06-25-2009, 06:34 AM   #1
brian14
Registered User
 
Join Date: Jun 2009
Posts: 9
OS: Win Xp SP2


Rootkit and Multiple problems

Hello All,

Firstly, I really appreciate all the folks who help us fix our computers. I badly need help with this thing going on on my PC. My PC was infected with the Systems Security spyware; I got rid of it by running Malwarebytes' Anti-Malware. After that my PC started showing the dreaded blue screen right after booting and logging in. It would then restart automatically, and I am not able to boot in normal mode. I can, however, boot in Safe Mode. In Safe Mode I ran McAfee, which found ntoksrnl-hook but could not delete it. Please help me here... Also, all my Google searches are being redirected to useless websites...

I have attached the needed logs (Attach.zip). The GMER scan said it found a rootkit. Here is how my DDS log looks:


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Administrator at 20:56:57.34 on Wed 06/24/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2586 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://www.yahoo.com/
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.pctools.com/en/spyware-doctor/purchase/?src=b13/?product=Spyware%20Doctor&subproduct=NRM&version=6%2E0%2E1%2E445&code=0%2D0%2D0%2D0&suversion=6%2E1%2E0%2E48&osversion=5%2E1%2E2600%2E2&osspack=Service%20Pack%202&sulang=en&platform=32
mSearchAssistant = hxxp://www.google.com/ie
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\javajre\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\javajre\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\javajre\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
BHO: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [NeroHomeFirstStart] c:\program files\common files\ahead\lib\NMFirstStart.exe
mRun: [lxcymon.exe] "c:\program files\lexmark 3400 series\lxcymon.exe"
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [V0330Mon.exe] c:\windows\V0330Mon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\javajre\bin\jusched.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - hxxp://www.loksatta.com/daily/dynamic/wfplayer/tdserver.cab
DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.6.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209857538140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/livetv.ocx
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_11/PCAXSetupv2.0.0.11.cab?
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {2A25946B-1BBA-4584-B0EC-DB1802D4378C} = 208.67.220.220,208.67.222.222
TCP: {74C6452B-2DE4-488B-99D5-5AA0DAFDA6C1} = 208.67.220.220,208.67.222.222
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\go333c~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\893h0tpe.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\javajre\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\javajre\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: i:\picasa\google\picasa3\npPicasa2.dll
FF - plugin: i:\picasa\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-3-15 40464]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-5-3 214024]
S2 gupdate1c98d81f432108;Google Update Service (gupdate1c98d81f432108);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
S2 jsr468ijdfghfjsw3rw3i6tjag80;jsr468ijdfghfjsw3rw3i6tjag80;c:\windows\jsr468ijdfghfjsw3rw3i6tjag81.exe [2009-6-20 12288]
S2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-9 210216]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-5-9 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-5-9 144704]
S2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 218136]
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\msrs10.mssqlserver\reporting services\reportserver\bin\ReportingServicesService.exe [2008-7-10 1106968]
S3 ABIT-IO;ABIT-IO;c:\program files\u-abit\abiteq\ABIT-IO.sys [2008-5-25 4608]
S3 ALLOW-IO;ALLOW-IO;\??\d:\allow-io.sys --> d:\ALLOW-IO.sys [?]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-5-9 606736]
S3 Memctl;Memctl;c:\program files\u-abit\flashmenu\MEMCTL.SYS [2008-5-25 4047]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-5-3 79880]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-5-3 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-5-3 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-5-3 40552]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 V0330VID;WebCam Vista/Live! Cam Chat;c:\windows\system32\drivers\V0330Vid.sys [2008-5-24 185183]
S4 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-3-14 30192]
S4 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\microsoft sql server\mssql10.mssqlserver\mssql\binn\fdlauncher.exe [2008-7-10 31256]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;i:\microsoft visual studio\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 Tomcat6;Apache Tomcat;c:\program files\apache software foundation\tomcat 6.0\bin\tomcat6.exe [2008-7-21 57344]

