Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 - jpscloud - 10-03-2009, 03:39 AM
Registered User | Join Date: Oct 2009 | Location: Cheshire | Posts: 18 | OS: Windows XP Service Pack 3 v.3264
hacktool.rootkit problem

Hi, I'll try not to clutter this up with too much irrelevant stuff but... I'm on a computer borrowed from my Dad while my laptop is in for repair. When I was checking this computer out to borrow, I noticed that my Dad's version of NAV (fully updated, integral to his broadband package) was blocking hacktool.rootkit activity with the message "resolved" but there isn't any deletion or clean up advice. As I do more in the way of things like online banking than my Dad does, I would like to ask advice before risking it!

Reading a bit online and on your forum, I've seen that it takes quite a bit of effort to remove it, so could I ask for your help? My expertise with this stuff would leave quite a bit of room if written on your average postage stamp.

Is this computer badly compromised? I don't know the level of risk I'm under at the moment. Would NAV be stopping anything getting in/out when it says "blocked"?

I have installed a new copy of NAV 2009, switched off system restore and run a full system scan which only found 1 tracking cookie, nothing to do with hacktool.rootkit though. I've switched system restore back on for now.

Grateful thanks in advance for any help.
#2 - tetonbob - 10-05-2009, 09:55 AM
Manager, Security Center, TSF Academy; Analyst, Security Team | Join Date: Jan 2005 | Location: Transylvania County, North Carolina, USA | Posts: 35,682 | OS: 2000 Pro; XP Pro; XP Home
Re: hacktool.rootkit problem

Hello, and welcome to the forums.

While you've tried to provide a detailed assessment of your issue, you've not provided the logs we need to perform an analysis of the machine.

Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, please post the requested logs.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.


Also, are you still being notified about hacktool.rootkit? If so, is a file name, full path to the file, or registry location given?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
#3 - jpscloud - 10-05-2009, 12:00 PM
Registered User | Join Date: Oct 2009 | Location: Cheshire | Posts: 18 | OS: Windows XP Service Pack 3 v.3264
Re: hacktool.rootkit problem

Hi tetonbob, sorry for being a dimwit there. I've run DDS and GMER now; here is the DDS log, and I hope I have correctly attached the two zip files. Please note that I do not have a Windows install disc or boot CD.

Edit: I haven't seen any more alerts at all.

DDS (Ver_09-09-29.01) - NTFSx86
Run by Jean at 18:44:05.01 on 05/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.194 [GMT 1:00]

AV: Norton Internet Security Online *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security Online *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE
C:\Documents and Settings\Jean\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/
mSearch Bar =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.7.2.11\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.7.2.11\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus SX200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S11B.tmp" /EF "HKCU"
uRun: [EPSON Stylus SX200 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S240.tmp" /EF "HKCU"
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171838390625
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.7.2.11\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = :\windows\syste scecli

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-30 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-30 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-30 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090916.003\IDSXpx86.sys [2009-9-29 329080]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-9-27 58856]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-9-27 333928]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-9-30 117640]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-9-27 967912]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-29 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091004.019\NAVENG.SYS [2009-10-5 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091004.019\NAVEX15.SYS [2009-10-5 1323568]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-12 133104]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-11-5 14336]

=============== Created Last 30 ================

2009-10-05 09:11 <DIR> --d----- c:\docume~1\jean\applic~1\Trusteer
2009-10-05 09:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trusteer
2009-10-05 09:11 <DIR> --d----- c:\program files\Trusteer
2009-10-03 16:44 <DIR> --d----- C:\.jagex_cache_32
2009-10-03 12:26 <DIR> --d----- c:\program files\MSECache
2009-10-03 12:26 <DIR> --d----- C:\3f140d0c1bc7e7a49e4ff00f6af7f03e
2009-10-03 11:49 32,656 a------- c:\windows\system32\msonpmon.dll
2009-10-02 20:11 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-01 23:47 8,192 a------- c:\windows\system32\E_DCINST.DLL
2009-10-01 23:47 86,528 a------- c:\windows\system32\E_FLBEFE.DLL
2009-10-01 23:47 78,848 a------- c:\windows\system32\E_FD4BEFE.DLL
2009-10-01 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EPSON
2009-10-01 23:19 <DIR> --d----- c:\docume~1\jean\applic~1\Blitware
2009-10-01 07:31 <DIR> --dsh--- c:\documents and settings\jean\IECompatCache
2009-09-29 22:49 <DIR> --d----- c:\windows\.jagex_cache_32
2009-09-29 22:43 <DIR> --dsh--- c:\documents and settings\jean\PrivacIE
2009-09-29 22:37 <DIR> --dsh--- c:\documents and settings\jean\IETldCache
2009-09-29 22:37 <DIR> --d----- c:\documents and settings\Jean
2009-09-29 22:05 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-09-29 22:05 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-29 22:05 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-09-29 22:05 7,456 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-29 22:05 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-29 22:05 <DIR> --d----- c:\program files\Symantec
2009-09-29 22:04 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-09-29 22:02 <DIR> --d----- c:\program files\NortonInstaller
2009-09-29 18:37 <DIR> --d----- c:\program files\common files\SupportSoft
2009-09-28 17:10 25 a------- c:\windows\mixerdef.ini
2009-09-28 16:08 135,168 a----r-- c:\windows\cmuninst.dat
2009-09-28 16:08 39,279 a----r-- c:\windows\cmijack.dat
2009-09-28 16:08 23,041 a----r-- c:\windows\cmaudio.dat
2009-09-28 16:08 1,855,488 a----r-- c:\windows\mixer.exe
2009-09-28 16:08 139,264 a----r-- c:\windows\cmuninst.exe
2009-09-28 16:08 32,768 a----r-- c:\windows\system32\cmnprop.dll
2009-09-28 16:08 712,704 a------- c:\windows\system32\a3d.dll
2009-09-28 16:08 377,358 a----r-- c:\windows\system32\drivers\cmaudio.sys
2009-09-28 16:08 141,056 a------- c:\windows\system32\drivers\ks.sys
2009-09-28 16:08 23,552 a------- c:\windows\system32\wdmaud.drv
2009-09-28 16:07 146,048 a------- c:\windows\system32\drivers\portcls.sys
2009-09-28 16:07 4,096 a------- c:\windows\system32\ksuser.dll
2009-09-28 16:07 60,160 a------- c:\windows\system32\drivers\drmk.sys
2009-09-28 16:07 129,536 a------- c:\windows\system32\ksproxy.ax
2009-09-28 16:07 49,280 a------- c:\windows\system32\drivers\stream.sys
2009-09-07 09:00 <DIR> --d-h--- C:\BJPrinter
2009-09-06 16:26 230,912 a------- c:\windows\system32\CNMLM99.DLL
2009-09-06 16:23 <DIR> --d----- c:\program files\Canon

==================== Find3M ====================

2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2004-08-26 13:57 1,341,964 a------- c:\program files\20040607-049-i32-4.zip
2004-06-22 09:37 5,080,463 a------- c:\program files\20040621-038-i32.exe
2004-06-21 09:24 5,076,601 a------- c:\program files\20040620-009-i32.exe
2004-06-20 09:30 5,075,584 a------- c:\program files\20040619-019-i32.exe
2004-06-19 15:33 5,071,467 a------- c:\program files\20040618-017-i32.exe
2004-06-19 15:09 2,150,574 a------- c:\program files\aaw6181.exe
2004-06-12 15:53 5,046,191 a------- c:\program files\20040611-034-i32.exe
2004-06-11 14:42 5,042,972 a------- c:\program files\20040610-050-i32.exe
2004-06-09 17:22 5,033,123 a------- c:\program files\20040608-017-i32.exe
2004-06-09 11:43 8,083,812 a------- c:\program files\20040608-017-x86.exe
2004-06-09 11:33 1,354,754 a------- c:\program files\20040608-017-i32-3.zip
2004-06-09 11:30 988,187 a------- c:\program files\20040608-017-i32-1.exe
2004-06-08 15:08 1,353,116 a------- c:\program files\20040607-049-i32-3.zip
2004-06-08 15:05 988,194 a------- c:\program files\20040607-049-i32-1.exe
2004-06-08 09:50 8,081,884 a------- c:\program files\20040607-049-x86.exe
2004-06-04 11:28 5,015,520 a------- c:\program files\20040603-023-i32.exe
2004-05-05 09:16 4,269,999 a------- c:\program files\DeepsightExtractorInstaller43.zip
2004-05-04 09:40 4,924,630 a------- c:\program files\20040503-022-i32.exe
2004-03-20 19:21 6,279,168 a------- c:\program files\perf1250_win_5.7f_en.exe
2004-03-14 12:51 156,575 a------- c:\program files\USBAutoConnect.pdf
2004-06-19 14:21 32 a--sh--- c:\windows\{0B06D52B-FFD3-4BC7-BF7B-02A0F929F337}.dat
2004-06-19 14:33 32 a--sh--- c:\windows\{1119D324-D6F4-49A6-877B-2C2DAC3D68F2}.dat
2004-06-19 14:25 32 a--sh--- c:\windows\{95E96DDB-BB3E-4F9B-916B-061AE16D3BF1}.dat
2004-06-19 14:29 32 a--sh--- c:\windows\{EE050C43-B783-4171-94D6-4B5C007E1F79}.dat
2004-06-19 14:33 32 a--sh--- c:\windows\system32\{133B3A97-E375-4100-A474-62929FCEEC73}.dat
2004-06-19 14:29 32 a--sh--- c:\windows\system32\{32933A03-82C1-4B6F-8B0D-BCF1CB9AC277}.dat
2004-06-19 14:21 32 a--sh--- c:\windows\system32\{66547357-FAAF-4F5B-88AC-D1DE88FF3CCE}.dat
2004-06-19 14:25 32 a--sh--- c:\windows\system32\{C6137A5F-FAD2-425A-B645-B3152D53BB0C}.dat
2008-01-16 21:01 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-01-16 21:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011620080117\index.dat
2007-09-18 09:08 16,384 a--sh--- c:\windows\temp\cookies\index.dat

============= FINISH: 18:44:41.03 ===============
Attached Files
File Type: zip Attach.zip (2.9 KB, 1 views)
File Type: zip ark.zip (47.0 KB, 1 views)

#4 - tetonbob - 10-05-2009, 01:55 PM
Manager, Security Center, TSF Academy; Analyst, Security Team | Join Date: Jan 2005 | Location: Transylvania County, North Carolina, USA | Posts: 35,682 | OS: 2000 Pro; XP Pro; XP Home
Re: hacktool.rootkit problem

Hi jpscloud -

It's not a problem, we realize forums are new to many of our members.

Looks like there's a trace element, but no active infection. This next step involves editing the registry. Before editing the registry, it's a good idea to create a backup.

Please download & install - ERUNT (This is a utility that'll replicate a copy of your Registry)
  1. Start ERUNT, confirm the Welcome message.

  2. Next, select the backup options:

    • System registry
    • Current User Registry
    • Other open user registry

  3. Click "OK" and wait until the backup process is complete. (Note that depending on your system configuration this may take some time, and that the first bar is NOT a progress bar, just an indicator that the program is still running.)
Note: To ensure proper operation of ERUNT, you should be logged in as a system administrator.

==================================

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
Save the file as "fix.reg". Make sure to save it with the quotes. It should look like this:

[screenshot of the Notepad "Save As" dialog not reproduced]
Close Notepad.

Double click on the fix.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Let's see if there are any remnants...

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

Also post a new set of logs from DDS.

Also... do you know what these .exe files are for? Examples (there are several others showing in the logs): they're likely too large to be malware; it's just that Program Files is an odd place to have .exe files loose. They're usually in a sub-folder of the application which created them.

2004-06-22 09:37 5,080,463 a------- c:\program files\20040621-038-i32.exe
2004-06-21 09:24 5,076,601 a------- c:\program files\20040620-009-i32.exe
2004-06-20 09:30 5,075,584 a------- c:\program files\20040619-019-i32.exe
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
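The DDS line "LSA: Notification Packages = :\windows\syste scecli" and the fix.reg above concern the same registry value. That value lists DLLs LSASS loads at boot as password-change notification packages, so a stray entry there is a classic persistence and credential-capture foothold, which is why it is worth cleaning even with no active infection. The script below is an added example written for this page; it is not code from the thread, from DDS, or from any Symantec or Malwarebytes tool. It decodes and re-encodes the REGEDIT4 hex(7) payload so you can verify exactly what fix.reg writes, and audits the entries DDS printed against a small allowlist. Assumptions: DDS separates the multi-string entries with spaces (so an entry containing a space would be split), REGEDIT4 hex(7) data is ANSI (single-byte) rather than the UTF-16 used by "Windows Registry Editor Version 5.00" files, and the allowlist (scecli, plus rassfm on servers) is the editor's, not the forum's.

```python
"""Audit an LSA "Notification Packages" value as seen in a DDS log line,
and round-trip the REGEDIT4 hex(7) form used by fix.reg.
Added example; not part of the original thread or any tool it names."""
from __future__ import annotations
import re

# Assumption: on XP-era Windows the only Microsoft-registered packages are
# scecli (all editions) and rassfm (servers). Anything else needs a look.
KNOWN_GOOD = {"scecli", "rassfm"}

DDS_LSA_RE = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(.*)$")


def decode_hex7(hex_bytes: str) -> list[str]:
    """Decode a REGEDIT4 hex(7) (REG_MULTI_SZ) payload into its strings.
    REGEDIT4 stores ANSI bytes: NUL-terminated strings, then one extra NUL."""
    raw = bytes(int(b, 16) for b in hex_bytes.split(",") if b.strip())
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def encode_hex7(entries: list[str]) -> str:
    """Produce the REGEDIT4 hex(7) encoding for a list of strings,
    i.e. the form that belongs on the "Notification Packages"= line."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in entries) + b"\x00"
    return ",".join(f"{b:02x}" for b in raw)


def parse_dds_lsa_line(line: str) -> list[str]:
    """Split a DDS 'LSA: Notification Packages = ...' line into entries.
    Assumption: DDS prints the multi-string entries separated by spaces."""
    m = DDS_LSA_RE.match(line.strip())
    if not m:
        raise ValueError("not an LSA Notification Packages line")
    return m.group(1).split()


def audit(entries: list[str]) -> list[str]:
    """Return one finding per entry that is not a bare, known-good DLL name.
    LSASS loads each listed DLL from System32 at boot, so a path-like or
    unknown entry is either corruption (as in the log above) or a planted
    package that would see every password change in clear text."""
    findings = []
    for entry in entries:
        if entry.lower() in KNOWN_GOOD:
            continue
        if any(ch in entry for ch in ":\\/"):
            findings.append(
                f"path-like entry {entry!r}: legitimate packages are bare "
                f"DLL base names resolved from System32")
        else:
            findings.append(
                f"unknown package {entry!r}: confirm the DLL exists in "
                f"System32 and carries a valid Microsoft signature")
    return findings


if __name__ == "__main__":
    # Constructed sample: the line exactly as it appears in the DDS log above.
    sample = r"LSA: Notification Packages = :\windows\syste scecli"
    for finding in audit(parse_dds_lsa_line(sample)):
        print("FINDING:", finding)
    # What fix.reg writes back, decoded, and the same list re-encoded.
    print(decode_hex7("73,63,65,63,6c,69,00,00"))
    print(encode_hex7(["scecli"]))
```

On a live machine the same check is a one-liner against HKLM\SYSTEM\CurrentControlSet\Control\Lsa, but reasoning from the DDS line is what the thread had to work with. Note that the fix.reg in the post resets the value to exactly one package; if a machine legitimately carries an extra package (rassfm on a server), that name must be included in the encoded list or the corresponding feature breaks.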
#5 - jpscloud - 10-05-2009, 03:09 PM
Registered User | Join Date: Oct 2009 | Location: Cheshire | Posts: 18 | OS: Windows XP Service Pack 3 v.3264
Re: hacktool.rootkit problem

Hi again. I'm sorry, but I don't have any idea about those large .exe files... this is my Dad's computer and he doesn't know either. I'm very grateful for your help cleaning it up.

Here is the MBAM log, followed by the DDS log with the other file attached:

Malwarebytes' Anti-Malware 1.41
Database version: 2910
Windows 5.1.2600 Service Pack 3, v.3264

05/10/2009 21:47:03
mbam-log-2009-10-05 (21-47-03).txt

Scan type: Quick Scan
Objects scanned: 115771
Time elapsed: 15 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.



DDS (Ver_09-09-29.01) - NTFSx86
Run by Jean at 21:54:11.93 on 05/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.131 [GMT 1:00]

AV: Norton Internet Security Online *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security Online *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jean\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/
mSearch Bar =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.7.2.11\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.7.2.11\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus SX200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S11B.tmp" /EF "HKCU"
uRun: [EPSON Stylus SX200 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S240.tmp" /EF "HKCU"
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171838390625
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.7.2.11\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-30 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-30 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-30 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090916.003\IDSXpx86.sys [2009-9-29 329080]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-9-27 58856]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-9-27 333928]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-9-30 117640]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-9-27 967912]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-29 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091005.003\NAVENG.SYS [2009-10-5 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091005.003\NAVEX15.SYS [2009-10-5 1323568]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-12 133104]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-11-5 14336]

=============== Created Last 30 ================

2009-10-05 21:24 <DIR> --d----- c:\docume~1\jean\applic~1\Malwarebytes
2009-10-05 21:24 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-05 21:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-05 21:24 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-05 21:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 09:11 <DIR> --d----- c:\docume~1\jean\applic~1\Trusteer
2009-10-05 09:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trusteer
2009-10-05 09:11 <DIR> --d----- c:\program files\Trusteer
2009-10-03 16:44 <DIR> --d----- C:\.jagex_cache_32
2009-10-03 12:26 <DIR> --d----- c:\program files\MSECache
2009-10-03 12:26 <DIR> --d----- C:\3f140d0c1bc7e7a49e4ff00f6af7f03e
2009-10-03 11:49 32,656 a------- c:\windows\system32\msonpmon.dll
2009-10-02 20:11 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-01 23:47 8,192 a------- c:\windows\system32\E_DCINST.DLL
2009-10-01 23:47 86,528 a------- c:\windows\system32\E_FLBEFE.DLL
2009-10-01 23:47 78,848 a------- c:\windows\system32\E_FD4BEFE.DLL
2009-10-01 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EPSON
2009-10-01 23:19 <DIR> --d----- c:\docume~1\jean\applic~1\Blitware
2009-10-01 07:31 <DIR> --dsh--- c:\documents and settings\jean\IECompatCache
2009-09-29 22:49 <DIR> --d----- c:\windows\.jagex_cache_32
2009-09-29 22:43 <DIR> --dsh--- c:\documents and settings\jean\PrivacIE
2009-09-29 22:37 <DIR> --dsh--- c:\documents and settings\jean\IETldCache
2009-09-29 22:37 <DIR> --d----- c:\documents and settings\Jean
2009-09-29 22:05 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-09-29 22:05 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-29 22:05 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-09-29 22:05 7,456 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-29 22:05 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-29 22:05 <DIR> --d----- c:\program files\Symantec
2009-09-29 22:04 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-09-29 22:02 <DIR> --d----- c:\program files\NortonInstaller
2009-09-29 18:37 <DIR> --d----- c:\program files\common files\SupportSoft
2009-09-28 17:10 25 a------- c:\windows\mixerdef.ini
2009-09-28 16:08 135,168 a----r-- c:\windows\cmuninst.dat
2009-09-28 16:08 39,279 a----r-- c:\windows\cmijack.dat
2009-09-28 16:08 23,041 a----r-- c:\windows\cmaudio.dat
2009-09-28 16:08 1,855,488 a----r-- c:\windows\mixer.exe
2009-09-28 16:08 139,264 a----r-- c:\windows\cmuninst.exe
2009-09-28 16:08 32,768 a----r-- c:\windows\system32\cmnprop.dll
2009-09-28 16:08 712,704 a------- c:\windows\system32\a3d.dll
2009-09-28 16:08 377,358 a----r-- c:\windows\system32\drivers\cmaudio.sys
2009-09-28 16:08 141,056 a------- c:\windows\system32\drivers\ks.sys
2009-09-28 16:08 23,552 a------- c:\windows\system32\wdmaud.drv
2009-09-28 16:07 146,048 a------- c:\windows\system32\drivers\portcls.sys
2009-09-28 16:07 4,096 a------- c:\windows\system32\ksuser.dll
2009-09-28 16:07 60,160 a------- c:\windows\system32\drivers\drmk.sys
2009-09-28 16:07 129,536 a------- c:\windows\system32\ksproxy.ax
2009-09-28 16:07 49,280 a------- c:\windows\system32\drivers\stream.sys
2009-09-07 09:00 <DIR> --d-h--- C:\BJPrinter
2009-09-06 16:26 230,912 a------- c:\windows\system32\CNMLM99.DLL
2009-09-06 16:23 <DIR> --d----- c:\program files\Canon

==================== Find3M ====================

2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2004-08-26 13:57 1,341,964 a------- c:\program files\20040607-049-i32-4.zip
2004-06-22 09:37 5,080,463 a------- c:\program files\20040621-038-i32.exe
2004-06-21 09:24 5,076,601 a------- c:\program files\20040620-009-i32.exe
2004-06-20 09:30 5,075,584 a------- c:\program files\20040619-019-i32.exe
2004-06-19 15:33 5,071,467 a------- c:\program files\20040618-017-i32.exe
2004-06-19 15:09 2,150,574 a------- c:\program files\aaw6181.exe
2004-06-12 15:53 5,046,191 a------- c:\program files\20040611-034-i32.exe
2004-06-11 14:42 5,042,972 a------- c:\program files\20040610-050-i32.exe
2004-06-09 17:22 5,033,123 a------- c:\program files\20040608-017-i32.exe
2004-06-09 11:43 8,083,812 a------- c:\program files\20040608-017-x86.exe
2004-06-09 11:33 1,354,754 a------- c:\program files\20040608-017-i32-3.zip
2004-06-09 11:30 988,187 a------- c:\program files\20040608-017-i32-1.exe
2004-06-08 15:08 1,353,116 a------- c:\program files\20040607-049-i32-3.zip
2004-06-08 15:05 988,194 a------- c:\program files\20040607-049-i32-1.exe
2004-06-08 09:50 8,081,884 a------- c:\program files\20040607-049-x86.exe
2004-06-04 11:28 5,015,520 a------- c:\program files\20040603-023-i32.exe
2004-05-05 09:16 4,269,999 a------- c:\program files\DeepsightExtractorInstaller43.zip
2004-05-04 09:40 4,924,630 a------- c:\program files\20040503-022-i32.exe
2004-03-20 19:21 6,279,168 a------- c:\program files\perf1250_win_5.7f_en.exe
2004-03-14 12:51 156,575 a------- c:\program files\USBAutoConnect.pdf
2004-06-19 14:21 32 a--sh--- c:\windows\{0B06D52B-FFD3-4BC7-BF7B-02A0F929F337}.dat
2004-06-19 14:33 32 a--sh--- c:\windows\{1119D324-D6F4-49A6-877B-2C2DAC3D68F2}.dat
2004-06-19 14:25 32 a--sh--- c:\windows\{95E96DDB-BB3E-4F9B-916B-061AE16D3BF1}.dat
2004-06-19 14:29 32 a--sh--- c:\windows\{EE050C43-B783-4171-94D6-4B5C007E1F79}.dat
2004-06-19 14:33 32 a--sh--- c:\windows\system32\{133B3A97-E375-4100-A474-62929FCEEC73}.dat
2004-06-19 14:29 32 a--sh--- c:\windows\system32\{32933A03-82C1-4B6F-8B0D-BCF1CB9AC277}.dat
2004-06-19 14:21 32 a--sh--- c:\windows\system32\{66547357-FAAF-4F5B-88AC-D1DE88FF3CCE}.dat
2004-06-19 14:25 32 a--sh--- c:\windows\system32\{C6137A5F-FAD2-425A-B645-B3152D53BB0C}.dat
2008-01-16 21:01 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-01-16 21:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011620080117\index.dat
2007-09-18 09:08 16,384 a--sh--- c:\windows\temp\cookies\index.dat

============= FINISH: 21:55:17.12 ===============



I will be heading for bed soon, as it's getting late here, so I will look for your reply first thing in the morning as long as I'm not called out. If I am called out it will be in the afternoon (your morning!).

Thanks again for all the help you're giving us!
Attached Files
File Type: zip Attach.zip (2.9 KB, 0 views)

Last edited by jpscloud; 10-05-2009 at 03:11 PM.
jpscloud is offline  
Old 10-05-2009, 04:01 PM   #6
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home


Re: hacktool.rootkit problem

Cheers, I'm happy to help.

Just out of curiosity, can you zip up one of those exe files, such as this one?

c:\program files\20040620-009-i32.exe

We can do so this way...

Open notepad and copy/paste the text in the codebox below into it:

Code:
@echo off
REM Needs a command-line "zip" tool (e.g. Info-ZIP) on the PATH; Windows XP does not ship one.
REM Without it, cmd reports that zip is not recognised, the window closes and no archive appears.
for %%g in (

"c:\program files\20040620-009-i32.exe"

) do zip Files_for_submission %%g
REM Remove this batch file once the archive has been written.
del %0
Save this as grab.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this:
Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop. Please upload that file here:

http://www.bleepingcomputer.com/subm...php?channel=28


In the Link to topic where this file was requested: area, copy and paste this :


http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/419204-hacktool-rootkit-problem.html

Once it shows:
Quote:
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
Close the site and let me know.

If it's more than 3MB in size, it may not upload, in which case we can use this next site so I can get a look at the file. I don't think they are malicious; again, I'm just curious.



Please visit TheSpyKillers forum HERE

Read the first topic for instructions on uploading files then start a new Topic, post a link to this thread and upload the requested Files_for_submission.zip archive from your desktop. Please title the topic "File for tetonbob" and copy/paste the link to that new topic back here.

Thanks.

Also, please reboot the machine once, and after it's loaded the desktop again, run DDS once more. All I need to see is that new dds.txt.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 10-06-2009, 01:42 AM   #7
Registered User
 
Join Date: Oct 2009
Location: Cheshire
Posts: 18
OS: Windows XP Service Pack 3 v.3264


Re: hacktool.rootkit problem

Hi, I followed your instructions to create grab.bat, but when I double click that, it flashes up a small black window which immediately disappears, but no file is produced. I checked and there wasn't anything running in processes (I tried three times, the last time with nav and rapport off).


DDS (Ver_09-09-29.01) - NTFSx86
Run by Jean at 8:33:02.42 on 06/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.128 [GMT 1:00]

AV: Norton Internet Security Online *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security Online *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jean\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/
mSearch Bar =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.7.2.11\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.7.2.11\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus SX200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S11B.tmp" /EF "HKCU"
uRun: [EPSON Stylus SX200 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S240.tmp" /EF "HKCU"
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171838390625
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.7.2.11\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-30 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-30 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-30 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090916.003\IDSXpx86.sys [2009-9-29 329080]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-9-27 58856]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-9-27 333928]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-9-30 117640]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-9-27 967912]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-29 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091005.040\NAVENG.SYS [2009-10-6 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091005.040\NAVEX15.SYS [2009-10-6 1323568]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-12 133104]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-11-5 14336]

=============== Created Last 30 ================

2009-10-05 21:24 <DIR> --d----- c:\docume~1\jean\applic~1\Malwarebytes
2009-10-05 21:24 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-05 21:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-05 21:24 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-05 21:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 09:11 <DIR> --d----- c:\docume~1\jean\applic~1\Trusteer
2009-10-05 09:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trusteer
2009-10-05 09:11 <DIR> --d----- c:\program files\Trusteer
2009-10-03 16:44 <DIR> --d----- C:\.jagex_cache_32
2009-10-03 12:26 <DIR> --d----- c:\program files\MSECache
2009-10-03 12:26 <DIR> --d----- C:\3f140d0c1bc7e7a49e4ff00f6af7f03e
2009-10-03 11:49 32,656 a------- c:\windows\system32\msonpmon.dll
2009-10-02 20:11 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-01 23:47 8,192 a------- c:\windows\system32\E_DCINST.DLL
2009-10-01 23:47 86,528 a------- c:\windows\system32\E_FLBEFE.DLL
2009-10-01 23:47 78,848 a------- c:\windows\system32\E_FD4BEFE.DLL
2009-10-01 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EPSON
2009-10-01 23:19 <DIR> --d----- c:\docume~1\jean\applic~1\Blitware
2009-10-01 07:31 <DIR> --dsh--- c:\documents and settings\jean\IECompatCache
2009-09-29 22:49 <DIR> --d----- c:\windows\.jagex_cache_32
2009-09-29 22:43 <DIR> --dsh--- c:\documents and settings\jean\PrivacIE
2009-09-29 22:37 <DIR> --dsh--- c:\documents and settings\jean\IETldCache
2009-09-29 22:37 <DIR> --d----- c:\documents and settings\Jean
2009-09-29 22:05 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-09-29 22:05 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-29 22:05 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-09-29 22:05 7,456 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-29 22:05 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-29 22:05 <DIR> --d----- c:\program files\Symantec
2009-09-29 22:04 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-09-29 22:02 <DIR> --d----- c:\program files\NortonInstaller
2009-09-29 18:37 <DIR> --d----- c:\program files\common files\SupportSoft
2009-09-28 17:10 25 a------- c:\windows\mixerdef.ini
2009-09-28 16:08 135,168 a----r-- c:\windows\cmuninst.dat
2009-09-28 16:08 39,279 a----r-- c:\windows\cmijack.dat
2009-09-28 16:08 23,041 a----r-- c:\windows\cmaudio.dat
2009-09-28 16:08 1,855,488 a----r-- c:\windows\mixer.exe
2009-09-28 16:08 139,264 a----r-- c:\windows\cmuninst.exe
2009-09-28 16:08 32,768 a----r-- c:\windows\system32\cmnprop.dll
2009-09-28 16:08 712,704 a------- c:\windows\system32\a3d.dll
2009-09-28 16:08 377,358 a----r-- c:\windows\system32\drivers\cmaudio.sys
2009-09-28 16:08 141,056 a------- c:\windows\system32\drivers\ks.sys
2009-09-28 16:08 23,552 a------- c:\windows\system32\wdmaud.drv
2009-09-28 16:07 146,048 a------- c:\windows\system32\drivers\portcls.sys
2009-09-28 16:07 4,096 a------- c:\windows\system32\ksuser.dll
2009-09-28 16:07 60,160 a------- c:\windows\system32\drivers\drmk.sys
2009-09-28 16:07 129,536 a------- c:\windows\system32\ksproxy.ax
2009-09-28 16:07 49,280 a------- c:\windows\system32\drivers\stream.sys
2009-09-07 09:00 <DIR> --d-h--- C:\BJPrinter
2009-09-06 16:26 230,912 a------- c:\windows\system32\CNMLM99.DLL
2009-09-06 16:23 <DIR> --d----- c:\program files\Canon

==================== Find3M ====================

2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2004-08-26 13:57 1,341,964 a------- c:\program files\20040607-049-i32-4.zip
2004-06-22 09:37 5,080,463 a------- c:\program files\20040621-038-i32.exe
2004-06-21 09:24 5,076,601 a------- c:\program files\20040620-009-i32.exe
2004-06-20 09:30 5,075,584 a------- c:\program files\20040619-019-i32.exe
2004-06-19 15:33 5,071,467 a------- c:\program files\20040618-017-i32.exe
2004-06-19 15:09 2,150,574 a------- c:\program files\aaw6181.exe
2004-06-12 15:53 5,046,191 a------- c:\program files\20040611-034-i32.exe
2004-06-11 14:42 5,042,972 a------- c:\program files\20040610-050-i32.exe
2004-06-09 17:22 5,033,123 a------- c:\program files\20040608-017-i32.exe
2004-06-09 11:43 8,083,812 a------- c:\program files\20040608-017-x86.exe
2004-06-09 11:33 1,354,754 a------- c:\program files\20040608-017-i32-3.zip
2004-06-09 11:30 988,187 a------- c:\program files\20040608-017-i32-1.exe
2004-06-08 15:08 1,353,116 a------- c:\program files\20040607-049-i32-3.zip
2004-06-08 15:05 988,194 a------- c:\program files\20040607-049-i32-1.exe
2004-06-08 09:50 8,081,884 a------- c:\program files\20040607-049-x86.exe
2004-06-04 11:28 5,015,520 a------- c:\program files\20040603-023-i32.exe
2004-05-05 09:16 4,269,999 a------- c:\program files\DeepsightExtractorInstaller43.zip
2004-05-04 09:40 4,924,630 a------- c:\program files\20040503-022-i32.exe
2004-03-20 19:21 6,279,168 a------- c:\program files\perf1250_win_5.7f_en.exe
2004-03-14 12:51 156,575 a------- c:\program files\USBAutoConnect.pdf
2004-06-19 14:21 32 a--sh--- c:\windows\{0B06D52B-FFD3-4BC7-BF7B-02A0F929F337}.dat
2004-06-19 14:33 32 a--sh--- c:\windows\{1119D324-D6F4-49A6-877B-2C2DAC3D68F2}.dat
2004-06-19 14:25 32 a--sh--- c:\windows\{95E96DDB-BB3E-4F9B-916B-061AE16D3BF1}.dat
2004-06-19 14:29 32 a--sh--- c:\windows\{EE050C43-B783-4171-94D6-4B5C007E1F79}.dat
2004-06-19 14:33 32 a--sh--- c:\windows\system32\{133B3A97-E375-4100-A474-62929FCEEC73}.dat
2004-06-19 14:29 32 a--sh--- c:\windows\system32\{32933A03-82C1-4B6F-8B0D-BCF1CB9AC277}.dat
2004-06-19 14:21 32 a--sh--- c:\windows\system32\{66547357-FAAF-4F5B-88AC-D1DE88FF3CCE}.dat
2004-06-19 14:25 32 a--sh--- c:\windows\system32\{C6137A5F-FAD2-425A-B645-B3152D53BB0C}.dat
2008-01-16 21:01 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-01-16 21:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011620080117\index.dat
2007-09-18 09:08 16,384 a--sh--- c:\windows\temp\cookies\index.dat

============= FINISH: 8:34:20.43 ===============
jpscloud is offline  
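The DDS logs above are what the helper reads by hand. As an added example (not part of the thread and not the DDS tool's own code), this Python script parses the "Created Last 30" and "Find3M" lines and lists the entries a helper checks first; the sample lines are copied from the log above, the cut-off time is the log's own run time, and the two triage rules are my own cues for a closer look, not verdicts.

```python
r"""Triage helper for the "Created Last 30" and "Find3M" sections of a DDS log.

Added example for this thread; it is not DDS's code and not from the forum.
It parses file lines of the form

    2009-10-05 21:24 38,224 a------- c:\windows\system32\drivers\mbam.sys
    2009-09-29 22:43 <DIR> --dsh--- c:\documents and settings\jean\PrivacIE

and lists kernel drivers created within the last 30 days and hidden+system
files under the Windows directory. Both are cues, not verdicts: index.dat,
for instance, is a normal Internet Explorer artefact.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied from the thread's DDS log.
SAMPLE_DDS = r"""
=============== Created Last 30 ================

2009-10-05 21:24 <DIR> --d----- c:\docume~1\jean\applic~1\Malwarebytes
2009-10-05 21:24 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-29 22:43 <DIR> --dsh--- c:\documents and settings\jean\PrivacIE
2009-09-29 22:05 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-09-28 16:08 377,358 a----r-- c:\windows\system32\drivers\cmaudio.sys

==================== Find3M ====================

2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2004-06-19 14:21 32 a--sh--- c:\windows\{0B06D52B-FFD3-4BC7-BF7B-02A0F929F337}.dat
2008-01-16 21:01 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat

============= FINISH: 8:34:20.43 ===============
"""

# When the log was generated ("Run by Jean at 8:33:02.42 on 06/10/2009").
DDS_RUN_TIME = datetime(2009, 10, 6, 8, 33)

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$",
    re.IGNORECASE,
)


@dataclass
class Entry:
    created: datetime
    size: Optional[int]   # None for directories
    attrs: str            # DDS attribute column, e.g. "a--sh---"
    path: str             # lower-cased for comparisons

    @property
    def is_dir(self) -> bool:
        return self.size is None

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_dds_files(text: str) -> List[Entry]:
    """Return every file/directory line; section headers and FINISH are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].upper() == "<DIR>" else int(m["size"].replace(",", ""))
        created = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        entries.append(Entry(created, size, m["attrs"].lower(), m["path"].lower()))
    return entries


def triage(entries: List[Entry], now: datetime, window_days: int = 30) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs worth a second look."""
    findings = []
    for e in entries:
        recent = now - e.created <= timedelta(days=window_days)
        if recent and e.path.endswith(".sys") and "\\drivers\\" in e.path:
            findings.append(("new-driver", e.path))
        if not e.is_dir and e.hidden and e.system and e.path.startswith("c:\\windows"):
            findings.append(("hidden-system-file", e.path))
    return findings


def example_findings() -> List[Tuple[str, str]]:
    return triage(parse_dds_files(SAMPLE_DDS), DDS_RUN_TIME)


if __name__ == "__main__":
    for reason, path in example_findings():
        print(f"{reason:20} {path}")
```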
Old 10-06-2009, 08:42 AM   #8
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home


Re: hacktool.rootkit problem

Hmmm, well, let's do it the old fashioned way.

Please navigate to the Program Files directory, locate one of those files, right click on it, and select Send To Compressed (Zipped) Folder. Submit the zip file created to one of the two sites provided.

Also, we need to fix another registry entry...there's a small bug in Malwarebytes' Anti-Malware which leaves a Run entry behind. This bug will be addressed in the next version update, but for now, we should remove the Run entry.

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Malwarebytes Anti-Malware (reboot)"=-
Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------
tetonbob is offline  
Old 10-06-2009, 11:14 AM   #9
Registered User
 
Join Date: Oct 2009
Location: Cheshire
Posts: 18
OS: Windows XP Service Pack 3 v.3264


Re: hacktool.rootkit problem

Hi tetonbob, I've submitted the zip file - it was more than 3MB but it was successfully submitted on the first link. I've done delete.reg (by the way, your instructions say be sure to save it with the quotation marks, but I take it that means the quotation marks in the notepad, not in the actual filename - it won't let me save with quotation marks in the filename. It worked just fine anyhow).
jpscloud is offline  
Old 10-06-2009, 01:24 PM   #10
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home


Re: hacktool.rootkit problem

Hi jpscloud -

I'm able to save a file with the quotemarks in the name. The reason we do that is so it actually creates a registry file rather than a .txt file. As with all things Windows, there are many ways to accomplish the same thing, however. If the file you created looked like the image I provided, and you were notified of a successful merge, then it worked just fine.


The file uploaded is a Norton/Symantec AntiVirus file (SARC Intelligent Updater); it has something to do with updates. As I believe it refers to an older version, now no longer installed, you can probably delete those files, or move them off the disk to storage, in case an application does really need them. At any rate, I don't believe any of those files to be malicious in nature; they are just taking up space.

All seems well from my end. How is the machine behaving?
tetonbob is offline  
Old 10-06-2009, 01:30 PM   #11
Registered User
 
Join Date: Oct 2009
Location: Cheshire
Posts: 18
OS: Windows XP Service Pack 3 v.3264


Re: hacktool.rootkit problem

Aha! I think that throws some light on where they came from. Dad's broadband provider lobs NAV in with the package, and it'll be something to do with that. I put a new copy of NAV 2009 on the computer while I borrowed it, because my broadband provider doesn't also provide NAV! If they're not doing any harm I'll leave them where they are.

There haven't been any more alerts since those I first saw - the machine is behaving fine. Is the infection cleaned up? You are a true hero!
jpscloud is offline  
Old 10-06-2009, 01:36 PM   #12
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home


Re: hacktool.rootkit problem

Cheers!

It would be a good idea to run an online scan to help ensure there is nothing lingering....

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
tetonbob is offline  
Old 10-07-2009, 10:35 AM   #13
Registered User
 
Join Date: Oct 2009
Location: Cheshire
Posts: 18
OS: Windows XP Service Pack 3 v.3264


Re: hacktool.rootkit problem

Hi, just to let you know I'm getting the scan done as soon as I can - was halfway through this morning when we had a power cut!
jpscloud is offline  
Old 10-07-2009, 11:25 AM   #14
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home


Re: hacktool.rootkit problem

Sorry to hear that, and thanks for letting me know.
tetonbob is offline  
Old 10-07-2009, 11:33 AM   #15
Registered User
 
Join Date: Oct 2009
Location: Cheshire
Posts: 18
OS: Windows XP Service Pack 3 v.3264


Re: hacktool.rootkit problem

Hi, here is the log. It says it found a trojan.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
esets_scanner_update returned -1 esets_gle=53251
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=604341203df5b34189e83a6261003783
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-07 08:13:59
# local_time=2009-10-07 09:13:59 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3, v.3264
# compatibility_mode=3588 21 100 96 6103121406250
# compatibility_mode=5889 61 66 100 923248838437500
# scanned=30503
# found=2
# cleaned=0
# scan_time=1332
C:\backups\backup-20080108-173828-327.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\backups\backup-20080108-173828-726.dll Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=604341203df5b34189e83a6261003783
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-10-07 05:27:44
# local_time=2009-10-07 06:27:44 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3, v.3264
# compatibility_mode=3588 21 100 96 6435366875000
# compatibility_mode=5889 61 66 100 923581083906250
# scanned=57971
# found=3
# cleaned=0
# scan_time=2947
C:\backups\backup-20080108-173828-327.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\backups\backup-20080108-173828-726.dll Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
C:\WINDOWS\system32\resetservice.exe Win32/VB.NUB trojan 00000000000000000000000000000000 I
jpscloud is offline  
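The ESET log above concatenates two runs, the first stopped early. As an added example (not the forum's or ESET's code), this Python parser splits the runs, checks that each "# found=" header agrees with the detection lines below it, and reports only the run that finished; the assumptions about the line layout are mine, taken from this sample alone.

```python
r"""Parser and consistency check for an ESET Online Scanner log.txt.

Added example for this thread; it is not ESET's code and not from the forum.
Each run is a block of "# key=value" lines followed by one line per detection:
    <path> <threat name> <category> <hash> <flag>
Assumptions taken from the sample only: a run starts at "# version=", a threat
name always contains "/" (a Windows path never does, which separates a path
with spaces from the threat name), and the hash column is 32 hex digits. The
trailing flag is not explained on the page and is kept verbatim.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the two runs pasted in the thread, headers trimmed to the fields used here.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=6
# end=stopped
# country="United Kingdom"
# scanned=30503
# found=2
# cleaned=0
C:\backups\backup-20080108-173828-327.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\backups\backup-20080108-173828-726.dll Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
# version=6
# end=finished
# scanned=57971
# found=3
# cleaned=0
C:\backups\backup-20080108-173828-327.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\backups\backup-20080108-173828-726.dll Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
C:\WINDOWS\system32\resetservice.exe Win32/VB.NUB trojan 00000000000000000000000000000000 I
"""

DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:(?:probably )?a variant of )?\S+/\S+)\s+"
    r"(?P<category>\S+)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)


@dataclass
class Detection:
    path: str
    threat: str
    category: str   # "application" (potentially unwanted) or "trojan" in the sample
    hash: str
    flag: str


@dataclass
class ScanRun:
    headers: Dict[str, str] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

    def finished(self) -> bool:
        return self.headers.get("end") == "finished"

    def reported_found(self) -> int:
        return int(self.headers.get("found", "0"))

    def consistent(self) -> bool:
        """The '# found=' header must agree with the detection lines parsed."""
        return self.reported_found() == len(self.detections)


def parse_eset_log(text: str) -> List[ScanRun]:
    runs: List[ScanRun] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            if key == "version" or current is None:   # a new run begins
                current = ScanRun()
                runs.append(current)
            current.headers[key] = value.strip('"')
            continue
        m = DETECTION_RE.match(line)
        if m and current is not None:
            current.detections.append(Detection(**m.groupdict()))
        # Installer chatter before the first "#" line matches nothing and is dropped.
    return runs


def summarize(run: ScanRun) -> dict:
    """Group detection paths by category and carry the run's sanity flags."""
    by_category: Dict[str, List[str]] = {}
    for d in run.detections:
        by_category.setdefault(d.category, []).append(d.path)
    return {"finished": run.finished(), "consistent": run.consistent(),
            "scanned": int(run.headers.get("scanned", "0")),
            "cleaned": int(run.headers.get("cleaned", "0")),
            "by_category": by_category}


def summarize_last_complete_run(text: str) -> dict:
    """A run stopped part-way is not a clean result; report the last finished one."""
    finished = [r for r in parse_eset_log(text) if r.finished()]
    if not finished:
        raise ValueError("no completed scan run in log")
    return summarize(finished[-1])
```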
Old 10-07-2009, 11:34 AM   #16
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home


Re: hacktool.rootkit problem

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    C:\WINDOWS\system32\resetservice.exe

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the results in your next reply.
tetonbob is offline  
Old 10-07-2009, 12:08 PM   #17 (permalink)
Registered User
 
Join Date: Oct 2009
Location: Cheshire
Posts: 18
OS: Windows XP Service Pack 3 v.3264


Re: hacktool.rootkit problem

Hi tetonbob, it wouldn't let me paste or type in the box, so I used the "Browse" button and navigated to the file instead. After I sent the last message to you, I was browsing a news service on a webpage, went to close it and the machine restarted unexpectedly. I haven't spent a great deal of time on this machine as I'm working on my laptop again at the moment, so I'm not sure if that is typical behaviour at the moment or not.

File resetservice.exe received on 2009.10.07 18:02:12 (UTC)


Result: 10/41 (24.4%)


Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.07 -
AhnLab-V3 5.0.0.2 2009.10.07 -
AntiVir 7.9.1.33 2009.10.07 -
Antiy-AVL 2.0.3.7 2009.10.05 -
Authentium 5.1.2.4 2009.10.07 -
Avast 4.8.1351.0 2009.10.07 -
AVG 8.5.0.420 2009.10.04 HackTool.HDE
BitDefender 7.2 2009.10.07 -
CAT-QuickHeal 10.00 2009.10.07 Trojan.Agent.IRC
ClamAV 0.94.1 2009.10.07 -
Comodo 2527 2009.10.07 UnclassifiedMalware
DrWeb 5.0.0.12182 2009.10.07 -
eSafe 7.0.17.0 2009.10.06 Suspicious File
eTrust-Vet 35.1.7055 2009.10.07 -
F-Prot 4.5.1.85 2009.10.07 -
F-Secure 8.0.14470.0 2009.10.07 -
Fortinet 3.120.0.0 2009.10.07 -
GData 19 2009.10.07 -
Ikarus T3.1.1.72.0 2009.10.07 -
Jiangmin 11.0.800 2009.10.07 -
K7AntiVirus 7.10.864 2009.10.07 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.10.07 -
McAfee 5764 2009.10.07 Generic.dx!zz
McAfee+Artemis 5764 2009.10.07 Generic.dx!zz
McAfee-GW-Edition 6.8.5 2009.10.07 -
Microsoft 1.5101 2009.10.07 -
NOD32 4488 2009.10.07 Win32/VB.NUB
Norman 6.01.09 2009.10.07 -
nProtect 2009.1.8.0 2009.10.07 -
Panda 10.0.2.2 2009.10.06 -
PCTools 4.4.2.0 2009.10.07 -
Prevx 3.0 2009.10.07 -
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.07 WPA Reset
Sunbelt 3.2.1858.2 2009.10.07 -
Symantec 1.4.4.12 2009.10.07 -
TheHacker 6.5.0.2.033 2009.10.07 -
TrendMicro 8.950.0.1094 2009.10.07 -
VBA32 3.12.10.11 2009.10.07 -
ViRobot 2009.10.7.1974 2009.10.07 Trojan.Win32.Agent.5632.J
VirusBuster 4.6.5.0 2009.10.07 -
Additional information
File size: 5632 bytes
MD5...: 72486adeb3cd979787129aea8c18cb60
SHA1..: 7d7cf52f6d8b8766c5f5fa662fced1835f076d8d
SHA256: 4a4cc54fb60b7fe0ffe1084e5e18b20babde51542c6bdacc7855a60ecc3183c8
ssdeep: 96:DHg6QQ4+AGrrQGH/qq0hshpwoLBpQW3bWD0RAcd:UQ4EEGiDszwkp1LO0ucd

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3200
timedatestamp.....: 0x3e8c0000 (Thu Apr 03 09:33:52 2003)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
pec1 0x1000 0x2000 0x600 7.11 0e81cc427b1c00ae44ce761f033b2107
.rsrc 0x3000 0x5000 0x800 5.64 898367cf160830bc6e54d15e9846e139
.rsrc 0x8000 0x1000 0x400 4.31 16773a6734632dee7291af91cf0a3c7f

( 2 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree, ExitProcess, GetModuleHandleA
> MSVBVM60.DLL: _CIcos

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 EXE PECompact compressed (generic) (73.7%)
Win32 Executable Generic (15.1%)
Win32 Executable MS Visual FoxPro 7 (3.9%)
Generic Win/DOS Executable (3.5%)
DOS Executable Generic (3.5%)
packers (Kaspersky): PECompact
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

packers (F-Prot): PECompact
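An added example, not part of the thread: a small Python parser for the VirusTotal text report in the layout pasted above. It counts the engines that flagged the file, cross-checks that count against the "Result: n/m" header (a shortened or cut-off paste shows up as a mismatch), and pulls out the static indicators a practitioner weighs before acting: the packer name, any section whose entropy is close to 8 bits per byte, and the unsigned status. The sample report is constructed from a subset of the lines above (the hash, section and packer lines are copied verbatim, the engine list is shortened); the `Triage` class, `parse_report` and the 7.0 entropy threshold are assumptions of this example, not VirusTotal's.

```python
"""Triage helper for a VirusTotal text report (2009-era layout, as pasted above)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
HEADER_RE = re.compile(r"^Result:\s+(\d+)/(\d+)")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)$")
SECTION_RE = re.compile(
    r"^(\S+)\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(\d+\.\d+)\s+[0-9a-f]{32}$")
PACKER_RE = re.compile(r"^packers \(([^)]+)\):\s*(.+)$")
HIGH_ENTROPY = 7.0  # bits per byte (assumed threshold); packed/encrypted code sits near 8.0

# Constructed sample: a subset of the report pasted in the post above, same layout.
SAMPLE_REPORT = """\
Result: 10/41 (24.4%)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.07 -
AVG 8.5.0.420 2009.10.04 HackTool.HDE
CAT-QuickHeal 10.00 2009.10.07 Trojan.Agent.IRC
Comodo 2527 2009.10.07 UnclassifiedMalware
eSafe 7.0.17.0 2009.10.06 Suspicious File
K7AntiVirus 7.10.864 2009.10.07 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.10.07 -
McAfee 5764 2009.10.07 Generic.dx!zz
McAfee+Artemis 5764 2009.10.07 Generic.dx!zz
Microsoft 1.5101 2009.10.07 -
NOD32 4488 2009.10.07 Win32/VB.NUB
Sophos 4.45.0 2009.10.07 WPA Reset
Symantec 1.4.4.12 2009.10.07 -
ViRobot 2009.10.7.1974 2009.10.07 Trojan.Win32.Agent.5632.J
File size: 5632 bytes
MD5...: 72486adeb3cd979787129aea8c18cb60
SHA256: 4a4cc54fb60b7fe0ffe1084e5e18b20babde51542c6bdacc7855a60ecc3183c8
pec1 0x1000 0x2000 0x600 7.11 0e81cc427b1c00ae44ce761f033b2107
.rsrc 0x3000 0x5000 0x800 5.64 898367cf160830bc6e54d15e9846e139
.rsrc 0x8000 0x1000 0x400 4.31 16773a6734632dee7291af91cf0a3c7f
packers (Kaspersky): PECompact
verified.....: Unsigned
"""


@dataclass
class Triage:
    detections: Dict[str, str] = field(default_factory=dict)  # engine -> label
    engines_seen: int = 0
    header_ratio: Optional[Tuple[int, int]] = None
    hashes: Dict[str, str] = field(default_factory=dict)
    high_entropy_sections: List[str] = field(default_factory=list)
    packer: Optional[str] = None
    unsigned: bool = False

    @property
    def truncated(self) -> bool:
        """True when fewer engine lines were pasted than the header's denominator."""
        return self.header_ratio is not None and self.engines_seen != self.header_ratio[1]

    def indicators(self) -> List[str]:
        out = [f"{len(self.detections)}/{self.engines_seen} engines flag it"]
        if self.packer:
            out.append(f"packed with {self.packer}")
        if self.high_entropy_sections:
            out.append("high-entropy section(s): " + ", ".join(self.high_entropy_sections))
        if self.unsigned:
            out.append("unsigned")
        if self.truncated:
            out.append("WARNING: pasted engine list is incomplete")
        return out


def parse_report(text: str) -> Triage:
    """Walk the pasted report line by line; unknown lines are ignored."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            t.header_ratio = (int(m.group(1)), int(m.group(2)))
        elif m := ENGINE_RE.match(line):
            t.engines_seen += 1
            if m.group(4).strip() != "-":  # "-" means that engine saw nothing
                t.detections[m.group(1)] = m.group(4).strip()
        elif m := HASH_RE.match(line):
            t.hashes[m.group(1)] = m.group(2).lower()
        elif m := SECTION_RE.match(line):
            if float(m.group(2)) >= HIGH_ENTROPY:
                t.high_entropy_sections.append(m.group(1))
        elif m := PACKER_RE.match(line):
            t.packer = m.group(2).strip()
        elif line.startswith("verified") and line.endswith("Unsigned"):
            t.unsigned = True
    return t


if __name__ == "__main__":
    for line in parse_report(SAMPLE_REPORT).indicators():
        print(line)
```

The detection count alone is a weak signal (ten generic labels across 41 engines); the packer, the 7.11-entropy code section and the missing signature are what make a tiny Visual Basic executable dropped in system32 worth removing rather than whitelisting.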
Old 10-07-2009, 12:17 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home


Re: hacktool.rootkit problem

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\WINDOWS\system32\resetservice.exe"



As to the sudden restart, that's never usual, but I can't explain it. Use the machine normally for a little while, and report back on its behavior.

Also, let's have a look using one more tool..
  • Download RSIT by random/random and save it to your desktop.
  • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
  • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
  • Please attach info.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\rsit\info.txt
  3. Click Upload.



Old 10-07-2009, 12:24 PM   #19 (permalink)
Registered User
 
Join Date: Oct 2009
Location: Cheshire
Posts: 18
OS: Windows XP Service Pack 3 v.3264


Re: hacktool.rootkit problem

Hi, thanks... would that have been an active trojan? I ran the command; it flashed up a small black window for a moment and disappeared. Is that what it was meant to do? I didn't have any other notification.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Jean at 2009-10-07 19:20:22
Microsoft Windows XP Home Edition Service Pack 3, v.3264
System drive C: has 59 GB (77%) free of 76 GB
Total RAM: 511 MB (15% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:21:00, on 07/10/2009
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jean\Local Settings\Temporary Internet Files\Content.IE5\6XM4MIYI\RSIT[1].exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\trend micro\Jean.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus SX200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "C:\WINDOWS\TEMP\E_S11B.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus SX200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "C:\WINDOWS\TEMP\E_S240.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171838390625
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

--
End of file - 7543 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Driver Robot.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\Norton Internet Security Online - Run Full System Scan - User.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2008-06-11 61816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
Symantec NCO BHO - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll [2009-08-26 378736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL [2009-08-26 107896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Norton Toolbar - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll [2009-08-26 378736]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"=C:\WINDOWS\SiSUSBrg.exe [2002-07-12 106496]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2003-04-02 4616192]
"nwiz"=nwiz.exe /install []
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"NBKeyScan"=C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe []
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd []
"SpeedTouch USB Diagnostics"=C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe [2007-06-11 901120]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2008-03-11 689488]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2008-03-18 1848648]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe [2005-09-03 94208]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2007-12-01 15360]
"EPSON Stylus SX200 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE [2007-12-13 188928]
"EPSON Stylus SX200 Series (Copy 1)"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE [2007-12-13 188928]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2007-12-01 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
C:\PROGRA~1\SAGEM\SAGEMF~1\dslmon.exe [2003-07-08 962663]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SymEFA.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Disabled:Skype"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-10-07 19:20:31 ----D---- C:\Program Files\trend micro
2009-10-07 19:20:22 ----D---- C:\rsit
2009-10-07 08:02:04 ----D---- C:\Program Files\ESET
2009-10-05 21:24:46 ----D---- C:\Documents and Settings\Jean\Application Data\Malwarebytes
2009-10-05 21:24:24 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-10-05 21:24:22 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-05 21:18:10 ----D---- C:\WINDOWS\ERDNT
2009-10-05 21:16:45 ----D---- C:\Program Files\ERUNT
2009-10-05 09:11:26 ----D---- C:\Documents and Settings\Jean\Application Data\Trusteer
2009-10-05 09:11:24 ----D---- C:\Documents and Settings\All Users\Application Data\Trusteer
2009-10-05 09:11:05 ----D---- C:\Program Files\Trusteer
2009-10-03 16:44:25 ----D---- C:\.jagex_cache_32
2009-10-03 12:26:58 ----D---- C:\Program Files\MSECache
2009-10-03 12:26:45 ----D---- C:\3f140d0c1bc7e7a49e4ff00f6af7f03e
2009-10-03 11:49:32 ----A---- C:\WINDOWS\system32\msonpmon.dll
2009-10-03 11:44:04 ----D---- C:\Program Files\Microsoft Works
2009-10-03 11:40:52 ----D---- C:\Program Files\Microsoft.NET
2009-10-03 11:34:29 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-10-03 11:31:41 ----RHD---- C:\MSOCache
2009-10-03 09:40:40 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-10-02 20:11:05 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2009-10-01 23:51:49 ----A---- C:\WINDOWS\system32\PICSDK2.dll
2009-10-01 23:51:49 ----A---- C:\WINDOWS\system32\PICSDK.ini
2009-10-01 23:51:49 ----A---- C:\WINDOWS\system32\PICSDK.dll
2009-10-01 23:51:49 ----A---- C:\WINDOWS\system32\PICEntry.dll
2009-10-01 23:51:49 ----A---- C:\WINDOWS\system32\EpPicPrt.dll
2009-10-01 23:51:48 ----A---- C:\WINDOWS\system32\EPPicMgr.dll
2009-10-01 23:51:31 ----D---- C:\Documents and Settings\Jean\Application Data\InstallShield
2009-10-01 23:47:11 ----A---- C:\WINDOWS\system32\E_DCINST.DLL
2009-10-01 23:47:03 ----A---- C:\WINDOWS\system32\E_FLBEFE.DLL
2009-10-01 23:47:03 ----A---- C:\WINDOWS\system32\E_FD4BEFE.DLL
2009-10-01 23:28:10 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-10-01 23:27:39 ----D---- C:\Documents and Settings\All Users\Application Data\EPSON
2009-10-01 23:19:27 ----D---- C:\Documents and Settings\Jean\Application Data\Blitware
2009-09-30 08:10:42 ----D---- C:\Documents and Settings\Jean\Application Data\Macromedia
2009-09-30 08:08:55 ----D---- C:\Documents and Settings\Jean\Application Data\Adobe
2009-09-29 22:49:53 ----D---- C:\WINDOWS\.jagex_cache_32
2009-09-29 22:38:01 ----D---- C:\Documents and Settings\Jean\Application Data\Identities
2009-09-29 22:37:26 ----ASH---- C:\Documents and Settings\Jean\Application Data\desktop.ini
2009-09-29 22:37:24 ----SD---- C:\Documents and Settings\Jean\Application Data\Microsoft
2009-09-29 22:05:36 ----D---- C:\Program Files\Symantec
2009-09-29 22:05:36 ----A---- C:\WINDOWS\system32\S32EVNT1.DLL
2009-09-29 22:04:41 ----D---- C:\Program Files\Windows Sidebar
2009-09-29 22:02:17 ----D---- C:\Program Files\NortonInstaller
2009-09-29 18:37:50 ----D---- C:\Program Files\Common Files\SupportSoft
2009-09-28 17:10:26 ----A---- C:\WINDOWS\mixerdef.ini
2009-09-28 16:08:10 ----RA---- C:\WINDOWS\mixer.exe
2009-09-28 16:08:10 ----RA---- C:\WINDOWS\cmuninst.exe
2009-09-28 16:08:08 ----RA---- C:\WINDOWS\system32\cmnprop.dll
2009-09-28 16:08:06 ----A---- C:\WINDOWS\system32\a3d.dll
2009-09-28 16:07:55 ----A---- C:\WINDOWS\system32\ksuser.dll

======List of files/folders modified in the last 1 months======

2009-10-07 19:20:31 ----D---- C:\Program Files
2009-10-07 19:20:29 ----D---- C:\WINDOWS\Temp
2009-10-07 19:19:52 ----D---- C:\WINDOWS\Prefetch
2009-10-07 19:19:02 ----D---- C:\WINDOWS\system32
2009-10-07 18:52:01 ----D---- C:\WINDOWS\system32\CatRoot2
2009-10-07 18:40:43 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-10-07 18:38:36 ----D---- C:\WINDOWS\Minidump
2009-10-07 18:38:36 ----D---- C:\WINDOWS
2009-10-07 08:50:50 ----SD---- C:\WINDOWS\Tasks
2009-10-07 08:02:08 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-10-05 21:24:29 ----D---- C:\WINDOWS\system32\drivers
2009-10-05 15:05:33 ----HD---- C:\WINDOWS\inf
2009-10-05 09:12:23 ----SHD---- C:\WINDOWS\Installer
2009-10-05 09:12:11 ----D---- C:\Config.Msi
2009-10-03 16:32:18 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-10-03 14:34:00 ----RSD---- C:\WINDOWS\assembly
2009-10-03 12:39:30 ----D---- C:\WINDOWS\Help
2009-10-03 12:25:41 ----RSD---- C:\WINDOWS\Fonts
2009-10-03 12:25:07 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-10-03 11:54:07 ----D---- C:\WINDOWS\ShellNew
2009-10-03 11:46:52 ----D---- C:\WINDOWS\system32\config
2009-10-03 11:43:06 ----D---- C:\WINDOWS\WinSxS
2009-10-03 11:42:09 ----D---- C:\Program Files\Microsoft Office
2009-10-03 11:40:52 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-10-03 11:39:55 ----D---- C:\WINDOWS\Media
2009-10-03 10:03:53 ----SHD---- C:\System Volume Information
2009-10-03 10:03:53 ----D---- C:\WINDOWS\system32\Restore
2009-10-03 09:57:43 ----D---- C:\Program Files\Common Files
2009-10-02 21:27:08 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-10-01 23:25:49 ----D---- C:\WINDOWS\twain_32
2009-10-01 23:25:49 ----D---- C:\Program Files\EPSON
2009-09-30 15:42:03 ----A---- C:\WINDOWS\PhotoSnapViewer.INI
2009-09-30 09:43:30 ----D---- C:\WINDOWS\network diagnostic
2009-09-30 0809 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-09-30 0807 ----D---- C:\Program Files\NOS
2009-09-30 07:53:56 ----A---- C:\WINDOWS\ODBC.INI
2009-09-29 22:50:59 ----D---- C:\WINDOWS\java
2009-09-29 22:40:39 ----SHD---- C:\RECYCLER
2009-09-29 22:38:08 ----A---- C:\WINDOWS\OEWABLog.txt
2009-09-29 22:37:23 ----D---- C:\Documents and Settings
2009-09-29 22:31:47 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-09-29 22:04:41 ----D---- C:\Program Files\Norton Internet Security
2009-09-29 22:04:41 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2009-09-29 22:02:45 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-09-29 15:47:08 ----A---- C:\WINDOWS\NeroDigital.ini
2009-09-29 12:21:14 ----D---- C:\WINDOWS\system
2009-09-28 16:07:50 ----D---- C:\WINDOWS\system32\CatRoot
2009-09-27 17:04:54 ----A---- C:\WINDOWS\WININIT.INI
2009-09-27 16:57:17 ----HD---- C:\Program Files\InstallShield Installation Information
2009-09-26 10:15:15 ----D---- C:\Program Files\Google
2009-09-21 14:15:01 ----A---- C:\WINDOWS\imsins.BAK
2009-09-21 14:14:54 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2007-11-30 37760]
R1 BHDrvx86;Symantec Heuristics Driver; C:\WINDOWS\System32\Drivers\NIS\1007020.00B\BHDrvx86.sys [2009-08-26 259632]
R1 ccHP;Symantec Hash Provider; C:\WINDOWS\System32\Drivers\NIS\1007020.00B\ccHPx86.sys [2009-09-30 482432]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 IDSxpx86;IDSxpx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090916.003\IDSxpx86.sys []
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2007-11-30 14592]
R1 RapportKELL;RapportKELL; \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys []
R1 RapportPG;RapportPG; \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys []
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\WINDOWS\system32\drivers\NIS\1007020.00B\SRTSPX.SYS [2009-08-26 43696]
R1 SYMTDI;Symantec Network Dispatch Driver; C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMTDI.SYS [2009-08-26 217136]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2006-11-10 18688]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2007-11-30 10368]
R3 Intels51;Intel(R) 536EP Modem; C:\WINDOWS\System32\DRIVERS\Intels51.sys [2004-12-10 1903338]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 NAVENG;NAVENG; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091007.002\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091007.002\NAVEX15.SYS []
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-04-02 1265130]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2002-07-10 32256]
R3 SRTSP;Symantec Real Time Storage Protection; C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SRTSP.SYS [2009-08-26 308272]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMFW;Symantec Network Filter Driver; C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMFW.SYS [2009-08-26 89904]
R3 SYMIDS;Symantec Network Filter Driver; C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMIDS.SYS [2009-08-26 33072]
R3 SYMNDIS;Symantec Network Filter Driver; C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMNDIS.SYS [2009-08-26 36400]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2007-11-30 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2007-11-30 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2007-11-30 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2007-11-30 17152]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2007-11-30 20608]
S1 InCDPass;InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys []
S1 InCDRm;InCD Reader; C:\WINDOWS\system32\drivers\InCDRm.sys []
S2 ADILOADER;General Purpose USB Driver (adildr.sys); C:\WINDOWS\System32\Drivers\adildr.sys [2003-07-17 46167]
S3 adiusbaw;USB ADSL WAN Adapter; C:\WINDOWS\System32\DRIVERS\adiusbaw.sys [2003-03-27 127145]
S3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN); C:\WINDOWS\system32\DRIVERS\alcan5wn.sys [2003-12-08 53600]
S3 alcaudsl;SpeedTouch ADSL Modem ATM Transport; C:\WINDOWS\system32\DRIVERS\alcaudsl.sys [2003-12-08 70688]
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS []
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2007-11-30 17024]
S3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2006-06-09 1373120]
S3 EIO;EIO; \??\C:\WINDOWS\system32\drivers\EIO.sys []
S3 KMWDFILTER;HIDUASDesc; C:\WINDOWS\system32\DRIVERS\KMWDFILTER.sys [2008-10-09 17408]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2007-11-30 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2007-11-30 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2007-11-30 10880]
S3 ovt519;PB-WC100 USB Camera; C:\WINDOWS\System32\Drivers\ov519vid.sys []
S3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2007-08-14 47360]
S3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-10-02 9856]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2007-11-30 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2007-11-30 15232]
S3 SYMDNS;SYMDNS; \??\C:\WINDOWS\system32\drivers\NIS\1000000.07D\SYMDNS.SYS []
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2009-08-26 36400]
S3 SYMREDRV;SYMREDRV; \??\C:\WINDOWS\system32\drivers\NIS\1000000.07D\SYMREDRV.SYS []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2007-11-30 60032]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2007-11-30 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2007-11-30 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2007-11-30 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2007-11-30 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S4 InCDFs;InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Norton Internet Security;Norton Internet Security; C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [2009-08-26 117640]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-04-02 69632]
R2 RapportMgmtService;Rapport Management Service; C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe [2009-09-27 967912]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-12 133104]
S2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 getPlusHelper;getPlus(R) Helper; C:\WINDOWS\System32\svchost.exe [2007-12-01 14336]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2007-12-01 14336]
S4 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
S4 Reset 5;Reset 5; C:\WINDOWS\system32\srvany.exe []

-----------------EOF-----------------
Attached Files
File Type: txt info.txt (19.6 KB, 0 views)
jpscloud is offline  
Old 10-07-2009, 12:45 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
tetonbob
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home


Re: hacktool.rootkit problem

The file was not an active trojan. With no loading point, it was just sitting there.

The command box opening and closing quickly is expected.

Go to Start>Run then copy and paste, or type the following, then press Enter:

sc stop "Reset 5"

A window will open and close quickly, this is normal.

Go to Start>Run then copy and paste, or type the following, then press Enter:

sc delete "Reset 5"

A window will open and close quickly, this is normal.

---------------------------------------------------------------------------------------------

Do you know the history of this machine of your father's? Was it purchased locally, or from a large manufacturer?

The reason I ask is that these last deletions, the file and the service, are typically associated with Windows Activation bypass efforts, and may indicate an illegal Operating System. Sometimes, this is done without the purchaser's knowledge, by less than scrupulous builders. It can, however, also indicate a legit OS, whose owner simply wanted to be rid of the nags.

http://www.systemlookup.com/O23/2713-srvany_exe.html
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
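The two Run-box commands in the post above (sc stop, then sc delete) do the job, but a responder usually wants to record what the service actually launched before it is gone. This is an added example, not tetonbob's instructions and not part of the thread: a PowerShell script that looks the service up in WMI, reports its binary path, and, when the binary is srvany.exe (as the log shows for "Reset 5"), reads the "Application" value from the service's Parameters subkey, which is where srvany.exe keeps the real program it wraps. It then stops and deletes the service with the same sc.exe delete the post uses. The function names Get-ServiceInfo and Remove-SuspectService are my own; it assumes an elevated PowerShell 2.0 or later prompt with WMI available, and the service name "Reset 5" is taken from the log above.

```powershell
# Added example (not from the thread). Inspect a suspect service before
# removing it, then stop and delete it the way the post's sc commands do.
# Assumes an elevated PowerShell 2.0+ session; names below are hypothetical.

function Get-ServiceInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory=$true)][string]$Name)

    # Win32_Service exposes the binary path and start mode, which Get-Service
    # alone does not. Filtering client-side avoids building a WQL string.
    $svc = Get-WmiObject -Class Win32_Service | Where-Object { $_.Name -eq $Name }
    if (-not $svc) { return $null }

    $info = @{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State
        StartMode   = $svc.StartMode
        PathName    = $svc.PathName
        IsSrvany    = ($svc.PathName -match '(?i)srvany\.exe')
        WrappedApp  = $null
    }

    # srvany.exe is only a wrapper: the program it launches is stored in the
    # service's Parameters subkey under the "Application" value. That file,
    # not srvany.exe itself, is what needs identifying (and keeping a copy of
    # for analysis) before the service is deleted.
    if ($info.IsSrvany) {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
        if (Test-Path -LiteralPath $paramKey) {
            $p = Get-ItemProperty -LiteralPath $paramKey -ErrorAction SilentlyContinue
            if ($p -and $p.Application) { $info.WrappedApp = $p.Application }
        }
    }
    return New-Object PSObject -Property $info
}

function Remove-SuspectService {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Name)

    $info = Get-ServiceInfo -Name $Name
    if (-not $info) {
        Write-Host "Service '$Name' not found; nothing to do."
        return
    }
    # Print the evidence first so it survives in the console transcript.
    Write-Host ("{0,-12} {1}" -f 'Binary:', $info.PathName)
    Write-Host ("{0,-12} {1}" -f 'Start mode:', $info.StartMode)
    if ($info.IsSrvany) {
        Write-Host ("{0,-12} {1}" -f 'srvany app:', $info.WrappedApp)
    }

    # -WhatIf on the caller turns this into a dry run.
    if ($PSCmdlet.ShouldProcess($Name, 'stop and delete service')) {
        if ($info.State -ne 'Stopped') {
            Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
            # Wait for the SCM to report the stop; deleting a running service
            # only marks it for deletion until the next reboot.
            try {
                (Get-Service -Name $Name).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
            } catch {
                Write-Warning "Service '$Name' did not stop within 30 s; deletion will be pending."
            }
        }
        # Same command the post uses; the registry key goes once no handles remain.
        & sc.exe delete "$Name" | Out-Null
        if (Get-Service -Name $Name -ErrorAction SilentlyContinue) {
            Write-Warning "Service '$Name' still listed (deletion pending or failed); reboot and re-check."
        } else {
            Write-Host "Service '$Name' removed."
        }
    }
}

# Dry run: reports the binary and wrapped application without changing anything.
Remove-SuspectService -Name 'Reset 5' -WhatIf
# Real removal, once the reported paths have been noted:
# Remove-SuspectService -Name 'Reset 5'
```

Run the -WhatIf line first and keep the printed paths; if the srvany "Application" value points at a file that is still on disk, that file is the one to scan or submit, since srvany.exe itself is a legitimate Microsoft resource-kit binary and tells you nothing on its own.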
Copyright 2001 - 2009, Tech Support Forum