Author Topic: rootkit in system 32  (Read 17191 times)

Offline SUSZANNAH

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1954
  • There We Are Then
Re: rootkit in system 32
« Reply #15 on: April 26, 2008, 11:16:08 PM »
Here goes....I hope lol


ComboFix 08-04-24.1 - HP_Owner 2008-04-26 22:02:53.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.735 [GMT 1:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\Combo-Fix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf

.
(((((((((((((((((((((((((   Files Created from 2008-03-26 to 2008-04-26  )))))))))))))))))))))))))))))))
.

2008-04-26 21:32 . 2008-04-26 21:32   <DIR>   d--------   C:\Program Files\Trend Micro
2008-04-26 19:58 . 2008-04-26 19:58   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-04-26 19:58 . 2008-04-26 19:58   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 01:39 . 2008-04-26 01:39   <DIR>   d--------   C:\fsaua.data
2008-04-20 23:56 . 2008-04-20 23:56   <DIR>   d--------   C:\Program Files\Xilisoft
2008-04-19 22:07 . 2008-04-19 22:07   <DIR>   d--------   C:\Program Files\YASAMP4Converter
2008-04-19 21:57 . 2008-04-19 22:01   <DIR>   d--------   C:\Documents and Settings\HP_Owner\Application Data\DVD Flick
2008-04-16 01:09 . 2008-04-16 01:09   <DIR>   d--------   C:\Program Files\eBay
2008-04-16 01:09 . 2008-04-16 01:09   <DIR>   d--------   C:\Documents and Settings\HP_Owner\Application Data\InstallShield
2008-04-16 01:09 . 2008-04-16 12:21   <DIR>   d--------   C:\Documents and Settings\HP_Owner\Application Data\eBay
2008-04-16 01:09 . 2008-04-26 21:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-04-16 01:09 . 2008-04-16 01:09   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\eBay
2008-04-12 21:26 . 2008-04-13 21:22   0   --a------   C:\temp\EnhancedDataOutput.txt
2008-04-12 03:18 . 2008-04-22 21:54   54,156   --ah-c---   C:\WINDOWS\QTFont.qfn
2008-04-12 03:18 . 2008-04-12 03:18   1,409   --a--c---   C:\WINDOWS\QTFont.for
2008-04-06 15:55 . 2008-04-06 15:55   <DIR>   d--------   C:\WINDOWS\system32\Adobe
2008-03-31 20:52 . 2008-04-26 01:23   <DIR>   d--------   C:\Documents and Settings\HP_Owner\Application Data\OpenOffice.org2
2008-03-31 20:48 . 2008-03-31 20:48   <DIR>   d--------   C:\Program Files\OpenOffice.org 2.4
2008-03-31 20:47 . 2008-03-31 20:47   <DIR>   d--------   C:\Program Files\OpenOffice.org 2.4 (en-US) Installation Files