=============== Created Last 30 ================

2009-06-23 22:11 <DIR> --d----- C:\HijackThis
2009-06-23 07:42 0 a------- c:\windows\system32\cd.dat
2009-06-20 23:54 <DIR> --d----- c:\windows\IIS Temporary Compressed Files
2009-06-20 23:52 <DIR> --d----- C:\Inetpub
2009-06-20 23:44 1,089,601 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-20 20:43 <DIR> --d----- c:\docume~1\admini~1\applic~1\Subversion
2009-06-20 20:21 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-06-20 20:20 <DIR> --d----- c:\documents and settings\Administrator
2009-06-20 19:35 <DIR> --d----- c:\windows\pss
2009-06-20 19:03 12,288 a------- c:\windows\jsr468ijdfghfjsw3rw3i6tjag81.exe
2009-06-20 19:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\99516866
2009-06-20 19:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\19506874
2009-06-19 23:06 <DIR> --d----- c:\program files\Hotspot Shield
2009-06-14 22:06 50,200 a------- c:\windows\system32\perf-ReportServer-rsctr.dll
2009-06-14 22:03 50,200 a------- c:\windows\system32\perf-SQLSERVERAGENT-sqlagtctr10.0.1600.22.dll
2009-06-14 22:03 79,896 a------- c:\windows\system32\perf-MSSQLSERVER-sqlctr10.0.1600.22.dll
2009-06-14 21:48 <DIR> --d----- c:\program files\Microsoft Synchronization Services
2009-06-14 21:47 <DIR> --d----- c:\program files\Microsoft Analysis Services
2009-06-14 21:44 <DIR> --d----- c:\windows\system32\RsFx
2009-06-14 21:42 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-06-14 17:25 16,374 a------- c:\windows\system32\nmesrvc_core_2009_6_14_17_25_44.dmp
2009-06-14 17:11 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-14 17:10 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-14 17:10 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-14 17:10 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-14 17:10 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-06-14 17:10 117,760 -------- c:\windows\system32\prntvpt.dll
2009-06-14 17:10 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-06-14 17:10 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-06-14 17:10 <DIR> --d----- c:\windows\SxsCaPendDel
2009-06-14 17:07 <DIR> --d----- c:\program files\MSXML 6.0
2009-06-10 21:30 <DIR> --d----- c:\program files\iPod
2009-06-10 21:30 <DIR> --d----- c:\program files\iTunes
2009-06-06 23:24 24 a------- c:\windows\AM_D7.PRF
2009-06-06 17:31 <DIR> --d----- C:\spoolerlogs
2009-06-06 12:57 364,641,934 a------- C:\Vishwas Nangare Patil.avi
2009-05-29 18:11 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-26 14:38 0 a------- C:\csc
2009-05-26 14:37 186 a------- C:\Hello.cs
2009-05-26 13:42 <DIR> --d----- C:\such

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-10 12:04 286,720 -------- c:\windows\Setup1.exe
2009-05-10 12:03 73,216 a------- c:\windows\ST6UNST.EXE
2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-01 13:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 23:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 04:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 10:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-01-05 22:24 56 a--sh--- c:\docume~1\alluse~1\applic~1\dc64vg9.sys
2008-10-23 13:44 76,502,424 a------- c:\program files\jdk-6u10-windows-i586-p.exe
2008-10-23 13:18 16,156,056 a------- c:\program files\jre-6u10-windows-i586-p.exe
2007-12-21 14:12 1,719,336 a------- c:\docume~1\alluse~1\applic~1\YugmaSE-Uninstaller.exe
2008-10-26 00:03 900 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-14 18:23 1,004 a--sh--- c:\windows\system32\sys_drv.dat

============= FINISH: 21:00:32.39 ===============
Attached Files
File Type: zip Attach.zip (6.4 KB, 4 views)

Last edited by brian14; 06-25-2009 at 06:42 AM.