Author Topic: win32:rootkit-gen(rtk) and win32:trojan-gen (other)  (Read 14654 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:rootkit-gen(rtk) and win32:trojan-gen (other)
« Reply #15 on: April 19, 2009, 07:40:48 PM »
O1 HOSTS File: (2 bytes) - D:\Windows\System32\drivers\etc\Hosts
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [amd_dc_opt] D:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\ipoint.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [itype] "D:\Program Files\Microsoft IntelliType Pro\itype.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide (Microsoft Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\AdvancedOptions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives =  [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2007\\Parser.html
O8 - Extra context menu item: RoboForm Toolbar - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} -  File not found
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} -  File not found
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} -  File not found
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} -  File not found
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} -  File not found
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} -  File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [@%SystemRoot%\system32\nlasvc.dll,-1000] - D:\Windows\system32\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [@%SystemRoot%\system32\napinsp.dll,-1000] - D:\Windows\system32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [@%SystemRoot%\system32\pnrpnsp.dll,-1000] - D:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [@%SystemRoot%\system32\pnrpnsp.dll,-1001] - D:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [mdnsNSP] - D:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: 25 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: Microsoft XML Parser for Java file:///D:/Windows/Java/classes/xmldso.cab (Reg Error: Key error.)

Offline essexboy

Re: win32:rootkit-gen(rtk) and win32:trojan-gen (other)
« Reply #16 on: April 19, 2009, 07:42:48 PM »
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{967E33F9-D88B-49FA-9F4D-DC82959DC49A}\\NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - D:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - D:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - D:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\Windows\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - D:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - D:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (relog_ap) - D:\Windows\System32\relog_ap.dll (Acronis)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/09/18 22:43:36 | 00,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
 
========== Files/Folders - Created Within 30 Days ==========
 
[2009/04/19 18:04:17 | 00,007,180 | ---- | C] () -- D:\Users\Martin\Desktop\SysRestorePoint_v12.zip
[2009/04/19 09:50:05 | 00,562,019 | ---- | C] () -- D:\Users\Martin\Desktop\KIF_0162.JPG
[2009/04/19 09:49:57 | 00,583,920 | ---- | C] () -- D:\Users\Martin\Desktop\KIF_0161.JPG
[2009/04/12 09:41:16 | 00,000,004 | ---- | C] () -- D:\Windows\csdf.bak
[2009/04/11 18:06:10 | 00,000,000 | ---D | C] -- D:\Users\Martin\AppData\Local\Apple Computer
[2009/04/10 18:17:05 | 00,000,004 | ---- | C] () -- D:\Windows\csdf_sdum.dat
[2009/04/10 18:07:28 | 00,040,464 | ---- | C] (COMODO Security Solutions Inc.) -- D:\Windows\System32\drivers\csdf.sys
[2009/04/10 18:07:28 | 00,037,904 | ---- | C] (COMODO Security Solutions Inc.) -- D:\Windows\System32\drivers\crpf.sys
[2009/04/10 18:07:28 | 00,007,928 | ---- | C] (COMODO Security Solutions Inc.) -- D:\Windows\System32\cnat.exe
[2009/04/10 18:07:26 | 00,000,000 | ---D | C] -- D:\Program Files\COMODO
[2009/04/07 21:33:05 | 00,000,000 | ---D | C] -- D:\Program Files\iPod
[2009/04/07 21:33:03 | 00,000,000 | ---D | C] -- D:\ProgramData\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/04/07 21:33:03 | 00,000,000 | ---D | C] -- D:\Program Files\iTunes
[2009/04/07 21:31:54 | 00,000,000 | ---D | C] -- D:\Program Files\Bonjour
[2009/04/01 21:27:29 | 00,000,000 | ---D | C] -- D:\Users\Martin\Documents\DVDVideoSoft
[2009/03/31 22:56:23 | 00,000,394 | -H-- | C] () -- D:\Windows\tasks\User_Feed_Synchronization-{1FE75B64-8298-4D79-B25D-27EB3AF04F19}.job
[2009/03/29 21:34:50 | 00,076,406 | ---- | C] () -- D:\Users\Martin\Desktop\p901_01_jpg_400.jpg
[2009/03/29 15:29:05 | 00,001,239 | RH-- | C] () -- D:\Windows\EPMBatch.ept
[2009/03/29 15:27:36 | 00,000,011 | ---- | C] () -- D:\Windows\EuBcd.ini
[2009/03/29 15:25:34 | 01,907,712 | ---- | C] () -- D:\Windows\System32\BootMan.exe
[2009/03/29 15:25:34 | 00,086,408 | ---- | C] () -- D:\Windows\System32\setupempdrv03.exe
[2009/03/29 15:25:34 | 00,014,848 | ---- | C] () -- D:\Windows\System32\EuEpmGdi.dll
[2009/03/29 15:25:34 | 00,009,728 | ---- | C] () -- D:\Windows\System32\epmntdrv.sys
[2009/03/29 15:25:34 | 00,003,072 | ---- | C] () -- D:\Windows\System32\EuGdiDrv.sys
[2009/03/29 15:25:26 | 00,000,000 | ---D | C] -- D:\Program Files\EASEUS
[2009/03/26 21:43:04 | 00,000,000 | ---D | C] -- D:\Program Files\MSECache
[2009/03/25 22:21:50 | 00,000,000 | ---D | C] -- D:\Program Files\Secunia
[2009/03/25 00:11:09 | 00,000,000 | ---D | C] -- D:\Program Files\VS Revo Group
[2009/03/24 20:06:39 | 00,000,000 | ---D | C] -- D:\Program Files\WinAce
 
