Thread: Win32.Trojan.RX
View Single Post
Old 05-04-2007, 01:44 AM   #14 (permalink)
ThePaper88
Registered User
 
Join Date: Apr 2007
Posts: 15
OS: Windows XP


Re: Win32.Trojan.RX
Quote:
************************* Rustock.b-fix -- By ejvindh *************************
07-05-04 3:26:59.07

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
system32\lzx32.sys FOUND!
attempting to delete lzx32.sys from system32-folder


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************

Quote:
Logfile of HijackThis v1.99.1
Scan saved at 03:39, on 07-05-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\The Paper (Host)\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Quote:
"The Paper (Host)" - 07-05-04 3:41:33 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\PROGRA~1\MOZILL~1\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))


2007-05-04 03:33 <DIR> d-------- C:\avenger
2007-05-04 03:26 <DIR> d-------- C:\Rustbfix
2007-04-26 15:58 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-26 02:50 <DIR> d-------- C:\DOCUME~1\THEPAP~1\DoctorWeb
2007-04-26 02:48 <DIR> d-------- C:\WINDOWS\CSC
2007-04-25 17:31 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-25 16:41 <DIR> d-------- C:\Program Files\CCleaner
2007-04-24 17:14 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-23 23:31 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-04-23 23:31 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-04-23 23:31 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-04-23 23:31 <DIR> d-------- C:\Program Files\Alwil Software
2007-04-23 06:26 12 --a------ C:\WINDOWS\system32\sl.bin
2007-04-20 11:55 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-04-20 11:55 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-04-18 09:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-18 09:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-18 09:58 <DIR> d-------- C:\DOCUME~1\THEPAP~1\APPLIC~1\Lavasoft
2007-04-09 16:09 <DIR> d-------- C:\DOCUME~1\THEPAP~1\havenROp
2007-04-08 14:18 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-04-08 14:18 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-04-08 14:18 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-04-08 14:18 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-04-08 14:18 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-04-08 14:18 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-04-08 14:18 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-04-08 14:18 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-04-08 14:18 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-04-08 14:18 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-04-08 14:15 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-04-08 13:26 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-04-08 13:18 <DIR> d-------- C:\Program Files\Lineage II


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-18 14:01 -------- d-------- C:\Program Files\mirc
2007-04-08 13:18 -------- d--h----- C:\Program Files\installshield installation information
2007-04-03 19:24 -------- d-------- C:\DOCUME~1\THEPAP~1\APPLIC~1\ventrilo
2007-04-03 19:23 -------- d-------- C:\Program Files\ventrilo
2007-04-03 18:36 -------- d-------- C:\Program Files\silkroad
2007-03-28 00:43 -------- d-------- C:\Program Files\neat image
2007-03-23 17:31 1423 --a------ C:\WINDOWS\mozver.dat
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-08 06:14 -------- d-------- C:\DOCUME~1\THEPAP~1\APPLIC~1\vlc
2007-03-08 05:28 -------- d-------- C:\Program Files\videolan


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\Setup]
"Registrando Panda ActiveX"="C:\\WINDOWS\\system32\\regsvr32.exe /s C:\\WINDOWS\\system32\\ActiveScan\\as.dll"
"Registrando Panda Almacen"="C:\\WINDOWS\\system32\\regsvr32.exe /s C:\\WINDOWS\\system32\\ActiveScan\\pavpz.dll"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 03:43:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-04 3:43:26
C:\ComboFix-quarantined-files.txt ... 07-05-04 03:43
C:\ComboFix2.txt ... 07-04-27 15:26
C:\ComboFix3.txt ... 07-04-26 15:58
ThePaper88 is offline