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 18:58   ---------   d-----w   C:\Documents and Settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2008-04-22 02:31   ---------   d-----w   C:\Program Files\YouTube Downloader
2008-04-22 02:27   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-22 02:26   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-04-20 22:55   ---------   d-----w   C:\Program Files\Common Files\AVSMedia
2008-04-20 22:55   ---------   d-----w   C:\Program Files\AVS4YOU
2008-04-19 16:28   ---------   d-----w   C:\Documents and Settings\HP_Owner\Application Data\uTorrent
2008-04-16 00:09   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-04-15 23:06   ---------   d-----w   C:\Program Files\Nokia
2008-03-19 09:47   1,845,248   ----a-w   C:\WINDOWS\system32\win32k.sys
2008-03-18 19:10   ---------   d-----w   C:\Documents and Settings\HP_Owner\Application Data\Ahead
2008-03-18 18:09   ---------   d-----w   C:\Program Files\Ahead
2008-03-18 18:05   ---------   d-----w   C:\Program Files\Common Files\Ahead
2008-03-18 17:58   ---------   d-----w   C:\Program Files\UnderCoverXP
2008-03-17 02:41   ---------   d-----w   C:\Program Files\Yahoo!
2008-03-17 02:41   ---------   d-----w   C:\Program Files\SlySoft
2008-03-17 02:41   ---------   d-----w   C:\Program Files\QuickTime
2008-03-17 02:41   ---------   d-----w   C:\Program Files\PC Wizard 2006
2008-03-17 02:41   ---------   d-----w   C:\Program Files\jv16 PowerTools
2008-03-17 02:41   ---------   d-----w   C:\Program Files\Java
2008-03-17 02:41   ---------   d-----w   C:\Program Files\InterVideo
2008-03-17 02:41   ---------   d-----w   C:\Program Files\Common Files\Real
2008-03-17 02:41   ---------   d-----w   C:\Program Files\Common Files\MAGIX Shared
2008-03-17 02:41   ---------   d-----w   C:\Program Files\Common Files\aolshare
2008-03-17 02:41   ---------   d-----w   C:\Program Files\Common Files\AOL
2008-03-17 02:40   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-03-17 02:40   ---------   d-----w   C:\Program Files\AOL 9.0
2008-03-17 02:30   ---------   d-----w   C:\Program Files\Common Files\Logitech
2008-03-17 01:52   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-17 01:48   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Apple
2008-03-15 00:51   ---------   d-----w   C:\Program Files\Ashampoo
2008-03-12 01:57   ---------   d-----w   C:\Documents and Settings\HP_Owner\Application Data\AVS4YOU
2008-03-12 01:57   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-03-11 21:54   ---------   d-----w   C:\Documents and Settings\HP_Owner\Application Data\Ashampoo Photo Commander 5
2008-03-03 22:25   ---------   d-----w   C:\Documents and Settings\HP_Owner\Application Data\Ashampoo
2008-03-03 22:12   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\ashampoo
2008-03-01 13:06   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51   282,624   ----a-w   C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32   45,568   ----a-w   C:\WINDOWS\system32\dnsrslvr.dll
2006-05-23 17:34   24,192   -c--a-w   C:\Documents and Settings\HP_Owner\usbsermptxp.sys
2006-05-23 17:34   22,768   -c--a-w   C:\Documents and Settings\HP_Owner\usbsermpt.sys
2001-03-28 11:02   122,880   -c--a-w   C:\WINDOWS\inf\Agfa\message.exe
2005-01-21 19:35   0   -csha-w   C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"Acme.PCHButton"="C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\PCHButton.exe" [2004-01-02 04:14 159744]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 18:37 79224]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 19:57 1048576]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1178117888\ee\AOLSoftware.exe" [2006-11-17 14:21 50736]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-03-13 14:30 652528]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll


Offline SUSZANNAH

Re: rootkit in system 32
« Reply #16 on: April 26, 2008, 11:17:31 PM »
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-11-17 14:21 50736 C:\Program Files\Common Files\AOL\1178117888\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a--c--- 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2007-05-18 22:07 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
-----c--- 2007-09-07 17:13 292152 C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2007-06-11 18:16 4670968 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1178117888\\ee\\aolsoftware.exe"=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 23:42]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS []
S3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{430c15e6-ba3f-11dc-9065-00038a000015}]
\Shell\AutoRun\command - InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af3188d4-bd67-11dc-906b-00038a000015}]
\Shell\AutoRun\command - InstallTomTomHOME.exe

*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 18:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 22:04:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-04-26 22:07:42
ComboFix-quarantined-files.txt  2008-04-26 21:06:38

Pre-Run: 59,660,808,192 bytes free
Post-Run: 59,648,499,712 bytes free

175   --- E O F ---   2008-04-10 02:04:35


sorry it was too big for 1 post

Offline SUSZANNAH

Re: rootkit in system 32
« Reply #17 on: April 26, 2008, 11:20:37 PM »
ummm what did the big red warning message about not having recovery installed mean???

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: rootkit in system 32
« Reply #18 on: April 26, 2008, 11:24:12 PM »
Hi SUSZ,

Here is your hjt logfile analysis, and it will be here for the next three consecutive days:
http://www.hijackthis.de/logfiles/dd86db7977768246e654304a05bd3bfb.html

Cannot see much wrong here.
Just wait to see what oldman's verdict on the ComboScript outcome will be, and mind that you follow his instructions to clean up precisely when you have arrived at the end of his proposed cleansing routine. Follow his instructions to the dot, and you cannot be any more secure.

Surf safe and stay malware free is the wish and the command of,

Damian

P.S. Info about the red message here:
http://jkontherun.blogs.com/jkontherun/2004/10/windows_xp_reco.html

pol
« Last Edit: April 26, 2008, 11:29:18 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline SUSZANNAH

Re: rootkit in system 32
« Reply #19 on: April 26, 2008, 11:26:30 PM »
Thank you Damian, much appreciate everyone's help   :)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: rootkit in system 32
« Reply #20 on: April 26, 2008, 11:43:21 PM »
Looks like avast and F-secure removed what bit there was. Nothing is showing in the logs. You can fix the 2 O6 lines in HJT if you wish.

