[Active] Persistent Win32:Rootkit-gen (Rtk)

#21
30-06-2009, 10:33 PM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,272
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\FOUND.000
C:\FOUND.051
C:\FOUND.050
C:\FOUND.049
c:\windows\system32\drivers\lhllpn.sys


Folder::

Driver::
abp470n5
AdobeHidServ
ALGlanmanserverWmi
AudioSrvRemoteAccess
AudioSrvScheduleThemesose
AudioSrvUPSWZCSVC
avast!lanmanserverWmiNetDDE
dmadminSCardSvr
dmserverBITS
ERSvcNtLmSsp
ERSvcRemoteRegistryAdobeHidServ
EventlogDhcp
EventSystemWZCSVC
lanmanserverWmi
lanmanserverWmiNetDDE
LmHostsAudioSrvRemoteAccess
LmHostsMSIServerRemoteRegistry
MSIServerRemoteRegistry
MSIServerRemoteRegistryRemoteAccess
NetDDEAppMgmt
NetDDEdsdmFastUserSwitchingCompatibility
NetlogonNetDDEdsdm
NetlogonW32Time
PlugPlayThemes
RemoteRegistryAdobeHidServ
RemoteRegistryMSIServer
RpcSsxmlprov
RSVPTermService
RSVPUPSWZCSVC
ScheduleThemes
ScheduleThemesose
SpoolerNetlogonNetDDEdsdm
TapiSrvLmHosts
TermServiceUMWdf


Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AdobeHidServ]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALGlanmanserverWmi]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvRemoteAccess]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvScheduleThemesose]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvUPSWZCSVC]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\avast!lanmanserverWmiNetDDE]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmadminSCardSvr]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmserverBITS]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ERSvcNtLmSsp]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ERSvcRemoteRegistryAdobeHidServ]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EventlogDhcp]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EventSystemWZCSVC]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserverWmi]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserverWmiNetDDE]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LmHostsAudioSrvRemoteAccess]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LmHostsMSIServerRemoteRegistry]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSIServerRemoteRegistry]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSIServerRemoteRegistryRemoteAccess]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetDDEAppMgmt]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetDDEdsdmFastUserSwitchingCompatibility]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetlogonNetDDEdsdm]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetlogonW32Time]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PlugPlayThemes]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RemoteRegistryAdobeHidServ]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RemoteRegistryMSIServer]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RpcSsxmlprov]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RSVPTermService]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RSVPUPSWZCSVC]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ScheduleThemes]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ScheduleThemesose]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SpoolerNetlogonNetDDEdsdm]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TapiSrvLmHosts]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TermServiceUMWdf]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSThemes]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSWZCSVC]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSWZCSVCWmiApSrvEventlogDhcp]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\W32TimeHTTPFilter]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WmiApSrvEventlogDhcp]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WZCSVCMSIServer]

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.
#22
01-07-2009, 04:59 PM
bir_25
D-A-L Newbie
Join Date: Jun 2009
Posts: 19
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

Combofix log
-------------------------------------------------------------------------------------------
ComboFix 09-06-29.04 - Administrator 07/01/2009 13:09.6 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126.22 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090526-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"C:\FOUND.000"
"C:\FOUND.049"
"C:\FOUND.050"
"C:\FOUND.051"
"c:\windows\system32\drivers\lhllpn.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Legacy_ADOBEHIDSERV
-------\Legacy_ALGLANMANSERVERWMI
-------\Legacy_AUDIOSRVREMOTEACCESS
-------\Legacy_AUDIOSRVSCHEDULETHEMESOSE
-------\Legacy_AUDIOSRVUPSWZCSVC
-------\Legacy_AVAST!LANMANSERVERWMINETDDE
-------\Legacy_DMADMINSCARDSVR
-------\Legacy_DMSERVERBITS
-------\Legacy_ERSVCNTLMSSP
-------\Legacy_ERSVCREMOTEREGISTRYADOBEHIDSERV
-------\Legacy_EVENTLOGDHCP
-------\Legacy_EVENTSYSTEMWZCSVC
-------\Legacy_LANMANSERVERWMI
-------\Legacy_LANMANSERVERWMINETDDE
-------\Legacy_LMHOSTSAUDIOSRVREMOTEACCESS
-------\Legacy_LMHOSTSMSISERVERREMOTEREGISTRY
-------\Legacy_MSISERVERREMOTEREGISTRY
-------\Legacy_MSISERVERREMOTEREGISTRYREMOTEACCESS
-------\Legacy_NETDDEAPPMGMT
-------\Legacy_NETDDEDSDMFASTUSERSWITCHINGCOMPATIBILITY
-------\Legacy_NETLOGONNETDDEDSDM
-------\Legacy_NETLOGONW32TIME
-------\Legacy_PLUGPLAYTHEMES
-------\Legacy_REMOTEREGISTRYADOBEHIDSERV
-------\Legacy_REMOTEREGISTRYMSISERVER
-------\Legacy_RPCSSXMLPROV
-------\Legacy_RSVPTERMSERVICE
-------\Legacy_RSVPUPSWZCSVC
-------\Legacy_SCHEDULETHEMES
-------\Legacy_SCHEDULETHEMESOSE
-------\Legacy_SPOOLERNETLOGONNETDDEDSDM
-------\Legacy_TAPISRVLMHOSTS
-------\Legacy_TERMSERVICEUMWDF
-------\Service_abp470n5
-------\Service_EventSystemWZCSVC


((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-30 19:11 . 2009-06-30 19:11 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-30 18:37 . 2009-06-30 18:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-06-30 18:36 . 2009-03-13 15:05 2567647 ----a-w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}\Uniblue RegistryBooster.exe
2009-06-30 18:36 . 2009-06-30 18:36 -------- d-----w- c:\program files\Uniblue
2009-06-30 18:36 . 2008-08-26 16:48 757760 ----a-w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\2B86F085\6383BC9B\UBVarRB.dll
2009-06-30 18:36 . 2008-08-26 16:48 6676480 ----a-w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\4E45A1A4\6383BC9B\RegistryBooster.dll
2009-06-30 18:36 . 2008-08-26 16:48 497496 ----a-w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\AF01B0B\6383BC9B\XceedZip.dll
2009-06-30 18:36 . 2008-08-26 16:48 413696 ----a-w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\52CD59C9\6383BC9B\update.dll
2009-06-30 18:36 . 2008-08-26 16:48 2089256 ----a-w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\7CE1607E\6383BC9B\RegistryBooster.exe
2009-06-30 18:36 . 2008-08-26 16:48 181544 ----a-w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\65B92A91\6383BC9B\KillRBProcess.exe
2009-06-30 18:36 . 2008-08-26 16:48 169256 ----a-w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\7390E4F0\6383BC9B\StartRegistryBooster.exe
2009-06-30 18:36 . 2009-06-30 18:36 -------- d--h--w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-06-30 17:10 . 2009-06-30 17:14 109 --sha-w- c:\windows\system32\2016862369.dat
2009-06-30 12:06 . 2009-06-30 12:06 180224 ----a-w- c:\windows\system32\WinVd32.sys
2009-06-30 12:06 . 2009-06-30 12:06 7680 ----a-w- c:\windows\system32\WinFLsrv.exe
2009-06-30 12:06 . 2009-06-30 12:06 10752 ----a-w- c:\windows\system32\WinFLdrv.sys
2009-06-30 12:06 . 2009-06-30 12:06 -------- d-----w- c:\program files\Folder Lock 6
2009-06-29 17:29 . 2009-06-29 17:29 -------- d-sh--w- C:\FOUND.051
2009-06-29 15:43 . 2009-06-29 15:43 -------- d-sh--w- C:\FOUND.050
2009-06-29 14:56 . 2009-06-29 14:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-29 14:56 . 2009-06-29 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 07:57 . 2009-06-29 07:57 -------- d-sh--w- C:\FOUND.049
2009-06-27 09:13 . 2009-06-27 09:13 3631375 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-26 16:33 . 2009-06-26 16:33 -------- d--h--w- c:\windows\$hf_mig$
2009-06-08 14:41 . 2009-06-08 14:41 -------- d-----w- c:\program files\Mario Forever Toolbar
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\program files\Winamp
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 11:57 . 2008-01-28 09:56 35363 ----a-w- c:\windows\system32\windrvNT.sys
2009-06-30 11:55 . 2008-01-28 09:57 2154 ----a-w- C:\sccfg.sys
2009-06-28 07:50 . 2008-01-09 15:32 499712 ----a-w- c:\windows\system32\igfxtray.exe
2009-06-25 05:55 . 2008-05-16 10:32 60 ----a-w- c:\windows\wpd99.drv
2009-06-17 05:57 . 2009-05-27 16:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 05:57 . 2009-05-27 16:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 14:58 . 2009-05-28 06:44 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\98348586
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\18338594
2009-05-28 06:41 . 2009-05-28 06:41 -------- d-----w- c:\program files\Greatis
2009-05-27 19:07 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-27 18:21 . 2009-05-27 18:21 -------- d--h--w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-25 18:06 . 2009-05-25 18:06 -------- d-----w- c:\program files\Trend Micro
2009-05-18 16:58 . 2008-01-09 15:40 37952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 14:36 . 2009-05-12 14:36 -------- d-----w- c:\program files\PublicSoft
2009-05-12 08:43 . 2009-05-12 08:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fast Torrent
2009-05-08 08:49 . 2009-05-08 08:49 -------- d-----w- c:\program files\WinDjView
2009-05-07 15:46 . 2009-05-07 15:45 162816 ----a-w- c:\windows\system32\fmod.dll
2009-05-07 15:20 . 2009-05-07 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-07 15:11 . 2009-05-07 15:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
.

((((((((((((((((((((((((((((( SnapShot@2009-06-30_06.12.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-01 08:17 . 2009-07-01 08:17 16384 c:\windows\temp\Perflib_Perfdata_1ec.dat
+ 2008-06-09 04:54 . 2009-06-30 17:15 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-06-09 04:54 . 2008-06-09 18:55 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-02-23 17:17 . 1999-11-10 06:35 163840 c:\windows\unvise32qt.exe
+ 2008-01-09 15:32 . 2002-09-08 18:35 192512 c:\windows\system32\hkcmd.exe
- 2008-06-09 04:54 . 2008-06-09 18:55 196608 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-09 04:54 . 2009-06-30 17:15 196608 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-09 04:54 . 2009-06-30 17:15 147456 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-09 04:54 . 2008-06-09 18:55 147456 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-28 499712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-09-08 192512]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-04-24 132608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\hkcmd.exe"= c:\\WINDOWS\\system32\\hkcmd.exe
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"e:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Trend Micro\\HijackThis\\HijackThise.exe"=
"e:\\Program Files\\Mario Forever\\Mario Forever.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
"c:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"=
"e:\\spybotsd162.exe"=
"c:\\Program Files\\Uniblue\\RegistryBooster\\RegistryBooster.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo

R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [6/30/2009 5:36 PM 10752]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [1/9/2008 9:10 PM 18004]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [3/30/2009 2:47 PM 48896]
S3 regguard;RegGuard;c:\windows\system32\drivers\regguard.sys [5/28/2009 12:14 PM 29584]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-31 16:14]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)
SafeBoot-Gmr30.sys
SafeBoot-Winag17.sys
SafeBoot-Winag28.sys
SafeBoot-Winag40.sys
SafeBoot-Winag51.sys
SafeBoot-Winag62.sys
SafeBoot-Winag84.sys
SafeBoot-Winci05.sys
SafeBoot-Winci84.sys
SafeBoot-Windj30.sys
SafeBoot-Windj51.sys
SafeBoot-Winek17.sys
SafeBoot-Winfl27.sys
SafeBoot-Winfl38.sys
SafeBoot-Winfl40.sys
SafeBoot-Winfl74.sys
SafeBoot-Wingm17.sys
SafeBoot-Wingm38.sys
SafeBoot-Wingm84.sys
SafeBoot-Winhn73.sys
SafeBoot-Winhn84.sys
SafeBoot-Winio84.sys
SafeBoot-Winkq06.sys
SafeBoot-Winkq17.sys
SafeBoot-Winkq62.sys
SafeBoot-Winms05.sys
SafeBoot-Winms16.sys
SafeBoot-Winms27.sys
SafeBoot-Winms28.sys
SafeBoot-Winnt38.sys
SafeBoot-Winnt51.sys
SafeBoot-Winou40.sys
SafeBoot-Winou51.sys
SafeBoot-Winou74.sys
SafeBoot-Winpv73.sys
SafeBoot-Winpw51.sys
SafeBoot-Winqw16.sys
SafeBoot-Winqw62.sys
SafeBoot-Winrx07.sys
SafeBoot-Winrx16.sys
SafeBoot-Winrx17.sys
SafeBoot-Winrx74.sys
SafeBoot-Winsy06.sys
SafeBoot-Winsy16.sys
SafeBoot-Winsy17.sys
SafeBoot-Winsy27.sys
SafeBoot-Winsy38.sys
SafeBoot-Winsy51.sys
SafeBoot-Winsy73.sys
SafeBoot-Winta40.sys
SafeBoot-Winta84.sys
SafeBoot-Winta85.sys
SafeBoot-Wintb17.sys
SafeBoot-Winub73.sys
SafeBoot-Winvc27.sys
SafeBoot-Winvc38.sys
SafeBoot-Winvc63.sys
SafeBoot-Winwd06.sys
SafeBoot-Winwd51.sys
SafeBoot-Winwd62.sys
SafeBoot-Winxe16.sys
SafeBoot-Winxe17.sys
SafeBoot-Winxe30.sys
SafeBoot-Winxe73.sys
SafeBoot-Winxf28.sys
SafeBoot-Winyf16.sys
SafeBoot-Winyf38.sys


.
------- Supplementary Scan -------
.
uStart Page = nnnnnhxxp://www.orissalinks.com/archive
IE: Download all with Free Download Manager - file://e:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://e:\program files\Free Download Manager\dlselected.htm
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vyi0rjd6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=Ehu&q=displacement+current+filetype%3Aswf&btnG=Search&meta=
FF - component: e:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-01 13:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\sys_drv.dat 8192 bytes
c:\windows\system32\sys_drv_2.dat 8192 bytes
c:\documents and settings\Administrator\Application Data\systemfl.$dk 8192 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1700)
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-07-01 13:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-01 08:20
ComboFix2.txt 2009-06-30 16:54
ComboFix3.txt 2009-06-30 06:19
ComboFix4.txt 2009-06-28 18:42

Pre-Run: 3,656,482,816 bytes free
Post-Run: 3,661,594,624 bytes free

304
-------------------------------------------------------------------------------------------
HJTlog after cfix operation
-------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:04 PM, on 7/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThise.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = nnnnnhttp://www.orissalinks.com/archive
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD82BFDE-F7A3-44E7-9B0D-81EEA9F6F16D}: NameServer = 218.248.255.162 218.248.255.194
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 3160 bytes
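The names ComboFix listed under "Drivers/Services" in the log above (ALGlanmanserverWmi, ERSvcNtLmSsp, NetDDEdsdmFastUserSwitchingCompatibility, ...) are legitimate Windows service names glued together, which is what lets them pass a quick look through the Services list. As an added example, not ComboFix's code and not part of the helper's instructions, the script below reads those log lines and splits each name into known service names, reporting a concatenation when two or more fit; LEGIT_SERVICES is a constructed subset of Windows XP service key names and should be replaced by the examined machine's own Services key names.

```python
"""Spot service names built by gluing legitimate Windows service names together,
as in the 'Drivers/Services' section of the ComboFix log above
(lanmanserverWmi, ERSvcNtLmSsp, NetlogonW32Time, ...).

Added example for this thread; not ComboFix code and not part of the helper's
instructions. LEGIT_SERVICES is a constructed subset of Windows XP service key
names (plus 'ose', the Office Source Engine); replace it with the real names
from HKLM\\System\\CurrentControlSet\\Services on the machine being examined.
"""
from functools import lru_cache
from typing import Dict, List, Optional, Tuple

LEGIT_SERVICES = frozenset({
    "alg", "appmgmt", "audiosrv", "bits", "dhcp", "dmadmin", "dmserver", "ersvc",
    "eventlog", "eventsystem", "fastuserswitchingcompatibility", "httpfilter",
    "lanmanserver", "lmhosts", "msiserver", "netdde", "netddedsdm", "netlogon",
    "ntlmssp", "ose", "plugplay", "remoteaccess", "remoteregistry", "rpcss", "rsvp",
    "scardsvr", "schedule", "spooler", "tapisrv", "termservice", "themes", "umwdf",
    "ups", "w32time", "wmi", "wmiapsrv", "wzcsvc", "xmlprov",
})

# Constructed excerpt: seven lines copied from the log posted above (ComboFix
# upper-cases Legacy_ entries) plus one legitimate service added for contrast.
SAMPLE_LOG = """\
-------\\Legacy_ABP470N5
-------\\Legacy_ALGLANMANSERVERWMI
-------\\Legacy_AUDIOSRVSCHEDULETHEMESOSE
-------\\Legacy_ERSVCNTLMSSP
-------\\Legacy_NETDDEDSDMFASTUSERSWITCHINGCOMPATIBILITY
-------\\Legacy_REMOTEREGISTRYADOBEHIDSERV
-------\\Service_EventSystemWZCSVC
-------\\Legacy_SPOOLER
"""

LINE_PREFIX = "-------\\"


def segment(name: str, vocab: frozenset) -> Optional[List[str]]:
    """Split `name` completely into vocabulary words, preferring the fewest
    parts; None if some stretch of the name matches nothing in the vocabulary."""

    @lru_cache(maxsize=None)
    def best(pos: int) -> Optional[Tuple[str, ...]]:
        if pos == len(name):
            return ()
        options = []
        for word in vocab:
            if name.startswith(word, pos):
                rest = best(pos + len(word))
                if rest is not None:
                    options.append((word,) + rest)
        return min(options, key=lambda o: (len(o), o)) if options else None

    parts = best(0)
    return list(parts) if parts is not None else None


def classify(service_name: str, vocab: frozenset = LEGIT_SERVICES) -> Tuple[str, Optional[List[str]]]:
    """'legit' for a known name, 'concatenation' for two or more known names
    glued together, else 'unknown' (random names such as abp470n5, and names
    that only partly match, such as RemoteRegistry + AdobeHidServ, land here)."""
    key = service_name.lower()
    if key in vocab:
        return "legit", [key]
    parts = segment(key, vocab)
    if parts is not None and len(parts) >= 2:
        return "concatenation", parts
    return "unknown", None


def parse_services_section(log_text: str) -> List[Tuple[str, str]]:
    """Return (kind, name) for each '-------\\Legacy_X' / '-------\\Service_X' line."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith(LINE_PREFIX):
            continue
        kind, _, name = line[len(LINE_PREFIX):].partition("_")
        if name:
            entries.append((kind, name))
    return entries


def triage(log_text: str, vocab: frozenset = LEGIT_SERVICES) -> Dict[str, Tuple[str, Optional[List[str]]]]:
    """Map every service name in the section to its classification."""
    return {name: classify(name, vocab) for _, name in parse_services_section(log_text)}


if __name__ == "__main__":
    for name, (verdict, parts) in triage(SAMPLE_LOG).items():
        print(f"{verdict:13s} {name:45s} {' + '.join(parts) if parts else '-'}")
```

A name that only partly segments (RemoteRegistryAdobeHidServ) is reported as unknown rather than as a concatenation, because the unmatched tail is itself the part worth investigating.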
#23
01-07-2009, 11:36 PM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,272
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

It looks much better. So far, I doubt we're dealing with Virut here, but let's make sure.

Upload the following files to VirusTotal - Free Online Virus and Malware Scan for a security check:
- explorer.exe located @ C:\Windows
- userinit.exe and svchost.exe located @ C:\Windows\System32

=============================================================

Please uninstall Uniblue Registry Booster. Playing with the registry means nothing but trouble.

============================================================

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\FOUND.051
C:\FOUND.050
C:\FOUND.049
c:\windows\system32\sys_drv.dat
c:\windows\system32\sys_drv_2.dat
c:\documents and settings\Administrator\Application Data\systemfl.$dk

Folder::

Driver::

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.
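The log in post #22 shows DisableTaskMgr and DisableRegistryTools set to 1 under the policies\system keys (the values the Registry:: section above deletes with "Name"=-), next to Security Center notifications and the Windows Firewall switched off. As an added example, not ComboFix's code and not the helper's, the script below parses the REGEDIT4-style "Reg Loading Points" section, flags those values, and renders the deletion lines for the policy restrictions in the form used above; the indicator table is constructed from the values seen in this thread.

```python
"""Flag security-control tampering in the 'Reg Loading Points' section of a
ComboFix log and render the matching CFScript 'Registry::' deletions.
Added example for this thread, not ComboFix code; the indicator table is
constructed from the values seen in the log posted earlier in the thread."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed excerpt of the posted log.  ComboFix prints DWORDs two ways,
# `"Name"= 1 (0x1)` and `"Name"=dword:00000001`, and both must be handled.
SAMPLE_LOG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"IgfxTray"="c:\\windows\\system32\\igfxtray.exe" [2009-06-28 499712]

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\\.default\\software\\microsoft\\windows\\currentversion\\policies\\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# (key suffix, value name, bad DWORD) -> (what it switches off, reset by deleting?).
# Only the Explorer policy restrictions are deleted automatically; Security Center
# and firewall values are reported for review, since some AV products set them.
INDICATORS = {
    ("policies\\system", "disabletaskmgr", 1): ("Task Manager blocked", True),
    ("policies\\system", "disableregistrytools", 1): ("Registry Editor blocked", True),
    ("security center", "antivirusdisablenotify", 1): ("AV warnings silenced", False),
    ("security center", "firewalldisablenotify", 1): ("Firewall warnings silenced", False),
    ("firewallpolicy\\standardprofile", "enablefirewall", 0): ("Windows Firewall off", False),
}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')


def parse_dword(raw: str) -> Optional[int]:
    """Decode either DWORD spelling; None for strings, paths and other types."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    return int(m.group(1)) if m else None


def iter_values(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value name, raw value) for every value under a [key] header."""
    key = None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                yield key, m.group("name"), m.group("raw")


def find_indicators(log_text: str) -> List[Tuple[str, str, str, bool]]:
    """Return (key, value name, description, deletable) for each flagged value."""
    hits = []
    for key, name, raw in iter_values(log_text):
        dword = parse_dword(raw)
        if dword is None:
            continue
        for (suffix, vname, bad), (why, deletable) in INDICATORS.items():
            if name.lower() == vname and dword == bad and key.lower().endswith(suffix):
                hits.append((key, name, why, deletable))
    return hits


def cfscript_registry_section(hits: List[Tuple[str, str, str, bool]]) -> str:
    """Render `"Name"=-` deletions, grouped under their key, for deletable hits;
    this is the form the Registry:: section of the CFScript above uses."""
    by_key: Dict[str, List[str]] = {}
    for key, name, _, deletable in hits:
        if deletable:
            by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for key, name, why, _ in found:
        print(f"{why:28s} {key}\\{name}")
    print()
    print(cfscript_registry_section(found))
```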
#24
02-07-2009, 03:57 PM
bir_25
D-A-L Newbie
Join Date: Jun 2009
Posts: 19
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

http://superkan619.110mb.com/files.zip

If possible, please get them scanned, because the malware isn't letting me open virustotal.com.
Due to unavoidable circumstances, I am also unable to get to a cyber cafe.
#25
02-07-2009, 11:12 PM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,272
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

I uploaded your files, and the report is clean, so this is good news.

Proceed to next steps.
#26
03-07-2009, 05:56 AM
bir_25
D-A-L Newbie
Join Date: Jun 2009
Posts: 19
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

Thank you very much, sir.
#27
03-07-2009, 06:01 AM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,272
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

You're welcome
#28
03-07-2009, 11:15 AM
bir_25
D-A-L Newbie
Join Date: Jun 2009
Posts: 19
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

Uninstalled Registrybooster
=========================================

Cfix log
_____________________________________________________

ComboFix 09-06-29.04 - Administrator 07/03/2009 10:35.8 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126.35 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090526-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\documents and settings\Administrator\Application Data\systemfl.$dk"
"C:\FOUND.049"
"C:\FOUND.050"
"C:\FOUND.051"
"c:\windows\system32\sys_drv.dat"
"c:\windows\system32\sys_drv_2.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\systemfl.$dk
c:\windows\clofghls.dll
c:\windows\system32\sys_drv.dat
c:\windows\system32\sys_drv_2.dat

.
((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-02 10:50 . 1996-08-19 13:43 41472 ----a-w- c:\windows\system32\RashProp.dll
2009-07-02 10:50 . 1996-08-19 13:43 132096 ----a-w- c:\windows\system32\RashIcon.dll
2009-07-02 10:50 . 1995-06-01 01:41 28672 ----a-w- c:\windows\system32\AWEMan32.dll
2009-07-01 20:13 . 2009-07-01 20:13 -------- d-sh--w- C:\FOUND.001
2009-07-01 12:52 . 2009-07-01 12:52 -------- d-sh--w- C:\FOUND.000
2009-06-30 19:11 . 2009-06-30 19:11 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-30 18:37 . 2009-06-30 18:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-06-30 17:10 . 2009-06-30 17:14 109 --sha-w- c:\windows\system32\2016862369.dat
2009-06-30 12:06 . 2009-06-30 12:06 180224 ----a-w- c:\windows\system32\WinVd32.sys
2009-06-30 12:06 . 2009-06-30 12:06 7680 ----a-w- c:\windows\system32\WinFLsrv.exe
2009-06-30 12:06 . 2009-06-30 12:06 10752 ----a-w- c:\windows\system32\WinFLdrv.sys
2009-06-30 12:06 . 2009-06-30 12:06 -------- d-----w- c:\program files\Folder Lock 6
2009-06-29 17:29 . 2009-06-29 17:29 -------- d-sh--w- C:\FOUND.051
2009-06-29 15:43 . 2009-06-29 15:43 -------- d-sh--w- C:\FOUND.050
2009-06-29 14:56 . 2009-06-29 14:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-29 14:56 . 2009-06-29 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 07:57 . 2009-06-29 07:57 -------- d-sh--w- C:\FOUND.049
2009-06-27 09:13 . 2009-06-27 09:13 3631375 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-26 16:33 . 2009-06-26 16:33 -------- d--h--w- c:\windows\$hf_mig$
2009-06-08 14:41 . 2009-06-08 14:41 -------- d-----w- c:\program files\Mario Forever Toolbar
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\program files\Winamp
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 11:57 . 2008-01-28 09:56 35363 ----a-w- c:\windows\system32\windrvNT.sys
2009-06-30 11:55 . 2008-01-28 09:57 2154 ----a-w- C:\sccfg.sys
2009-06-28 07:50 . 2008-01-09 15:32 499712 ----a-w- c:\windows\system32\igfxtray.exe
2009-06-25 05:55 . 2008-05-16 10:32 60 ----a-w- c:\windows\wpd99.drv
2009-06-17 05:57 . 2009-05-27 16:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 05:57 . 2009-05-27 16:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 14:58 . 2009-05-28 06:44 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\98348586
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\18338594
2009-05-28 06:41 . 2009-05-28 06:41 -------- d-----w- c:\program files\Greatis
2009-05-27 19:07 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-27 18:21 . 2009-05-27 18:21 -------- d--h--w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-25 18:06 . 2009-05-25 18:06 -------- d-----w- c:\program files\Trend Micro
2009-05-18 16:58 . 2008-01-09 15:40 37952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 14:36 . 2009-05-12 14:36 -------- d-----w- c:\program files\PublicSoft
2009-05-12 08:43 . 2009-05-12 08:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fast Torrent
2009-05-08 08:49 . 2009-05-08 08:49 -------- d-----w- c:\program files\WinDjView
2009-05-07 15:46 . 2009-05-07 15:45 162816 ----a-w- c:\windows\system32\fmod.dll
2009-05-07 15:20 . 2009-05-07 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-07 15:11 . 2009-05-07 15:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
.

((((((((((((((((((((((((((((( SnapShot@2009-06-30_06.12.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-03 15:39 . 2009-01-03 15:54 89102 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-07-02 15:41 . 2009-07-02 15:41 89102 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-06-09 04:54 . 2009-06-30 17:15 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-06-09 04:54 . 2008-06-09 18:55 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-02-23 17:17 . 1999-11-10 06:35 163840 c:\windows\unvise32qt.exe
+ 2008-01-15 04:41 . 2008-01-15 04:41 437255 c:\windows\system32\mioengine.exe
+ 2009-02-03 02:07 . 2009-02-03 02:07 240544 c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2008-01-09 15:32 . 2002-09-08 18:35 192512 c:\windows\system32\hkcmd.exe
+ 2008-06-09 04:54 . 2009-06-30 17:15 196608 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-09 04:54 . 2008-06-09 18:55 196608 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-09 04:54 . 2009-06-30 17:15 147456 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-09 04:54 . 2008-06-09 18:55 147456 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-02 12:37 . 2009-02-02 12:37 1988168 c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-28 499712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-09-08 192512]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-04-24 132608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\hkcmd.exe"= c:\\WINDOWS\\system32\\hkcmd.exe
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"e:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Trend Micro\\HijackThis\\HijackThise.exe"=
"e:\\Program Files\\Mario Forever\\Mario Forever.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
"c:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"=
"e:\\spybotsd162.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\ComboFix.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo

R3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\DRIVERS\PhSerUsb.sys [2006-06-29 48896]
R3 regguard;regguard;c:\windows\system32\Drivers\regguard.sys [2009-05-30 29584]
S2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2009-06-30 10752]
S3 abp470n5;abp470n5;c:\windows\system32\drivers\lhllpn.sys [x]
S3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\DRIVERS\slnt.sys [2003-11-20 18004]

.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-31 16:14]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = nnnnnhxxp://www.orissalinks.com/archive
IE: Download all with Free Download Manager - file://e:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://e:\program files\Free Download Manager\dlselected.htm
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vyi0rjd6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=Ehu&q=displacement+current+filetype%3Aswf&btnG=Search&meta=
FF - component: e:\program files\Mozilla Firefox\components\xpinstal.dll
.

************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-03 10:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
Completion time: 2009-07-03 11:05
ComboFix-quarantined-files.txt 2009-07-03 05:35
ComboFix2.txt 2009-07-01 19:56
ComboFix3.txt 2009-07-01 08:20
ComboFix4.txt 2009-06-30 16:54
ComboFix5.txt 2009-07-03 05:04

Pre-Run: 3,049,357,312 bytes free
Post-Run: 3,146,489,856 bytes free

180

--------------------------------------------------------------------------
HJT log
--------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:51 AM, on 7/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThise.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = nnnnnhttp://www.orissalinks.com/archive
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 3004 bytes
------------------------------------------------------------------------------

Task Manager and regedit are enabled just after the c'fix operation, but a short time afterwards they become disabled again. Error messages still continue to pop up.
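As an added example (not part of the post above or of ComboFix itself), a small Python checker that reads the "Reg Loading Points" and driver lines of a ComboFix log in the format pasted above and flags what a defender should notice in it: Security Center Override/DisableNotify values set to 1, the standard-profile firewall switched off, globally opened ports, a disabled on-access scanner, and services whose driver file is missing ([x]). The sample log lines are constructed after this post's log and the function and category names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the ComboFix log posted above (not the full log).
SAMPLE_LOG = r"""
AV: avast! antivirus 4.8.1335 [VPS 090526-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo

S2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2009-06-30 10752]
S3 abp470n5;abp470n5;c:\windows\system32\drivers\lhllpn.sys [x]
"""

DWORD_VALUE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')      # "Name"=dword:00000001
FIREWALL_VALUE = re.compile(r'^"EnableFirewall"=\s*(\d+)')         # "EnableFirewall"= 0 (0x0)
PORT_VALUE = re.compile(r'^"(\d+:(?:TCP|UDP))"=')                   # "53:UDP"= 53:UDP:Promo
SERVICE_LINE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$')  # S3 name;display;path [x]


def audit_combofix_log(text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings; the order follows the log."""
    findings: List[Tuple[str, str]] = []
    key = ""  # registry key (lower-cased) that the following "Name"=value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if "*on-access scanning disabled*" in line.lower():
            findings.append(("av-realtime-off", line.split("[", 1)[0].strip()))
            continue
        m = DWORD_VALUE.match(line)
        if m and "security center" in key:
            name, val = m.group(1), int(m.group(2), 16)
            # Override/DisableNotify = 1 silences the Security Center's AV/firewall/update warnings.
            if val != 0 and (name.endswith("Override") or name.endswith("DisableNotify")):
                findings.append(("security-center-tamper", f"{name}={val} in {key}"))
            continue
        m = FIREWALL_VALUE.match(line)
        if m and key.endswith("standardprofile") and m.group(1) == "0":
            findings.append(("firewall-off", key))
            continue
        m = PORT_VALUE.match(line)
        if m and key.endswith("globallyopenports\\list"):
            findings.append(("open-port", m.group(1)))
            continue
        m = SERVICE_LINE.match(line)
        if m and m.group(5) == "x":  # [x]: service registered but its file is gone
            findings.append(("service-file-missing", f"{m.group(2)} -> {m.group(4)}"))
    return findings


if __name__ == "__main__":
    for category, detail in audit_combofix_log(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```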
  #29 (permalink)  
Old 03-07-2009, 04:43 PM
broni's Avatar
Senior Member
 
Join Date: Nov 2004
Posts: 2,272
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\RashProp.dll
c:\windows\system32\RashIcon.dll
C:\FOUND.001
C:\FOUND.000
c:\windows\system32\WinFLsrv.exe
c:\windows\system32\WinFLdrv.sys
C:\FOUND.051
C:\FOUND.050
C:\FOUND.049
c:\windows\system32\windrvNT.sys
c:\windows\system32\drivers\lhllpn.sys

Folder::
c:\documents and settings\Administrator\Application Data\Uniblue

Driver::
abp470n5

Registry::

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
__________________
My Home Page
  #30 (permalink)  
Old 03-07-2009, 07:05 PM
Newbie
D-A-L Newbie
 
Join Date: Jun 2009
Posts: 19
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

c:\windows\system32\RashProp.dll
c:\windows\system32\RashIcon.dll


These are the files associated with the game ROADRASH [my only dose of recreation besides music, because everything else leads to a crash]. I installed it just before the previous CF scan. Below are the log results after removing these two from the script file, because I think CF will delete them. To save time I think it right to proceed without asking you. If you wish, I'll include them in the next scan, no problem at all.