Registered User
Join Date: Dec 2008
Posts: 4
OS: XP Pro
Infection: win32:spyware-gen [trj] and win32:Rootkit-gen [rtk]
Hello,
I incorrectly posted my logs earlier. I have followed the first steps guide and hope I have done everything correctly.
Issue: After using a coworker's thumb drive, I noticed immediately that I had a problem. The computer is agonizingly slow and everything is timing out: internet, MS Office, shutdown, etc. Trend Micro did not catch it, as this is a work computer that had not been updated in quite some time. Scanned with Avast, which found win32:spyware-gen [trj] and win32:Rootkit-gen [rtk].
I am currently unable to use my work computer and would greatly appreciate any assistance that you may have to offer.
Thank you in advance!
Here is my log info:
DDS (Version 1.0) - NTFSx86
Run by installation at 8:51:18.87 on Sun 12/07/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.999.321 [GMT -7:00]
============== Running Processes ===============
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\LANDesk\LDClient\LDIScn32.EXE
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\vulScan.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\LDregwatch.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\LANDesk\Shared Files\proxyhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\installation\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.hp.com
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [HPWWANGSAssistant] c:\swsetup\hpqwwan\HPWWanGSAssistant.exe /TrayMode
mRun: [SDClientMonitor] "c:\program files\landesk\ldclient\webportal\sdclientmonitor.exe"
mRun: [OpenVPN GUI] "c:\program files\openvpn\bin\openvpn-gui-1.0.3.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [WDM_SYSAUDIO] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci.dll,streamingdevicesetup {a7c7a5b0-5af3-11d1-9ced-00a024bf0407},{9b365890-165f-11d0-a195-0020afd156e4},{a7c7a5b1-5af3-11d1-9ced-00a024bf0407},c:\windows\inf\WDMAUDIO.inf,WDM_SYSAUDIO.Interface.Install
mRunOnce: [WDM_DRMKAUD0] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci,streamingdevicesetup {eec12db6-ad9c-4168-8658-b03daef417fe},{abd61e00-9350-47e2-a632-4438b90c6641},{6994ad04-93ef-11d0-a3cc-00a0c9223196},c:\windows\inf\WDMAUDIO.inf,WDM_DRMKAUD.Interface.Install
mRunOnce: [WDM_DRMKAUD1] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci,streamingdevicesetup {eec12db6-ad9c-4168-8658-b03daef417fe},{abd61e00-9350-47e2-a632-4438b90c6641},{2eb07ea0-7e70-11d0-a5d6-28db04c10000},c:\windows\inf\WDMAUDIO.inf,WDM_DRMKAUD.Interface.Install
mRunOnce: [WDM_DRMKAUD2] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci,streamingdevicesetup {eec12db6-ad9c-4168-8658-b03daef417fe},{abd61e00-9350-47e2-a632-4438b90c6641},{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e},c:\windows\inf\WDMAUDIO.inf,WDM_DRMKAUD.Interface.Install
mRunOnce: [WDM_KMIXER0] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci.dll,streamingdevicesetup {b7eafdc0-a680-11d0-96d8-00aa0051e51d},{9b365890-165f-11d0-a195-0020afd156e4},{ad809c00-7b88-11d0-a5d6-28db04c10000},c:\windows\inf\WDMAUDIO.inf,WDM_KMIXER.Interface.Install
mRunOnce: [WDM_KMIXER1] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci.dll,streamingdevicesetup {b7eafdc0-a680-11d0-96d8-00aa0051e51d},{9b365890-165f-11d0-a195-0020afd156e4},{6994ad04-93ef-11d0-a3cc-00a0c9223196},c:\windows\inf\WDMAUDIO.inf,WDM_KMIXER.Interface.Install
mRunOnce: [WDM_AEC0] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci.dll,streamingdevicesetup {4245ff73-1db4-11d2-86e4-98ae20524153},{9b365890-165f-11d0-a195-0020afd156e4},{2eb07ea0-7e70-11d0-a5d6-28db04c10000},c:\windows\inf\WDMAUDIO.inf,WDM_AEC.Interface.Install
mRunOnce: [WDM_AEC1] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci.dll,streamingdevicesetup {4245ff73-1db4-11d2-86e4-98ae20524153},{9b365890-165f-11d0-a195-0020afd156e4},{6994ad04-93ef-11d0-a3cc-00a0c9223196},c:\windows\inf\WDMAUDIO.inf,WDM_AEC.Interface.Install
mRunOnce: [WDM_AEC2] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci.dll,streamingdevicesetup {4245ff73-1db4-11d2-86e4-98ae20524153},{9b365890-165f-11d0-a195-0020afd156e4},{bf963d80-c559-11d0-8a2b-00a0c9255ac1},c:\windows\inf\WDMAUDIO.inf,WDM_AEC.Interface.Install
mRunOnce: [WDM_SWMIDI0] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci.dll,streamingdevicesetup {6c1b9f60-c0a9-11d0-96d8-00aa0051e51d},{9b365890-165f-11d0-a195-0020afd156e4},{2eb07ea0-7e70-11d0-a5d6-28db04c10000},c:\windows\inf\WDMAUDIO.inf,WDM_SWMIDI.Interface.Install
mRunOnce: [WDM_SWMIDI1] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci.dll,streamingdevicesetup {6c1b9f60-c0a9-11d0-96d8-00aa0051e51d},{9b365890-165f-11d0-a195-0020afd156e4},{dff220f3-f70f-11d0-b917-00a0c9223196},c:\windows\inf\WDMAUDIO.inf,WDM_SWMIDI.Interface.Install
mRunOnce: [WDM_SWMIDI2] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci.dll,streamingdevicesetup {6c1b9f60-c0a9-11d0-96d8-00aa0051e51d},{9b365890-165f-11d0-a195-0020afd156e4},{6994ad04-93ef-11d0-a3cc-00a0c9223196},c:\windows\inf\WDMAUDIO.inf,WDM_SWMIDI.Interface.Install
mRunOnce: [WDM_WDMAUD] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci.dll,streamingdevicesetup {cd171de3-69e5-11d2-b56d-0000f8754380},{9b365890-165f-11d0-a195-0020afd156e4},{3e227e76-690d-11d2-8161-0000f8775bf1},c:\windows\inf\WDMAUDIO.inf,WDM_WDMAUD.Interface.Install
mRunOnce: [WDM_SPLITTER0] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci.dll,streamingdevicesetup {2f412ab5-ed3a-4590-ab24-b0ce2aa77d3c},{9b365890-165f-11d0-a195-0020afd156e4},{9ea331fa-b91b-45f8-9285-bd2bc77afcde},c:\windows\inf\WDMAUDIO.inf,WDM_SPLITTER.Interface.Install
mRunOnce: [WDM_SPLITTER1] "c:\program files\landesk\ldclient\softmon.exe" /r rundll32.exe streamci.dll,streamingdevicesetup {2f412ab5-ed3a-4590-ab24-b0ce2aa77d3c},{9b365890-165f-11d0-a195-0020afd156e4},{6994ad04-93ef-11d0-a3cc-00a0c9223196},c:\windows\inf\WDMAUDIO.inf,WDM_SPLITTER.Interface.Install
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\temp.bat
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ASWLNPkg
============= SERVICES / DRIVERS ===============
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-3 111184]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-3 20560]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2008-12-3 155160]
R2 CBA8;LANDesk(R) Management Agent;"c:\program files\landesk\shared files\residentagent.exe" [2006-11-21 122880]
R2 Softmon;LANDesk(R) Software Monitoring Service;"c:\program files\landesk\ldclient\softmon.exe" [2007-9-18 262144]
R2 SWIHPWMI;SWIHPWMI;c:\program files\hpq\shared\sierra wireless\win32\unicode\SWIHPWMI.exe [2006-12-4 292384]
R2 TmFilter;Trend Micro Filter;\??\c:\program files\trend micro\officescan client\TmXPFlt.sys [2007-6-12 203024]
R2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\trend micro\officescan client\TmPreFlt.sys [2007-6-12 36112]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2007-10-22 1489688]
R3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2008-12-3 254040]
R3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2008-12-3 352920]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\IFXTPM.SYS [2007-1-23 36608]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2007-9-18 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2007-9-18 3712]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2007-7-5 47616]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2007-4-25 25088]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-4-20 307984]
R3 TmPfw;OfficeScan NT Firewall;"c:\program files\trend micro\officescan client\TmPfw.exe" [2007-4-4 943696]
S2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2007-9-18 11904]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-4 38496]
S3 PCX500;Cisco Wireless LAN Adapters Driver;c:\windows\system32\drivers\pcx500.sys [2008-9-15 169984]
S3 TmProxy;OfficeScan NT Proxy Service;"c:\program files\trend micro\officescan client\TmProxy.exe" [2007-4-27 575064]
S3 TPPWRIF;TPPWRIF;\??\c:\documents and settings\all users\application data\vulscan\TPPWRIF.sys [2006-9-21 4442]
=============== Created Last 30 ================
2008-12-04 13:37 <DIR> a-dshr-- C:\cmdcons
2008-12-04 13:36 161,792 a------- c:\windows\SWREG.exe
2008-12-04 13:36 98,816 a------- c:\windows\sed.exe
2008-12-04 03:30 <DIR> --d----- c:\docume~1\instal~1\applic~1\Malwarebytes
2008-12-04 03:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-04 03:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 03:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 03:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-04 02:39 578,560 a------- c:\windows\system32\dllcache\user32.dll
2008-12-04 02:38 <DIR> --d----- c:\windows\ERUNT
2008-12-04 02:32 <DIR> --d----- C:\SDFix
2008-12-02 11:36 1,904 -------- c:\windows\system32\SetupBD.din
==================== Find3M ====================
2008-09-16 11:03 79,412 a------- c:\windows\hpfins05.dat
2008-09-15 15:34 1,452,592 a------- c:\windows\system32\ncscolib.dll
2008-08-14 06:27 3,125,248 a------- c:\program files\common files\sapxlhelper.dll
2008-08-14 06:27 1,229,312 a------- c:\program files\common files\SAPActiveXL_nosig.xlt
2008-08-14 06:27 1,167,872 a------- c:\program files\common files\SAPActiveXL.xlt
2008-08-14 06:27 626,688 a------- c:\program files\common files\sapconsaccess.dll
2008-08-14 06:27 192,512 a------- c:\program files\common files\sapconsr3.dll
2008-08-14 06:27 40,960 a------- c:\program files\common files\DigitalSignature.ocx
2008-07-21 14:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072120080722\index.dat
============= FINISH: 8:51:47.78 ===============
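Added example, not part of the original post, of DDS, or of any tool named in the log: a small Python triage script that reads the "Pseudo HJT Report" and "SERVICES / DRIVERS" line formats and flags the autostart entries a helper would want identified first. The sample input is a constructed subset of lines copied from the log above. The heuristics (a plain script in a Startup folder, an AppInit_DLLs value, a service or driver image under a user-writable profile directory, a .sys file outside %windir%) produce review items, not verdicts; the same log shows HP ProtectTools and LANDesk's vulScan.exe running, so a helper would check whether those explain the flagged files before treating any of them as the infection.

```python
"""Triage helper for DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines.

Added example; not part of the original post nor of DDS itself. A flag means
"ask what this is", not "this is malware": corporate security and management
suites routinely trip these heuristics on a clean build.
"""
import re

# Constructed subset of the DDS log in the post, lines copied verbatim.
SAMPLE_LOG = r"""
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\temp.bat
AppInit_DLLs: APSHook.dll
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-3 111184]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2008-12-3 155160]
S3 TPPWRIF;TPPWRIF;\??\c:\documents and settings\all users\application data\vulscan\TPPWRIF.sys [2006-9-21 4442]
"""

RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<link>.+?)(?: - (?P<target>.+))?$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[[^\]]*\]$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")

# Directories an ordinary user can write to. A service or driver image living
# here deserves a question; one in %windir%\system32\drivers usually does not.
PROFILE_HINTS = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\",
                 "\\applic~1\\", "\\local settings\\", "\\temp\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".pif", ".scr")


def normalize(path):
    """Strip DDS decoration (quotes, the \\??\\ NT prefix) and lowercase for matching."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def parse_line(line):
    """Turn one DDS line into an entry dict, or None for line types not handled here."""
    m = RUN_RE.match(line)
    if m:
        return {"kind": "run", "name": m["name"], "path": m["cmd"], "has_target": True}
    m = STARTUP_RE.match(line)
    if m:
        target = m["target"]
        return {"kind": "startup", "name": m["link"].rsplit("\\", 1)[-1],
                "path": target or m["link"], "has_target": target is not None}
    m = SVC_RE.match(line)
    if m:
        return {"kind": "service", "name": m["name"], "path": m["path"], "has_target": True}
    m = APPINIT_RE.match(line)
    if m:
        return {"kind": "appinit", "name": "AppInit_DLLs", "path": m["dlls"], "has_target": True}
    return None


def parse_report(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def reasons_for(entry):
    """Heuristic review reasons for one entry; an empty list means nothing stood out."""
    p = normalize(entry["path"])
    reasons = []
    if entry["kind"] == "startup" and p.endswith(SCRIPT_EXT):
        reasons.append("plain script in a Startup folder, runs at every logon")
    # A Startup folder is always under the profile, so only a real target
    # (or a non-startup entry) is checked against the profile directories.
    if entry["has_target"] and any(h in p for h in PROFILE_HINTS):
        reasons.append("image lives in a user-writable profile or application-data directory")
    if entry["kind"] == "service" and p.endswith(".sys") and "\\windows\\" not in p:
        reasons.append("kernel driver loaded from outside %windir%")
    if entry["kind"] == "appinit":
        reasons.append("AppInit_DLLs is set; this DLL is loaded into every process that links user32.dll")
    return reasons


def triage(text):
    """Entries with at least one review reason, in log order."""
    findings = []
    for entry in parse_report(text):
        reasons = reasons_for(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']}: {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the constructed sample, it reports three items: temp.bat in the All Users Startup folder, the APSHook.dll AppInit entry, and TPPWRIF.sys under Application Data (two reasons). Everything else in the sample, including the two avast entries and the Bluetooth tray shortcut, passes silently, which is the point: the script narrows a long DDS log to the handful of lines worth asking the poster about.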