
Root Kit Zero Access / Win32 Patched HN Trojan


Comments

  • closed
    closed Posts: 10,886 Forumite
    edited 17 July 2011 at 12:32AM
    do you need these?

    O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Consumer Input\dca-bho.dll

    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    O19 - User stylesheet: C:\Users\Ruth\AppData\Roaming\eBay Adblocker\NBT_ConfigurationFile.css

    O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe (file missing)

    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (Emsisoft Web Malware Scan) - http://ax.emsisoft.com/emsisoft_webscan.cab

    Unless you use media sharing across the network, disable it in media player, library, media sharing, or options media sharing, untick find and share media



    disable handwriting personalization unless you use it: control panel, mobile pc, tablet pc settings, disable handwriting personalization

    IE is out of date

    avast is better than mse imo, but none are perfect.




  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    avast won't run on vista, had all sorts of problems a few months ago and after in depth research found an avast update clashes with a vista one.

    I ran combo fix again and this time it ran in full. it found the hidden trojan backup in open office
    here is the new combo fix log, I then ran hijack this and this time it ran in full so combo fix did something. A strange icon I thought was windows security has now gone from my tray icons

    ComboFix 11-07-15.01 - Ruth 17/07/2011 0:55.6.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2038.1190 [GMT 1:00]
    Running from: c:\users\Ruth\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\OpenOffice.org 3\Basis\program\shlxthdl\stlport_vc7145.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-17 to 2011-07-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-17 00:04 . 2011-07-17 00:05 -------- d-----w- c:\users\Ruth\AppData\Local\temp
    2011-07-17 00:04 . 2011-07-17 00:04 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-07-16 22:05 . 2011-07-16 22:05 388096 ----a-r- c:\users\Ruth\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-07-16 22:05 . 2011-07-16 22:05 -------- d-----w- c:\program files\Trend Micro
    2011-07-15 19:34 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8C1A5EE-AE26-4B6F-8B39-21DE12DF8B8E}\mpengine.dll
    2011-07-15 16:53 . 2011-07-15 16:53 -------- d-----w- c:\users\Ruth\DoctorWeb
    2011-07-15 13:22 . 2011-07-15 20:03 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-07-15 12:22 . 2008-10-22 15:10 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-15 12:22 . 2008-10-22 15:10 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-15 12:22 . 2011-07-15 12:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-14 22:20 . 2011-07-14 22:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2011-07-14 22:11 . 2011-07-15 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-07-14 22:11 . 2011-07-15 11:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-07-14 21:13 . 2010-01-10 18:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2011-07-11 18:24 . 2011-07-11 19:07 -------- d-----w- C:\bd_logs
    2011-07-09 21:17 . 2011-07-09 21:17 -------- d--h--w- c:\users\Ruth\AppData\Local\Sophos
    2011-07-09 21:12 . 2011-07-09 21:12 -------- d-----w- C:\stdtsa
    2011-07-09 21:06 . 2011-07-09 21:06 -------- d-----w- c:\users\Ruth\AppData\Roaming\QuickScan
    2011-07-09 21:05 . 2011-07-10 19:41 -------- d-----w- c:\program files\windows check
    2011-07-08 21:34 . 2011-07-16 22:15 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-07-08 21:33 . 2011-07-08 21:33 -------- d-----w- c:\programdata\Hitman Pro
    2011-07-08 16:44 . 2011-07-08 16:44 -------- d-----w- c:\program files\EMCO
    2011-07-08 15:23 . 2011-06-07 15:55 7074640 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3AA2B6CC-1367-4BB8-957E-42C1D12C5419}\mpengine.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-14 21:47 . 2006-11-02 08:58 270336 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-06-07 15:55 . 2011-06-07 18:27 7074640 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-05-24 18:14 . 2009-10-02 17:22 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-04-26 21:19 . 2011-04-26 21:19 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2008-05-29 20:46 . 2008-05-29 20:46 4372992 ----a-w- c:\program files\openofficeorg24.msi
    2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
    2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\users\Ruth\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\users\Ruth\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\users\Ruth\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-17 102400]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
    "HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2007-07-26 192512]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Users^Ruth^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
    path=c:\users\Ruth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    backup=c:\windows\pss\Dropbox.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-11-10 12:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-11-10 12:49 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-10-08 17:04 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Consumer Input Update]
    2011-02-21 19:40 175800 ----a-w- c:\program files\Consumer Input\dca-ua.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-03-07 15:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
    2010-10-20 15:32 2192752 ----a-w- c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-12 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3109353111-1278261798-599452624-1000Core.job
    - c:\users\Ruth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-15 13:50]
    .
    2011-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3109353111-1278261798-599452624-1000UA.job
    - c:\users\Ruth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-15 13:50]
    .
    2011-07-17 c:\windows\Tasks\User_Feed_Synchronization-{E79D4AEF-B559-4776-B742-4E3CD720952A}.job
    - c:\windows\system32\msfeedssync.exe [2010-04-05 04:54]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://search.myheritage.com
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    .
    .
    File Associations
    .
    .txt=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-kdx - c:\program files\Kontiki\KHost.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-17 01:04
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-07-17 01:11:16
    ComboFix-quarantined-files.txt 2011-07-17 00:11
    ComboFix2.txt 2011-07-15 13:06
    ComboFix3.txt 2011-07-15 12:15
    ComboFix4.txt 2009-02-04 19:13
    .
    Pre-Run: 28,182,016,000 bytes free
    Post-Run: 28,049,924,096 bytes free
    .
    - - End Of File - - 9AA5176B18C87B51EE22BA36A166DE70
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    Hijack this log


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 01:13:15, on 17/07/2011
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Launch Manager\HotkeyApp.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\explorer.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Consumer Input\dca-bho.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (Emsisoft Web Malware Scan) - http://ax.emsisoft.com/emsisoft_webscan.cab
    O19 - User stylesheet: C:\Users\Ruth\AppData\Roaming\eBay Adblocker\NBT_ConfigurationFile.css
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Microsoft Antimalware Service (MsMpSvc) - Unknown owner - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 3692 bytes
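
One way to triage a HijackThis log like the ones posted in this thread, as an added example that is not part of the original posts or of HijackThis itself. The review rules are assumptions chosen for illustration, and the sample lines are copied from the logs above.

```python
import re

# HijackThis section codes that appear in this thread's logs.
SECTIONS = {
    "R0": "IE start/search setting", "R1": "IE start/search setting",
    "O2": "Browser Helper Object", "O4": "autostart entry",
    "O9": "extra IE button/menu item", "O16": "ActiveX (Downloaded Program Files)",
    "O19": "user stylesheet", "O22": "SharedTaskScheduler", "O23": "service",
}
ENTRY = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")


def review_reasons(code, body):
    """Return reasons an entry deserves a manual look (prompts, not verdicts)."""
    low = body.lower()
    reasons = []
    if "(file missing)" in low:
        reasons.append("target file missing")
    if code == "O23" and "unknown owner" in low:
        reasons.append("service binary reports no owner")
    if code == "O16" and "http://" in low:
        reasons.append("ActiveX installer fetched over plain HTTP")
    if code == "O4" and "\\" not in body.split("]", 1)[-1]:
        reasons.append("autostart command has no directory")
    if code in ("O2", "O4", "O19", "O23") and "\\users\\" in low:
        reasons.append("loads from a user-profile path")
    return reasons


def triage(log_text):
    """Parse a HijackThis log; return (code, section, body, reasons) per flagged entry."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m or m["code"] not in SECTIONS:
            continue  # header, process list, or a section not covered here
        reasons = review_reasons(m["code"], m["body"])
        if reasons:
            flagged.append((m["code"], SECTIONS[m["code"]], m["body"], reasons))
    return flagged


# Sample input: entries copied from the logs posted in this thread.
SAMPLE = r"""
Running processes:
C:\Windows\explorer.exe
O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Consumer Input\dca-bho.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O19 - User stylesheet: C:\Users\Ruth\AppData\Roaming\eBay Adblocker\NBT_ConfigurationFile.css
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe (file missing)
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"""

if __name__ == "__main__":
    for code, section, body, reasons in triage(SAMPLE):
        print(f"{code:<4}{section}: {body}\n      -> {'; '.join(reasons)}")
```

The log above also lists the Microsoft Antimalware Service with "Unknown owner", so a flag here is a reason to look at an entry, not a verdict on it.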
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    any idea what this could be ?

    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    microsoft security essentials still won't switch on
  • RussJK
    RussJK Posts: 2,359 Forumite
    Might be an idea to upload that deletion to virustotal, seems a strange deletion. It'll be in c:\qoobox\quarantine

    e.g. something like c:\qoobox\quarantine\c\program files\OpenOffice.org 3\Basis\program\shlxthdl\stlport_vc7145.dll.vir

    You'll have to fix the permissions on security programs such as MSE as per the youtube video. Part of how the rootkit works is to
    1) shut down any processes that try to scan it
    2) alter the permissions of the programs so they can't be run

    Alternatively uninstall > reinstall them.
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    any idea on locked registry items? is this normal as not seen it before
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 17 July 2011 at 1:49AM
    Silver-Cat wrote:
    any idea on locked registry items? is this normal as not seen it before

    The CLSID relates to modems. I'll see if Alienrik will take a look at your logs later.

    Get some sleep :)
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    edited 17 July 2011 at 4:24PM
    modems might make sense as I have wireless broadband connecting to router and then modem

    microsoft security reinstalled and now seems okay
  • RussJK
    RussJK Posts: 2,359 Forumite
    What did virustotal think of that combofix deletion?
This discussion has been closed.