Chiarne
asked on
Unable to Remove Rootkit in MBR
Hi,
I've been trying to remove a stubborn infection in the MBR on a PC. The OS is Windows XP Home, SP2. I've tried running Gmer and mbr.exe with no success. The mbr log is as follows:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x4c50135 size 0x1fd !
copy of MBR has been found in sector 62 !
I've tried the following in both normal mode and safe modes, where possible:
- run Eset Smart Security and Malwarebytes scans and nothing detected
- fixmbr in recovery console
- Combofix
- SDFix
- NOD32 DOS scan
ComboFix log:
ComboFix 08-09-28.03 - Lynette 2008-09-30 10:42:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT 10:00]
Running from: C:\Documents and Settings\Lynette\Desktop\ComboFix\ComboFix.exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\dcstds3.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.
2008-09-30 09:20 . 2008-09-30 09:20 <DIR> d-------- C:\Program Files\ESET
2008-09-30 09:04 . 2008-09-30 08:35 66,048 --a------ C:\mbr.exe
2008-09-30 08:35 . 2008-09-30 10:17 250 --a------ C:\WINDOWS\gmer.ini
2008-09-29 21:47 . 2008-09-30 09:08 <DIR> d-------- C:\Program Files\TDS3
2008-09-29 20:39 . 2008-09-30 10:42 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-09-29 20:20 . 2008-09-29 20:22 5,251,072 --a------ C:\WINDOWS\sectest.db
2008-09-29 19:49 . 2008-09-29 19:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-09-29 19:49 . 2008-09-29 19:49 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-29 19:21 . 2008-09-30 09:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-29 19:21 . 2008-09-29 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-29 18:09 . 2008-09-29 18:09 <DIR> d-------- C:\Program Files\PrevxCSI
2008-09-29 18:09 . 2008-09-30 09:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-09-29 18:09 . 2008-09-29 18:09 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-09-29 17:02 . 2008-09-29 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-29 15:57 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-09-29 15:57 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-09-29 15:57 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-09-29 15:57 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-09-29 15:57 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-09-29 15:56 . 2008-09-30 09:14 <DIR> d-------- C:\Program Files\Trojan Remover
2008-09-29 15:26 . 2008-09-29 15:26 <DIR> d-------- C:\Documents and Settings\Lynette\Application Data\ESET
2008-09-29 15:01 . 2008-09-29 15:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-29 14:59 . 2008-09-29 14:59 2,740 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-29 14:58 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-09-29 14:58 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-09-29 14:58 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-29 14:58 . 2008-09-02 16:51 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-09-29 14:58 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-09-29 14:58 . 2008-08-28 22:36 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-09-29 14:58 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-09-29 14:58 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-09-29 14:58 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-09-29 14:58 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe.vir
2008-09-29 14:17 . 2008-09-29 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-09-29 11:38 . 2008-09-29 11:38 <DIR> d-------- C:\Documents and Settings\Lynette\Application Data\Malwarebytes
2008-09-29 11:37 . 2008-09-29 11:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-29 11:37 . 2008-09-29 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-29 11:37 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-29 11:37 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-17 03:08 --------- d-----w C:\Documents and Settings\Lynette\Application Data\MSN6
2008-09-02 02:34 --------- d-----w C:\Documents and Settings\Lynette\Application Data\U3
2008-08-22 23:26 --------- d-----w C:\Documents and Settings\Lynette\Application Data\AdobeUM
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 12:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 12:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2006-12-11 01:56 21,408 ----a-w C:\Documents and Settings\Lynette\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( snapshot@2008-09-29_19.00.54.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-29 23:44:43 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-09-29 23:44:37 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2007-07-12 23:31:54 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2008-09-29 11:29:41 10,134 ----a-r C:\WINDOWS\Installer\{FBF09842-EB7F-4BC2-BD32-DDE2572B2195}\callmsi.exe
+ 2008-09-29 11:29:41 140,544 ----a-r C:\WINDOWS\Installer\{FBF09842-EB7F-4BC2-BD32-DDE2572B2195}\egui.exe
- 2007-08-13 08:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2008-05-27 17:23:58 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2008-06-30 22:56:22 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
+ 2008-06-30 23:04:34 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
+ 2008-06-30 23:04:38 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
+ 2008-09-29 23:44:43 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2008-09-29 03:49:22 125,320 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-09-29 10:38:54 125,320 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2003-06-11 08:05:07 32,768 ----a-w C:\WINDOWS\system32\tds3shl.dll
+ 1999-01-12 05:19:12 195,584 ----a-w C:\WINDOWS\system32\xvoice.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-03 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-29 4620288]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-10-29 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 229376]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-07-01 1447168]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2004-10-29 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 443968]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-07 180224]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-09-29 17408]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-09-29 618040]
S3 KLSIENET;Driver for USB Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\usb101et.sys [2004-08-03 32384]
S3 STAC97NA;SigmaTel 3D Environmental Audio;C:\WINDOWS\system32\drivers\stac97na.sys [2002-09-20 296179]
S3 STAC97NH;STAC97NH;C:\WINDOWS\system32\drivers\stac97nh.sys [2002-09-20 231983]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09af1e79-0b42-11dc-8bda-000129fd70fc}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O18 -: Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 10:46:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-30 10:55:39
ComboFix-quarantined-files.txt 2008-09-30 00:55:14
ComboFix2.txt 2008-09-29 09:01:48
Pre-Run: 4,947,554,304 bytes free
Post-Run: 5,022,281,728 bytes free
169 --- E O F --- 2008-09-29 17:02:51
------------------------------------------------------------------------------------------------------------------
Is there any way to kill this thing without performing a clean reinstall?
Regards
Chiarne
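The mbr.exe output quoted above reports two sector numbers: flagged code at sector 0x4c50135 and a copy of the MBR at sector 62. The Python below is an added example, not part of the original post and not GMER's code. It parses those two lines and then checks them against a raw disk image: whether sector 0 and the copy both end in the 55AA signature, whether their 440-byte boot code and their partition tables match, and whether the flagged sector lies inside any partition or in the unallocated space beyond them. The disk image, its single partition entry and the boot-code bytes are constructed for the demonstration; on a real case the input would be the first sectors of an image of the physical drive, acquired from a boot medium other than the infected installation.

```python
import hashlib
import re
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 of the MBR: the boot code (the part fixmbr rewrites)
PART_TABLE_OFFSET = 446      # four 16-byte partition entries at 446..509
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Constructed sample input: the mbr.exe lines quoted in the post above.
SAMPLE_MBR_LOG = """\
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x4c50135 size 0x1fd !
copy of MBR has been found in sector 62 !
"""

_CODE_RE = re.compile(r"malicious code @ sector (0x[0-9a-fA-F]+) size (0x[0-9a-fA-F]+)")
_COPY_RE = re.compile(r"copy of MBR has been found in sector (\d+)")


@dataclass
class MbrFindings:
    mbr_ok: bool = False                 # "user & kernel MBR OK": both reads of sector 0 agree
    code_sector: Optional[int] = None    # LBA of the flagged code
    code_size: Optional[int] = None      # its length in bytes
    backup_sector: Optional[int] = None  # LBA where the tool found a copy of the MBR


def parse_mbr_log(text: str) -> MbrFindings:
    """Extract the sector numbers from mbr.exe output so they can be checked on disk."""
    f = MbrFindings()
    for line in text.splitlines():
        if line.strip() == "user & kernel MBR OK":
            f.mbr_ok = True
        m = _CODE_RE.search(line)
        if m:
            f.code_sector, f.code_size = int(m.group(1), 16), int(m.group(2), 16)
        m = _COPY_RE.search(line)
        if m:
            f.backup_sector = int(m.group(1))
    return f


def partitions(mbr: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (first_lba, last_lba) for every populated partition-table entry."""
    for i in range(4):
        entry = mbr[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", entry, 8)   # LBA start and sector count
        if entry[4] != 0 and count:                           # byte 4 is the type; 0 means unused
            yield start, start + count - 1


def sector_in_partition(mbr: bytes, sector: int) -> bool:
    return any(lo <= sector <= hi for lo, hi in partitions(mbr))


def compare_with_backup(image: bytes, backup_sector: int) -> Dict[str, object]:
    """Compare sector 0 with the backup copy: signatures, boot code and partition table."""
    mbr = image[:SECTOR_SIZE]
    backup = image[backup_sector * SECTOR_SIZE:(backup_sector + 1) * SECTOR_SIZE]
    return {
        "sector0_signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "backup_signature_ok": backup[510:512] == MBR_SIGNATURE,
        "boot_code_identical": mbr[:BOOT_CODE_LEN] == backup[:BOOT_CODE_LEN],
        "partition_table_identical": mbr[PART_TABLE_OFFSET:510] == backup[PART_TABLE_OFFSET:510],
        "sector0_bootcode_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "backup_bootcode_sha256": hashlib.sha256(backup[:BOOT_CODE_LEN]).hexdigest(),
    }


def triage(log_text: str, image: bytes) -> Dict[str, object]:
    """Tie the tool's findings to the image: where the flagged bytes are and how sector 0 compares."""
    f = parse_mbr_log(log_text)
    report: Dict[str, object] = {"mbr_ok_per_tool": f.mbr_ok}
    if f.backup_sector is not None:
        report["backup"] = compare_with_backup(image, f.backup_sector)
    if f.code_sector is not None:
        report["code_byte_offset"] = f.code_sector * SECTOR_SIZE
        report["code_inside_partition"] = sector_in_partition(image[:SECTOR_SIZE], f.code_sector)
    return report


def build_test_image(backup_sector: int = 62) -> bytes:
    """Constructed image (not a real disk): clean MBR at the backup sector, altered boot code at sector 0."""
    filler = b"\x90" * BOOT_CODE_LEN                                   # NOP padding, not real boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 0x4C50000)
    clean = filler + b"\x00" * 6 + entry + b"\x00" * 48 + MBR_SIGNATURE
    assert len(clean) == SECTOR_SIZE
    tampered = b"\xcc" * BOOT_CODE_LEN + clean[BOOT_CODE_LEN:]         # same table, different boot code
    image = bytearray(SECTOR_SIZE * (backup_sector + 1))
    image[:SECTOR_SIZE] = tampered
    image[backup_sector * SECTOR_SIZE:] = clean
    return bytes(image)


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MBR_LOG, build_test_image()).items():
        print(f"{key}: {value}")
```

Two fields in the report matter for deciding what to do next. `partition_table_identical` says whether the copy at sector 62 is a usable reference for the table (fixmbr rewrites only the boot code and leaves the table alone, which is why a clean sector 0 and a still-flagged high sector can coexist). `code_inside_partition` says whether the flagged bytes sit outside every file system, where the file-based scanners listed in the post do not look; the constructed layout places the flagged sector past the end of the only partition, as the large sector number in the log suggests.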
ASKER
Hi smittyboom,
The Trojan Remover scan came up empty. HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22:28, on 30/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
E:\Spyware\Trojan Remover\TrojanRemover_setup_v6.7.2.exe
C:\DOCUME~1\Lynette\LOCALS~1\Temp\is-J1S87.tmp\TrojanRemover_setup_v6.7.2.tmp
C:\Program Files\Trojan Remover\trupd.exe
E:\Spyware\Hijack This and CW Shredder\HiJackThis_v.2.0.2.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://renee090.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164140555102
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownload Control Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE9D8CA0-ED6D-4FFA-A5BF-75681788D335}: Domain = nsw.bigpond.net.au
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EHttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 8484 bytes
Regards
Chiarne
The Trojan Remover scan came up empty. HijackThis log:
It looks surprisingly clean.
You may want to remove this line. I went to this website and it doesn't look like you should have this.
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
I would also try this:
http://onecare.live.com/site/en-us/default.htm
www.dcsresearch.com is a search engine.
You can look at the google search if you desire.
http://www.google.com/search?hl=en&q=www.dcsresearch.com&aq=f&oq=
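Whether a hosts-file entry like the O1 line above is benign depends on where it points: sinkhole addresses (0.0.0.0, 127.0.0.1) and LAN addresses are the usual legitimate cases, while a public name pinned to a public IP bypasses DNS entirely and is worth confirming against the name's real DNS answer before deciding. The script below is an added example for this thread, not part of HijackThis or any tool mentioned here; it parses plain hosts-file lines as well as HijackThis "O1 - Hosts:" lines and reports the entries that deserve a closer look. The sample lines are constructed for the demo, apart from the O1 line quoted from the log.

```python
"""Review hosts-file style entries, including HijackThis "O1 - Hosts:" lines.

Added example for this thread (not a HijackThis or ESET component).
"""

import ipaddress
import re

# HijackThis prefixes hosts-file entries with "O1 - Hosts:" in its log.
_HJT_PREFIX = re.compile(r"^O1\s*-\s*Hosts:\s*", re.IGNORECASE)


def classify_ip(ip_text: str) -> str:
    """Bucket an address by what a hosts entry pointing at it usually means."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip.is_unspecified:
        return "unspecified"   # 0.0.0.0 / :: sinkhole, typical of ad-block lists
    if ip.is_loopback:
        return "loopback"      # 127.0.0.1 / ::1, also a sinkhole
    if ip.is_link_local:
        return "link_local"
    if ip.is_private:
        return "private"       # LAN hosts, usually legitimate
    if ip.is_global:
        return "public"        # pins a name to an Internet address, bypassing DNS
    return "other"


def parse_hosts_line(line: str):
    """Return (ip, [hostnames]) for one entry, or None for blanks and comments."""
    line = _HJT_PREFIX.sub("", line.strip())
    line = line.split("#", 1)[0].strip()   # drop trailing comments
    if not line:
        return None
    parts = line.split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1:]


def review_hosts(lines):
    """Return a list of findings for entries that deserve a closer look."""
    findings = []
    for raw in lines:
        parsed = parse_hosts_line(raw)
        if parsed is None:
            continue
        ip, names = parsed
        kind = classify_ip(ip)
        for name in names:
            if kind == "public":
                findings.append({"hostname": name, "ip": ip,
                                 "reason": "name pinned to a public address; "
                                           "confirm it matches the DNS answer"})
            elif kind == "invalid":
                findings.append({"hostname": name, "ip": ip,
                                 "reason": "malformed address"})
            elif name.lower() == "localhost" and kind != "loopback":
                findings.append({"hostname": name, "ip": ip,
                                 "reason": "localhost redirected away from loopback"})
    return findings


# Constructed sample; only the O1 line is taken from the thread's log.
SAMPLE_LINES = [
    "# constructed hosts file for the demo",
    "127.0.0.1       localhost",
    "0.0.0.0         ads.example.net   # ad-block style sinkhole",
    "192.168.1.10    printer.lan",
    "O1 - Hosts: 203.161.127.141 www.dcsresearch.com",
]

if __name__ == "__main__":
    for f in review_hosts(SAMPLE_LINES):
        print(f"{f['hostname']:<25} -> {f['ip']:<16} {f['reason']}")
```

Run against the sample, only the www.dcsresearch.com entry is reported; the sinkhole and LAN entries pass. The check is deliberately conservative: it tells you which lines to verify (for instance by resolving the name through a trusted resolver and comparing), it does not by itself say an entry is malicious.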
smittyboom,
From what I know (too damned little), that line is harmless - and based on what the Asker has already run (and posted) the problem is going to be much deeper than an HJT fix.
I am more concerned about your recommendation (Make sure Windows is up to date except for service pack 3.) that you made and wonder why you would tell someone not to load SP3?
If you would like to handle this problem then i will leave this question alone.
You are right, it is a harmless line, so there is no problem with deleting it. The reason that I stated the SP3 comment is because I do not know anything else about the user's system, and if I was to make the comment of adding SP3 and the user has an AMD processor or SP3 caused any other issues (they are all over this website as well as every other technical website) then I will not be held responsible. I am not going to tell the user to put SP3 on this machine and then explain to the user why it is caught in an endless reboot or goes to a BSOD. The comments I made will have no adverse effects on the PC and that was my intention. If you would like to suggest the SP3 then feel free to.
smittyboom,
I think you misunderstood my question.
I learn a lot more on this site (from other Experts) than I teach every day.
You've only been posting in earnest for a couple of weeks, but Experts 'cross-post' all the time around here - trying to learn from each other.
My personal attitude toward SP's is to never be in the first wave of those who install it, but I've been running it regularly for the past couple of months and haven't found any conflicts/problems yet.
(Also - you should never feel 'run-off' from a question on EE. This site is all about collaboration and all of us helping each other.)
Copy MBR.exe to C:\Windows folder
Click Start>Run
Type in mbr.exe -f
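The mbr.exe log in the question reports "user & kernel MBR OK" and "copy of MBR has been found in sector 62": the tool reads sector 0 once from user mode and once from kernel mode, compares the two, and also compares them with a saved copy of the MBR, which is what `mbr.exe -f` restores from. The script below is an added example for this thread, not Gmer's code, showing the shape of that comparison on raw sector data: the boot code is hashed, the partition table is diffed, and the 0x55AA signature is checked. The sample sectors are constructed (the "boot code" is a placeholder string, not executable code).

```python
"""Parse a 512-byte MBR and diff it against a backup copy of the sector.

Added example for this thread, not code from Gmer's mbr.exe. All sample
bytes are constructed; the boot-code fields are placeholder text.
"""

import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446            # partition table starts here
PT_ENTRY_SIZE = 16         # four 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"


def read_sector(path: str, lba: int) -> bytes:
    """Read one sector from a raw disk image (e.g. a dd image)."""
    with open(path, "rb") as fh:
        fh.seek(lba * SECTOR_SIZE)
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash, the used partition entries and signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY_SIZE
        # status(1) chs_start(3, skipped) type(1) chs_end(3, skipped) lba(4) count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(live: bytes, backup: bytes) -> dict:
    """Compare the live sector 0 with a saved copy.

    A bootkit typically swaps the boot code but keeps the partition table so
    the OS still boots; that pattern shows up here as boot_code_differs True
    with partition_table_same True."""
    a, b = parse_mbr(live), parse_mbr(backup)
    return {
        "boot_code_differs": a["boot_code_sha256"] != b["boot_code_sha256"],
        "partition_table_same": live[PT_OFFSET:510] == backup[PT_OFFSET:510],
        "signature_ok": a["signature_ok"] and b["signature_ok"],
    }


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sample sector for the demo (constructed test data)."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for status, ptype, lba, count in partitions)
    table = table.ljust(4 * PT_ENTRY_SIZE, b"\0")
    return boot_code.ljust(PT_OFFSET, b"\0") + table + BOOT_SIGNATURE


# Constructed stand-ins: placeholder text, chosen only so the two hashes differ.
CLEAN_BOOT_CODE = b"CLEAN-BOOT-CODE-SAMPLE"
PATCHED_BOOT_CODE = b"PATCHED-BOOT-CODE-SAMPLE"
PARTITIONS = [(0x80, 0x07, 63, 1_000_000)]      # one bootable NTFS-type entry
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
PATCHED_MBR = build_mbr(PATCHED_BOOT_CODE, PARTITIONS)

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print("clean vs backup  :", compare_mbr(CLEAN_MBR, CLEAN_MBR))
    print("patched vs backup:", compare_mbr(PATCHED_MBR, CLEAN_MBR))
```

`read_sector` is meant for a disk image taken from the machine; used on the live system from user mode it would read through the same I/O path a kernel-mode rootkit can hook, which is exactly why mbr.exe does a second read from kernel mode and reports both. A mismatch between the two reads, or a boot-code hash that differs from the saved copy while the partition table is identical, is the pattern to look for; after `mbr.exe -f` the live sector and the copy should compare equal again, as the asker's later ESET Mebroot Remover run confirmed.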
ASKER
Hi rpggamergirl,
Since my last posting I have run ESET Mebroot Remover and it has not detected any infection. This confirms your statement that the MBR rootkit is gone.
This was my first close encounter with a rootkit infection and probably not my last. The line "malicious code at sector..." in the GMER report raised a few flags of concern. Being a newbie at this I jumped to the conclusion that the infection was not totally cleaned and/or still active. Since this is a customer's computer I needed confirmation that the infection was no longer active.
Thanks for your detailed answer. Problem solved.
Regards
Chiarne
>>> The line "malicious code at sector..." in the GMER report raised a few flags of concern. <<<
That's understandable. It's only natural for anyone to be concerned when they see that line in Gmer's log.
If you still have that pc, you might like to uninstall combofix.
Go to Start > Run and copy and paste the next command in the field:
ComboFix /u
The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.
Thanks!
Also use HiJackThis and post the logfile in a reply.
Make sure Windows is up to date except for service pack 3.