Author Topic: w32 rootkit gen x unusual behaviour  (Read 15953 times)


akshayk29

  • Guest
w32 rootkit gen x unusual behaviour
« on: May 19, 2011, 10:02:18 AM »
Last night I found a rootkit on svchost and Avast blocked it.
Then I ran a boot-time scan and found Rootkit W32 Gen.
I moved it to the chest.
Today when I opened my PC,
every now and then the theme resets to Windows Classic,
and there is no sound in my speakers,
and when I click on volume control
it says there are no mixer devices available. Please help!!!!

akshayk29

  • Guest
Re: w32 rootkit gen x unusual behaviour
« Reply #1 on: May 19, 2011, 10:17:38 AM »
Is there anyone who can reply? ??? :'(

argus

  • Guest
Re: w32 rootkit gen x unusual behaviour
« Reply #2 on: May 19, 2011, 11:16:37 AM »
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double-click dds.scr to run the tool.

* When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt

* Save both reports to your desktop.

Attach the log reports (DDS.txt) back to the topic.

SafeSurf

  • Guest
Re: w32 rootkit gen x unusual behaviour
« Reply #3 on: May 19, 2011, 11:46:24 AM »
The OP double posted in this thread: http://forum.avast.com/index.php?topic=78399.0.

Essexboy has been notified to assist this OP for malware removal and was instructed to post an OTS log.  Thank you.

argus

  • Guest
Re: w32 rootkit gen x unusual behaviour
« Reply #4 on: May 19, 2011, 11:53:36 AM »
Ok SafeSurf, greeting  :)

akshayk29

  • Guest
Re: w32 rootkit gen x unusual behaviour
« Reply #5 on: May 20, 2011, 09:03:17 AM »
Quote from: argus on May 19, 2011, 11:16:37 AM
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double-click dds.scr to run the tool.

* When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt

* Save both reports to your desktop.

Attach the log reports (DDS.txt) back to the topic.

Is it like ComboFix or not?
Should I do what you said or wait for Essexboy?

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • Posts: 11241
  • No support PM's thanks
Re: w32 rootkit gen x unusual behaviour
« Reply #6 on: May 20, 2011, 09:09:41 AM »
Please wait for Essexboy to assist you, he'll be on later tonight.

akshayk29

  • Guest
Re: w32 rootkit gen x unusual behaviour
« Reply #7 on: May 20, 2011, 09:23:36 AM »
Quote from: argus on May 19, 2011, 11:16:37 AM
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double-click dds.scr to run the tool.

* When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt

* Save both reports to your desktop.

Attach the log reports (DDS.txt) back to the topic.

Here is the log:

DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_24
Run by AKSHAY KUMAR at 12:45:26 on 2011-05-20
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.223.49 [GMT 5.5:30]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\avastsoftware\AvastSvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
D:\WINDOWS\system32\VTTimer.exe
D:\Program Files\Kodak\KODAK Share Button App\Listener.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\avastsoftware\avastUI.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Documents and Settings\AKSHAY KUMAR\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\AKSHAY KUMAR\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\AKSHAY KUMAR\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\AKSHAY KUMAR\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\WINDOWS\system32\taskmgr.exe
C:\cur\setups\dds.scr
D:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: H - No File
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - d:\program files\internet download manager\IDMIECC.dll
BHO: IE 4.x-6.x BHO for Internet Download Accelerator: {2a646672-9c3a-4c28-9a7a-1fb0f63f28b6} - c:\progra~1\ida\ida\idaiehlp.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\avastsoftware\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\avastsoftware\aswWebRepIE.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Google Update] "d:\documents and settings\akshay kumar\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AudioDeck] d:\program files\via\viaudioi\sbadeck\ADeck.exe 1
mRun: [VTTimer] VTTimer.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [KodakShareButtonApp] d:\program files\kodak\kodak share button app\Listener.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\avastsoftware\avastUI.exe" /nogui
IE: Download all links with IDM - d:\program files\internet download manager\IEGetAll.htm
IE: Download ALL with IDA - c:\program files\ida\ida\idaieall.htm
IE: Download remotely with IDA - c:\program files\ida\ida\remdown.htm
IE: Download with IDA - c:\program files\ida\ida\idaie.htm
IE: Download with IDM - d:\program files\internet download manager\IEExt.htm
IE: {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - c:\program files\ida\ida\ida.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1293860854781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: {4DDA501E-3082-42F0-BF65-3138D10F2D1B} = 203.122.63.152,203.122.63.154
TCP: {FA4120D3-0AB8-4DA8-BF1C-EEBBDA613246} = 203.122.63.152,203.122.63.154
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\documents and settings\akshay kumar\application data\mozilla\firefox\profiles\etpk8ehl.default\
FF - plugin: d:\documents and settings\akshay kumar\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npida.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Avgrkx86;AVG Anti-Rootkit Driver;d:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 ViBus;ViBus;d:\windows\system32\drivers\ViBus.sys [2010-10-14 16896]
R0 ViPrt;VIA SATA IDE Device Driver;d:\windows\system32\drivers\ViPrt.sys [2010-10-14 52224]
R1 aswSnx;aswSnx;d:\windows\system32\drivers\aswSnx.sys [2011-3-22 441176]
R1 aswSP;aswSP;d:\windows\system32\drivers\aswSP.sys [2011-3-22 307928]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;d:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;d:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
R1 IDMTDI;IDMTDI;d:\windows\system32\drivers\idmtdi.sys [2011-4-25 98160]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [2011-3-22 19544]
R2 avast! Antivirus;avast! Antivirus;c:\avastsoftware\AvastSvc.exe [2011-3-22 42184]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [2011-2-13 20952]
R3 MEMSWEEP2;MEMSWEEP2;\??\d:\windows\system32\d.tmp --> d:\windows\system32\D.tmp [?]
S1 Avgldx86;AVG AVI Loader Driver;d:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
S2 avgwd;AVG WatchDog;

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-13 363344]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;

S3 AVGIDSShim;AVGIDSShim;d:\windows\system32\drivers\avgidsshim.sys --> d:\windows\system32\drivers\AVGIDSShim.Sys [?]
S3 cpuz132;cpuz132;

S3 MBAMSwissArmy;MBAMSwissArmy;d:\windows\system32\drivers\mbamswissarmy.sys [2011-2-13 38224]
S3 Revoflt;Revoflt;d:\windows\system32\drivers\revoflt.sys [2011-5-1 27064]
S4 AVGIDSDriver;AVGIDSDriver;d:\windows\system32\drivers\avgidsdriver.sys --> d:\windows\system32\drivers\AVGIDSDriver.Sys [?]
S4 AVGIDSEH;AVGIDSEH;d:\windows\system32\drivers\avgidseh.sys --> d:\windows\system32\drivers\AVGIDSEH.Sys [?]
S4 AVGIDSFilter;AVGIDSFilter;d:\windows\system32\drivers\avgidsfilter.sys --> d:\windows\system32\drivers\AVGIDSFilter.Sys [?]
.
=============== Created Last 30 ================
.
2011-05-19 06:32:35   --------   d-----w-   d:\program files\Lame For Audacity
2011-05-15 10:22:39   --------   d-----w-   d:\documents and settings\all users\application data\Speedbit
2011-05-14 08:07:49   --------   d-----w-   d:\documents and settings\akshay kumar\local settings\application data\Daum
2011-05-14 06:09:38   404640   ----a-w-   d:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-01 10:38:10   --------   d-----w-   d:\windows\SxsCaPendDel
2011-05-01 06:43:32   --------   d-----w-   d:\documents and settings\akshay kumar\local settings\application data\VS Revo Group
2011-05-01 06:43:20   27064   ----a-w-   d:\windows\system32\drivers\revoflt.sys
2011-05-01 06:43:17   --------   d-----w-   d:\program files\VS Revo Group
2011-04-25 15:41:51   98160   ----a-w-   d:\windows\system32\drivers\idmtdi.sys
2011-04-23 08:31:15   --------   d-----w-   d:\documents and settings\akshay kumar\application data\IDM
.
==================== Find3M  ====================
.
2011-05-10 12:10:59   40112   ----a-w-   d:\windows\avastSS.scr
2011-05-10 12:03:54   441176   ----a-w-   d:\windows\system32\drivers\aswSnx.sys
.
============= FINISH: 12:46:28.21 ===============
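The SERVICES / DRIVERS section of a DDS log is where a helper looks first: drivers from a product the user says is gone but which still load at boot, an entry whose image file DDS could not find on disk ("--> ... [?]"), or a driver backed by a .tmp file. The script below is an added example written for this page; it is not one of the tools used in the thread and not the forum's own procedure. It applies those three checks to six lines copied from the log above. The line format it parses (state letter, start type, name;display;path [date size]) is inferred from the posted log, and treating "avg" as an uninstalled product is an assumption taken from the poster's statement that AVG is no longer used.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log (added example).

DDS prints one service or driver per line as
    <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
and appends "--> <path> [?]" when the image file is not found on disk.
"""
import re
from dataclasses import dataclass, field

DDS_ENTRY = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")

# Six lines copied from the DDS log posted earlier in this thread.
SAMPLE_LOG = "\n".join([
    r"R0 Avgrkx86;AVG Anti-Rootkit Driver;d:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]",
    r"R1 aswSnx;aswSnx;d:\windows\system32\drivers\aswSnx.sys [2011-3-22 441176]",
    r"R3 MEMSWEEP2;MEMSWEEP2;\??\d:\windows\system32\d.tmp --> d:\windows\system32\D.tmp [?]",
    r"S2 avgwd;AVG WatchDog;",
    r"S3 AVGIDSShim;AVGIDSShim;d:\windows\system32\drivers\avgidsshim.sys --> d:\windows\system32\drivers\AVGIDSShim.Sys [?]",
    r"S3 Revoflt;Revoflt;d:\windows\system32\drivers\revoflt.sys [2011-5-1 27064]",
])


@dataclass
class Entry:
    running: bool      # 'R' = running, 'S' = stopped (DDS convention)
    start_type: int    # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    path: str          # raw tail of the line; empty when DDS had no path
    findings: list = field(default_factory=list)


def parse_entry(line):
    """Return an Entry for one DDS service/driver line, or None for any other line."""
    m = DDS_ENTRY.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    return Entry(state == "R", int(start), name, display, rest.strip())


def triage(entry, removed_vendors=("avg",)):
    """Attach review flags to an Entry.

    removed_vendors: name prefixes of products the user says are uninstalled.
    The default ("avg",) is an assumption taken from this thread.
    """
    raw = entry.path
    if not raw:
        entry.findings.append("no image path recorded")
    if "-->" in raw or "[?]" in raw:
        entry.findings.append("image file not found on disk")
    # Keep only the first path: drop the "--> ..." redirect and the "[date size]" tail.
    image = raw.split(" -->")[0].split(" [")[0].strip()
    if image.lower().endswith(".tmp"):
        entry.findings.append("driver image is a .tmp file")
    for vendor in removed_vendors:
        if entry.name.lower().startswith(vendor) or entry.display.lower().startswith(vendor):
            entry.findings.append(f"belongs to '{vendor}', reported uninstalled")
            if entry.running:
                entry.findings.append(f"'{vendor}' component is still loaded")
    return entry


def triage_log(text, removed_vendors=("avg",)):
    """Map service/driver name -> list of findings for every DDS entry in text."""
    report = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            report[entry.name] = triage(entry, removed_vendors).findings
    return report


if __name__ == "__main__":
    for name, flags in triage_log(SAMPLE_LOG).items():
        print(f"{name:12} {'; '.join(flags) or 'ok'}")
```

A flag is a prompt for a human, not a verdict. The MEMSWEEP2 entry backed by a .tmp file is the pattern Sophos's on-demand scanning driver normally leaves, and AVG drivers surviving an uninstall is common enough that AVG publishes a dedicated removal tool; the point of the script is to pull these entries out of a 120-line log so the helper can decide about them, and to tie the "still loaded" flag to the R state rather than to the mere presence of the file.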

akshayk29

  • Guest
Re: w32 rootkit gen x unusual behaviour
« Reply #8 on: May 20, 2011, 09:27:58 AM »
P.S. I don't use AVG; I used it earlier and now I use MBAM and Avast.

SafeSurf

  • Guest
Re: w32 rootkit gen x unusual behaviour
« Reply #9 on: May 20, 2011, 11:08:12 AM »
While we are waiting for Essexboy, please do the following in the order I have posted:

1.  You show that AVG is active.  Please run the AVG Uninstaller Tool:   http://www.avg.com/us-en/download-tools then reboot your machine.

2. Make sure your MS / Windows Updates are up to date.

3. Download TFC by OldTimer to your desktop. http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
* Please double-click TFC.exe to run it. (Note: If you are running on
* It will close all programs when running, so make sure you have saved all your work before you begin.
* Click the Start button to begin the process. Let it run uninterrupted to completion.
* Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

4. Check your computer for malware with Malwarebytes' Anti-Malware (MBAM).
* Download free http://www.malwarebytes.org/ (the blue button) for an on-demand scanner.
* Double-click mbam-setup.exe to install the application.
* After install, click Update so you have the latest database before scanning.
* Under Settings:
  - General: "Automatically Save File After Scan Completes" is checked
  - Scanner Settings: check all boxes
  - Updater: "Download and install update if available" is checked
* Once the program has loaded, select "Perform FULL Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to restart. (See Extra Note.)
* Click the "Remove Selected" button to quarantine anything found. You will find the infection details under the Quarantine tab.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts -- Click OK to either and let MBAM proceed with the disinfection process; If asked to restart the computer, please do so immediately.

5. Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTS logs (save them as ANSI and not Unicode).  Post the MBAM log and the OTS log as an attachment (Additional Options > Attach > Post). 

***Please do not make any further changes to your machine after you have provided the logs.***

Let us know if you have any questions.  Thank you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: w32 rootkit gen x unusual behaviour
« Reply #10 on: May 20, 2011, 08:37:42 PM »
Cheers Safesurf - I was going to recommend that as AVG is running a rootkit scan as well

Download aswMBR.exe (511KB) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.


akshayk29

  • Guest
Re: w32 rootkit gen x unusual behaviour
« Reply #11 on: May 21, 2011, 06:59:29 AM »
Quote from: essexboy on May 20, 2011, 08:37:42 PM
Cheers Safesurf - I was going to recommend that as AVG is running a rootkit scan as well

Here is the log:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-21 10:27:31
-----------------------------
10:27:31.750    OS Version: Windows 5.1.2600 Service Pack 2
10:27:31.750    Number of processors: 1 586 0x2C02
10:27:31.750    ComputerName: AKSHAY  UserName:
10:27:32.265    Initialize success
10:27:40.421    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000060
10:27:40.437    Disk 0 Vendor: achi_HDS721680PLA380_________________ OAB3A Size: 78533MB BusType: 3
10:27:42.468    Disk 0 MBR read successfully
10:27:42.468    Disk 0 MBR scan
10:27:42.468    Disk 0 Windows XP default MBR code
10:27:44.468    Disk 0 scanning sectors +160810650
10:27:44.484    Disk 0 scanning D:\WINDOWS\system32\drivers
10:27:48.156    Service scanning
10:27:49.234    Disk 0 trace - called modules:
10:27:49.234    ntkrnlpa.exe CLASSPNP.SYS disk.sys ViPrt.sys hal.dll ViBus.sys
10:27:49.234    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8135b9c0]
10:27:49.250    3 CLASSPNP.SYS[f9ed505b] -> nt!IofCallDriver -> \Device\00000060[0x812b1600]
10:27:49.250    Scan finished successfully
10:28:21.562    Disk 0 MBR has been saved successfully to "D:\Documents and Settings\AKSHAY KUMAR\Desktop\MBR.dat"
10:28:21.609    The log file has been saved successfully to "D:\Documents and Settings\AKSHAY KUMAR\Desktop\aswMBR.txt"
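Two lines in the aswMBR log above carry most of the information: the MBR verdict ("Windows XP default MBR code") and the "trace - called modules" list, which names every module sitting in the I/O path between the kernel and the disk. A bootkit that patches the MBR or inserts itself into the disk stack shows up in one or both. The script below is an added example written for this page, not part of aswMBR or of the thread; it reads those two lines and allow-lists the modules. The core XP disk-stack modules are hard-coded, while the machine's own bus and port drivers (here ViPrt.sys and ViBus.sys, taken from the DDS log) are passed in, because they differ per controller. The second, "suspect" log is constructed for the example and does not come from the thread.

```python
"""Check an aswMBR log for the MBR verdict and the disk I/O module list (added example)."""
import re

# aswMBR prefixes every line with "HH:MM:SS.mmm" and spaces.
TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+")

# Modules always expected in an XP disk stack. Bus/port drivers vary per
# machine and are supplied by the caller (see assess()).
CORE_MODULES = {"ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll",
                "classpnp.sys", "disk.sys", "partmgr.sys"}

# Lines copied from the aswMBR log posted above.
SAMPLE_CLEAN = """\
10:27:42.468    Disk 0 MBR scan
10:27:42.468    Disk 0 Windows XP default MBR code
10:27:49.234    Disk 0 trace - called modules:
10:27:49.234    ntkrnlpa.exe CLASSPNP.SYS disk.sys ViPrt.sys hal.dll ViBus.sys
10:27:49.234    1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x8135b9c0]
10:27:49.250    Scan finished successfully
"""

# Constructed for this example (not from the thread): the "default MBR code"
# verdict is absent and a driver nobody installed, xyz.sys, is in the path.
SAMPLE_SUSPECT = """\
10:27:42.468    Disk 0 MBR scan
10:27:49.234    Disk 0 trace - called modules:
10:27:49.234    ntkrnlpa.exe CLASSPNP.SYS disk.sys ViPrt.sys hal.dll ViBus.sys xyz.sys
10:27:49.250    Scan finished successfully
"""


def parse_aswmbr(text):
    """Return (mbr_default, modules) from an aswMBR log.

    mbr_default is True when aswMBR reported the stock Windows MBR code;
    modules is the list on the line after "trace - called modules:".
    """
    bodies = [TIMESTAMP.sub("", ln) for ln in text.splitlines()]
    mbr_default = any(b.startswith("Disk 0") and "default MBR code" in b for b in bodies)
    modules = []
    for i, body in enumerate(bodies):
        if "trace - called modules:" in body and i + 1 < len(bodies):
            modules = bodies[i + 1].split()
            break
    return mbr_default, modules


def assess(text, storage_drivers=()):
    """Flag an unfamiliar MBR and any module in the disk path that is neither a
    core module nor one of the machine's known storage drivers.

    storage_drivers: file names of this machine's bus/port drivers, e.g. the
    R0 entries from its DDS log. Matching is case-insensitive; the original
    spelling from the log is returned so it can be looked up as printed.
    """
    mbr_default, modules = parse_aswmbr(text)
    allowed = CORE_MODULES | {d.lower() for d in storage_drivers}
    unexpected = [m for m in modules if m.lower() not in allowed]
    return {"mbr_ok": mbr_default, "unexpected_modules": unexpected}


if __name__ == "__main__":
    via = ("ViPrt.sys", "ViBus.sys")   # from the DDS log: R0 ViPrt / R0 ViBus
    print("posted log:     ", assess(SAMPLE_CLEAN, via))
    print("constructed log:", assess(SAMPLE_SUSPECT, via))
```

An unexpected module is a lead, not a diagnosis: confirm it against the machine's DDS driver list before treating it as an implant, and do not pass a driver into storage_drivers just because it appears in the trace, since that defeats the check. A clean MBR verdict plus a trace containing only the kernel, CLASSPNP, disk.sys, HAL and the controller's own drivers, as in the posted log, is the result a helper wants to see before moving on to the user-mode tools.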


argus

  • Guest
Re: w32 rootkit gen x unusual behaviour
« Reply #12 on: May 21, 2011, 07:26:23 AM »
Re-run DDS and post a new log.

akshayk29

  • Guest
Re: w32 rootkit gen x unusual behaviour
« Reply #13 on: May 21, 2011, 07:40:58 AM »
When I restarted my PC after running TFC, it showed:
Rootkit blocked
Avast has blocked a threat
Name: W32 Rootkit Gen
From D:\Windows\...\svchost.exe

argus

  • Guest
Re: w32 rootkit gen x unusual behaviour
« Reply #14 on: May 21, 2011, 07:44:22 AM »
Did you uninstall AVG?

Disable Avast whilst this runs: set the shields to off until reboot.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.