TechSpot

Am showing signs of rootkit

By jabberjaw
Aug 29, 2008
Topic Status:
Not open for further replies.
    My computer has been showing bad signs of a rootkit.

    So far I have followed all the instructions in this thread: http://www.bleepingcomputer.com/forums/tutorial62.html

    Here are my two logs, one from AproposFix and one from HijackThis.

    Log of AproposFix v1.1
    Running from directory:
    Registry entries found:

    GNU grep version 2.0d

    SYNOPOSIS
    grep [-[[AB] ]<num>] [-[CEFGLSVbchilnqsvwx?]] [-[ef]] <expr> [<files...>]

    DESCRIPTION

    Grep searches the named input files (or standard input if no files are named, or
    the file name - is given) for lines containing a match to the given pattern.
    By default, grep prints the matching lines. There are three major variants of

    grep, controlled by the following options.
    -G Interpret pattern as a basic regular expression (see below). This is
    the default.
    -E Interpret pattern as an extended regular expression (see below).
    -F Interpret pattern as a list of fixed strings, separated by newlines,
    any of which is to be matched.

    In addition, two variant programs egrep and fgrep are available. Egrep is
    similiar (but not identical) to "grep -E", and is compatible with the
    historical Unix egrep. Fgrep is the same as "grep -F".

    All variants of grep understand the following options:

    -num Matches will be printed with num lines of leading and trailing
    context. However, grep will never print any given line more than once.
    -A "num" Print num lines of trailing context after matching lines.
    -B "num" Print num lines of leading context before matching lines.
    -C Equivalent to -2.
    -S Search subdirectories.
    -V Print the version number of grep to standard error. This version
    number should be included in all bug reports (see below).
    -b Print the byte offset within the input file before each line of output.
    -c Suppress normal output; instead print a count of matching lines for
    each input file. With the -v option (see below), count non-matching
    lines.
    -e "pattern" Use pattern as the pattern; useful to protect patterns
    beginning with -.
    -f "file" Obtain the pattern from file.
    -h Suppress the prefixing of filenames on output when multiple files are
    searched.
    -i Ignore case distinctions in both the pattern and the input files.
    -L Suppress normal output; instead print the name of each input file from
    which no output would normally have been printed.
    -l Suppress normal output; instead print the name of each input file from
    which output would normally have been printed.
    -n Prefix each line of output with the line number within its input file.
    -q Quiet; suppress normal output.
    -s Suppress error messages about nonexistent or unreadable files.
    -v Invert the sense of matching, to select non-matching lines.
    -w Select only those lines containing matches that form whole words. The
    test is that the matching substring must either be at the beginning of
    the line, or preceded by a non-word constituent character. Similarly,
    it must be either at the end of the line or followed by a non-word
    constituent character. Word-constituent characters are letters, digits,
    and the underscore.
    -x Select only those matches that exactly match the whole line.
    -? Displays this help.
    ************
    No service found!

    Removing hidden folder:
    No folder found!

    Deleting files

    Backing up files
    Done!

    Removing registry entries

    REGEDIT4

    And this one is from HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:56:44 AM, on 8/29/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    G:\zz\T31D1AT.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    G:\zz\T31D1AT.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Suitcase 11.0.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{01459C6E-5A58-4181-B145-A5695C1FAD45}: NameServer = 66.153.162.98,66.153.128.98
    O17 - HKLM\System\CCS\Services\Tcpip\..\{069095A0-753F-41A4-A062-DF7319F0CB1A}: NameServer = 66.153.128.98,66.153.162.98
    O17 - HKLM\System\CS1\Services\Tcpip\..\{01459C6E-5A58-4181-B145-A5695C1FAD45}: NameServer = 66.153.162.98,66.153.128.98
    O17 - HKLM\System\CS2\Services\Tcpip\..\{01459C6E-5A58-4181-B145-A5695C1FAD45}: NameServer = 66.153.162.98,66.153.128.98
    O17 - HKLM\System\CS3\Services\Tcpip\..\{01459C6E-5A58-4181-B145-A5695C1FAD45}: NameServer = 66.153.162.98,66.153.128.98
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    Thanks in advance for any help.
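
A first triage pass over a HijackThis v2 log of the kind posted above, as an added example that is not part of the original post and not code from HijackThis or AproposFix. It parses the log layout (the "Running processes:" list, then "Oxx - " style entries), then applies a few generic heuristics: processes running outside C:\WINDOWS and C:\Program Files, extra entries in the system.ini UserInit value beyond userinit.exe, Run entries under the SYSTEM or Default-user profile, dangling O2/O3 entries whose file is missing, and the set of O17 DNS servers to check against the ISP's. The sample input is excerpted from the log above; the "expected" directories and the heuristics themselves are assumptions of this example, and a hit is a lead to verify by hand, not a verdict that anything is malicious.

```python
"""HijackThis v2 log triage helper (added example; not from the original post)."""
import re

# Constructed sample input: a handful of lines excerpted from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\iTunes\iTunesHelper.exe
G:\zz\T31D1AT.exe
C:\WINDOWS\system32\ctfmon.exe
G:\zz\T31D1AT.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{01459C6E-5A58-4181-B145-A5695C1FAD45}: NameServer = 66.153.162.98,66.153.128.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{01459C6E-5A58-4181-B145-A5695C1FAD45}: NameServer = 66.153.162.98,66.153.128.98
"""

# Assumptions for this example: where "normal" processes live on this XP box,
# and the only value UserInit is expected to carry on an unmodified install.
EXPECTED_PROCESS_DIRS = ("c:\\windows\\", "c:\\program files\\")
STANDARD_USERINIT = "c:\\windows\\system32\\userinit.exe"

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_log(text):
    """Split a log into (process paths, [(code, body), ...]) for the Oxx/F2 entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (code, detail, reason) leads that deserve a manual look."""
    processes, entries = parse_log(text)
    leads = []

    counts = {}
    for path in processes:
        counts[path] = counts.get(path, 0) + 1
    for path, n in counts.items():
        if not path.lower().startswith(EXPECTED_PROCESS_DIRS):
            leads.append(("process", path,
                          f"running from a non-standard location ({n} instance(s))"))

    for code, body in entries:
        low = body.lower()
        if code == "F2" and "userinit=" in low:
            value = body.split("UserInit=", 1)[1]
            for part in value.split(","):
                part = part.strip()
                if part and part.lower() != STANDARD_USERINIT:
                    leads.append((code, part,
                                  "extra UserInit entry; only userinit.exe is expected"))
        elif code == "O4" and low.startswith("hkus\\"):
            leads.append((code, body,
                          "Run entry under the SYSTEM/Default profile, unusual for a user app"))
        elif code in ("O2", "O3") and ("(file missing)" in low or "(no file)" in low):
            leads.append((code, body, "dangling entry: the referenced file is absent"))
    return leads


def name_servers(text):
    """Unique DNS servers from O17 entries, to compare against the ISP's published ones."""
    _, entries = parse_log(text)
    servers = set()
    for code, body in entries:
        if code == "O17" and "NameServer =" in body:
            servers.update(ip.strip() for ip in body.split("=", 1)[1].split(","))
    return sorted(servers)


if __name__ == "__main__":
    for code, detail, reason in triage(SAMPLE_LOG):
        print(f"[{code}] {detail}\n      {reason}")
    print("O17 name servers to verify:", ", ".join(name_servers(SAMPLE_LOG)))
```

The process check deliberately reports each distinct path once with its instance count, since the same executable appearing twice in the process list is itself worth noting; the O17 servers are only collected, because whether they are legitimate depends on the ISP and cannot be decided from the log.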