I'm back again with the results, and again my heartiest thanks to you for your help.
While the SUPERAntiSpyware scan was being done, I got some virus pop-up alerts from avast for the Rootkit-gen adware/virus. This is the first time it has happened since we started this exercise working on the PC.
About the terrible state of the PC, wow, I am shocked. It was that bad, huh? I don't recall trying to perform any transaction since the PC was down, since I was barely able to log on to the net. I may have logged onto my bank account (which is always empty except for payday) but that's it, until yesterday I think. After I did the SDFix and fully got back my internet connection, I went online and may have logged onto other bank accounts and/or credit cards. Would that count as being in danger still? Otherwise, I have a file on my PC where I store the dozens of different passwords I use on these websites... please tell me that the files were not "copyable" or "readable" by these pathogens.
What good program can I use to monitor my system tray and turn off stuff that I don't want to start automatically? I've always used msconfig but only recently I am finding out that this is not the ideal route to take.
Here are the SUPERAntiSpyware and a new HJT log. Why is that Rootkit-gen crap so hard to get rid of? Drats!
Anyway, thanks again and I am looking forward to your response.
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
Generated 08/03/2008 at 03:04 PM
Application Version : 4.15.1000
Core Rules Database Version : 3524
Trace Rules Database Version: 1514
Scan type : Complete Scan
Total Scan Time : 01:07:58
Memory items scanned : 423
Memory threats detected : 0
Registry items scanned : 8963
Registry threats detected : 9
File items scanned : 29670
File threats detected : 45
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}
HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}
HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}\InprocServer32
HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}\InprocServer32#ThreadingModel
HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}\ProgID
Adware.MyWebSearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
Adware.Tracking Cookie
C:\Documents and Settings\Jabur\Cookies\jabur@208.122.40[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@serve.clickbooth[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@advertising[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@media.vlzserver[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@bs.serving-sys[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@imageads3.googleadservices[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@forcefinder[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@kontera[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@scanner.vav-scan[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@findwhat[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@questionmarket[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@directtrack[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@tremor.adbureau[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@revenue[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@realmedia[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@ads.vlaze[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@bgtpartners.112.2o7[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@stopzilla[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@tribalfusion[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@ads.techguy[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@bluestreak[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@global-clicks[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@ads.monster[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@statcounter[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@imageads3.googleadservices[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@specificclick[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@zedo[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@www.stopzilla[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@angleinteractive.directtrack[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@ads.addynamix[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@revsci[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@atdmt[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@rotator.adjuggler[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@insightexpressai[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@msnportal.112.2o7[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@adopt.specificclick[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@trafficmp[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@bgu.directtrack[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@casalemedia[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@cache.trafficmp[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@doubleclick[1].txt
C:\Documents and Settings\Jabur\Cookies\jabur@ad.yieldmanager[2].txt
C:\Documents and Settings\Jabur\Cookies\jabur@serving-sys[1].txt
Worm.Rbot Variant
C:\WINDOWS\INSTALLER\{8E3CC782-7FBD-4D02-A470-C0510280EC02}\IE.EXE
Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\STUTV.INI
-------------------------+++++++++++++++++------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:53 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {F15AFE86-B573-405A-A335-74108BB1DC4C} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mpt] c:\WINDOWS\system32\mpt.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: BlackPlanet.com - Login
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148914635156
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://webcam.florida.scripps.edu/activex/AMC.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmkhgge - pmkhgge.dll (file missing)
O20 - Winlogon Notify: yayaxvs - yayaxvs.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - http://pictures.sprintpcs.com/mmps/R...,255,1,0,0,0,0
O24 - Desktop Component 2: (no name) - Google
--
End of file - 11399 bytes
Thanks again!!
Au Revoir