The antispyware scan report indicates that it was quarantined. I re-ran AVG AntiRootkit and it found nothing. Not sure why it showed up here, but can we consider this driver officially terminated?

SUPERAntiSpyware scan is still clean.

Trent

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:25:45 PM 06/01/2007

+ Scan result:

C:\Program Files\PeDevice\PeDev.dll -> Adware.Delfin : Cleaned with backup (quarantined).
C:\WINDOWS\system32:lzx32.sy_ -> Trojan.Rustock.nbd : Cleaned with backup (quarantined).

::Report end
  • 0


#26
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
I think so - let's monitor it for a couple more days.
  • 0

#27
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
How has it been behaving?

Thanks for the donation, it is very much appreciated :whistling:

Edited by Daemon, 09 January 2007 - 01:04 AM.

  • 0

#28
Trent M

Trent M

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Thanks for hanging in there.... this is the forum topic that never ended....

The computer seems to be running fine now. Strangely, it appears that every time I run the AVG antispyware program, it finds malware. The scan today found 4 more items, all of which had been previously found and quarantined. I quarantined them all again, rebooted, and re-scanned, and 3 of them reappeared. If I run the scan twice in a row without rebooting, it only finds the Trojan.Rustock.nbd. But as I said, my system is now asymptomatic.

I'm puzzled by how they keep entering my system. I'm not the only person that uses the computer, but the others have told me that they haven't been downloading anything, and haven't noticed any obvious intrusion attempts. Perhaps one solution is to pay to upgrade to the AVG program to allow real-time protection.

Any other thoughts?

Trent

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:18:32 PM 09/01/2007

+ Scan result:

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000043.dll -> Adware.Delfin : Cleaned with backup (quarantined).
C:\Program Files\Ipwindows\ipwins.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc1\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\system32:lzx32.sy_ -> Trojan.Rustock.nbd : Cleaned with backup (quarantined).

::Report end
  • 0

#29
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
The version of AVG antispyware you have is fully functioning for a month so you are getting real time protection now. It will also be constantly updating itself so maybe what you are seeing is new detections because the database is bigger. Looking at what it found this time:

The restore file is not 'live' infection - it's a snapshot taken by Windows that contains whatever malware was there at the time. Let's purge and set a new one, do this:

1. Right-click My Computer>Click Properties>Click the System Restore tab>Check the box next to 'Turn off System Restore on all drives'>Click Apply>Click OK.

2. Reboot.

3. Repeat the process but this time remove the check from the box.

The Ipwindows is a new detection, delete this folder: C:\Program Files\Ipwindows.

The file in the recycle bin was previously detected by Panda but no action taken. It should have been removed by System Security Suite however which is a bit puzzling. Manually empty the recycle bin.

Which brings us back to Rustock. If you notice, the file extension is .sy_ which denotes that it is a compressed system file, whereas the original rootkit used the expanded file. Is AVG antirootkit still coming back clean? Do you have multiple copies of this file in your AVG antispyware quarantine folder? Sometimes 'protection' programs actually hinder things by interfering with removals by putting things back - I can't see Adwatch or Spybot's TeaTimer running; the only one I'm not sure of is Secretmaker.

Could you boot into Safe mode and run the two AVG antispyware scans (without rebooting) and let me know what the result is?
  • 0

#30
Trent M

Trent M

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hi. Sorry about the slow replies.... working night shifts this week.

Deleted the Ipwindows folder. Emptied the recycle bin manually. I did reset my system restore folder a few days ago as you described, but I forgot to do it again just before running the new scans. I'll redo this process again when I get a chance. Didn't see multiple copies of Rustock in quarantine folder.

The AVG Anti-Rootkit was clean.

I did some google searching on the C:\WINDOWS\system32:lzx32.sy_ filename. I found a reference suggesting that the AVG Anti-Rootkit program renames the driver so that the driver will not be loaded at the next reboot, but doesn't remove the actual rootkit ADS and its registry entries. It was suggested that it could be removed by a program called ADS Spy. So it's probably harmless in its current renamed form, which is why I'm not experiencing shutdown problems anymore.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:50:44 PM 11/01/2007

+ Scan result:

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000202.dll -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\WINDOWS\system32:lzx32.sy_ -> Trojan.Rustock.nbd : Cleaned with backup (quarantined).

::Report end

Edited by Trent M, 12 January 2007 - 02:24 AM.

  • 0
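The triage Daemon walks through in #29 (System Restore snapshot versus Recycle Bin residue versus a compressed .sy_ driver) and the alternate-data-stream location Trent describes in #30 (`C:\WINDOWS\system32:lzx32.sy_` is a stream hanging off the system32 folder, not a file inside it), written up as an added Python example. It is not part of the thread or of AVG's tooling; the sample report is constructed from the paths quoted above, and the category names and notes are this example's own.

```python
"""Triage AVG Anti-Spyware scan-report lines the way the thread does.

Added example for this thread, not AVG's or the forum's own tooling.
Distinguishes (1) System Restore snapshots, which are copies of past
infections rather than live ones, (2) Recycle Bin residue, (3) NTFS
alternate data streams (ADS) attached to a file or folder, as used by the
Rustock (lzx32) rootkit, and (4) ordinary on-disk files.
"""
import re
from dataclasses import dataclass

# Constructed sample in AVG Anti-Spyware's report layout, using the paths
# quoted in this thread. Raw string so the backslashes are kept literally.
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:18:32 PM 09/01/2007

+ Scan result:

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000043.dll -> Adware.Delfin : Cleaned with backup (quarantined).
C:\Program Files\Ipwindows\ipwins.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc1\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\system32:lzx32.sy_ -> Trojan.Rustock.nbd : Cleaned with backup (quarantined).

::Report end
"""

# "X:\System Volume Information\_restore{GUID}\RPnn\..." is a System Restore point.
RESTORE_POINT_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I)
# "X:\RECYCLER\<SID>\..." is a per-user Recycle Bin folder on Windows XP.
RECYCLE_BIN_RE = re.compile(r"^[a-z]:\\recycler\\", re.I)


@dataclass
class Finding:
    path: str
    detection: str
    action: str
    category: str      # restore_point | recycle_bin | alternate_data_stream | live_file
    host: str = ""     # for an ADS: the file or folder the stream is attached to
    stream: str = ""   # for an ADS: the stream name
    note: str = ""


def classify_path(path: str) -> Finding:
    """Build a Finding for one detected path (detection/action filled by caller)."""
    f = Finding(path=path, detection="", action="", category="live_file")
    if RESTORE_POINT_RE.match(path):
        f.category = "restore_point"
        f.note = "Snapshot of an old infection; purge by turning System Restore off and on."
        return f
    if RECYCLE_BIN_RE.match(path):
        f.category = "recycle_bin"
        f.note = "Deleted but not purged; empty the Recycle Bin."
        return f
    # A colon anywhere after the "X:" drive prefix marks an NTFS alternate
    # data stream: "C:\WINDOWS\system32:lzx32.sy_" is the stream "lzx32.sy_"
    # attached to the system32 folder itself.
    colon = path.find(":", 2)
    if colon != -1:
        f.category = "alternate_data_stream"
        f.host, f.stream = path[:colon], path[colon + 1:]
        f.note = "Hidden in an ADS; a tool that only renames the stream leaves it in place."
        if f.stream.endswith("_"):
            f.note += " Trailing '_' suggests a compressed (.sy_) driver image."
        return f
    f.note = "Ordinary file; remove it and check what dropped it."
    return f


def parse_report(text: str) -> list[Finding]:
    """Parse the '+ Scan result:' section of an AVG Anti-Spyware report."""
    findings: list[Finding] = []
    in_results = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+ Scan result:"):
            in_results = True
            continue
        if line.startswith("::Report end"):
            break
        if not in_results or " -> " not in line or " : " not in line:
            continue
        path, rest = line.split(" -> ", 1)
        detection, action = rest.split(" : ", 1)
        f = classify_path(path)
        f.detection, f.action = detection.strip(), action.strip().rstrip(".")
        findings.append(f)
    return findings


def still_live(findings: list[Finding]) -> list[Finding]:
    """Findings that are not mere snapshot or bin residue and so need a real fix."""
    return [f for f in findings if f.category in ("alternate_data_stream", "live_file")]


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f"{f.category:22} {f.detection:20} {f.path}")
        print(f"{'':22} {f.note}")
```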





