Am showing signs of rootkit

Status
Not open for further replies.
Have been showing bad signs of rootkit on my computer.

So Far I have followed all the instructions in this thread HERE (http://www.bleepingcomputer.com/forums/tutorial62.html)

HERE are my two logs, one from aproposfix and one from Highjack this

Log of AproposFix v1.1
Running from directory:
Registry entries found:

GNU grep version 2.0d

SYNOPOSIS
grep [-[[AB] ]<num>] [-[CEFGLSVbchilnqsvwx?]] [-[ef]] <expr> [<files...>]

DESCRIPTION

Grep searches the named input files (or standard input if no files are named, or
the file name - is given) for lines containing a match to the given pattern.
By default, grep prints the matching lines. There are three major variants of

grep, controlled by the following options.
-G Interpret pattern as a basic regular expression (see below). This is
the default.
-E Interpret pattern as an extended regular expression (see below).
-F Interpret pattern as a list of fixed strings, separated by newlines,
any of which is to be matched.

In addition, two variant programs egrep and fgrep are available. Egrep is
similiar (but not identical) to "grep -E", and is compatible with the
historical Unix egrep. Fgrep is the same as "grep -F".

All variants of grep understand the following options:

-num Matches will be printed with num lines of leading and trailing
context. However, grep will never print any given line more than once.
-A "num" Print num lines of trailing context after matching lines.
-B "num" Print num lines of leading context before matching lines.
-C Equivalent to -2.
-S Search subdirectories.
-V Print the version number of grep to standard error. This version
number should be included in all bug reports (see below).
-b Print the byte offset within the input file before each line of output.
-c Suppress normal output; instead print a count of matching lines for
each input file. With the -v option (see below), count non-matching
lines.
-e "pattern" Use pattern as the pattern; useful to protect patterns
beginning with -.
-f "file" Obtain the pattern from file.
-h Suppress the prefixing of filenames on output when multiple files are
searched.
-i Ignore case distinctions in both the pattern and the input files.
-L Suppress normal output; instead print the name of each input file from
which no output would normally have been printed.
-l Suppress normal output; instead print the name of each input file from
which output would normally have been printed.
-n Prefix each line of output with the line number within its input file.
-q Quiet; suppress normal output.
-s Suppress error messages about nonexistent or unreadable files.
-v Invert the sense of matching, to select non-matching lines.
-w Select only those lines containing matches that form whole words. The
test is that the matching substring must either be at the beginning of
the line, or preceded by a non-word constituent character. Similarly,
it must be either at the end of the line or followed by a non-word
constituent character. Word-constituent characters are letters, digits,
and the underscore.
-x Select only those matches that exactly match the whole line.
-? Displays this help.
************
No service found!

Removing hidden folder:
No folder found!

Deleting files

Backing up files
Done!

Removing registry entries

REGEDIT4

AND THIS ONE FROM HIGHJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:44 AM, on 8/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
G:\zz\T31D1AT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
G:\zz\T31D1AT.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Suitcase 11.0.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{01459C6E-5A58-4181-B145-A5695C1FAD45}: NameServer = 66.153.162.98,66.153.128.98
O17 - HKLM\System\CCS\Services\Tcpip\..\{069095A0-753F-41A4-A062-DF7319F0CB1A}: NameServer = 66.153.128.98,66.153.162.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{01459C6E-5A58-4181-B145-A5695C1FAD45}: NameServer = 66.153.162.98,66.153.128.98
O17 - HKLM\System\CS2\Services\Tcpip\..\{01459C6E-5A58-4181-B145-A5695C1FAD45}: NameServer = 66.153.162.98,66.153.128.98
O17 - HKLM\System\CS3\Services\Tcpip\..\{01459C6E-5A58-4181-B145-A5695C1FAD45}: NameServer = 66.153.162.98,66.153.128.98
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

Thanks in advance for any help
 
Status
Not open for further replies.
Back