Tech Support Forum - View Single Post - persistent rootkit and messenger service pop-ups

dbstone · 02-18-2007, 01:07 PM

Hello,

ok. here are the logs I have. Unfortunately, i can't find a log for bfu. I've searched files and folders for c:\bfu\log.txt and found nothing. I also don't have a log for avg- it said there were no reports although it did find something that had backdoor in the name...and it deleted what it found rather than quaranteening them, even though my chosen action was to quaranteen per your instructions. Here's the logs I do have and hope their helpful.

SDFix: Version 1.66

Run by deborah stone - Sun 02/18/2007 @ 14:04:15.39

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX

Path:
"C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000144

Client IP-IPX Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\setup_57320.exe - Deleted
C:\WINDOWS\system32\TFTP2036 - Deleted
C:\WINDOWS\system32\TFTP3052 - Deleted
C:\WINDOWS\system32\TFTP3568 - Deleted
C:\WINDOWS\system32\TFTP3792 - Deleted
C:\WINDOWS\system32\TFTP396 - Deleted

ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\WINDOWS\system32\qirewt.exe
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\1.tmp
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2D.tmp
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\09a5679abc8f910f48af2100a235af8d\BIT1D.tmp

Add/Remove Programs List:

ATI Display Driver
AVG Anti-Spyware 7.5
EarthLink Software
hp instant support
HP Photo and Imaging 2.0 - hp officejet 6100 series
Lavasoft VX2 Cleaner
Mozilla Firefox (2.0.0.1)
Panda ActiveScan
Intel(R) PRO Ethernet Adapter and Software
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
Trend Micro PC-cillin Internet Security 2007
hp officejet 6100 series
EarthLink Spyware Blocker
ELNBonus
EarthLink Setup
EarthLink Redistributed
EarthLink FastLane
EarthLink Common
EarthLink Toolbar
HP Photo and Imaging 2.0 - All-in-One Drivers
Ad-Aware SE Personal
EarthLink Update Manager
EarthLink MailBox
HP Photo and Imaging 2.0 - All-in-One
EarthLink TaskPanel
HP Memories Disc
Microsoft XML Parser
Trend Micro PC-cillin Internet Security 2007
Dell ResourceCD
EarthLink IM
EarthLink Webspace
Deal Info
SoundMAX
EarthLink Accelerator

Finished

Logfile of HijackThis v1.99.1
Scan saved at 2:29:33 PM, on 2/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

thanks. I'll be staying offline as much as possible until I hear from you that I am cleared.

db

02-18-2007, 01:07 PM	#7 (permalink)
dbstone Registered User Join Date: Oct 2006 Posts: 79 OS: winxp	Hello, ok. here are the logs I have. Unfortunately, i can't find a log for bfu. I've searched files and folders for c:\bfu\log.txt and found nothing. I also don't have a log for avg- it said there were no reports although it did find something that had backdoor in the name...and it deleted what it found rather than quaranteening them, even though my chosen action was to quaranteen per your instructions. Here's the logs I do have and hope their helpful. SDFix: Version 1.66 Run by deborah stone - Sun 02/18/2007 @ 14:04:15.39 Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Name: Client IP-IPX Path: "C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000144 Client IP-IPX Deleted Restoring Windows Registry Entries Restoring Default Hosts File Rebooting... Normal Mode: Checking Files: Below files will be copied to Backups folder then removed: C:\WINDOWS\system32\i - Deleted C:\WINDOWS\system32\setup_57320.exe - Deleted C:\WINDOWS\system32\TFTP2036 - Deleted C:\WINDOWS\system32\TFTP3052 - Deleted C:\WINDOWS\system32\TFTP3568 - Deleted C:\WINDOWS\system32\TFTP3792 - Deleted C:\WINDOWS\system32\TFTP396 - Deleted ADS Check: C:\WINDOWS\system32 No streams found. Final Check: Remaining Services: ------------------ Remaining Files: --------------- Backups Folder: - C:\SDFix\backups\backups.zip Checking For Files with Hidden Attributes : C:\WINDOWS\system32\qirewt.exe C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\1.tmp C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2D.tmp C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E.tmp C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\09a5679abc8f910f48af2100a235af8d\BIT1D.tmp Add/Remove Programs List: ATI Display Driver AVG Anti-Spyware 7.5 EarthLink Software hp instant support HP Photo and Imaging 2.0 - hp officejet 6100 series Lavasoft VX2 Cleaner Mozilla Firefox (2.0.0.1) Panda ActiveScan Intel(R) PRO Ethernet Adapter and Software Spybot - Search & Destroy 1.4 SpywareBlaster v3.5.1 SpywareGuard v2.2 Trend Micro PC-cillin Internet Security 2007 hp officejet 6100 series EarthLink Spyware Blocker ELNBonus EarthLink Setup EarthLink Redistributed EarthLink FastLane EarthLink Common EarthLink Toolbar HP Photo and Imaging 2.0 - All-in-One Drivers Ad-Aware SE Personal EarthLink Update Manager EarthLink MailBox HP Photo and Imaging 2.0 - All-in-One EarthLink TaskPanel HP Memories Disc Microsoft XML Parser Trend Micro PC-cillin Internet Security 2007 Dell ResourceCD EarthLink IM EarthLink Webspace Deal Info SoundMAX EarthLink Accelerator Finished Logfile of HijackThis v1.99.1 Scan saved at 2:29:33 PM, on 2/18/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\HijackThis\hijackthis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: officejet 6100.lnk = ? O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe thanks. I'll be staying offline as much as possible until I hear from you that I am cleared. db