
17 Posts
Discussion Starter · #1 ·
I'm not sure I have a problem. But, Firefox does seem to have slowed a lot.
Thanks!
PS I don't seem to be able to attach the zipped logs...don't have the manage attachments button under add'l options (and can't insert a smiley)...will submit this and then see if I can add it then.

My last Avast scan showed:
4/29/2009 10:40:20 AM 1241030420 Leigh 3208 Sign of "Win32:Small-KMM [Trj]" has been found in "C:\System Volume Information\_restore{11710026-9BFD-4653-B8F8-1D6DE9FA165E}\RP1401\snapshot\_REGISTRY_MACHINE_SOFTWARE" file.

Avast was able to deal with it and a subsequent scan of the folder was clean. (If you can help me understand how something can be in a restore point but never anywhere else, especially the fourth to last RP and not the third, second, and last ones, I'd appreciate it.)

So then I ran Kaspersky free online scan and got:
C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

Here's the DDS log:
DDS (Ver_09-03-16.01) - NTFSx86
Run by Leigh at 12:58:02.88 on Thu 04/30/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.383.153 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Leigh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.google.com/nwshp?tab=wn
mStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [RegistryMechanic]
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229675064933
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229674987702
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup162.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\leigh\applic~1\mozilla\firefox\profiles\1e9fd2dg.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?hl=en&tab=wn
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2007-8-4 110360]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-23 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-10 78416]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-8-4 394984]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-10-11 147640]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [2005-10-24 281856]
R3 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys [2007-7-29 39376]
R3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-7-29 53840]
R3 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-7-29 57424]
R3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-7-29 83024]
S2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-10-11 250040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-10-11 348344]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 ComFiltr;Panda Anti-Dialer;\??\c:\windows\system32\drivers\comfiltr.sys --> c:\windows\system32\drivers\COMFiltr.sys [?]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 12800]
S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2007-8-4 175376]
S3 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-7-29 708688]
S3 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe [2007-7-29 1309264]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-2-6 44928]
S4 gupdate1c992479e206f60;Google Update Service (gupdate1c992479e206f60);c:\program files\google\update\GoogleUpdate.exe [2009-2-18 133104]

=============== Created Last 30 ================

2009-04-19 21:39 <DIR> --d----- C:\Work2009

==================== Find3M ====================

2008-01-31 12:50 56,912 a------- c:\documents and settings\leigh\g2mdlhlpx.exe
2006-04-11 21:28 196 a------- c:\docume~1\leigh\applic~1\wklnhst.dat
2005-12-03 18:50 160 a---h--- c:\documents and settings\leigh\hpothb07.dat
2007-08-06 13:17 4,962,336 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-08-06 13:17 499,232 a--sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 12:58:48.54 ===============
 

17 Posts
Discussion Starter · #5 · (Edited)
gmer found rootkit? Please help/logs inside

This is a second attempt with fresh logs because my first post (from 4/30 and then 72hr bump) was overlooked. I marked that thread solved to avoid confusion. Those logs, if helpful, are here:
http://www.techsupportforum.com/f50/possible-infection-dds-and-gmer-info-inside-372085.html

I must mention that gmer ran without a hitch that first time. Today, just as it ended, I saw a quick popup stating it had found a change by a rootkit. There was no other info. But, I don't see it in the logs.

Also obviously different from the first log is the appearance of an unnamed hidden module. It would be weird if I have picked up something in the meantime....

Most significant changes are that I've updated Java and messed around with Ad-Aware since my 4/30 post.

Background from first post:
I'm not sure I have a problem. But, Firefox does seem to have slowed a lot.
Thanks!
PS I don't seem to be able to attach the zipped logs...don't have the manage attachments button under add'l options (and can't insert a smiley)...will submit this and then see if I can add it then.

My last Avast scan showed:
4/29/2009 10:40:20 AM 1241030420 Leigh 3208 Sign of "Win32:Small-KMM [Trj]" has been found in "C:\System Volume Information\_restore{11710026-9BFD-4653-B8F8-1D6DE9FA165E}\RP1401\snapshot\_REGISTRY_MACHINE_SOFTWARE" file.

Avast was able to deal with it and a subsequent scan of the folder was clean. (If you can help me understand how something can be in a restore point but never anywhere else, especially the fourth to last RP and not the third, second, and last ones, I'd appreciate it.)

So then I ran Kaspersky free online scan and got:
C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1


Here's the DDS log (the one from today, 5/7):

DDS (Ver_09-03-16.01) - NTFSx86
Run by Leigh at 8:18:41.87 on Thu 05/07/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.383.162 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Leigh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.google.com/nwshp?tab=wn
mStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [RegistryMechanic]
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Gamma Loader.exe.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\America Online 8.0 Tray Icon.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Google Updater.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\hp psc 2000 Series.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\hpoddt01.exe.lnk.disabled
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229675064933
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229674987702
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup162.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\leigh\applic~1\mozilla\firefox\profiles\1e9fd2dg.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?hl=en&tab=wn
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2007-8-4 110360]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-23 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-10 78416]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-8-4 394984]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-7-20 557056]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-10-11 147640]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [2005-10-24 281856]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-10-11 250040]
S2 gupdate1c992479e206f60;Google Update Service (gupdate1c992479e206f60);c:\program files\google\update\GoogleUpdate.exe [2009-2-18 133104]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-10-11 348344]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 ComFiltr;Panda Anti-Dialer;\??\c:\windows\system32\drivers\comfiltr.sys --> c:\windows\system32\drivers\COMFiltr.sys [?]
S3 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys [2007-7-29 39376]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-7-29 53840]
S3 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-7-29 57424]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-7-29 83024]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 12800]
S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2007-8-4 175376]
S3 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-7-29 708688]
S3 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe [2007-7-29 1309264]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-2-6 44928]

=============== Created Last 30 ================

2009-05-06 14:32 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-06 02:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-02 00:19 <DIR> --d----- c:\program files\SpywareBlaster
2009-04-19 21:39 <DIR> --d----- C:\Work2009

==================== Find3M ====================

2008-01-31 12:50 56,912 a------- c:\documents and settings\leigh\g2mdlhlpx.exe
2006-04-11 21:28 196 a------- c:\docume~1\leigh\applic~1\wklnhst.dat
2005-12-03 18:50 160 a---h--- c:\documents and settings\leigh\hpothb07.dat
2007-08-06 13:17 4,962,336 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-08-06 13:17 499,232 a--sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 8:20:18.70 ===============
 


1,702 Posts
Re: gmer found rootkit? Please help/logs inside

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F7BF1000-F7BF3000 (8192 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:120] 82A5B8E0
Thread System [4:124] 82A5B8E0
Thread System [4:128] 8295D8D0
Thread System [4:132] 8295D8D0
Thread System [4:136] 8295D8D0
Thread System [4:364] 82A5B8E0
Thread System [4:428] 82A5B8E0

---- EOF - GMER 1.0.15 ----
Are those showing every gmer scan?
 

1,702 Posts
Let's get a RootRepeal log

We need to check for rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop:
  2. Extract RootRepeal.exe from the zip archive.
  3. Open
    on your desktop.
  4. Click the
    tab.
  5. Click the
    button.
  6. Check all six boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the
    button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

In your next reply, please include the following:
  • RootRepeal Log
 

17 Posts
Discussion Starter · #8 ·
Re: gmer found rootkit? Please help/logs inside

Are those showing every gmer scan?
No, that's what is so weird and frankly has me a bit freaked out.

I'll run the suggested utility and post ASAP. I'm heading out now so it'll be a few hours. The only other change I made in addition to what I already posted was to undo using msconfig to disable some startup programs because I read that it wasn't the best way to achieve that. I switched to using Spybot S&D to disable them.

I use Avast and it supposedly helps keep away rootkits. I'm very confused if/how this just cropped up....

Thanks
 

17 Posts
Discussion Starter · #11 ·
Thank you, Lonny. Here's the log.

I might have done something stupid, though. It went so fast that I thought I didn't execute it the first time so I wound up running it twice. I don't know if that matters.:sigh:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
 

17 Posts
Discussion Starter · #13 ·
Looks fine
Of the startups you've disabled with Spybot S&D, are there any suspicious items?
Not as far as I know. Just things I think are related to valid programs/processes but that prolong startup. I exported the log of it and just kept the disabled things if you want to take a look. It's attached.

I wonder if this type of entry is significant? There are several more.
Warning: if the file is actually larger than 0 bytes, the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



Thanks
 


1,702 Posts
Those disabled items are fine; however, when possible, use a program's options to disable its startup.

This is from Spybot S&D?
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Not significant, no.

We are finished here, I believe ;)

I'll leave your thread open for about a week just in case a problem or question arises.
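As an added illustration (not from the thread, its attachment, or Spybot's own code) of why those WinLogon entries are not significant: D41D8CD98F00B204E9800998ECF8427E is the MD5 of zero bytes, so "size: 0" together with that digest means the export never opened the file (crypt32.dll and friends are listed by bare name with no directory). The script parses entries in the export format quoted above from a constructed sample and separates such unresolved entries from ones carrying a real digest; the HK_LM:Run entry, its path and its digest are invented for contrast.

```python
"""Triage for Spybot S&D startup-export entries whose MD5 is the empty-input hash."""
import hashlib
import ntpath

# MD5 of zero bytes. A tool that reports size 0 and this digest never read
# the file, so the digest says nothing about the DLL actually on disk.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Constructed sample (not the thread's attachment): two WinLogon entries copied
# from the export quoted in the thread, plus one invented entry with a real
# size and a made-up digest for contrast.
SAMPLE_EXPORT = """\
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, ExampleEntry
command: C:\\Program Files\\Example\\example.exe
file: C:\\Program Files\\Example\\example.exe
size: 12345
MD5: 0123456789ABCDEF0123456789ABCDEF
"""


def parse_export(text):
    """Split the export into one dict per 'Located:' block (warning lines dropped)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ":" not in line or line.startswith(("Warning", "the checksum")):
                continue
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        if "located" in entry:
            entries.append(entry)
    return entries


def classify(entry):
    """Return (verdict, reason) for one parsed entry."""
    size = int(entry.get("size", "0") or 0)
    md5 = entry.get("md5", "").upper()
    bare_name = ntpath.dirname(entry.get("file", "")) == ""
    if size == 0 and md5 == EMPTY_MD5:
        reason = ("bare DLL name, no directory to resolve" if bare_name
                  else "file could not be opened")
        return "unresolved", reason + "; digest is MD5 of zero bytes, not of the file"
    if size == 0 or md5 == EMPTY_MD5:
        # A non-empty file with the empty-input digest (or vice versa) is a
        # tool inconsistency worth a second look, not a verdict on the file.
        return "inconsistent", "size and digest disagree; re-run the export and inspect the file"
    return "hashed", "digest covers real content; compare it against a known-good copy"


def triage(text):
    """Map each 'Located' label to its verdict for every entry in the export."""
    return {e["located"]: classify(e)[0] for e in parse_export(text)}


if __name__ == "__main__":
    for entry in parse_export(SAMPLE_EXPORT):
        verdict, reason = classify(entry)
        print(f"{entry['located']:<28} {verdict:<12} {reason}")
```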
 

17 Posts
Discussion Starter · #15 ·
Thanks, Lonny.

Should I delete this file from when I ran the Kaspersky free online scan? We only use AOL for an email account. Otherwise I figure whenever I run Kaspersky it will keep finding it. Or, I can just ignore it in the future.

C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe
Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
 

17 Posts
Discussion Starter · #17 ·
Hi Lonny,
I just wanted to clarify when you asked if these were in every scan. The threads were in both scans. The noname module was the thing that happened differently in the second scan.

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F7BF1000-F7BF3000 (8192 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:120] 82A5B8E0
Thread System [4:124] 82A5B8E0
Thread System [4:128] 8295D8D0
Thread System [4:132] 8295D8D0
Thread System [4:136] 8295D8D0
Thread System [4:364] 82A5B8E0
Thread System [4:428] 82A5B8E0

---- EOF - GMER 1.0.15 ----

I'll run it again over night and post the log in the morning.


And maybe I'm just being paranoid but something weird happened this evening. I was updating Malwarebytes' Anti-Malware and got a message from Spybot that it detected Fraud.Antivirus2008 in mbam-setup.exe. I just sat there trying to understand what was going on and MB finished the update. I clicked OK in the Spybot notice to terminate it. Spybot's resident log shows this:

5/10/2009 7:48:54 PM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent") added in System Startup global entry!
5/10/2009 7:48:55 PM Encountered and terminated Fraud.Antivirus2008 in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe!

After the update I ran MB and it showed no problems.
 

1,702 Posts
That was a false positive.
You do know Spybot's resident will alert to any added startup, even legit items?

Is your Spybot S&D updated?
Here's a log from the current version; it did this automatically, no TeaTimer warnings.

5/11/2009 3:25:41 AM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent") added in System Startup global entry!
5/11/2009 3:33:27 AM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "") deleted in System Startup global entry!
 

17 Posts
Discussion Starter · #19 ·
OK, thanks Lonny.
Yes, Spybot is up to date. I saw many similar legit entries in Spybot's resident log. It was the popup warning and its entry about Fraud.Antivirus2008 in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe that confused me because Spybot didn't do that last time I updated MB.

I ran gmer again and as it finished got the same warning that I got the second time it was run:
"gmer found system modifications caused by rootkit activity"

I attached the log. That noname module that wasn't in the first log is still there, as well as the threads that were found in the first run. The weird thing is that I hadn't gotten that warning about rootkit activity the first time I ran gmer.



 

