27-06-2009, 01:08 PM
bir_25
[Active] Persistent Win32:Rootkit-gen (Rtk)

This malware has blocked my avast protection, including the boot-time scanner. It has disabled Regedit, Task Manager, unhiding of files, Safe Mode boot, etc. Only after running the latest MBAM and restarting the PC is avast protection able to run; it then notifies me of Win32:Rootkit-gen (Rtk) and identifies it as a rootkit. My PC is crashing frequently with an error titled "GENERIC HOST PROCESS FOR WIN32 SERVICES".

First HijackThis log:
--------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:50 PM, on 6/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbtfuty.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkuxjgh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThise.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Archive
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD82BFDE-F7A3-44E7-9B0D-81EEA9F6F16D}: NameServer = 218.248.255.162 218.248.255.194
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe LM Service AdobeHidServ (AdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Application Layer Gateway Service ALGlanmanserverWmi (ALGlanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Windows Audio AudioSrvRemoteAccess (AudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvScheduleThemesose (AudioSrvScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvUPSWZCSVC (AudioSrvUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: avast! Web Scanner avast!lanmanserverWmiNetDDE (avast!lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Logical Disk Manager Administrative Service dmadminSCardSvr (dmadminSCardSvr) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager dmserverBITS (dmserverBITS) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcNtLmSsp (ERSvcNtLmSsp) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcRemoteRegistryAdobeHidServ (ERSvcRemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Event Log EventlogDhcp (EventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: COM+ Event System EventSystemWZCSVC (EventSystemWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Server lanmanserverWmi (lanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: Server lanmanserverWmi lanmanserverWmiNetDDE (lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsAudioSrvRemoteAccess (LmHostsAudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsMSIServerRemoteRegistry (LmHostsMSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry (MSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry MSIServerRemoteRegistryRemoteAccess (MSIServerRemoteRegistryRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: MUXRXROEG (muxrxroeg) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe (file missing)
O23 - Service: Network DDE NetDDEAppMgmt (NetDDEAppMgmt) - Unknown owner - .exe (file missing)
O23 - Service: Network DDE DSDM NetDDEdsdmFastUserSwitchingCompatibility (NetDDEdsdmFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonNetDDEdsdm (NetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonW32Time (NetlogonW32Time) - Unknown owner - .exe (file missing)
O23 - Service: Plug and Play PlugPlayThemes (PlugPlayThemes) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryAdobeHidServ (RemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryMSIServer (RemoteRegistryMSIServer) - Unknown owner - .exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsWmiApSrv (RpcSsWmiApSrv) - Unknown owner - C:\WINDOWS\system32\icsxmlo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsxmlprov (RpcSsxmlprov) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPTermService (RSVPTermService) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPUPSWZCSVC (RSVPUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes (ScheduleThemes) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes ScheduleThemesose (ScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Print Spooler SpoolerNetlogonNetDDEdsdm (SpoolerNetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Telephony TapiSrvLmHosts (TapiSrvLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: Terminal Services TermServiceUMWdf (TermServiceUMWdf) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSThemes (UPSThemes) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC (UPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp (UPSWZCSVCWmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Windows Time W32TimeHTTPFilter (W32TimeHTTPFilter) - Unknown owner - .exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvEventlogDhcp (WmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Wireless Zero Configuration WZCSVCMSIServer (WZCSVCMSIServer) - Unknown owner - .exe (file missing)

--
End of file - 8401 bytes

--------------------------------------------------------------------------------
After doing the MBAM full scan, the log is:
--------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.38
Database version: 2340
Windows 5.1.2600 Service Pack 2

6/27/2009 4:37:17 PM
mbam-log-2009-06-27 (16-37-17).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 184723
Time elapsed: 24 minute(s), 13 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 90
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\winbtfuty.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\winkuxjgh.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASecurityCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\winbtfuty.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\winkuxjgh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\system volume information\_restore{5b7aa32f-a0d6-4edf-a767-1db4335bf422}\RP1\A0000274.exe (Spyware.Agent) -> Quarantined and deleted successfully.
d:\system volume information\_restore{5b7aa32f-a0d6-4edf-a767-1db4335bf422}\RP1\A0000690.exe (Spyware.Agent) -> Quarantined and deleted successfully.
d:\f\pastedesktop\Mcl\Softw\CP_Setup.exe (Spyware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
c:\documents and settings\Administrator\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------
After restarting, the HijackThis log is:
--------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:20 PM, on 6/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThise.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Archive
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe LM Service AdobeHidServ (AdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Application Layer Gateway Service ALGlanmanserverWmi (ALGlanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Windows Audio AudioSrvRemoteAccess (AudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvScheduleThemesose (AudioSrvScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvUPSWZCSVC (AudioSrvUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: avast! Web Scanner avast!lanmanserverWmiNetDDE (avast!lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Logical Disk Manager Administrative Service dmadminSCardSvr (dmadminSCardSvr) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager dmserverBITS (dmserverBITS) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcNtLmSsp (ERSvcNtLmSsp) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcRemoteRegistryAdobeHidServ (ERSvcRemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Event Log EventlogDhcp (EventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: COM+ Event System EventSystemWZCSVC (EventSystemWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Server lanmanserverWmi (lanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: Server lanmanserverWmi lanmanserverWmiNetDDE (lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsAudioSrvRemoteAccess (LmHostsAudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsMSIServerRemoteRegistry (LmHostsMSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry (MSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry MSIServerRemoteRegistryRemoteAccess (MSIServerRemoteRegistryRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: MUXRXROEG (muxrxroeg) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe (file missing)
O23 - Service: Network DDE NetDDEAppMgmt (NetDDEAppMgmt) - Unknown owner - .exe (file missing)
O23 - Service: Network DDE DSDM NetDDEdsdmFastUserSwitchingCompatibility (NetDDEdsdmFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonNetDDEdsdm (NetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonW32Time (NetlogonW32Time) - Unknown owner - .exe (file missing)
O23 - Service: Plug and Play PlugPlayThemes (PlugPlayThemes) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryAdobeHidServ (RemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryMSIServer (RemoteRegistryMSIServer) - Unknown owner - .exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsWmiApSrv (RpcSsWmiApSrv) - Unknown owner - C:\WINDOWS\system32\icsxmlo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsxmlprov (RpcSsxmlprov) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPTermService (RSVPTermService) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPUPSWZCSVC (RSVPUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes (ScheduleThemes) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes ScheduleThemesose (ScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Print Spooler SpoolerNetlogonNetDDEdsdm (SpoolerNetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Telephony TapiSrvLmHosts (TapiSrvLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: Terminal Services TermServiceUMWdf (TermServiceUMWdf) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSThemes (UPSThemes) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC (UPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp (UPSWZCSVCWmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Windows Time W32TimeHTTPFilter (W32TimeHTTPFilter) - Unknown owner - .exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvEventlogDhcp (WmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Wireless Zero Configuration WZCSVCMSIServer (WZCSVCMSIServer) - Unknown owner - .exe (file missing)

--
End of file - 8260 bytes
--------------------------------------------------------------------------------------------------------------
Only in this session does avast run and show the Win32:Rootkit-gen (Rtk). Deleting it or moving it to the Chest only calms avast. After this session ends, the same problem persists again, i.e. avast gets blocked, and MBAM again detects those registry hijacks and other items.
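The two HijackThis logs above show the persistence that survives the MBAM clean-up: dozens of O23 services whose short names are legitimate Windows XP service names glued together (AudioSrv+RemoteAccess, UPS+WZCSVC+WmiApSrv+Eventlog+Dhcp, ...), almost all pointing at a binary that no longer exists, plus one (RpcSsWmiApSrv) that still has a binary on disk, and an O7 policy restriction on Regedit. The script below is an added example written for this page, not code from the poster or from any of the tools in the thread. It triages a HijackThis log for exactly those markers. The service vocabulary is a hand-picked subset of XP service short names (an assumption, not an exhaustive list), the name-decomposition rule is a heuristic of my own, and the sample lines are copied from the second log in the post.

```python
"""Triage a HijackThis log for the service-persistence markers seen in this thread.

Editor's example, not code from the original post. XP_SERVICES is a subset of
Windows XP service short names (assumption); SAMPLE_LOG is copied from the post.
"""
import re

# Short names of services that ship with Windows XP (subset; assumption).
# The malware in the thread manufactures new service names by gluing these together.
XP_SERVICES = {
    "ALG", "AppMgmt", "AudioSrv", "BITS", "Dhcp", "dmadmin", "dmserver",
    "ERSvc", "Eventlog", "EventSystem", "FastUserSwitchingCompatibility",
    "HidServ", "HTTPFilter", "lanmanserver", "LmHosts", "MSIServer",
    "NetDDE", "NetDDEdsdm", "Netlogon", "NtLmSsp", "ose", "PlugPlay",
    "RemoteAccess", "RemoteRegistry", "RpcSs", "RSVP", "SCardSvr",
    "Schedule", "Spooler", "TapiSrv", "TermService", "Themes", "UMWdf",
    "UPS", "W32Time", "Wmi", "WmiApSrv", "wuauserv", "WZCSVC", "xmlprov",
}

# O23 - Service: <display> (<short>) - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O7 - <policy key>, <value name>=<data>
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<name>\w+)=(?P<data>\S+)$")


def parse_o23(line):
    """Split one O23 line into its fields, or return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m["display"],
        "short": m["short"] or m["display"],  # HJT omits (short) when it equals display
        "owner": m["owner"],
        "path": m["path"],
        "missing": m["missing"] is not None,
    }


def decompose(name, vocab=XP_SERVICES):
    """Return the known service names that, concatenated, spell `name` ([] if none).

    A genuine service decomposes into exactly one part (itself); a name that
    needs two or more parts was manufactured from legitimate names.
    """
    if name in vocab:
        return [name]
    for part in sorted(vocab, key=len, reverse=True):  # longest prefix first
        if name.startswith(part):
            rest = decompose(name[len(part):], vocab)
            if rest:
                return [part] + rest
    return []


def triage(lines, vocab=XP_SERVICES):
    """Return (name, [reasons]) for every O7/O23 line that deserves a closer look."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O7_RE.match(line)
        if m:
            findings.append((m["name"], [f"Explorer policy restriction set: {m['name']}={m['data']}"]))
            continue
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        if svc["missing"]:
            reasons.append("service binary missing on disk (the registry entry is what persists)")
        if "\\temp\\" in svc["path"].lower():
            reasons.append("service binary lives under a Temp directory")
        parts = decompose(svc["short"], vocab)
        if len(parts) > 1:
            reasons.append("name built from legitimate service names: " + "+".join(parts))
        if reasons:
            findings.append((svc["short"], reasons))
    return findings


# Constructed sample input: lines copied from the post's second HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Audio AudioSrvRemoteAccess (AudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: MUXRXROEG (muxrxroeg) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) RpcSsWmiApSrv (RpcSsWmiApSrv) - Unknown owner - C:\WINDOWS\system32\icsxmlo.exe
O23 - Service: Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp (UPSWZCSVCWmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG.splitlines()):
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the full log it reports every concatenated-name service and, more usefully, singles out RpcSsWmiApSrv as the only one of them whose binary (C:\WINDOWS\system32\icsxmlo.exe) is still present, which is the file to copy off the machine before deleting anything. The phantom services with no binary are pure registry persistence under HKLM\SYSTEM\CurrentControlSet\Services and are not touched by a file scan, which is consistent with the poster seeing the same entries in both logs. The MBAM log's Image File Execution Options keys are the other half of the blocking behaviour: a Debugger value under such a key makes Windows launch that "debugger" instead of the named program, so every tool in that list (including HijackThis.exe, hence the renamed HijackThise.exe in the process list) silently fails to start. On the affected box, `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger` lists any such values that have come back after a reboot.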