Computer Juice forums > Computer Software > Virus, Spyware & Security

#1 - Nikronius (Member), 25th Aug 2008, 08:39 AM
Unknown Rootkit??

I have AVG 8.0 totally updated, and every time I run it, it tells me that I have a rootkit in c:/windows/system32/drivers/, which I tell the antivirus to remove. It "does" remove it, but it asks me to restart the computer.

I run the AV again and it finds the rootkit again, but this time with a different name... Can you guys help me out here??

I have also used Spybot Search & Destroy, but nothing helps.

The name of the rootkit at the moment is awhjlajx.SYS.

I tried Google, but of course nothing came up because those names are totally random...
#2 - evilfantasy (Moderator), 25th Aug 2008, 08:54 AM

Start here http://www.computer-juice.com/forums...-posting-7476/

Post the SAS, MBAM and HJT logs when complete and we will see what all else needs to be done.
#3 - Nikronius (Member), 25th Aug 2008, 01:51 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/25/2008 at 08:13 PM

Application Version : 4.20.1046

Core Rules Database Version : 3546
Trace Rules Database Version: 1535

Scan type : Complete Scan
Total Scan Time : 00:56:51

Memory items scanned : 438
Memory threats detected : 0
Registry items scanned : 4900
Registry threats detected : 0
File items scanned : 171231
File threats detected : 1

NotHarmful.Sysinternals Bluescreen Screen Saver
C:\WINDOWS\SYSTEM32\SYSINTERNALSBLUESCREEN.SCR


---------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.25
Database version: 1087
Windows 5.1.2600 Service Pack 2

22:12:53 25-Aug-08
mbam-log-08-25-2008 (22-12-53).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 118526
Time elapsed: 1 hour(s), 17 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:34:29, on 25-Aug-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Vuze\Azureus.exe
D:\Program Files\procexp.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
D:\Program Files\Tenable\Nessus\nessusd.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "D:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Shortcut to Azureus.lnk = D:\Program Files\Vuze\Azureus.exe
O4 - Startup: Shortcut to procexp.lnk = D:\Program Files\procexp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1218842829796
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: Tenable Nessus - Tenable Network Security - D:\Program Files\Tenable\Nessus\nessusd.exe

--
End of file - 4725 bytes

And still I get this:

#4 - evilfantasy (Moderator), 25th Aug 2008, 01:54 PM

Download ComboFix by sUBs from one of the links below. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
#5 - Nikronius (Member), 26th Aug 2008, 08:08 AM

ComboFix 08-08-25.01 - RaptorX 2008-08-26 17:58:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1464 [GMT 2:00]
Running from: C:\Documents and Settings\RaptorX\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-25 22:30 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-25 22:29 . 2008-08-25 22:30 <DIR> d-------- C:\Program Files\Java
2008-08-25 22:28 . 2008-08-25 22:28 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-25 19:25 . 2008-08-25 19:25 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Malwarebytes
2008-08-25 19:25 . 2008-08-25 19:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-25 19:10 . 2008-08-25 23:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-25 19:10 . 2008-08-25 23:54 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\SUPERAntiSpyware.com
2008-08-25 19:10 . 2008-08-25 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-24 22:11 . 2008-08-24 22:11 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Irssi
2008-08-24 21:08 . 2008-08-24 21:08 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\XemiComputers
2008-08-24 21:08 . 2008-08-24 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\XemiComputers
2008-08-23 13:45 . 2008-08-23 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-23 13:44 . 2008-08-23 13:44 1,641,109 --a------ C:\WINDOWS\WANEUninstaller.exe
2008-08-23 13:27 . 2008-08-23 13:29 <DIR> d-------- C:\Program Files\PS2 Rate Adjuster PLUS
2008-08-22 23:26 . 2008-08-22 23:26 381 --a------ C:\WINDOWS\runit.ini
2008-08-22 21:56 . 2008-08-22 21:56 19,562 --a------ C:\lsass.c
2008-08-22 20:53 . 2008-01-03 10:40 234,536 --a------ C:\WINDOWS\system32\psexec.exe
2008-08-22 18:40 . 2008-08-22 18:40 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\IndigoRose
2008-08-22 18:39 . 2008-08-22 18:39 <DIR> d-------- C:\WINDOWS\Setup Factory 8.0 Trial
2008-08-22 18:39 . 2008-08-22 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IndigoRose
2008-08-22 18:39 . 2008-08-22 18:39 0 --a------ C:\WINDOWS\SUF80Design.INI
2008-08-22 18:29 . 2004-08-03 23:14 52,736 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2008-08-22 17:58 . 2008-08-23 12:22 1,954 --a------ C:\Documents and Settings\RaptorX\Application Data\SAS7_000.DAT
2008-08-22 14:26 . 2008-08-22 14:26 <DIR> d--h----- C:\BJPrinter
2008-08-22 13:03 . 2008-08-26 00:04 30,120 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
2008-08-22 13:03 . 2008-08-26 00:04 30,120 --a------ C:\WINDOWS\system32\BMXState-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
2008-08-22 13:03 . 2008-08-26 00:04 27,408 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
2008-08-22 13:03 . 2008-08-26 00:04 27,408 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
2008-08-22 13:03 . 2008-08-26 00:04 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
2008-08-22 12:34 . 2004-08-03 23:08 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2008-08-22 12:32 . 2008-08-22 12:32 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Creative
2008-08-22 12:32 . 2008-08-22 18:26 4,958,588 --a------ C:\WINDOWS\{00000000-00000000-00000008-00001102-00000004-00511102}.CDF
2008-08-22 12:32 . 2008-08-22 12:32 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-08-22 12:32 . 2003-02-28 18:26 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2008-08-22 12:32 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-08-22 12:32 . 2008-08-22 12:32 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-08-22 12:32 . 2006-11-14 07:28 86,016 --a------ C:\WINDOWS\system32\cttele.dll
2008-08-22 12:31 . 2008-08-22 12:31 <DIR> d-------- C:\WINDOWS\system32\data
2008-08-22 12:31 . 2003-02-28 18:26 172,304 --a------ C:\WINDOWS\system32\jview.exe
2008-08-22 12:31 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2008-08-22 12:28 . 2004-08-03 23:10 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-08-22 12:28 . 2004-08-03 23:10 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-08-22 12:28 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-08-21 20:41 . 2008-08-22 14:21 24,735 --a------ C:\streamcomplete
2008-08-21 16:46 . 2008-08-26 13:02 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-21 16:46 . 2008-08-21 16:46 <DIR> d-------- C:\Program Files\AVG
2008-08-21 16:46 . 2008-08-21 16:46 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-21 16:46 . 2008-08-21 16:46 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-21 16:46 . 2008-08-21 16:46 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-21 16:46 . 2008-08-21 16:46 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-21 12:05 . 2008-08-21 12:07 262 --a------ C:\temp.pgn
2008-08-20 20:59 . 2008-08-20 20:59 <DIR> d-------- C:\Program Files\Web Publish
2008-08-20 20:59 . 2008-08-20 20:59 288 --a------ C:\WINDOWS\ODBC.INI
2008-08-20 20:59 . 2008-08-20 20:59 126 --a------ C:\WINDOWS\mdm.ini
2008-08-20 20:29 . 2008-08-20 20:29 <DIR> d-------- C:\Program Files\Bonjour
2008-08-20 20:23 . 2008-08-20 20:23 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-08-20 19:46 . 2008-08-22 21:51 <DIR> d-------- C:\dr
2008-08-20 14:46 . 2008-08-20 14:46 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-08-20 14:20 . 2008-08-20 19:38 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Samsung
2008-08-20 13:55 . 2008-08-20 13:55 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\PC Suite
2008-08-20 13:55 . 2008-08-20 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-08-20 13:54 . 2008-08-20 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-08-20 13:54 . 2007-05-02 15:31 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-08-20 01:40 . 2008-08-20 20:29 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-20 01:40 . 2008-08-20 01:40 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\AdobeUM
2008-08-20 00:30 . 2008-08-20 00:52 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\.msf3
2008-08-20 00:29 . 2008-08-20 00:30 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\msf3
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\UC.PIF
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\RAR.PIF
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\LHA.PIF
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\ARJ.PIF
2008-08-18 19:09 . 2008-08-18 19:09 63,833 --a------ C:\WINDOWS\system32\BlueScreen.zip
2008-08-18 16:30 . 2008-06-01 09:13 88,696 --a------ C:\WINDOWS\system32\_packet.dlluninstall
2008-08-18 16:04 . 2008-08-18 16:04 36,928 --a------ C:\WINDOWS\system32\drivers\pssdk41.sys
2008-08-18 04:00 . 2008-08-18 15:58 <DIR> d-------- C:\Documents and Settings\administrator
2008-08-18 01:50 . 2008-08-18 01:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-17 23:00 . 2008-08-17 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-17 22:59 . 2008-08-17 22:59 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-08-17 22:39 . 2008-08-19 06:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-17 19:48 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-17 19:48 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-17 19:48 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-17 19:47 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-08-17 19:46 . 2008-08-17 19:46 <DIR> d-------- C:\Program Files\Microsoft Works
2008-08-17 19:43 . 2008-08-17 19:43 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-08-17 19:43 . 2008-08-21 02:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-17 12:28 . 2008-08-17 12:28 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-08-17 12:09 . 2004-08-30 07:50 209,656 -ra------ C:\WINDOWS\system32\drivers\alcxnt.sys
2008-08-17 12:09 . 2004-08-30 07:50 43,128 -ra------ C:\WINDOWS\system32\alcxnt.dll
2008-08-17 12:05 . 2008-08-17 12:05 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-08-17 00:12 . 2008-08-17 12:07 169 --a------ C:\WINDOWS\RtlRack.ini
2008-08-17 00:01 . 2004-07-01 09:02 584 -r------- C:\WINDOWS\system32\drivers\alcxinit.dat
2008-08-16 23:37 . 2008-08-16 23:37 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\skypePM
2008-08-16 23:37 . 2008-08-16 23:37 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-08-16 23:34 . 2008-08-16 23:38 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Skype
2008-08-16 19:08 . 2008-08-16 19:31 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\JAM Software
2008-08-16 18:20 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-08-16 17:21 . 2008-08-26 18:00 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Azureus
2008-08-16 17:21 . 2008-08-16 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-08-16 17:20 . 2008-08-25 23:55 <DIR> d-------- C:\Program Files\MSECACHE
2008-08-16 16:29 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2008-08-16 16:22 . 2008-08-16 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-08-16 16:20 . 2008-08-23 21:46 <DIR> d-------- C:\WINDOWS\speech
2008-08-16 12:11 . 2008-08-25 19:10 172 --a------ C:\WINDOWS\wininit.ini
2008-08-16 02:34 . 2008-08-16 02:34 <DIR> d-------- C:\Program Files\Skype
2008-08-16 02:34 . 2008-08-16 02:34 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-16 02:33 . 2008-08-16 02:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-08-16 02:26 . 2008-08-16 11:40 <DIR> d-------- C:\Documents and Settings\RaptorX\Contacts
2008-08-16 02:25 . 2008-08-20 19:40 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-16 02:22 . 2008-08-18 16:45 <DIR> d-------- C:\Program Files\Windows Live
2008-08-16 02:22 . 2008-08-16 02:24 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-16 02:21 . 2008-08-16 02:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-16 02:21 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-16 02:06 . 2008-08-25 11:28 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-16 02:06 . 2008-08-26 00:03 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-16 01:59 . 2008-08-16 01:59 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2008-08-16 01:50 . 2008-08-16 02:04 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Winamp
2008-08-16 01:41 . 2008-08-16 11:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-16 01:40 . 2008-08-16 02:32 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-08-16 01:34 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-08-16 01:34 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-16 01:34 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 11:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 10:32 155,995 ----a-w C:\WINDOWS\java\Packages\RHZDBDZZ.ZIP
2008-08-19 05:26 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-08-15 18:33 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-01 07:13 88,696 ----a-w C:\WINDOWS\system32\Packet.dll
2008-06-01 07:13 68,224 ----a-w C:\WINDOWS\system32\WanPacket.dll
2008-06-01 07:13 53,299 ----a-w C:\WINDOWS\system32\pthreadVC.dll
2008-06-01 07:13 240,248 ----a-w C:\WINDOWS\system32\wpcap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 14:11 490952]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"Bandwidth Monitor Pro"="D:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" [2005-02-16 16:48 225280]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"Active Desktop Calendar"="D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2008-08-13 15:33 3780608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="D:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 06:15 15872]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-21 16:46 1235736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\RaptorX\Start Menu\Programs\Startup\
Shortcut to Azureus.lnk - D:\Program Files\Vuze\Azureus.exe [2008-08-16 17:16:37 254976]
Shortcut to procexp.lnk - D:\Program Files\procexp.exe [2008-08-16 17:13:30 3520552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DNS7reminder"="D:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"Windows"=C:\DOCUME~1\RaptorX\LOCALS~1\Temp\Setup_ver1.1400.0.exe
"CTxfiHlp"=CTXFIHLP.EXE
"CTHelper"=CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"D:\\Program Files\\Ubisoft\\Chessmaster Grandmaster Edition\\game.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-21 16:46]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-21 16:46]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-21 16:46]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-21 16:46]
R2 npf;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2008-06-01 09:13]
R2 Tenable Nessus;Tenable Nessus;D:\Program Files\Tenable\Nessus\nessusd.exe [2008-07-31 16:16]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 05:58]
S3 cpuz129;cpuz129;D:\Program Files\PC Wizard 2008\pcwiz32.sys []
S3 EverestDriver;Lavalys EVEREST Kernel Driver;D:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt [2005-08-18 00:00]
S3 PsSdk41;PsSdk41;C:\WINDOWS\system32\Drivers\pssdk41.sys [2008-08-18 16:04]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\WINDOWS\system32\drivers\viahduaa.sys [2007-10-16 05:00]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-18 C:\WINDOWS\Tasks\sd.job
- C:\Documents and Settings\RaptorX\Desktop\sd.bat []
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\RaptorX\Application Data\Mozilla\Firefox\Profiles\6swjvtvd.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - C:\Documents and Settings\RaptorX\Application Data\Mozilla\Firefox\Profiles\6swjvtvd.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npnul32.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
FF -: plugin - D:\Program Files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 18:00:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\D:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
Completion time: 2008-08-26 18:01:11
ComboFix-quarantined-files.txt 2008-08-26 16:01:07

Pre-Run: 3,759,722,496 bytes free
Post-Run: 4,028,432,384 bytes free

248 --- E O F --- 2008-08-23 22:52:44
#6 - Nikronius (Member), 26th Aug 2008, 08:51 AM

About ComboFix....

When it was running the scan it gave me a blue screen... and now I'm running my antivirus and I got another blue screen... It seems that it "touched" something.... I will try to open the memory dump later....

It also deleted mdm.exe, which I thought was the Windows debugger machine, but I still see mdm.exe in Process Explorer... from the system32 directory, so maybe I did have something but the AV didn't see that....

And I still have the rootkit in system32/drivers, with another random name.... Every time I restart the computer it has a different name....

Guess I'm screwed.. :D

Even though it is not causing any obvious damage, I just want to know what that is... and how I got it...
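The renaming behaviour described in the post above (a driver under system32\drivers whose random-looking name is different after every reboot), as an added example that is not part of the thread and not ComboFix's or AVG's code: it parses ComboFix-style "Files Created" rows and diffs the drivers folder between two scans, with a coarse name heuristic as a secondary flag. The sample scans are constructed; awhjlajx.sys is the name from the first post and qzkmtrvb.sys is an invented stand-in for the name after the next reboot.

```python
r"""Triage helper for the symptom in this thread: a .sys file under
C:\WINDOWS\system32\drivers whose random-looking name is different after
every reboot.  It parses ComboFix-style "Files Created" rows and diffs the
drivers folder between two scans.  Added example with constructed sample
data; not ComboFix's, AVG's or the thread's own code."""
import re
from dataclasses import dataclass
from typing import Optional

# Shape of one ComboFix "Files Created" row: <created> . <modified> <size|<DIR>> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +"
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
VOWELS = set("aeiouy")


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for <DIR> rows
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_listing(text: str) -> list:
    """Keep rows that match the ComboFix shape; banners and '.' rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def driver_files(entries) -> dict:
    """Map lowercase file name -> Entry for .sys files directly in the drivers folder."""
    return {
        e.name: e for e in entries
        if e.size is not None
        and e.path.lower().startswith(DRIVERS_DIR)
        and e.name.endswith(".sys")
        and "\\" not in e.path[len(DRIVERS_DIR):]
    }


def looks_generated(name: str) -> bool:
    """Coarse hint modelled on the thread's sample awhjlajx.SYS: an eight-letter,
    digit-free stem containing a run of four or more consonants.  Vendor drivers in
    the posted logs (avgldx86, i8042prt, viahduaa, gameenum) do not match; a hit
    is a reason to look closer, never proof on its own."""
    stem = name.lower().rpartition(".")[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    run = best = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best >= 4


def diff_drivers(before_text: str, after_text: str) -> dict:
    """Compare the drivers folder across two scans (e.g. before and after a reboot).
    A driver that vanished and one that appeared with the same byte size is
    reported as a probable rename, the behaviour described in the thread."""
    before = driver_files(parse_listing(before_text))
    after = driver_files(parse_listing(after_text))
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    renamed = [(old, new) for old in removed for new in added
               if before[old].size == after[new].size]
    return {"added": added, "removed": removed, "renamed": renamed,
            "suspicious": [n for n in added if looks_generated(n)]}


# Constructed sample scans.  The AVG and pssdk41 rows copy the posted log; the
# awhjlajx.sys row reuses the name from the first post and qzkmtrvb.sys is an
# invented stand-in for the name seen after the next reboot.
SCAN_BEFORE_REBOOT = r"""
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.
2008-08-26 07:55 . 2008-08-26 07:55 21,504 --a------ C:\WINDOWS\system32\drivers\awhjlajx.sys
2008-08-21 16:46 . 2008-08-26 13:02 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-21 16:46 . 2008-08-21 16:46 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-21 16:46 . 2008-08-21 16:46 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-18 16:04 . 2008-08-18 16:04 36,928 --a------ C:\WINDOWS\system32\drivers\pssdk41.sys
"""
SCAN_AFTER_REBOOT = r"""
2008-08-27 08:12 . 2008-08-27 08:12 21,504 --a------ C:\WINDOWS\system32\drivers\qzkmtrvb.sys
2008-08-21 16:46 . 2008-08-21 16:46 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-21 16:46 . 2008-08-21 16:46 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-18 16:04 . 2008-08-18 16:04 36,928 --a------ C:\WINDOWS\system32\drivers\pssdk41.sys
"""

if __name__ == "__main__":
    for key, value in diff_drivers(SCAN_BEFORE_REBOOT, SCAN_AFTER_REBOOT).items():
        print(f"{key:10s} {value}")
```

Running the two scans through diff_drivers pairs the vanished awhjlajx.sys with the newly appeared qzkmtrvb.sys by size, which is the kind of evidence that lets a helper tell a renaming driver apart from the vendor drivers that stay put.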
#7 - evilfantasy (Moderator), 26th Aug 2008, 09:58 AM

Not screwed yet. Rootkits are among the toughest ones to find and eliminate.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
C:\WINDOWS\system32\jview.exe
C:\WINDOWS\system32\clspack.exe
C:\temp.pgn

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Windows"=-
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
  #8  
Old 3rd Sep 2008, 05:54 AM
Nikronius (Member)
Unknown Rootkit??

Sorry that I took too long, but I didn't see that you answered me.

Here is the log:

ComboFix 08-09-01.05 - RaptorX 2008-09-03 15:44:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1668 [GMT 2:00]
Running from: C:\Documents and Settings\RaptorX\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RaptorX\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\clspack.exe
C:\WINDOWS\system32\jview.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-08-31 12:58 . 2008-08-31 12:58 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Caphyon
2008-08-30 17:03 . 2008-08-30 17:04 32,930 --a------ C:\WINDOWS\scunin.dat
2008-08-30 17:02 . 2008-08-30 17:04 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-08-30 17:02 . 2008-08-30 17:04 967 --a------ C:\WINDOWS\ScUnin.pif
2008-08-30 15:50 . 2008-08-30 15:50 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Corel
2008-08-30 15:48 . 2008-08-30 15:48 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-08-30 13:29 . 2007-05-07 08:41 1,128,128 --a------ C:\WINDOWS\system32\NMSDVDXU.dll
2008-08-30 13:29 . 2008-08-30 13:29 20 --a------ C:\WINDOWS\system32\cdmstp
2008-08-28 01:18 . 2008-08-28 01:18 <DIR> d-------- C:\Documents and Settings\administrator\Application Data\ChessBase
2008-08-28 00:20 . 2008-08-28 00:20 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Windows Search
2008-08-28 00:13 . 2008-08-28 00:13 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-28 00:11 . 2008-08-28 00:11 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-08-28 00:10 . 2008-03-07 18:56 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-28 00:10 . 2008-03-07 18:56 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-28 00:10 . 2008-03-07 18:56 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-27 00:16 . 2008-08-27 00:16 <DIR> d-------- C:\Program Files\Common Files\ChessBase
2008-08-26 22:16 . 2008-08-27 00:16 <DIR> d-------- C:\Program Files\ChessBase
2008-08-26 20:36 . 2008-08-26 21:47 122 --a------ C:\WINDOWS\WA.INI
2008-08-26 19:40 . 2008-08-26 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ChessBase
2008-08-26 19:36 . 2008-09-03 07:23 150 --a------ C:\WINDOWS\ChssBase.ini
2008-08-26 19:23 . 2008-09-03 07:24 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\ChessBase
2008-08-25 22:30 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-25 22:29 . 2008-08-25 22:30 <DIR> d-------- C:\Program Files\Java
2008-08-25 22:28 . 2008-08-25 22:28 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-25 19:25 . 2008-08-25 19:25 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Malwarebytes
2008-08-25 19:25 . 2008-08-25 19:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-25 19:10 . 2008-08-25 23:54 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\SUPERAntiSpyware.com
2008-08-25 19:10 . 2008-08-25 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-24 21:08 . 2008-08-24 21:08 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\XemiComputers
2008-08-24 21:08 . 2008-08-24 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\XemiComputers
2008-08-23 13:45 . 2008-08-23 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-23 13:44 . 2008-08-23 13:44 1,641,109 --a------ C:\WINDOWS\WANEUninstaller.exe
2008-08-23 13:27 . 2008-08-23 13:29 <DIR> d-------- C:\Program Files\PS2 Rate Adjuster PLUS
2008-08-22 23:26 . 2008-08-22 23:26 381 --a------ C:\WINDOWS\runit.ini
2008-08-22 20:53 . 2008-01-03 10:40 234,536 --a------ C:\WINDOWS\system32\psexec.exe
2008-08-22 18:40 . 2008-08-22 18:40 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\IndigoRose
2008-08-22 18:39 . 2008-08-22 18:39 <DIR> d-------- C:\WINDOWS\Setup Factory 8.0 Trial
2008-08-22 18:39 . 2008-08-22 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IndigoRose
2008-08-22 18:39 . 2008-08-22 18:39 0 --a------ C:\WINDOWS\SUF80Design.INI
2008-08-22 18:29 . 2004-08-03 23:14 52,736 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2008-08-22 17:58 . 2008-08-23 12:22 1,954 --a------ C:\Documents and Settings\RaptorX\Application Data\SAS7_000.DAT
2008-08-22 14:26 . 2008-08-22 14:26 <DIR> d--h----- C:\BJPrinter
2008-08-22 13:03 . 2008-09-03 15:46 30,120 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
2008-08-22 13:03 . 2008-09-03 15:46 30,120 --a------ C:\WINDOWS\system32\BMXState-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
2008-08-22 13:03 . 2008-09-03 15:46 27,408 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
2008-08-22 13:03 . 2008-09-03 15:46 27,408 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
2008-08-22 13:03 . 2008-09-03 15:46 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
2008-08-22 12:34 . 2004-08-03 23:08 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2008-08-22 12:32 . 2008-08-22 12:32 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Creative
2008-08-22 12:32 . 2008-08-22 18:26 4,958,588 --a------ C:\WINDOWS\{00000000-00000000-00000008-00001102-00000004-00511102}.CDF
2008-08-22 12:32 . 2008-08-22 12:32 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-08-22 12:32 . 2003-02-28 18:26 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2008-08-22 12:32 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-08-22 12:32 . 2008-08-22 12:32 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-08-22 12:32 . 2006-11-14 07:28 86,016 --a------ C:\WINDOWS\system32\cttele.dll
2008-08-22 12:31 . 2008-08-22 12:31 <DIR> d-------- C:\WINDOWS\system32\data
2008-08-22 12:28 . 2004-08-03 23:10 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-08-22 12:28 . 2004-08-03 23:10 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-08-22 12:28 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-08-21 16:46 . 2008-09-03 13:02 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-21 16:46 . 2008-08-21 16:46 <DIR> d-------- C:\Program Files\AVG
2008-08-21 16:46 . 2008-08-21 16:46 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-21 16:46 . 2008-08-21 16:46 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-21 16:46 . 2008-08-21 16:46 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-21 16:46 . 2008-08-21 16:46 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-20 21:06 . 2008-06-23 17:38 3,059,712 -----c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2008-08-20 20:59 . 2008-08-20 20:59 <DIR> d-------- C:\Program Files\Web Publish
2008-08-20 20:59 . 2003-08-29 21:57 288 --a------ C:\WINDOWS\ODBC.INI
2008-08-20 20:59 . 2008-08-20 20:59 126 --a------ C:\WINDOWS\mdm.ini
2008-08-20 19:46 . 2008-09-02 17:29 <DIR> d-------- C:\hk
2008-08-20 14:46 . 2008-08-20 14:46 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-08-20 14:20 . 2008-08-20 19:38 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Samsung
2008-08-20 13:55 . 2008-08-20 13:55 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\PC Suite
2008-08-20 13:55 . 2008-08-20 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-08-20 13:54 . 2008-08-20 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-08-20 13:54 . 2007-05-02 15:31 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-08-20 01:40 . 2008-08-30 10:39 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-20 01:40 . 2008-08-20 01:40 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\AdobeUM
2008-08-20 00:30 . 2008-08-20 00:52 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\.msf3
2008-08-20 00:29 . 2008-08-20 00:30 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\msf3
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\UC.PIF
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\RAR.PIF
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\LHA.PIF
2008-08-19 23:28 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\ARJ.PIF
2008-08-18 19:09 . 2008-08-18 19:09 63,833 --a------ C:\WINDOWS\system32\BlueScreen.zip
2008-08-18 16:30 . 2008-06-01 09:13 88,696 --a------ C:\WINDOWS\system32\_packet.dlluninstall
2008-08-18 16:04 . 2008-08-18 16:04 36,928 --a------ C:\WINDOWS\system32\drivers\pssdk41.sys
2008-08-18 04:00 . 2008-08-18 15:58 <DIR> d-------- C:\Documents and Settings\administrator
2008-08-18 01:50 . 2008-08-18 01:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-17 23:00 . 2008-08-17 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-17 22:39 . 2008-08-19 06:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-17 19:48 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-17 19:48 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-17 19:48 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-17 19:47 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-08-17 19:46 . 2008-08-17 19:46 <DIR> d-------- C:\Program Files\Microsoft Works
2008-08-17 19:43 . 2008-08-17 19:43 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-08-17 19:43 . 2008-08-21 02:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-17 12:28 . 2008-08-17 12:28 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-08-17 12:09 . 2004-08-30 07:50 209,656 -ra------ C:\WINDOWS\system32\drivers\alcxnt.sys
2008-08-17 12:09 . 2004-08-30 07:50 43,128 -ra------ C:\WINDOWS\system32\alcxnt.dll
2008-08-17 12:05 . 2008-08-17 12:05 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-08-17 00:12 . 2008-08-17 12:07 169 --a------ C:\WINDOWS\RtlRack.ini
2008-08-17 00:01 . 2004-07-01 09:02 584 -r------- C:\WINDOWS\system32\drivers\alcxinit.dat
2008-08-16 23:37 . 2008-08-16 23:37 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\skypePM
2008-08-16 23:37 . 2008-08-16 23:37 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-08-16 23:34 . 2008-08-30 17:37 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Skype
2008-08-16 19:08 . 2008-08-16 19:31 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\JAM Software
2008-08-16 18:20 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-08-16 17:21 . 2008-09-03 15:42 <DIR> d-------- C:\Documents and Settings\RaptorX\Application Data\Azureus
2008-08-16 17:21 . 2008-08-16 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-08-16 16:29 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2008-08-16 16:22 . 2008-08-16 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-08-16 16:20 . 2008-08-23 21:46 <DIR> d-------- C:\WINDOWS\speech
2008-08-16 12:11 . 2008-08-25 19:10 172 --a------ C:\WINDOWS\wininit.ini
2008-08-16 02:34 . 2008-08-16 02:34 <DIR> d-------- C:\Program Files\Skype
2008-08-16 02:34 . 2008-08-16 02:34 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-16 02:33 . 2008-08-16 02:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-08-16 02:26 . 2008-08-16 11:40 <DIR> d-------- C:\Documents and Settings\RaptorX\Contacts
2008-08-16 02:25 . 2008-08-20 19:40 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 13:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 10:32 155,995 ----a-w C:\WINDOWS\java\Packages\RHZDBDZZ.ZIP
2008-08-19 05:26 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-08-15 18:33 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Bandwidth Monitor Pro"="D:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" [2005-02-16 225280]
"Active Desktop Calendar"="D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2008-08-13 3780608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="D:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-21 1235736]

C:\Documents and Settings\RaptorX\Start Menu\Programs\Startup\
Shortcut to procexp.lnk - D:\Program Files\procexp.exe [2008-08-16 3520552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DNS7reminder"="D:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"CTxfiHlp"=CTXFIHLP.EXE
"CTHelper"=CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"C:\\WINDOWS\\system32\\nc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"D:\\Program Files\\Starcraft\\StarCraft.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-21 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-21 97928]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-21 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-21 76040]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 42496]
S3 cpuz129;cpuz129;D:\Program Files\PC Wizard 2008\pcwiz32.sys [ ]
S3 PsSdk41;PsSdk41;C:\WINDOWS\system32\Drivers\pssdk41.sys [2008-08-18 36928]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\WINDOWS\system32\drivers\viahduaa.sys [2007-10-16 208384]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 15:46:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-03 15:49:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-03 13:49:03

Pre-Run: 3,528,142,848 bytes free
Post-Run: 3,572,998,144 bytes free

229 --- E O F --- 2008-08-23 22:52:44
  #9  
Old 3rd Sep 2008, 08:00 AM
evilfantasy (Moderator)
Unknown Rootkit??
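The "Files Created" section of a log like the one above has a fixed line layout, so it can be parsed for a quick triage pass. This is an added example for this thread, not ComboFix code or part of the moderator's instructions; the sample lines follow the log's format, with one constructed driver name (qzxkvtrw.sys) standing in for the randomly named file the poster described.

```python
"""Triage helper for the 'Files Created' section of a ComboFix log.
Added example for this thread, not part of ComboFix or of the forum's advice.
Each line has the shape:  <created> . <modified> <size|<DIR>> <attrs> <path>
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Sample input: five lines in the format of the log above plus one constructed
# entry (qzxkvtrw.sys) standing in for a randomly named driver.
SAMPLE_LOG = r"""
2008-08-30 13:29 . 2007-05-07 08:41 1,128,128 --a------ C:\WINDOWS\system32\NMSDVDXU.dll
2008-08-28 00:11 . 2008-08-28 00:11 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-08-22 20:53 . 2008-01-03 10:40 234,536 --a------ C:\WINDOWS\system32\psexec.exe
2008-08-21 16:46 . 2008-08-21 16:46 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-18 16:04 . 2008-08-18 16:04 36,928 --a------ C:\WINDOWS\system32\drivers\pssdk41.sys
2008-08-25 10:00 . 2008-08-25 10:00 24,064 --a------ C:\WINDOWS\system32\drivers\qzxkvtrw.sys
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$")

@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int      # -1 for a directory
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

def parse_listing(text: str) -> List[Entry]:
    """Parse every line in the ComboFix format; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = -1 if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                             datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                             size, m["attrs"], m["path"]))
    return entries

def looks_random(filename: str) -> bool:
    """Crude heuristic: all-letter stem of 8+ chars containing a 4-consonant run.
    Legitimate vendor names can trip it too, so a hit means "check the file's
    publisher and hash", not "malicious"."""
    stem = filename.lower().rsplit(".", 1)[0]
    return stem.isalpha() and len(stem) >= 8 and re.search(r"[^aeiou]{4}", stem) is not None

def triage_drivers(text: str) -> Tuple[List[str], List[str]]:
    """Return (all .sys files under system32\\drivers, the random-looking ones)."""
    drivers = [e for e in parse_listing(text)
               if e.size >= 0 and "\\system32\\drivers\\" in e.path.lower()
               and e.path.lower().endswith(".sys")]
    return [e.name for e in drivers], [e.name for e in drivers if looks_random(e.name)]

if __name__ == "__main__":
    names, flagged = triage_drivers(SAMPLE_LOG)
    print("drivers in window:", names)
    print("random-looking names:", flagged)
```

The name heuristic is deliberately loose: NMSDVDXU.dll from the same log would trip it, which is why the output is a list to check against publisher and hash rather than a verdict.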

The log looks OK now and I don't see any evidence of a rootkit. How is the computer now?
  #10  
Old 3rd Sep 2008, 08:37 AM
Nikronius (Member)
Unknown Rootkit??

Still having that hidden driver, but I give up. I think it's a shitty Windows thingy in there that the antivirus thinks is a rootkit, because the name changes very often and into a random value...

I will try submitting it to AVG to see what they say. Thanks anyway.