Open hjt, do a system scan only, checkmark the two lines, click fix. Close all browsers etc before fixing.

Which ashampoo products are you using?

Offline polonus

Re: rootkit in system 32
« Reply #21 on: April 26, 2008, 11:46:08 PM »
Hi oldman,

Well I think she is OK now, but always better safe than sorry, don't you think so,

polonus

Offline oldman

Re: rootkit in system 32
« Reply #22 on: April 26, 2008, 11:53:27 PM »
Hi polonus

For sure, there is no harm in investigating further when a detection is made. As mentioned, avs aren't perfect. Nice to see avast nab the first one.

SUSZANNAH

After you fix the lines, if you choose to do so, you can remove combofix.

* Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

If you are still experiencing problems, I don't believe they are malware related. Possibly security programs doing their startup scans.

Offline polonus

Re: rootkit in system 32
« Reply #23 on: April 27, 2008, 12:09:07 AM »
Hi Susz,

These two O6 lines could have been made there with your best interest at heart; if you decide to fix them using hjt, feel free to do so. But you could contemplate installing SafeXP, save your current settings first, and then you can make your own restrictions at will or undo them again. You can get it from here: http://www.theorica.net/download.htm
and read about it here:
http://www.theorica.net/safexp.htm

I use it at my workplace, and it never has failed me even while I had only normal user rights on that account,

polonus

Offline SUSZANNAH

Re: rootkit in system 32
« Reply #24 on: April 27, 2008, 12:35:46 AM »
Well once again thanks to you all, I have no idea where I picked this up from or how long it was there undetected.......

Had something similar last year....must have been 1 of the longest threads ever lol


Will have to make sure I scan more often in future  :)

Offline oldman

Re: rootkit in system 32
« Reply #25 on: April 27, 2008, 12:45:05 AM »
Do a full scan with avast once a week, the same with SAS wouldn't hurt.

To help keep clean

* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, click create

* Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.


* Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".

Click the download button on the right.

 > If Information Bar pops up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u6-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.


* Clear the java cache

http://www.java.com/en/download/help/5000020300.xml


* Check if you have insecure applications with Secunia Software Inspector


Offline SUSZANNAH

Re: rootkit in system 32
« Reply #26 on: April 27, 2008, 01:10:56 AM »
Great thank you.... have printed all the info and will get all that sorted tomorrow, one last question I am using diskeeper lite (free) and not that impressed can you suggest anything better to use?

Once again thank you for all your time and trouble   :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89115
  • No support PMs thanks
Re: rootkit in system 32
« Reply #27 on: April 27, 2008, 02:59:23 AM »
I don't know what it is that you're not impressed with in diskeeper lite, but it is a shadow of its big brother, the paid for option. There are many that say it is really an enticement to buy the

I have three defrag programs (they work in different ways) listed in the order of use/speed etc., the one I use most is RejZoR's Power Defragmenter, that is basically a GUI interface for what is a dos style command line defrag it is very fast, but doesn't optimise the order of files on the disk. RejZoR's Power Defragmenter - RejZoRs - eXcessive-software.eu.tt Site

I also use Defraggler which is relatively straightforward and not bad speed wise, http://www.defraggler.com/.

The other is JKDefragGUI, another GUI interface to a defrag program obviously called JKDefrag this is quite a good defrag program with many optimisation options though this slows the defrag down. But for a regular defrag without optimisation it is quite quick.
http://www.emro.nl/freeware/ for the GUI and http://www.kessels.com/JkDefrag/ just the program.

There are many, many more but these are the ones I know most about and they aren't automated (which I prefer) I just run one of them about once a month. There are some that say you don't need a defrag program, obviously I'm not one of those.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline SUSZANNAH

Re: rootkit in system 32
« Reply #28 on: April 27, 2008, 03:08:01 AM »
Hi David, I find diskeeper lite leaves loads of unfragmented files and keeps popping up every other day to remind me to do it......have loads of red blocks every time it defrags   :(

I will give them a try....thanks  :)
« Last Edit: April 27, 2008, 03:11:26 AM by SUSZANNAH »

Offline SUSZANNAH

Re: rootkit in system 32
« Reply #29 on: April 27, 2008, 03:18:19 AM »
Sorry oldman, forgot to put in Ashampoo Burning Studio 6, music studio 2007 and photo commander 5   :)