
VirtuMundo+ others, get BSOD on startup

Discussion in 'Malware and Virus Removal Archive' started by sashkashurik, 2007/05/20.

  1. 2007/05/20
    sashkashurik

    sashkashurik Inactive Thread Starter

    Joined:
    2007/05/20
    Messages:
    11
    Likes Received:
    0
    I have removed, as I think successfully, a large set of malware, trojans etc. However, this has generated a series of errors.

    First I would like to make sure that all the bad stuff is gone. So here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 4:53:56 AM, on 5/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\godzilla\Desktop\HiJackThis_v2.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {1F9203F4-FC0C-4165-8D04-BDB2FA6E6721} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Bluetooth Monitor.lnk = ?
    O4 - Global Startup: PC Health.lnk = C:\Program Files\TOSHIBA\TOSHIBA Management Console\TOSHealthLocalS.vbs
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177819736218
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    --
    End of file - 6812 bytes

    Now, if this looks clean, you may find the following to be most interesting....
    I first got a STOP with 7F code and found that there was a remainder of Vundo on the system.
    After cleaning it, I got another error; now it is a Stop error on startup that does not give me the ability to start in normal mode: 0x0000000A error.

    As we can see in the debugger (at least the only thing I can read from it), there may be a problem with xpdt.sys. Isn't it a trojan??? By the way, it is NOT present on the system...

    Additional information: for cleaning I have used Kaspersky, SpyBot, VundoFix, VirtuMundoBeGone. Ad-Aware did not work properly: stalling at 8000 objects scanned without detecting anything in the first 8000.

    Here is the debugger log:
    Opened log file 'c:\debuglog.txt'

    Microsoft (R) Windows Debugger Version 6.7.0005.0
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
    Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 2600.xpsp_sp2_qfe.070227-2300
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
    Debug session time: Sat May 19 04:50:52.515 2007 (GMT-4)
    System Uptime: 0 days 0:00:20.203
    Loading Kernel Symbols
    .....................................................................................................................
    Loading User Symbols

    Loading unloaded module list
    ........................
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck A, {d8bf760, 2, 1, 806ff84a}

    *** ERROR: Module load completed but symbols could not be loaded for xpdt.sys
    *** ERROR: Module load completed but symbols could not be loaded for w39n51.sys
    Probably caused by : xpdt.sys ( xpdt+52f5 )

    Followup: MachineOwner
    ---------

    1: kd> !analyze -v;r;kv;lmtn;.logclose;q
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    IRQL_NOT_LESS_OR_EQUAL (a)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high. This is usually
    caused by drivers using improper addresses.
    If a kernel debugger is available get the stack backtrace.
    Arguments:
    Arg1: 0d8bf760, memory referenced
    Arg2: 00000002, IRQL
    Arg3: 00000001, value 0 = read operation, 1 = write operation
    Arg4: 806ff84a, address which referenced memory

    Debugging Details:
    ------------------


    WRITE_ADDRESS: 0d8bf760

    CURRENT_IRQL: 2

    FAULTING_IP:
    hal!KfAcquireSpinLock+1a
    806ff84a f00fba2900 lock bts dword ptr [ecx],0

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0xA

    PROCESS_NAME: System

    TRAP_FRAME: aa154ce8 -- (.trap 0xffffffffaa154ce8)
    .trap 0xffffffffaa154ce8
    ErrCode = 00000002
    eax=00000000 ebx=00000000 ecx=0d8bf760 edx=00000000 esi=863a2008 edi=861dd000
    eip=806ff84a esp=aa154d5c ebp=aa154d88 iopl=0 nv up ei pl zr na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
    hal!KfAcquireSpinLock+0x1a:
    806ff84a f00fba2900 lock bts dword ptr [ecx],0 ds:0023:0d8bf760=????????
    .trap
    Resetting default scope

    LAST_CONTROL_TRANSFER: from 806ff84a to 804e0aac

    STACK_TEXT:
    aa154ce8 806ff84a badb0d00 00000000 804e80e0 nt!KiTrap0E+0x238
    aa154d58 aa5042f5 863a2008 861dcf70 00000000 hal!KfAcquireSpinLock+0x1a
    WARNING: Stack unwind information not available. Following frames may be wrong.
    aa154d88 aa504c06 863a2008 00000000 8050f950 xpdt+0x52f5
    aa154ddc 804ec791 aa501e48 00000000 00000000 xpdt+0x5c06
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    xpdt+52f5
    aa5042f5 8844240b mov byte ptr [esp+0Bh],al

    SYMBOL_STACK_INDEX: 2

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: xpdt

    IMAGE_NAME: xpdt.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 464a0af7

    SYMBOL_NAME: xpdt+52f5

    FAILURE_BUCKET_ID: 0xA_W_xpdt+52f5

    BUCKET_ID: 0xA_W_xpdt+52f5

    Followup: MachineOwner
    ---------

    eax=f7a5613c ebx=00000002 ecx=00000000 edx=40000000 esi=806ff84a edi=0d8bf760
    eip=804e0aac esp=aa154cd0 ebp=aa154ce8 iopl=0 nv up ei ng nz na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
    nt!KiTrap0E+0x238:
    804e0aac f7457000000200 test dword ptr [ebp+70h],20000h ss:0010:aa154d58=00010246
    ChildEBP RetAddr Args to Child
    aa154ce8 806ff84a badb0d00 00000000 804e80e0 nt!KiTrap0E+0x238 (FPO: [0,0] TrapFrame @ aa154ce8)
    aa154d58 aa5042f5 863a2008 861dcf70 00000000 hal!KfAcquireSpinLock+0x1a (FPO: [0,0,0])
    WARNING: Stack unwind information not available. Following frames may be wrong.
    aa154d88 aa504c06 863a2008 00000000 8050f950 xpdt+0x52f5
    aa154ddc 804ec791 aa501e48 00000000 00000000 xpdt+0x5c06
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    start end module name
    804d7000 806fd000 nt ntkrnlmp.exe Wed Feb 28 04:52:47 2007 (45E550EF)
    806fd000 8071dc80 hal halmacpi.dll Wed Sep 28 19:35:25 2005 (433B28BD)
    aa265000 aa27c480 dump_atapi dump_atapi.sys Wed Aug 04 01:59:41 2004 (41107B4D)
    aa31d000 aa38ba00 mrxsmb mrxsmb.sys Fri May 05 05:41:42 2006 (445B1DD6)
    aa38c000 aa3b6a00 rdbss rdbss.sys Fri May 05 05:47:55 2006 (445B1F4B)
    aa3b7000 aa3d8d00 afd afd.sys Wed Aug 04 02:14:13 2004 (41107EB5)
    aa3d9000 aa3f9f00 ipnat ipnat.sys Wed Sep 29 18:28:36 2004 (415B3714)
    aa3fa000 aa421c00 netbt netbt.sys Wed Aug 04 02:14:36 2004 (41107ECC)
    aa44a000 aa4a1d80 tcpip tcpip.sys Thu Apr 20 07:51:47 2006 (444775D3)
    aa4a2000 aa4b4400 ipsec ipsec.sys Wed Aug 04 02:14:27 2004 (41107EC3)
    aa4b5000 aa4c5280 Udfs Udfs.SYS Wed Aug 04 02:00:27 2004 (41107B7B)
    aa4c6000 aa4deee0 meiudf meiudf.sys Wed Jun 01 05:33:36 2005 (429D80F0)
    aa4ff000 aa511000 xpdt xpdt.sys Tue May 15 15:33:11 2007 (464A0AF7)
    aa539000 aa64b120 AGRSM AGRSM.sys Mon Nov 14 16:00:19 2005 (4378FAE3)
    aa6ec000 aa70d700 portcls portcls.sys Tue Mar 16 14:58:17 2004 (40574E49)
    aa70e000 aab1b000 RtkHDAud RtkHDAud.sys Fri Dec 09 03:48:37 2005 (439944E5)
    babdb000 bac0e200 update update.sys Wed Aug 04 01:58:32 2004 (41107B08)
    bac0f000 bac1fe00 psched psched.sys Wed Aug 04 02:04:16 2004 (41107C60)
    bac3c000 bac3ec00 TPwSav TPwSav.sys Wed Nov 30 20:50:33 2005 (438E56E9)
    bac48000 bac5e680 ndiswan ndiswan.sys Wed Aug 04 02:14:30 2004 (41107EC6)
    bac5f000 bac81680 ks ks.sys Wed Aug 04 02:15:20 2004 (41107EF8)
    bac82000 bac9a200 Apfiltr Apfiltr.sys Mon Nov 15 02:22:08 2004 (41985920)
    bac9b000 bacc2e00 e100b325 e100b325.sys Mon Oct 10 18:31:40 2005 (434AEBCC)
    bacc3000 bacd3800 sdbus sdbus.sys Wed Aug 04 02:07:47 2004 (41107D33)
    bacd4000 bacfbb00 tifm21 tifm21.sys Wed Nov 30 11:13:04 2005 (438DCF90)
    bacfc000 bad1ee80 USBPORT USBPORT.SYS Wed Aug 04 02:08:34 2004 (41107D62)
    bad1f000 bae7ba80 w39n51 w39n51.sys Mon Dec 05 03:55:28 2005 (43940080)
    bae7c000 baea1000 HDAudBus HDAudBus.sys Fri Jan 07 20:07:15 2005 (41DF3243)
    baea1000 baeb4780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 02:07:04 2004 (41107D08)
    baeb5000 bafff7e0 ialmnt5 ialmnt5.sys Mon Nov 28 17:20:19 2005 (438B82A3)
    bf800000 bf9c2180 win32k win32k.sys Thu Mar 08 08:47:34 2007 (45F013F6)
    bf9c3000 bf9d4580 dxg dxg.sys Wed Aug 04 02:00:51 2004 (41107B93)
    bf9d5000 bf9e3000 ialmrnt5 ialmrnt5.dll Mon Nov 28 17:12:06 2005 (438B80B6)
    bf9e3000 bfa05000 ialmdnt5 ialmdnt5.dll Mon Nov 28 17:12:00 2005 (438B80B0)
    bfa05000 bfa39660 ialmdev5 ialmdev5.DLL Mon Nov 28 17:11:49 2005 (438B80A5)
    bfa3a000 bfb1c000 ialmdd5 ialmdd5.DLL Mon Nov 28 17:19:19 2005 (438B8267)
    bffa0000 bffe5c00 ATMFD ATMFD.DLL Wed Aug 04 03:56:56 2004 (411096C8)
    f75af000 f75b1900 Dxapi Dxapi.sys Fri Aug 17 16:53:19 2001 (3B7D843F)
    f75eb000 f7605580 Mup Mup.sys Wed Aug 04 02:15:20 2004 (41107EF8)
    f7606000 f7632a80 NDIS NDIS.sys Wed Aug 04 02:14:27 2004 (41107EC3)
    f7633000 f76bf400 Ntfs Ntfs.sys Fri Feb 09 06:10:31 2007 (45CC56A7)
    f76c0000 f76d6780 KSecDD KSecDD.sys Wed Aug 04 01:59:45 2004 (41107B51)
    f76d7000 f76e8f00 sr sr.sys Wed Aug 04 02:06:22 2004 (41107CDE)
    f76e9000 f7708780 fltMgr fltMgr.sys Mon Aug 21 05:14:57 2006 (44E97991)
    f7709000 f7720480 atapi atapi.sys Wed Aug 04 01:59:41 2004 (41107B4D)
    f7721000 f773f880 ftdisk ftdisk.sys Fri Aug 17 16:52:41 2001 (3B7D8419)
    f7740000 f775d480 pcmcia pcmcia.sys Wed Aug 04 02:07:45 2004 (41107D31)
    f775e000 f776ea80 pci pci.sys Wed Aug 04 02:07:45 2004 (41107D31)
    f776f000 f779cd80 ACPI ACPI.sys Wed Aug 04 02:07:35 2004 (41107D27)
    f77be000 f77c6c00 isapnp isapnp.sys Fri Aug 17 16:58:01 2001 (3B7D8559)
    f77ce000 f77dce80 ohci1394 ohci1394.sys Wed Aug 04 02:10:05 2004 (41107DBD)
    f77de000 f77eb000 1394BUS 1394BUS.SYS Wed Aug 04 02:10:03 2004 (41107DBB)
    f77ee000 f77f8500 MountMgr MountMgr.sys Wed Aug 04 01:58:29 2004 (41107B05)
    f77fe000 f780ac80 VolSnap VolSnap.sys Wed Aug 04 02:00:14 2004 (41107B6E)
    f780e000 f7816e00 disk disk.sys Wed Aug 04 01:59:53 2004 (41107B59)
    f781e000 f782a200 CLASSPNP CLASSPNP.SYS Wed Aug 04 02:14:26 2004 (41107EC2)
    f782e000 f783d180 nic1394 nic1394.sys Wed Aug 04 01:58:28 2004 (41107B04)
    f783e000 f7846d00 intelppm intelppm.sys Wed Aug 04 01:59:19 2004 (41107B37)
    f784e000 f785ae00 i8042prt i8042prt.sys Wed Aug 04 02:14:36 2004 (41107ECC)
    f785e000 f7868380 imapi imapi.sys Wed Aug 04 02:00:12 2004 (41107B6C)
    f786e000 f787a180 cdrom cdrom.sys Wed Aug 04 01:59:52 2004 (41107B58)
    f787e000 f788c080 redbook redbook.sys Wed Aug 04 01:59:34 2004 (41107B46)
    f788e000 f7896880 Fips Fips.SYS Fri Aug 17 21:31:49 2001 (3B7DC585)
    f792e000 f793a880 rasl2tp rasl2tp.sys Wed Aug 04 02:14:21 2004 (41107EBD)
    f793e000 f7948200 raspppoe raspppoe.sys Wed Aug 04 02:05:06 2004 (41107C92)
    f794e000 f7959d00 raspptp raspptp.sys Wed Aug 04 02:14:26 2004 (41107EC2)
    f795e000 f7966900 msgpc msgpc.sys Wed Aug 04 02:04:11 2004 (41107C5B)
    f796e000 f7977f00 termdd termdd.sys Wed Aug 04 01:58:52 2004 (41107B1C)
    f797e000 f7987480 NDProxy NDProxy.SYS Fri Aug 17 16:55:30 2001 (3B7D84C2)
    f799e000 f79acb80 drmk drmk.sys Wed Aug 04 02:07:54 2004 (41107D3A)
    f79ae000 f79b8980 Tvs Tvs.sys Tue Nov 29 21:01:01 2005 (438D07DD)
    f79be000 f79c6f80 csiidecoder_kern_i386 csiidecoder_kern_i386.sys Tue Oct 25 20:33:04 2005 (435ECEC0)
    f79de000 f79ec100 usbhub usbhub.sys Wed Aug 04 02:08:40 2004 (41107D68)
    f7a0e000 f7a16700 wanarp wanarp.sys Wed Aug 04 02:04:57 2004 (41107C89)
    f7a1e000 f7a2cd80 arp1394 arp1394.sys Wed Aug 04 01:58:28 2004 (41107B04)
    f7a2e000 f7a36700 netbios netbios.sys Wed Aug 04 02:03:19 2004 (41107C27)
    f7a3e000 f7a44200 PCIIDEX PCIIDEX.SYS Wed Aug 04 01:59:40 2004 (41107B4C)
    f7a46000 f7a4a900 PartMgr PartMgr.sys Fri Aug 17 21:32:23 2001 (3B7DC5A7)
    f7a4e000 f7a52e20 PxHelp20 PxHelp20.sys Mon Apr 25 15:48:02 2005 (426D4972)
    f7a8e000 f7a93000 usbuhci usbuhci.sys Wed Aug 04 02:08:34 2004 (41107D62)
    f7a96000 f7a9c800 usbehci usbehci.sys Wed Aug 04 02:08:34 2004 (41107D62)
    f7aa6000 f7aac000 kbdclass kbdclass.sys Wed Aug 04 01:58:32 2004 (41107B08)
    f7aae000 f7ab3a00 mouclass mouclass.sys Wed Aug 04 01:58:32 2004 (41107B08)
    f7abe000 f7ac3200 iviaspi iviaspi.sys Thu Sep 11 02:36:53 2003 (3F601805)
    f7ac6000 f7acb200 vga vga.sys Wed Aug 04 02:07:06 2004 (41107D0A)
    f7ad6000 f7add000 GEARAspiWDM GEARAspiWDM.sys Mon Aug 07 13:11:27 2006 (44D7743F)
    f7ae6000 f7aeaa80 Msfs Msfs.SYS Wed Aug 04 02:00:37 2004 (41107B85)
    f7aee000 f7af5880 Npfs Npfs.SYS Wed Aug 04 02:00:38 2004 (41107B86)
    f7b46000 f7b4a500 watchdog watchdog.sys Wed Aug 04 02:07:32 2004 (41107D24)
    f7b6e000 f7b72880 TDI TDI.SYS Wed Aug 04 02:07:47 2004 (41107D33)
    f7b7e000 f7b82580 ptilink ptilink.sys Fri Aug 17 16:49:53 2001 (3B7D8371)
    f7b8e000 f7b92080 raspti raspti.sys Fri Aug 17 16:55:32 2001 (3B7D84C4)
    f7b9e000 f7ba5200 tsxt_kern_i386 tsxt_kern_i386.sys Tue Jan 25 17:35:24 2005 (41F6C9AC)
    f7bae000 f7bb4900 wowhd_kern_i386 wowhd_kern_i386.sys Thu Aug 18 12:45:49 2005 (4304BB3D)
    f7bbe000 f7bc5580 Modem Modem.SYS Wed Aug 04 02:08:04 2004 (41107D44)
    f7bce000 f7bd1000 BOOTVID BOOTVID.dll Fri Aug 17 16:49:09 2001 (3B7D8345)
    f7bd2000 f7bd4480 compbatt compbatt.sys Fri Aug 17 16:57:58 2001 (3B7D8556)
    f7bd6000 f7bd9700 BATTC BATTC.SYS Fri Aug 17 16:57:52 2001 (3B7D8550)
    f7bda000 f7bdcd80 ACPIEC ACPIEC.sys Fri Aug 17 16:57:55 2001 (3B7D8553)
    f7c6e000 f7c71700 CmBatt CmBatt.sys Wed Aug 04 02:07:39 2004 (41107D2B)
    f7c7a000 f7c7c880 pfc pfc.sys Fri Sep 19 19:47:22 2003 (3F6B958A)
    f7c92000 f7c94280 rasacd rasacd.sys Fri Aug 17 16:55:39 2001 (3B7D84CB)
    f7ca2000 f7ca4580 ndistapi ndistapi.sys Fri Aug 17 16:55:29 2001 (3B7D84C1)
    f7cb6000 f7cb9c80 mssmbios mssmbios.sys Wed Aug 04 02:07:47 2004 (41107D33)
    f7cbe000 f7cbfb80 kdcom kdcom.dll Fri Aug 17 16:49:10 2001 (3B7D8346)
    f7cc0000 f7cc1100 WMILIB WMILIB.SYS Fri Aug 17 17:07:23 2001 (3B7D878B)
    f7cc8000 f7cc9100 swenum swenum.sys Wed Aug 04 01:58:41 2004 (41107B11)
    f7cd4000 f7cd5280 USBD USBD.SYS Fri Aug 17 17:02:58 2001 (3B7D8682)
    f7cd8000 f7cd9f00 Fs_Rec Fs_Rec.SYS Fri Aug 17 16:49:37 2001 (3B7D8361)
    f7cdc000 f7cdd080 Beep Beep.SYS Fri Aug 17 16:47:33 2001 (3B7D82E5)
    f7ce0000 f7ce1080 mnmdd mnmdd.SYS Fri Aug 17 16:57:28 2001 (3B7D8538)
    f7ce4000 f7ce5080 RDPCDD RDPCDD.sys Fri Aug 17 16:46:56 2001 (3B7D82C0)
    f7cea000 f7ceb100 dump_WMILIB dump_WMILIB.SYS Fri Aug 17 17:07:23 2001 (3B7D878B)
    f7d86000 f7d86d00 pciide pciide.sys Fri Aug 17 16:51:49 2001 (3B7D83E5)
    f7d87000 f7d87d80 OPRGHDLR OPRGHDLR.SYS Fri Aug 17 16:57:55 2001 (3B7D8553)
    f7e08000 f7e08d00 dxgthk dxgthk.sys Fri Aug 17 16:53:12 2001 (3B7D8438)
    f7e69000 f7e69c00 audstub audstub.sys Fri Aug 17 16:59:40 2001 (3B7D85BC)
    f7ece000 f7eceb80 Null Null.SYS Fri Aug 17 16:47:39 2001 (3B7D82EB)

    Unloaded modules:
    f7ab6000 f7abb000 Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7c7e000 f7c81000 Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7a86000 f7a8b000 Flpydisk.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7a7e000 f7a85000 Fdc.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f791e000 f7927000 csiidecoder_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7b4e000 f7b55000 wowhd_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7b3e000 f7b46000 tsxt_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f790e000 f7919000 Tvs.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f78fe000 f7907000 csiidecoder_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7b36000 f7b3d000 wowhd_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7b26000 f7b2e000 tsxt_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f78ee000 f78f9000 Tvs.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f78de000 f78e7000 csiidecoder_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7b1e000 f7b25000 wowhd_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7b0e000 f7b16000 tsxt_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f78ce000 f78d9000 Tvs.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f78be000 f78c7000 csiidecoder_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7b06000 f7b0d000 wowhd_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7af6000 f7afe000 tsxt_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f78ae000 f78b9000 Tvs.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f789e000 f78a7000 csiidecoder_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7aee000 f7af5000 wowhd_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7ade000 f7ae6000 tsxt_kern_i386.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f788e000 f7899000 Tvs.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    Closing open log file c:\debuglog.txt
     
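An added example, not part of the post above and not a WinDbg feature, that reads the quoted `!analyze -v`, `kv` and `lmtn` output and does the cross-checks a responder otherwise does by hand: resolve the bugcheck arguments and every frame's return address against the loaded-module ranges, record which modules had no symbols, and note whether the suspect driver's link timestamp is newer than the running kernel's. The embedded log is a constructed excerpt of the post's output with the module list cut to the four entries the walk-through needs.

```python
import re

# Constructed excerpt of the WinDbg output quoted in the post above; the kernel
# module list is reduced to the entries that the stack walk actually touches.
SAMPLE_LOG = """
BugCheck A, {d8bf760, 2, 1, 806ff84a}
*** ERROR: Module load completed but symbols could not be loaded for xpdt.sys
*** ERROR: Module load completed but symbols could not be loaded for w39n51.sys
Probably caused by : xpdt.sys ( xpdt+52f5 )
STACK_TEXT:
aa154ce8 806ff84a badb0d00 00000000 804e80e0 nt!KiTrap0E+0x238
aa154d58 aa5042f5 863a2008 861dcf70 00000000 hal!KfAcquireSpinLock+0x1a
WARNING: Stack unwind information not available. Following frames may be wrong.
aa154d88 aa504c06 863a2008 00000000 8050f950 xpdt+0x52f5
aa154ddc 804ec791 aa501e48 00000000 00000000 xpdt+0x5c06
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
start end module name
804d7000 806fd000 nt ntkrnlmp.exe Wed Feb 28 04:52:47 2007 (45E550EF)
806fd000 8071dc80 hal halmacpi.dll Wed Sep 28 19:35:25 2005 (433B28BD)
aa4ff000 aa511000 xpdt xpdt.sys Tue May 15 15:33:11 2007 (464A0AF7)
bad1f000 bae7ba80 w39n51 w39n51.sys Mon Dec 05 03:55:28 2005 (43940080)
"""

# lmtn row: start end name image <date> (link timestamp)
MODULE_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+) (\S+) .*\(([0-9A-Fa-f]{8})\)$")
# kb/STACK_TEXT row: ChildEBP RetAddr Arg1 Arg2 Arg3 symbol
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$")
NOSYM_RE = re.compile(r"symbols could not be loaded for (\S+)")
BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
CAUSE_RE = re.compile(r"^Probably caused by : (\S+)")


def parse_modules(text):
    """Map module name -> (start, end, image file, link timestamp) from the lmtn listing."""
    modules = {}
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            start, end, name, image, ts = m.groups()
            modules[name] = (int(start, 16), int(end, 16), image, int(ts, 16))
    return modules


def module_for(addr, modules):
    """Name of the module whose load range contains addr, or None for an unmapped address."""
    for name, (start, end, _, _) in modules.items():
        if start <= addr < end:
            return name
    return None


def parse_frames(text):
    """(return address, symbol) per stack frame; the return address lies in the caller."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(2), 16), m.group(3)))
    return frames


def triage(text):
    modules = parse_modules(text)
    code, args, suspect = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = BUGCHECK_RE.match(line)
        if m:
            code = m.group(1).upper()
            args = [int(a.strip(), 16) for a in m.group(2).split(",")]
        m = CAUSE_RE.match(line)
        if m:
            suspect = m.group(1).rsplit(".", 1)[0]
    no_symbols = sorted({n.rsplit(".", 1)[0] for n in NOSYM_RE.findall(text)})
    # Bugcheck 0xA arguments: referenced address, IRQL, read/write flag, faulting IP.
    referenced, faulting_ip = (args[0], args[3]) if code == "A" and len(args) == 4 else (None, None)
    # Walk the stack: the first return address that lands in a module without
    # symbols is the caller that brought the kernel/HAL into this code path.
    callers = [module_for(ret, modules) for ret, _ in parse_frames(text)]
    first_unsym = next((c for c in callers if c in no_symbols), None)
    kernel_ts = modules.get("nt", (0, 0, "", 0))[3]
    return {
        "code": code,
        "suspect": suspect,
        "no_symbols": no_symbols,
        "referenced_module": None if referenced is None else module_for(referenced, modules),
        "faulting_ip_module": None if faulting_ip is None else module_for(faulting_ip, modules),
        "callers": callers,
        "first_unsymbolized_caller": first_unsym,
        "suspect_newer_than_kernel": suspect in modules and modules[suspect][3] > kernel_ts,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted dump this reports that Arg1 (0d8bf760) maps to no loaded module while Arg4 lands in hal, and that the hal frame returns into xpdt, the one loaded driver with no symbols and a link date newer than the kernel.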
  2. 2007/05/21
    bbbobins

    bbbobins Banned

    Joined:
    2007/02/01
    Messages:
    129
    Likes Received:
    0
    You have a RootKit.

    Do the following in the order presented.

    Download and install
    EndItAll http://www.compu-docs.com/Downloads/enditall.exe

    Run EndItAll, click EndItAll in the bottom left corner,
    then close EndItAll.

    Download and install KillProcess 241
    http://orangelampsoftware.com/products_killprocess.shtml

    Then on the download page there is a "Download Kill lists" section; select the ones that say "Clean Windows XP" and "Clean Windows 2000" and download them 1 at a time.

    You may have to right-click this and do Save As.
    When you have these and have installed KillProcess, move these files inside the KillProcess folder, which should be C:\Program Files\Killprocess.

    Instructions for use.
    Run KillProcess then click File-Load Kill List, browse to the KillProcess folder and choose "Clean XP.lst ".

    Then back to File, then Execute Kill list.

    Answer yes to all.

    Then again click File-Load Kill List, browse to the KillProcess folder and choose "Clean Windows 2000.lst ".

    Then back to File, then Execute Kill list.

    Answer yes to all.

    Exit KillProcess.

    Download Catchme
    http://www.gmer.net/catchme.exe

    Run it and post back the log.

    Finally
    Download Rustbfix http://www.uploads.ejvindh.net/rustbfix.exe

    Run Rustbfix.
    If a Rustock is found, you will be asked to reboot the computer.
    The reboot will take a while; perhaps 2 reboots will be needed. It will do this automatically.

    After the reboot, 2 logfiles will open; post the contents of these logfiles along with a new HijackThis log.

    Bob
     

  4. 2007/05/21
    bbbobins

    bbbobins Banned

    Joined:
    2007/02/01
    Messages:
    129
    Likes Received:
    0
    Ok, I posted this separately as the above is more important.

    In HJT remove
    O2 - BHO: (no name) - {1F9203F4-FC0C-4165-8D04-BDB2FA6E6721} - (no file)

    and
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    This one will come back if you have another Bluescreen Dump.

    The process should fix the BSOD.

    When the above is complete, do the EndItAll and KillProcess steps exactly as directed above with the kill lists, then

    do this online scan; it has 4 different scans, do them all 1 at a time but do the My Computer scan last.
    http://usa.kaspersky.com/services/free-virus-scanner.php

    Then a new HJT log.

    Bob
     
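An added example, not from the post above and not part of HijackThis, that applies the triage the reply describes to an HJT log: O2 BHO lines whose backing file is "(no file)" are orphaned registrations, the O4 KernelFaultCheck/dumprep entry is a crash-report launcher that reappears after the next bugcheck, O4 commands with a bare executable name give no path to verify, and O20 Winlogon Notify hooks always warrant a look. The sample input is constructed from lines of the log posted earlier in this thread; the "verify" classes are heuristics, not verdicts.

```python
import re

# Constructed sample: lines taken from the HijackThis log posted earlier in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {1F9203F4-FC0C-4165-8D04-BDB2FA6E6721} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

LINE_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
# O2 body: "BHO: <name> - <CLSID or tag> - <file or (no file)>"
BHO_RE = re.compile(r"^BHO: (.*?) - (\S+) - (.*)$")
# O4 body: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(HK[LC][MU])\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


def parse_hjt(text):
    """Split an HJT log into (section code, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_hjt(text):
    """Return (action, section, identifier, reason) findings for the log text."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "O2":
            m = BHO_RE.match(body)
            if m and m.group(3).strip() == "(no file)":
                findings.append(("orphaned", kind, m.group(2),
                                 "BHO registration with no backing file; removable in HJT"))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            value_name, command = m.group(3), m.group(4)
            if re.search(r"\\dumprep\b", command, re.IGNORECASE):
                findings.append(("remove", kind, value_name,
                                 "crash-report launcher; re-created after the next bugcheck"))
            elif not re.search(r"[\\:%]", command):
                # Heuristic: no directory, drive or variable, so the file cannot be located from the log.
                findings.append(("verify", kind, value_name,
                                 "bare executable name with no path to check"))
        elif kind == "O20":
            findings.append(("verify", kind, body, "Winlogon Notify hook loads into winlogon.exe"))
    return findings


if __name__ == "__main__":
    for action, section, ident, reason in triage_hjt(SAMPLE_HJT):
        print(f"{action:9} {section:4} {ident}  ({reason})")
```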
  5. 2007/05/21
    sashkashurik

    sashkashurik Inactive Thread Starter

    Joined:
    2007/05/20
    Messages:
    11
    Likes Received:
    0
    Rootkit?????

    Note: BSOD was fixed by disabling audio, network and DVDRam drivers.

    So here are the logs for the operations:

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    -------------------------------------


    Rustock.b-ADS attached to the System32-folder:
    Attempting to remove ADS...

    Looking for Rustock.b-files in the System32-folder:
    ECHO is off.


    ******************* Post-run Status of system *******************

    Rustock.b-driver on the system:
    YOU NEED TO CONSULT MORE ADVANCED TOOLS!!
    The Gmer-rootkitscanner may be a good place to start.
    Gmer rootkit-scanner may be found here: http://www.gmer.net

    Rustock.b-ADS attached to the System32-folder:
    ECHO is off.
    You should either run the tool again or consult more advanced tools
    The Gmer-rootkitscanner may be a good place to start.
    Gmer rootkit-scanner may be found here: http://www.gmer.net

    Looking for Rustock.b-files in the System32-folder:
    ECHO is off.
    You should either run the tool again or consult more advanced tools
    Swandog46's Avenger or Gmer's-rootkitscanner may be a good place to start.
    Swandog46's Avenger may be found here: http://swandog46.geekstogo.com/avengernotes.htm
    Gmer rootkit-scanner may be found here: http://www.gmer.net


    ******************************* End of Logfile ********************************


    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\ipivoidl

    *******************

    Script file located at: \??\C:\Documents and Settings\juowejtf.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Driver xpdt unloaded successfully.
    Program G:\Rustbfix\2run.bat successfully set up to run once on reboot.

    Completed script processing.

    *******************

    Finished! Terminate.


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 3:36:35 PM, on 5/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\KillProcess\KillProcess.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\godzilla\Desktop\HiJackThis_v2.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Bluetooth Monitor.lnk = ?
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177819736218
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    --
    End of file - 6273 bytes


    Since I disabled the network adapters to be able to run in Normal mode, I was not able to run the proposed online scan...
     
  6. 2007/05/21
    sashkashurik

    sashkashurik Inactive Thread Starter

    Joined:
    2007/05/20
    Messages:
    11
    Likes Received:
    0
    Have also run the GMER rootkit scanner and it found a file called xpdt in the system folder... removed it.

    Now enabled the drivers for wireless and running the proposed Kaspersky scans.
     
  7. 2007/05/21
    bbbobins

    bbbobins Banned

    Joined:
    2007/02/01
    Messages:
    129
    Likes Received:
    0
    Good, that is exactly what I was going to tell you to do.

    But use the EndItAll and KillProcess procedures before running them.

    After the online scans, reboot and run my first process entirely again (except the downloads, of course).

    Post results and a new HJT log.

    Bob
     
  8. 2007/05/21
    sashkashurik

    sashkashurik Inactive Thread Starter

    Joined:
    2007/05/20
    Messages:
    11
    Likes Received:
    0
    I have done as proposed: ran the process a few times, killing processes and checking for rootkits.
    Meanwhile, I have also installed Kaspersky IS 6.0 and run all three scans twice.
    Initial runs showed some adware and trojans (VirtuMundo, mostly inside restore point files). The latest scan still finds some stuff inside restore points only, although I have told it to remove the infected files....

    I have also enabled all the drivers and they seem to work just fine.

    Am I done?

    Here is the latest log from HJT:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 7:25:24 PM, on 5/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TDispVol.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\godzilla\Desktop\HiJackThis_v2.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe "
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Bluetooth Monitor.lnk = ?
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177819736218
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    --
    End of file - 8491 bytes
     
    Last edited: 2007/05/21
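    As an added example that is not part of this thread (and not HijackThis's own code): a small Python triage script over the HJT entry format shown in the logs above. It parses the "Oxx - ..." lines, flags the kinds of entries a helper would normally ask about (orphaned "(no file)" objects, the "AutorunsDisabled" placeholders, a Winlogon Notify handler that resolves to a directory, bare executable names in Run keys, an AppInit_DLLs value), and diffs two logs of the same machine so that new entries, here Kaspersky's, stand out. The sample lines are a subset copied from the two logs posted in this thread; the flag reasons are heuristics of this example, not HijackThis's verdicts.

```python
"""Minimal HijackThis (HJT) log triage: parse entry lines, flag entries
that deserve a manual look, and diff two logs of the same machine.

The heuristics below are this example's own, not HijackThis's verdicts.
"""
import re
from dataclasses import dataclass

# One HJT entry line: a section code (R0, O2, O4, O20, ...) and the rest.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# A command that starts with a drive letter, optionally quoted.
DRIVE_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass(frozen=True)
class Entry:
    code: str
    body: str


def parse_hjt(text):
    """Extract the entry lines from an HJT log; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body").rstrip()))
    return entries


def triage(entry):
    """Return why this entry deserves a manual look, or None if it looks routine."""
    body = entry.body
    if "(no file)" in body:
        return "registered object whose file is missing (orphaned entry)"
    if entry.code == "O20" and body.startswith("Winlogon Notify:") and body.endswith("\\"):
        return "Winlogon Notify handler resolves to a directory, not a DLL"
    if entry.code == "O20" and body.startswith("AppInit_DLLs:"):
        return "AppInit_DLLs is loaded into every process that loads user32.dll; confirm the vendor"
    if "AutorunsDisabled" in body:
        return "placeholder left behind by an entry disabled in Autoruns"
    if entry.code == "O4":
        if body.endswith("= ?"):
            return "startup shortcut whose target could not be resolved"
        m = re.search(r"\]\s*(.*)$", body)
        if "\\Run:" in body and m and not DRIVE_PATH_RE.match(m.group(1)):
            return "Run value names a bare executable found via the search path; confirm which file actually starts"
    return None


def triage_log(text):
    """Run triage over a whole log; returns [(code, body, reason), ...] in log order."""
    flagged = []
    for e in parse_hjt(text):
        reason = triage(e)
        if reason:
            flagged.append((e.code, e.body, reason))
    return flagged


def diff_logs(old_text, new_text):
    """(added, removed) entry lists between two logs of the same machine."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    key = lambda e: (e.code, e.body)
    return sorted(new - old, key=key), sorted(old - new, key=key)


# Sample input: a subset of the entry lines from the two logs in this thread.
OLD_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

NEW_LOG = OLD_LOG + r"""
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe "
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
"""

if __name__ == "__main__":
    for code, body, reason in triage_log(NEW_LOG):
        print(f"{code}: {reason}\n    {body}")
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    print(f"\n{len(added)} new entries since the previous log, {len(removed)} gone:")
    for e in added:
        print("  +", e.code, "-", e.body)
```

    Every flag is a prompt for a human check of what the file is and who signs it, and an unflagged line is not thereby clean; the diff is the more reliable part, since anything that appears between two logs of the same machine has a cause the owner should be able to name.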
  9. 2007/05/21
    bbbobins

    bbbobins Banned

    Joined:
    2007/02/01
    Messages:
    129
    Likes Received:
    0
    You do good work!!

    Looks good!

    If you feel good and stable, I would clear System Restore and immediately make a new restore point.

    But before we quit, do the Rustock.b fix once more without the EndItAll and KillProcess and post that back to us.

    Bob
     
  10. 2007/05/21
    sashkashurik

    sashkashurik Inactive Thread Starter

    Joined:
    2007/05/20
    Messages:
    11
    Likes Received:
    0
    Done that already :)

    Kaspersky was finally able to clean the restore points, but to be on the safe side I have cleared all restore points with a disable->enable operation and created a new one :)

    Here are the logs:
    ************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
    Mon 05/21/2007 14:19:34.31

    No Rustock.b-rootkits found

    ******************************* End of Logfile ********************************

    Rustock.b-ADS attached to the System32-folder:
    No streams found.

    Looking for Rustock.b-files in the System32-folder:
    No Rustock.b-files found in system32


    ******************* Post-run Status of system *******************

    Rustock.b-driver on the system: NONE!

    Rustock.b-ADS attached to the System32-folder:
    No System32-ADS found.

    Looking for Rustock.b-files in the System32-folder:
    No Rustock.b-files found in system32


    ******************************* End of Logfile ********************************
     
  11. 2007/05/21
    sashkashurik

    sashkashurik Inactive Thread Starter

    Joined:
    2007/05/20
    Messages:
    11
    Likes Received:
    0
    Thank you a lot :)
    The system is back to normal and runs even better than before I got it... :)

    You saved my ass: this computer was lent to me by a friend. I do not know who infected it, but it is better to avoid such things and make sure that the system is returned clean :)

    Thank you again
     
  12. 2007/05/21
    bbbobins

    bbbobins Banned

    Joined:
    2007/02/01
    Messages:
    129
    Likes Received:
    0
