Author Topic: Hacktool.Rootkit refuses to go away  (Read 3462 times)


Offline raynestorme

  • Newbie
  • *
  • Posts: 9
Hacktool.Rootkit refuses to go away
« on: April 11, 2009, 10:37:06 PM »
Hi there,

I started to receive Symantec AV Notifications like this:

Scan type:  Auto-Protect Scan
Event:  Threat Found!
Threat: Hacktool.Rootkit
File:  C:\Windows\system32\drivers\nicsk32.sys
Location:  C:\Windows\system32\drivers
Computer:  FOOPANTS
User:  SYSTEM
Action taken:  Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Saturday, April 11, 2009  3:25:56 PM

Scan type:  Auto-Protect Scan
Event:  Threat Found!
Threat: Hacktool.Rootkit
File:  C:\Windows\system32\drivers\ws2_32sik.sys
Location:  C:\Windows\system32\drivers
Computer:  FOOPANTS
User:  SYSTEM
Action taken:  Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Saturday, April 11, 2009  3:32:29 PM

I downloaded Malwarebytes' AM and Hijack This and my most recent logs are:

Malwarebytes:

Malwarebytes' Anti-Malware 1.36
Database version: 1966
Windows 5.1.2600 Service Pack 3

4/11/2009 12:16:36 PM
mbam-log-2009-04-11 (12-16-36).txt

Scan type: Full Scan (A:\|C:\|D:\|F:\|)
Objects scanned: 155327
Time elapsed: 55 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386si (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemntmi (Rootkit.Spamtool) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN54.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN56.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN58.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN5A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:54 PM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\HPZipm12.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wscntfy.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Windows\system32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Genelle Hung] C:\Documents and Settings\Genelle Hung\Genelle Hung.exe /i
O4 - HKCU\..\Run: [] C:\Documents and Settings\Genelle Hung\.exe /i
O4 - HKUS\S-1-5-18\..\Run: [] C:\Documents and Settings\LocalService\.exe /i (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\Documents and Settings\LocalService\.exe /i (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236609706820
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236609695226
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teneros.webex.com/client/T26L/webex/ieatgpc.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\Windows\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 9634 bytes


Prior to this posting I had run Malwarebytes in SafeMode after cleaning up a couple of times, and it would show 0 files infected. Upon restarting in regular mode, the Symantec AV would pop up again. I'd delete all temporary files and re-run and the pasted log above was what I got last.

Any help you can give would be MOST appreciated. FYI, I've updated and downloaded the latest Malwarebytes and Microsoft updates, and am about to get the latest Windows Updates now.

Thank you so much!

Offline Paddy

  • LandzDown Team
  • Hero Member
  • *****
  • Posts: 1376
Re: Hacktool.Rootkit refuses to go away
« Reply #1 on: April 11, 2009, 11:04:29 PM »
Hello, raynestorme, welcome to the forum. Can you do this?
Please download ATF Cleaner by Atribune from http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25 .  Save it to your Desktop.

Run ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
  • Click Exit on the Main menu to close the program.
  • Shutdown/restart the computer.
Then run Malwarebytes again, please, and post the log from that scan.


Paddy...
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

Offline raynestorme

  • Newbie
  • *
  • Posts: 9
Re: Hacktool.Rootkit refuses to go away
« Reply #2 on: April 11, 2009, 11:07:13 PM »
Hi Paddy,

Thank you for your response. Here is my latest file:

Malwarebytes' Anti-Malware 1.36
Database version: 1966
Windows 5.1.2600 Service Pack 3

4/11/2009 12:16:36 PM
mbam-log-2009-04-11 (12-16-36).txt

Scan type: Full Scan (A:\|C:\|D:\|F:\|)
Objects scanned: 155327
Time elapsed: 55 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386si (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemntmi (Rootkit.Spamtool) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN54.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN56.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN58.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN5A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11540
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Hacktool.Rootkit refuses to go away
« Reply #3 on: April 12, 2009, 01:53:34 AM »
Hi, raynestorme.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2
Link 3

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you use AVG, you must also open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar as well as the following:
  • Click on Tools.
  • Select Advanced Settings.
  • In the left hand pane, scroll down to "Resident Shield".
  • In the main pane, deselect the option to "Enable Resident Shield."
  • To re-enable AVG 8, please select "Enable Resident Shield" again.

Now, please run ComboFix:
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline raynestorme

  • Newbie
  • *
  • Posts: 9
Re: Hacktool.Rootkit refuses to go away
« Reply #4 on: April 12, 2009, 02:24:30 AM »
Hi Corrine,

Thank you so much for your help.

Here's the ComboFix log:

ComboFix 09-04-04.01 - Genelle Hung 2009-04-11 19:14:05.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.503.157 [GMT -7:00]
Running from: c:\documents and settings\Genelle Hung\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Genelle Hung\Genelle Hung.exe
c:\windows\IE4 Error Log.txt

.
(((((((((((((((((((((((((   Files Created from 2009-03-12 to 2009-04-12  )))))))))))))))))))))))))))))))
.

2009-04-10 11:18 . 2009-04-10 11:18   <DIR>   d--------   c:\program files\Trend Micro
2009-04-10 02:01 . 2009-04-11 19:10   2,148   --a------   c:\windows\system32\wpa.dbl
2009-04-10 00:52 . 2009-04-10 00:52   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2009-04-10 00:52 . 2009-04-10 00:52   <DIR>   d--------   c:\documents and settings\Genelle Hung\Application Data\Malwarebytes
2009-04-10 00:52 . 2009-04-10 00:52   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-10 00:52 . 2009-04-06 15:32   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-10 00:52 . 2009-04-06 15:32   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-04-10 00:04 . 2009-04-10 00:08   <DIR>   d--------   c:\program files\Spyware Doctor
2009-04-10 00:04 . 2009-04-10 00:07   <DIR>   d--------   c:\program files\Common Files\PC Tools
2009-04-10 00:04 . 2009-04-10 00:04   <DIR>   d--------   c:\documents and settings\Genelle Hung\Application Data\PC Tools
2009-04-10 00:04 . 2009-04-10 00:51   <DIR>   d-a------   c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 00:04 . 2009-04-10 00:04   <DIR>   d--------   c:\documents and settings\All Users\Application Data\PC Tools
2009-04-10 00:04 . 2008-12-11 08:38   159,600   --a------   c:\windows\system32\drivers\pctgntdi.sys
2009-04-10 00:04 . 2009-03-06 16:45   130,424   --a------   c:\windows\system32\drivers\PCTCore.sys
2009-04-10 00:04 . 2008-12-18 12:16   73,840   --a------   c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-10 00:04 . 2008-12-10 12:36   64,392   --a------   c:\windows\system32\drivers\pctplsg.sys
2009-04-09 10:40 . 2009-04-10 00:46   408   --a------   c:\windows\Kpopumuqoboxebod.dat
2009-04-09 10:40 . 2009-04-10 00:00   0   --a------   c:\windows\Dwesaqox.bin
2009-04-09 10:23 . 2009-04-10 00:28   33,280   --a------   c:\windows\system32\truecrypts.123
2009-03-22 10:21 . 2009-03-22 10:22   <DIR>   d--------   c:\program files\iTunes
2009-03-22 10:21 . 2009-03-22 10:21   <DIR>   d--------   c:\program files\iPod
2009-03-22 10:21 . 2009-03-22 10:22   <DIR>   d--------   c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-22 10:18 . 2009-03-22 10:18   <DIR>   d--------   c:\program files\Bonjour
2009-03-22 10:16 . 2009-03-22 10:17   <DIR>   d--------   c:\program files\QuickTime
2009-03-16 16:08 . 2009-01-09 12:19   1,089,593   ---------   c:\windows\system32\dllcache\ntprint.cat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 02:10   ---------   d-----w   c:\program files\Symantec AntiVirus
2009-03-22 17:21   ---------   d-----w   c:\program files\Common Files\Apple
2009-03-11 05:18   934,792   ------w   c:\windows\system32\dllcache\WgaTray.exe
2009-03-11 05:18   239,496   ------w   c:\windows\system32\dllcache\wgaLogon.dll
2009-02-23 07:42   ---------   d-----w   c:\program files\MSN Messenger
2009-02-09 11:13   1,846,784   ------w   c:\windows\system32\win32k.sys
2009-02-09 11:13   1,846,784   ------w   c:\windows\system32\dllcache\win32k.sys
2009-01-17 04:35   3,594,752   ------w   c:\windows\system32\dllcache\mshtml.dll
2008-09-13 04:35   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091220080913\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-06-21 126976]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-01-30 81920]
"ChkAdmin"="c:\progra~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2002-01-24 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-14 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"PROMon.exe"="PROMon.exe" [2002-03-25 c:\windows\system32\PROMon.exe]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 09:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"=
"c:\\WINDOWS\\system32\\PROMon.exe"=
"c:\\Program Files\\COMPAQ\\Compaq Management Agents\\Chkadmin.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Symantec AntiVirus\\VPTray.exe"=
"c:\\Program Files\\Canon\\MyPrinter\\BJMYPRT.EXE"=
"c:\\Program Files\\COMPAQ\\Easy Access Button Support\\CpqEAKSystemTray.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE4\\OpWareSE4.exe"=
"c:\\Program Files\\COMPAQ\\Easy Access Button Support\\CPQEADM.exe"=
"c:\\Compaq\\eakdrv\\EAUSBKBD.exe"=
"c:\\Program Files\\COMPAQ\\Easy Access Button Support\\BttnServ.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Windows\\system32\\HPZipm12.exe"=
"c:\\Windows\\system32\\WgaTray.exe"=
"c:\\Program Files\\COMPAQ\\Easy Access Button Support\\StartEAK.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-10 130424]
R1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\drivers\Clntmgmt.sys [2007-02-11 54222]
R2 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2007-02-11 24576]
S2 acpi32;acpi32;\??\c:\windows\system32\drivers\acpi32.sys --> c:\windows\system32\drivers\acpi32.sys [?]
S2 amd64si;amd64si;\??\c:\windows\system32\drivers\amd64si.sys --> c:\windows\system32\drivers\amd64si.sys [?]
S2 ati64si;ati64si;c:\windows\system32\drivers\ati64si.sys [2007-02-11 30464]
S2 fips32cup;fips32cup;\??\c:\windows\system32\drivers\fips32cup.sys --> c:\windows\system32\drivers\fips32cup.sys [?]
S2 i386si;i386si;\??\c:\windows\system32\drivers\i386si.sys --> c:\windows\system32\drivers\i386si.sys [?]
S2 ksi32sk;ksi32sk;\??\c:\windows\system32\drivers\ksi32sk.sys --> c:\windows\system32\drivers\ksi32sk.sys [?]
S2 netsik;netsik;\??\c:\windows\system32\drivers\netsik.sys --> c:\windows\system32\drivers\netsik.sys [?]
S2 nicsk32;nicsk32;\??\c:\windows\system32\drivers\nicsk32.sys --> c:\windows\system32\drivers\nicsk32.sys [?]
S2 port135sik;port135sik;\??\c:\windows\system32\drivers\port135sik.sys --> c:\windows\system32\drivers\port135sik.sys [?]
S2 securentm;securentm;\??\c:\windows\system32\drivers\securentm.sys --> c:\windows\system32\drivers\securentm.sys [?]
S2 systemntmi;systemntmi;\??\c:\windows\system32\drivers\systemntmi.sys --> c:\windows\system32\drivers\systemntmi.sys [?]
S2 ws2_32sik;ws2_32sik;\??\c:\windows\system32\drivers\ws2_32sik.sys --> c:\windows\system32\drivers\ws2_32sik.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-04-10 348752]
S4 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\Cpqdiag\CPQDFWAG.EXE [2007-02-11 212992]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff415b45-b0cc-11dc-b0ef-000802cb7680}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Genelle Hung - c:\documents and settings\Genelle Hung\Genelle Hung.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-11 19:17:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-11 19:20:32
ComboFix-quarantined-files.txt  2009-04-12 02:20:27

Pre-Run: 11,269,726,208 bytes free
Post-Run: 12,149,575,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

176


Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:21 PM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Windows\system32\PROMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\NMSSvc.exe
C:\Windows\system32\HPZipm12.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236609706820
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236609695226
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teneros.webex.com/client/T26L/webex/ieatgpc.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\Windows\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 9077 bytes


Please advise on next steps. Thank you so very much!


Corrine
Re: Hacktool.Rootkit refuses to go away
« Reply #5 on: April 13, 2009, 12:22:02 PM »
Hi, raynestorme.

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below, being sure to get it all:

Code:
File::
c:\windows\Kpopumuqoboxebod.dat
c:\windows\Dwesaqox.bin
c:\windows\system32\truecrypts.123
c:\windows\system32\drivers\i386si.sys
c:\windows\system32\drivers\systemntmi.sys
c:\windows\system32\drivers\acpi32.sys
c:\windows\system32\drivers\amd64si.sys
c:\windows\system32\drivers\ws2_32sik.sys
c:\windows\system32\drivers\nicsk32.sys
c:\windows\system32\drivers\netsik.sys
c:\windows\system32\drivers\port135sik.sys
c:\windows\system32\drivers\securentm.sys
c:\windows\system32\drivers\ati64si.sys
c:\windows\system32\drivers\ksi32sk.sys
c:\windows\system32\drivers\fips32cup.sys

Driver::
c:\windows\system32\drivers\i386si.sys
c:\windows\system32\drivers\systemntmi.sys
c:\windows\system32\drivers\acpi32.sys
c:\windows\system32\drivers\amd64si.sys
c:\windows\system32\drivers\ws2_32sik.sys
c:\windows\system32\drivers\nicsk32.sys
c:\windows\system32\drivers\netsik.sys
c:\windows\system32\drivers\port135sik.sys
c:\windows\system32\drivers\securentm.sys
c:\windows\system32\drivers\ati64si.sys
c:\windows\system32\drivers\ksi32sk.sys
c:\windows\system32\drivers\fips32cup.sys

Registry::
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} -
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[screenshot: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Note:
  • This scan is best done from IE (Internet Explorer)
  • Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here: http://www.kaspersky.com/kos/eng/partner/default/languages/english/check.html?n=1223851135704
  • Read the Requirements and limitations before you click Accept.
  • Once the database has downloaded, click My Computer in the left pane
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Note: To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

=====================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=====================

Logs Required
ComboFix Log
Kaspersky Scan Log
Hijackthis Log

raynestorme
Re: Hacktool.Rootkit refuses to go away
« Reply #6 on: April 13, 2009, 02:04:37 PM »
Hi Corrine,

Thank you so much for your response! ComboFix and HijackThis logs are below:


ComboFix Log:

ComboFix 09-04-13.A2 - Genelle Hung 2009-04-13  6:54.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.503.263 [GMT -7:00]
Running from: c:\documents and settings\Genelle Hung\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Genelle Hung\Desktop\CFScript.txt
FW: Online Armor Firewall *disabled*
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2009-03-13 to 2009-04-13  )))))))))))))))))))))))))))))))
.

2009-04-12 05:58 . 2009-04-13 13:51   --------   d-----w   c:\documents and settings\Genelle Hung\Application Data\OnlineArmor
2009-04-12 05:58 . 2009-04-12 05:58   --------   d-----w   c:\documents and settings\All Users\Application Data\OnlineArmor
2009-04-12 05:57 . 2008-12-13 09:26   30920   ----a-w   c:\windows\system32\drivers\OAmon.sys
2009-04-12 05:57 . 2008-12-13 09:26   28872   ----a-w   c:\windows\system32\drivers\OAnet.sys
2009-04-12 05:57 . 2008-12-13 09:26   178376   ----a-w   c:\windows\system32\drivers\OADriver.sys
2009-04-12 05:57 . 2009-04-12 05:57   --------   d-----w   c:\program files\Tall Emu
2009-04-10 18:18 . 2009-04-10 18:18   --------   d-----w   c:\program files\Trend Micro
2009-04-10 09:01 . 2009-04-12 16:50   2148   ----a-w   c:\windows\system32\wpa.dbl
2009-04-10 07:52 . 2009-04-10 07:52   --------   d-----w   c:\documents and settings\Genelle Hung\Application Data\Malwarebytes
2009-04-10 07:52 . 2009-04-06 22:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-04-10 07:52 . 2009-04-06 22:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-10 07:52 . 2009-04-10 07:52   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-10 07:52 . 2009-04-10 07:52   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-04-10 07:04 . 2008-12-11 15:38   159600   ----a-w   c:\windows\system32\drivers\pctgntdi.sys
2009-04-10 07:04 . 2009-03-06 23:45   130424   ----a-w   c:\windows\system32\drivers\PCTCore.sys
2009-04-10 07:04 . 2008-12-18 19:16   73840   ----a-w   c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-10 07:04 . 2009-04-10 07:51   --------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 07:04 . 2009-04-10 07:07   --------   d-----w   c:\program files\Common Files\PC Tools
2009-04-10 07:04 . 2008-12-10 19:36   64392   ----a-w   c:\windows\system32\drivers\pctplsg.sys
2009-04-10 07:04 . 2009-04-10 07:08   --------   d-----w   c:\program files\Spyware Doctor
2009-04-10 07:04 . 2009-04-10 07:04   --------   d-----w   c:\documents and settings\Genelle Hung\Application Data\PC Tools
2009-04-10 07:04 . 2009-04-10 07:04   --------   d-----w   c:\documents and settings\All Users\Application Data\PC Tools
2009-04-09 17:40 . 2009-04-10 07:00   0   ----a-w   c:\windows\Dwesaqox.bin
2009-04-09 17:40 . 2009-04-09 17:40   --------   d-----w   c:\documents and settings\Genelle Hung\Local Settings\Application Data\{F2A88D63-8D41-4C26-B9C4-1FE3493ECC79}
2009-04-09 17:40 . 2009-04-10 07:46   408   ----a-w   c:\windows\Kpopumuqoboxebod.dat
2009-03-22 17:21 . 2009-03-22 17:21   --------   d-----w   c:\program files\iPod
2009-03-22 17:21 . 2009-03-22 17:22   --------   d-----w   c:\program files\iTunes
2009-03-22 17:21 . 2009-03-22 17:22   --------   d-----w   c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-22 17:16 . 2009-03-22 17:17   --------   d-----w   c:\program files\QuickTime
2009-03-16 23:08 . 2009-01-09 19:19   1089593   ------w   c:\windows\system32\dllcache\ntprint.cat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 13:49 . 2007-02-11 22:22   --------   d-----w   c:\program files\Symantec AntiVirus
2009-04-12 06:28 . 2008-03-12 21:39   --------   d-----w   c:\program files\DNA
2009-04-12 06:28 . 2007-12-03 05:46   --------   d-----w   c:\program files\DivX
2009-03-22 17:21 . 2007-08-01 03:51   --------   d-----w   c:\program files\Common Files\Apple
2009-03-19 15:31 . 2007-02-12 00:40   64368   ----a-w   c:\documents and settings\Genelle Hung\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-11 05:18 . 2007-02-16 02:01   934792   ------w   c:\windows\system32\dllcache\WgaTray.exe
2009-03-11 05:18 . 2007-02-16 02:00   239496   ------w   c:\windows\system32\dllcache\wgaLogon.dll
2009-02-23 07:49 . 2007-04-02 05:50   244   ---ha-w   C:\sqmnoopt06.sqm
2009-02-23 07:49 . 2007-04-02 05:50   232   ---ha-w   C:\sqmdata06.sqm
2009-02-23 07:42 . 2007-04-02 05:46   244   ---ha-w   C:\sqmnoopt05.sqm
2009-02-23 07:42 . 2007-04-02 05:46   232   ---ha-w   C:\sqmdata05.sqm
2009-02-23 07:42 . 2007-04-01 21:06   --------   d-----w   c:\program files\MSN Messenger
2009-02-09 11:13 . 2008-11-23 22:01   1846784   ------w   c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2001-08-18 06:24   1846784   ------w   c:\windows\system32\win32k.sys
2009-01-17 04:35 . 2006-10-23 15:34   3594752   ------w   c:\windows\system32\dllcache\mshtml.dll
2007-02-12 23:37 . 2007-02-12 23:37   135   ----a-w   c:\documents and settings\Genelle Hung\Local Settings\Application Data\fusioncache.dat
2007-02-11 18:43 . 2007-02-11 18:43   13104   ----a-w   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-03-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-06-21 126976]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-01-30 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-14 185896]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 09:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"=
"c:\\WINDOWS\\system32\\PROMon.exe"=
"c:\\Program Files\\COMPAQ\\Compaq Management Agents\\Chkadmin.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Symantec AntiVirus\\VPTray.exe"=
"c:\\Program Files\\Canon\\MyPrinter\\BJMYPRT.EXE"=
"c:\\Program Files\\COMPAQ\\Easy Access Button Support\\CpqEAKSystemTray.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE4\\OpWareSE4.exe"=
"c:\\Program Files\\COMPAQ\\Easy Access Button Support\\CPQEADM.exe"=
"c:\\Compaq\\eakdrv\\EAUSBKBD.exe"=
"c:\\Program Files\\COMPAQ\\Easy Access Button Support\\BttnServ.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Windows\\system32\\HPZipm12.exe"=
"c:\\Windows\\system32\\WgaTray.exe"=
"c:\\Program Files\\COMPAQ\\Easy Access Button Support\\StartEAK.exe"=

R2 amd64si;amd64si;

R2 port135sik;port135sik;

R2 securentm;securentm;

R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2008-12-13 3321032]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R4 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\Cpqdiag\Cpqdfwag.exe [2001-10-25 212992]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-06 130424]
S1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\Drivers\ClntMgmt.sys [2002-01-16 54222]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2008-12-13 178376]
S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2008-12-13 30920]
S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2008-12-13 28872]
S2 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2002-01-24 24576]
S2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2008-12-13 1402568]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff415b45-b0cc-11dc-b0ef-000802cb7680}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 06:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3488)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-13  7:00
ComboFix-quarantined-files.txt  2009-04-13 14:00
ComboFix2.txt  2009-04-12 04:58
ComboFix3.txt  2009-04-12 04:43
ComboFix4.txt  2009-04-12 02:20

Pre-Run: 12,109,053,952 bytes free
Post-Run: 12,101,627,904 bytes free

171


Unfortunately I was unable to open the link to the Kaspersky Online Scanner. The page says "404 not found". Do you happen to have another link I can try?


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:13 AM, on 4/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Windows\system32\HPZipm12.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\system32\wscntfy.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\ctfmon.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236609706820
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236609695226
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - http://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teneros.webex.com/client/T26L/webex/ieatgpc.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\Windows\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 8371 bytes

Offline Eric the Red

  • ISO/IEC 27001:2005
  • Administrator
  • Hero Member
  • Posts: 1611
  • Would somebody please pass me a beer!
Re: Hacktool.Rootkit refuses to go away
« Reply #7 on: April 14, 2009, 12:50:54 PM »
Kaspersky scanner

Try this link, click on the "Scan Now" button on the page

http://www.kaspersky.co.uk/kos_trialpay_offer
"The time to start running is around about the "e" in "Hey, you!" "
Proud member Since 2004 

The information I provide is provided "AS IS" without warranty, and confers no rights.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 11540
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Hacktool.Rootkit refuses to go away
« Reply #8 on: April 15, 2009, 12:46:04 AM »
Thanks, ETR.  Sorry for the delay.  Between the Holiday and taxes, I've been tied up and am in the process of catching up.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline raynestorme

  • Newbie
  • Posts: 9
Re: Hacktool.Rootkit refuses to go away
« Reply #9 on: April 15, 2009, 03:39:45 AM »
Hi Eric and Corrine,

Thank you so much for your help, I really appreciate the time and effort you have both put in.
I had already pasted my ComboFix and HijackThis logs in my previous post. Please find the Kaspersky scanner log below. I really appreciate your responses and am waiting on advice on next steps to get rid of the threats and infected objects!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
 Tuesday, April 14, 2009
 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner  version: 7.0.26.13
 Program database last update: Tuesday, April 14, 2009 16:09:43
 Records in database: 2043433
--------------------------------------------------------------------------------

Scan settings:
   Scan using the following database: extended
   Scan archives: yes
   Scan mail databases: yes

Scan area - My Computer:
   A:\
   C:\
   D:\
   F:\

Scan statistics:
   Files scanned: 62687
   Threat name: 5
   Infected objects: 240
   Suspicious objects: 0
   Duration of the scan: 02:17:35


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40000.VBN   Infected: Backdoor.Win32.KeyStart.cb   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40001.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40002.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40003.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40004.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40005.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40006.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40007.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40008.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40009.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D4000A.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D4000B.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D4000C.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D4000D.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D4000E.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D4000F.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40010.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40011.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40012.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40013.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40014.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40015.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40016.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40017.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40018.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40019.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D4001A.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D4001B.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D4001C.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D4001D.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D4001E.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D4001F.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40020.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40021.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40022.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40023.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40024.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40025.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40026.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01D40027.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02040000.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02040001.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02280000.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02280001.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0000.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0001.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0002.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0003.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0004.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0005.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0006.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0007.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0008.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0009.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C000A.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C000B.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C000C.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C000D.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C000E.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C000F.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0010.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0011.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0012.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0013.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0014.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0015.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0016.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0017.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0018.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0019.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C001A.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C001B.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C001C.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C001D.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C001E.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C001F.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0020.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0021.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0022.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0023.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0024.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0025.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0026.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0027.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04900000.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04900001.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04900002.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04900003.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04900004.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04900005.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04900006.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04900007.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04900008.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04900009.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0490000A.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0490000B.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0490000C.VBN   Infected: Trojan.Win32.Pakes.njc   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0490000D.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0490000E.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0490000F.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04900010.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80000.VBN   Infected: Backdoor.Win32.KeyStart.cb   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80001.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80002.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80003.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80004.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80005.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80006.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80007.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80008.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80009.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8000A.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8000B.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8000C.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8000D.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8000E.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8000F.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80010.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80011.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80012.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80013.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80014.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80015.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80016.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80017.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80018.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80019.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8001A.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8001B.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8001C.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8001D.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8001E.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8001F.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80020.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80021.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80022.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80023.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80024.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80025.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80026.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80027.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80028.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980001.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980002.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980003.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980004.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980005.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980006.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980007.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980008.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980009.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0898000A.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0898000B.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0898000C.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0898000D.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0898000E.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0898000F.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980010.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980011.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980012.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980013.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980014.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980015.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980016.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980017.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980018.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980019.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0898001A.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0898001B.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0898001C.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0898001D.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0898001E.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0898001F.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980020.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980021.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980022.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980023.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980024.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80000.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80001.VBN   Infected: Backdoor.Win32.KeyStart.cb   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80002.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80003.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80004.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80006.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80052.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC8005E.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC8005F.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80060.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80062.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80064.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80068.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80069.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC8006A.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C040000.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C040001.VBN   Infected: Trojan-Downloader.Win32.Agent.bqus   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C040002.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C040003.VBN   Infected: Trojan-Downloader.Win32.Agent.bqus   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C040004.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0000.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0001.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0002.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0003.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0004.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0005.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0006.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0007.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0008.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0009.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C000A.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C000B.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C000C.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C000D.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C000E.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C000F.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0010.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0011.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0012.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0013.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0014.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0015.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0016.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0017.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0018.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0019.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C001A.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C001B.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C001C.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C001D.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C001E.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C001F.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0020.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0021.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0022.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0023.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0024.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0025.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0026.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0027.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C4C0028.VBN   Infected: Rootkit.Win32.Agent.ikz   1
C:\Qoobox\Quarantine\C\Documents and Settings\Genelle Hung\Genelle Hung.exe.vir   Infected: Trojan.Win32.Agent.caqf   1

The selected area was scanned.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 11540
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Hacktool.Rootkit refuses to go away
« Reply #10 on: April 16, 2009, 12:31:00 AM »
Hi, raynestorme.

The KAV online scan only picked up on the Symantec and ComboFix quarantine logs. However, there is something strange with the current ComboFix log. I see that you ran ComboFix 3 times since the initial run; many of the files I placed in the script are missing, and there are a couple of unusual entries.

Please post the ComboFix log from the previous run.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline raynestorme

  • Newbie
  • Posts: 9
Re: Hacktool.Rootkit refuses to go away
« Reply #11 on: April 16, 2009, 05:01:35 AM »
Hi Corrine,

I'm so sorry for the confusion; I think maybe I ran ComboFix previously with an incomplete version of your script?

I've run it again, following your instructions. I got a popup saying that some of the line items were not compatible with WinXP, but it ran fine afterwards.

Below is the ComboFix log from this most recent scan using your script. I am running KAV online now and after that will run HijackThis again, and post both logs.

Thank you so much again for your help!

ComboFix 09-04-15.08 - Genelle Hung 04/15/2009 19:59.6 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.503.198 [GMT -7:00]
Running from: c:\documents and settings\Genelle Hung\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Genelle Hung\Desktop\CFScript.txt
FW: Online Armor Firewall *enabled*
 * Created a new restore point

FILE ::
c:\windows\Dwesaqox.bin
c:\windows\Kpopumuqoboxebod.dat
c:\windows\system32\drivers\acpi32.sys
c:\windows\system32\drivers\amd64si.sys
c:\windows\system32\drivers\ati64si.sys
c:\windows\system32\drivers\fips32cup.sys
c:\windows\system32\drivers\i386si.sys
c:\windows\system32\drivers\ksi32sk.sys
c:\windows\system32\drivers\netsik.sys
c:\windows\system32\drivers\nicsk32.sys
c:\windows\system32\drivers\port135sik.sys
c:\windows\system32\drivers\securentm.sys
c:\windows\system32\drivers\systemntmi.sys
c:\windows\system32\drivers\ws2_32sik.sys
c:\windows\system32\truecrypts.123
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Dwesaqox.bin
c:\windows\Kpopumuqoboxebod.dat

.
(((((((((((((((((((((((((   Files Created from 2009-03-16 to 2009-04-16  )))))))))))))))))))))))))))))))
.

2009-04-14 14:03 . 2009-04-14 14:03   --------   d-----w   c:\windows\Sun
2009-04-14 14:02 . 2009-04-14 14:01   73728   ----a-w   c:\windows\system32\javacpl.cpl
2009-04-14 14:02 . 2009-04-14 14:01   410984   ----a-w   c:\windows\system32\deploytk.dll
2009-04-14 14:01 . 2009-04-14 14:01   --------   d-----w   c:\program files\Java
2009-04-12 05:58 . 2009-04-15 13:49   --------   d-----w   c:\documents and settings\Genelle Hung\Application Data\OnlineArmor
2009-04-12 05:58 . 2009-04-12 05:58   --------   d-----w   c:\documents and settings\All Users\Application Data\OnlineArmor
2009-04-12 05:57 . 2008-12-13 09:26   30920   ----a-w   c:\windows\system32\drivers\OAmon.sys
2009-04-12 05:57 . 2008-12-13 09:26   28872   ----a-w   c:\windows\system32\drivers\OAnet.sys
2009-04-12 05:57 . 2008-12-13 09:26   178376   ----a-w   c:\windows\system32\drivers\OADriver.sys
2009-04-12 05:57 . 2009-04-12 05:57   --------   d-----w   c:\program files\Tall Emu
2009-04-10 18:18 . 2009-04-10 18:18   --------   d-----w   c:\program files\Trend Micro
2009-04-10 09:01 . 2009-04-15 13:51   2148   ----a-w   c:\windows\system32\wpa.dbl
2009-04-10 07:52 . 2009-04-10 07:52   --------   d-----w   c:\documents and settings\Genelle Hung\Application Data\Malwarebytes
2009-04-10 07:52 . 2009-04-06 22:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-04-10 07:52 . 2009-04-06 22:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-10 07:52 . 2009-04-10 07:52   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-10 07:52 . 2009-04-10 07:52   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-04-10 07:04 . 2008-12-11 15:38   159600   ----a-w   c:\windows\system32\drivers\pctgntdi.sys
2009-04-10 07:04 . 2009-03-06 23:45   130424   ----a-w   c:\windows\system32\drivers\PCTCore.sys
2009-04-10 07:04 . 2008-12-18 19:16   73840   ----a-w   c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-10 07:04 . 2009-04-10 07:51   --------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 07:04 . 2009-04-10 07:07   --------   d-----w   c:\program files\Common Files\PC Tools
2009-04-10 07:04 . 2008-12-10 19:36   64392   ----a-w   c:\windows\system32\drivers\pctplsg.sys
2009-04-10 07:04 . 2009-04-10 07:08   --------   d-----w   c:\program files\Spyware Doctor
2009-04-10 07:04 . 2009-04-10 07:04   --------   d-----w   c:\documents and settings\Genelle Hung\Application Data\PC Tools
2009-04-10 07:04 . 2009-04-10 07:04   --------   d-----w   c:\documents and settings\All Users\Application Data\PC Tools
2009-04-09 17:40 . 2009-04-09 17:40   --------   d-----w   c:\documents and settings\Genelle Hung\Local Settings\Application Data\{F2A88D63-8D41-4C26-B9C4-1FE3493ECC79}
2009-03-22 17:21 . 2009-03-22 17:21   --------   d-----w   c:\program files\iPod
2009-03-22 17:21 . 2009-03-22 17:22   --------   d-----w   c:\program files\iTunes
2009-03-22 17:21 . 2009-03-22 17:22   --------   d-----w   c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-22 17:16 . 2009-03-22 17:17   --------   d-----w   c:\program files\QuickTime

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 02:56 . 2007-02-11 22:22   --------   d-----w   c:\program files\Symantec AntiVirus
2009-04-14 01:22 . 2007-02-12 00:44   --------   d-----w   c:\program files\Common Files\Adobe
2009-04-12 06:28 . 2008-03-12 21:39   --------   d-----w   c:\program files\DNA
2009-04-12 06:28 . 2007-12-03 05:46   --------   d-----w   c:\program files\DivX
2009-03-22 17:21 . 2007-08-01 03:51   --------   d-----w   c:\program files\Common Files\Apple
2009-03-19 15:31 . 2007-02-12 00:40   64368   ----a-w   c:\documents and settings\Genelle Hung\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-11 05:18 . 2007-02-16 02:01   934792   ------w   c:\windows\system32\dllcache\WgaTray.exe
2009-03-11 05:18 . 2007-02-16 02:00   239496   ------w   c:\windows\system32\dllcache\wgaLogon.dll
2009-02-23 07:49 . 2007-04-02 05:50   244   ---ha-w   C:\sqmnoopt06.sqm
2009-02-23 07:49 . 2007-04-02 05:50   232   ---ha-w   C:\sqmdata06.sqm
2009-02-23 07:42 . 2007-04-02 05:46   244   ---ha-w   C:\sqmnoopt05.sqm
2009-02-23 07:42 . 2007-04-02 05:46   232   ---ha-w   C:\sqmdata05.sqm
2009-02-23 07:42 . 2007-04-01 21:06   --------   d-----w   c:\program files\MSN Messenger
2009-02-09 11:13 . 2008-11-23 22:01   1846784   ------w   c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2001-08-18 06:24   1846784   ------w   c:\windows\system32\win32k.sys
2009-01-17 04:35 . 2006-10-23 15:34   3594752   ------w   c:\windows\system32\dllcache\mshtml.dll
2007-02-12 23:37 . 2007-02-12 23:37   135   ----a-w   c:\documents and settings\Genelle Hung\Local Settings\Application Data\fusioncache.dat
2007-02-11 18:43 . 2007-02-11 18:43   13104   ----a-w   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((   SnapShot@2009-04-13_ 6.58.36.53   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-14 14:02 . 2009-04-14 14:01   148888              c:\windows\system32\javaws.exe
+ 2009-04-14 14:02 . 2009-04-14 14:01   144792              c:\windows\system32\javaw.exe
+ 2009-04-14 14:02 . 2009-04-14 14:01   144792              c:\windows\system32\java.exe
+ 2009-04-14 14:02 . 2009-04-14 14:01   410984              c:\windows\system32\deploytk.dll
+ 2009-04-14 01:23 . 2009-04-14 01:23   295606              c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"= "c:\windows\system32\ieframe.dll" [2008-12-20 6066688]

[HKEY_CLASSES_ROOT\clsid\{cfbfae00-17a6-11d0-99cb-00c04fd64497}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-23 06:08   62080   ----a-w   c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
2008-07-14 22:06   308856   ----a-w   c:\program files\Real\RealPlayer\rpbrowserrecordplugin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2009-04-14 14:01   35840   ----a-w   c:\program files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2009-04-14 14:01   73728   ----a-w   c:\program files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-06-22 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-06-22 126976]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-01-31 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-03-01 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-14 185896]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-14 148888]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2008-12-13 886984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2008-12-20 233472]
"WPDShServiceObj"= {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll [2006-10-19 133632]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
2005-06-01 16:35   49152   ----a-w   c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"=
"c:\\WINDOWS\\system32\\PROMon.exe"=
"c:\\Program Files\\COMPAQ\\Compaq Management Agents\\Chkadmin.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Symantec AntiVirus\\VPTray.exe"=
"c:\\Program Files\\Canon\\MyPrinter\\BJMYPRT.EXE"=
"c:\\Program Files\\COMPAQ\\Easy Access Button Support\\CpqEAKSystemTray.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE4\\OpWareSE4.exe"=
"c:\\Program Files\\COMPAQ\\Easy Access Button Support\\CPQEADM.exe"=
"c:\\Compaq\\eakdrv\\EAUSBKBD.exe"=
"c:\\Program Files\\COMPAQ\\Easy Access Button Support\\BttnServ.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Windows\\system32\\HPZipm12.exe"=
"c:\\Windows\\system32\\WgaTray.exe"=
"c:\\Program Files\\COMPAQ\\Easy Access Button Support\\StartEAK.exe"=

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R4 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\Cpqdiag\Cpqdfwag.exe [2001-10-26 212992]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-06 130424]
S1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\Drivers\ClntMgmt.sys [2002-01-16 54222]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2008-12-13 178376]
S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2008-12-13 30920]
S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2008-12-13 28872]
S2 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2002-01-25 24576]
S2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2008-12-13 1402568]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2008-12-13 3321032]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff415b45-b0cc-11dc-b0ef-000802cb7680}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
WebBrowser-{0E5CBF21-D15F-11D0-8301-00AA005B4383} - %SystemRoot%\system32\SHELL32.dll
SharedTaskScheduler-{438755C2-A8BA-11D1-B96B-00A0C90312E1} - %SystemRoot%\System32\browseui.dll
SharedTaskScheduler-{8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\System32\browseui.dll
ShellExecuteHooks-{AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
SSODL-PostBootReminder-{7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
SSODL-SysTray-{35CEC8A3-2BE6-11D2-8773-92E220524153} - %systemroot%\system32\stobject.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
IE: {{92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\MICROS~2\OFFICE11\REFIEBAR.DLL
Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - c:\windows\system32\mscoree.dll
Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - c:\windows\system32\mscoree.dll
Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - c:\windows\system32\mscoree.dll
Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - c:\windows\system32\urlmon.dll
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} -
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
Handler: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - c:\windows\system32\mshtml.dll
Handler: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - c:\windows\system32\urlmon.dll
Handler: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - c:\windows\system32\msvidctl.dll
Handler: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - c:\windows\system32\mshtml.dll
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - c:\windows\system32\msvidctl.dll
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - c:\progra~1\MSNMES~1\MSGRAP~1.DLL
Handler: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - c:\windows\system32\mshtml.dll
Handler: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} -
Handler: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - c:\progra~1\MSNMES~1\MSGRAP~1.DLL
Handler: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
Handler: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
Handler: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - c:\windows\system32\mshtml.dll
Handler: sysimage - {76E67A63-06E9-11D2-A840-006008059382} -
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
Handler: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - c:\windows\system32\mshtml.dll
Handler: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - c:\windows\system32\wiascr.dll
Name-Space Handler: mk\* - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://teneros.webex.com/client/T26L/webex/ieatgpc.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 20:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-16 20:18
ComboFix-quarantined-files.txt  2009-04-16 03:18
ComboFix2.txt  2009-04-16 02:16
ComboFix3.txt  2009-04-13 14:00
ComboFix4.txt  2009-04-12 04:58
ComboFix5.txt  2009-04-16 02:57

Pre-Run: 12,202,582,016 bytes free
Post-Run: 12,191,985,664 bytes free


Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11540
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Hacktool.Rootkit refuses to go away
« Reply #12 on: April 16, 2009, 10:56:17 AM »
Hi, raynestorme.

That is much better and what I was expecting to see.  How is your computer now?

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline raynestorme

  • Newbie
  • *
  • Posts: 9
Re: Hacktool.Rootkit refuses to go away
« Reply #13 on: April 16, 2009, 01:57:50 PM »
Hi Corrine,

So far it APPEARS to be doing ok - no more Symantec pop-ups and all that. *fingers crossed* :) :) THANK YOU :)

However, here are my latest KAV and HijackThis logs, and there's something in quarantine that refuses to go away:


KAV Log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
 Thursday, April 16, 2009
 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner  version: 7.0.26.13
 Program database last update: Thursday, April 16, 2009 05:26:54
 Records in database: 2049617
--------------------------------------------------------------------------------

Scan settings:
   Scan using the following database: extended
   Scan archives: yes
   Scan mail databases: yes

Scan area - My Computer:
   A:\
   C:\
   D:\
   F:\

Scan statistics:
   Files scanned: 59931
   Threat name: 1
   Infected objects: 1
   Suspicious objects: 0
   Duration of the scan: 02:24:27


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Genelle Hung\Genelle Hung.exe.vir   Infected: Trojan.Win32.Agent.caqf   1

The selected area was scanned.


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:31 AM, on 4/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Windows\system32\HPZipm12.exe
C:\Windows\System32\svchost.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\wscntfy.exe
C:\Windows\System32\alg.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Genelle Hung\Local Settings\temp\jkos-Genelle Hung\binaries\ScanningProcess.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236609706820
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236609695226
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1239717533365&h=de40a589c1f7b698f22f50e50ca46c30/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - http://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teneros.webex.com/client/T26L/webex/ieatgpc.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\Windows\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 9338 bytes

Offline Paddy

  • LandzDown Team
  • Hero Member
  • *****
  • Posts: 1376
Re: Hacktool.Rootkit refuses to go away
« Reply #14 on: April 16, 2009, 02:05:18 PM »
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Genelle Hung\Genelle Hung.exe.vir   Infected: Trojan.Win32.Agent.caqf   1


That file is nothing to worry about; it is being held in Qoobox\Quarantine, which relates to ComboFix. It will be removed when Corrine gives you the final cleanup instructions.


Paddy...  :thumbsup:
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.
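The point Paddy makes above, that a second-opinion scanner will keep flagging copies ComboFix has already moved into C:\Qoobox\Quarantine and renamed with a .vir suffix, is worth automating when triaging logs like the KAV report in this thread. The script below is an added example and is not code from the thread or from Kaspersky, ComboFix or any other tool named here; the `_OTM\MovedFiles` path and the second report line are constructed placeholders.

```python
"""Triage second-opinion scanner hits against known quarantine folders.

Added example (not from the thread). Detections whose path sits inside a
quarantine folder, or that carry ComboFix's .vir rename, are neutralised
copies awaiting final cleanup, not active infections, and are reported
separately from files still living in system directories.
"""
import re
from dataclasses import dataclass

# Folders holding neutralised copies. Qoobox\Quarantine is ComboFix's folder
# (seen in the thread); the _OTM entry is an assumed extra for illustration.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\_otm\\movedfiles\\")
QUARANTINE_SUFFIXES = (".vir",)  # ComboFix renames quarantined files *.vir

# KAV 7.0 report line: "<path>   Infected: <threat>   <count>"
KAV_LINE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

@dataclass
class Finding:
    path: str
    threat: str
    quarantined: bool

def is_quarantined(path: str) -> bool:
    """True when the path points at a quarantined/renamed copy, not a live file."""
    p = path.lower().replace("/", "\\")
    return p.startswith(QUARANTINE_PREFIXES) or p.endswith(QUARANTINE_SUFFIXES)

def parse_kav_report(text: str) -> list:
    """Extract each 'Infected:' line of a KAV 7.0 report body as a Finding."""
    findings = []
    for line in text.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["threat"], is_quarantined(m["path"])))
    return findings

def triage(findings: list) -> tuple:
    """Split findings into (still_active, already_quarantined)."""
    active = [f for f in findings if not f.quarantined]
    held = [f for f in findings if f.quarantined]
    return active, held

# Constructed sample in the KAV report layout: line one is the quarantined
# hit from the thread, line two is an invented placeholder for a live file.
SAMPLE_REPORT = """\
File name / Threat name / Threats count
C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\Genelle Hung\\Genelle Hung.exe.vir   Infected: Trojan.Win32.Agent.caqf   1
C:\\Windows\\system32\\drivers\\example-placeholder.sys   Infected: Example.Placeholder   1

The selected area was scanned.
"""

if __name__ == "__main__":
    active, held = triage(parse_kav_report(SAMPLE_REPORT))
    print(f"active: {[f.path for f in active]}")
    print(f"already quarantined (clean up later): {[f.path for f in held]}")
```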