========== Files - Modified Within 30 Days ==========
 
[1 D:\Windows\System32\*.tmp files]
[2009/04/19 18:26:18 | 00,002,577 | ---- | M] () -- D:\Windows\System32\config.nt
[2009/04/19 18:04:20 | 00,007,180 | ---- | M] () -- D:\Users\Martin\Desktop\SysRestorePoint_v12.zip
[2009/04/19 18:00:01 | 00,000,488 | ---- | M] () -- D:\Windows\tasks\1-Click Maintenance.job
[2009/04/19 17:13:01 | 00,003,680 | -H-- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/04/19 17:13:01 | 00,003,680 | -H-- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/04/19 15:29:58 | 00,690,960 | ---- | M] () -- D:\Windows\System32\PerfStringBackup.INI
[2009/04/19 15:29:58 | 00,600,266 | ---- | M] () -- D:\Windows\System32\perfh009.dat
[2009/04/19 15:29:58 | 00,105,772 | ---- | M] () -- D:\Windows\System32\perfc009.dat
[2009/04/19 15:13:01 | 00,000,006 | -H-- | M] () -- D:\Windows\tasks\SA.DAT
[2009/04/19 15:12:55 | 00,067,584 | --S- | M] () -- D:\Windows\bootstat.dat
[2009/04/19 11:19:45 | 04,253,963 | -H-- | M] () -- D:\Users\Martin\AppData\Local\IconCache.db
[2009/04/19 11:03:33 | 00,000,394 | -H-- | M] () -- D:\Windows\tasks\User_Feed_Synchronization-{1FE75B64-8298-4D79-B25D-27EB3AF04F19}.job
[2009/04/19 09:50:49 | 00,583,920 | ---- | M] () -- D:\Users\Martin\Desktop\KIF_0161.JPG
[2009/04/19 09:50:33 | 00,562,019 | ---- | M] () -- D:\Users\Martin\Desktop\KIF_0162.JPG
[2009/04/12 09:41:16 | 00,000,004 | ---- | M] () -- D:\Windows\csdf.bak
[2009/04/10 18:17:05 | 00,000,004 | ---- | M] () -- D:\Windows\csdf_sdum.dat
[2009/04/03 12:18:10 | 00,040,464 | ---- | M] (COMODO Security Solutions Inc.) -- D:\Windows\System32\drivers\csdf.sys
[2009/04/03 12:17:04 | 00,037,904 | ---- | M] (COMODO Security Solutions Inc.) -- D:\Windows\System32\drivers\crpf.sys
[2009/04/03 12:16:20 | 00,007,928 | ---- | M] (COMODO Security Solutions Inc.) -- D:\Windows\System32\cnat.exe
[2009/03/29 21:34:32 | 00,076,406 | ---- | M] () -- D:\Users\Martin\Desktop\p901_01_jpg_400.jpg
[2009/03/29 16:28:28 | 00,001,239 | RH-- | M] () -- D:\Windows\EPMBatch.ept
[2009/03/29 15:54:12 | 00,000,011 | ---- | M] () -- D:\Windows\EuBcd.ini
[2009/03/24 12:03:08 | 00,007,808 | ---- | M] (Secunia) -- D:\Windows\System32\drivers\psi_mf.sys
 

jamboy

  • Guest
Re: win32:rootkit-gen(rtk) and win32:trojan-gen (other)
« Reply #17 on: April 20, 2009, 08:08:46 PM »
***

An analysis of your second HJT log shows little to worry about. Only one thing of note.

We didn't detect any active process of a firewall on your system.
Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend that you use a firewall.

I suppose you are using Windows firewall?

Otherwise, a good HJT log.


***

Yeah, I only have Windows Firewall on this computer. Does anyone know of a good free firewall? And are y'all saying this computer is fine now?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: win32:rootkit-gen(rtk) and win32:trojan-gen (other)
« Reply #18 on: April 20, 2009, 08:19:11 PM »
Does anyone know of a good free firewall? And are y'all saying this computer is fine now?
1. Online Armor
2. PC Tools
3. Comodo
4. ZoneAlarm
The best things in life are free.