Root kit?

Good evening gentlemen,

First to the parameters. This is my home computer. Windows XP Pro SP2 (German language). Avast version 4.8 home edition (updated daily), Spybot version 1.5.2 (updated daily). Sunbelt firewall currently installed for reasons I'll explain below.

Hijackthis log file as follows:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:02:29, on 29.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\avmwlanstick\FRITZWLANMini.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vVX3000.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\STRATE~1\daemon14.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Dokumente und Einstellungen\jacko\Eigene Dateien\downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {2F1E71C9-D68C-42C3-9CCD-54719F00C03F} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [itype] "C:\Programme\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AVMWlanClient] C:\Programme\avmwlanstick\FRITZWLANMini.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [Daemon14] C:\PROGRA~1\MI948F~1\GAMECO~1\STRATE~1\daemon14.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://jacksstuff41.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://cm4all04.kundenserver.de/app/static/activex/msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WinNt32 - C:\WINDOWS\SYSTEM32\WinNt32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Programme\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: UPnPService - Magix AG - C:\Programme\Gemeinsame Dateien\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 6845 bytes

Hijackthis logfile shown is after my "bad file" removal.

Here's what I did: I inadvertently opened a text file (instead of downloading it, right-click and check) from a Russian website. Contained in the "text file" were three executables. Avast gave an immediate warning and I immediately deleted all three .exe files, albeit too late.

This is my "notice list" from Avast:

27.04.2008 23:42:15jacko1632Sign of "Win32:Renos-EE [trj]" has been found in "C:\Dokumente und Einstellungen\jacko\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZKK5GD9N\pxlyzzm[1].htm" file.
27.04.2008 23:42:33jacko1632Sign of "Win32:Renos-EE [trj]" has been found in "C:\mvmeqe.exe" file.
27.04.2008 23:42:38jacko1632Sign of "Win32:Renos-EE [trj]" has been found in "C:\Dokumente und Einstellungen\jacko\Lokale Einstellungen\Temporary Internet Files\Content.IE5\56KJDCYG\pxlyzzm[1].htm" file.
27.04.2008 23:42:42jacko1632Sign of "Win32:Renos-EE [trj]" has been found in "C:\mvmeqe.exe" file.
27.04.2008 23:42:52jacko1632Sign of "Win32:Tiny-II [trj]" has been found in "C:\Dokumente und Einstellungen\jacko\Lokale Einstellungen\Temporary Internet Files\Content.IE5\RY8WOCGF\yzznabofpg[1].htm" file.
27.04.2008 23:43:02jacko1632Sign of "Win32:Socks-AD [Wrm]" has been found in "C:\Dokumente und Einstellungen\jacko\Lokale Einstellungen\Temporary Internet Files\Content.IE5\LJDB3KMX\ddos[1].htm" file.
27.04.2008 23:43:16jacko1632Sign of "Win32:Socks-AD [Wrm]" has been found in "C:\d.exe" file.
27.04.2008 23:43:42jacko1632Sign of "Win32:E404 [Adw]" has been found in "C:\Programme\Helper\1209332599.dll\[UPX]" file.
28.04.2008 09:43:21jacko143316Sign of "Win32:E404 [Adw]" has been found in "C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Temporary Internet Files\Content.IE5\YHOZCJUT\sdferw[1].htm\[UPX]\[Embedded#0eb0]\[UPX]" file.

Not to be outdone by a trojan, I ran an offline, thorough scan. The two, win32:socks-ad and win32:tiny-II, have been moved to the avast "chest files", indicating they've been removed. The other two, win32.E404[adw] and win32:renos-EE [trj], are apparently still active.

Upon re-booting and going back online I noticed the "Avast E-mail scanner icon" was running in the task bar. What it appears is that my system was sending 10 E-mails every second to either real or fictional E-mail addresses. Now, I panicked a little and pulled my W-lan out of the USB port..lol...and considered my options, ran a spybot scan. Found a few "tracking cookies" but nothing major. Cleaned up my registry. Searched for all entries dated April 27th 2008 and promptly deleted all of them.

Once again, upon re-booting the "Avast E-mail scanner icon" began running once again. Having no viable alternative I downloaded the Sunbelt firewall, which in the meantime has prevented outgoing connections from the source, which I currently cannot find. My final option was to do a system restore, which I attempted to do; however, all of my system restore points are no longer being shown, except one: April 27th 2008, and it is damaged. What I'm finding odd is the fact that "whatever" this is, is running with remarkable clockwork. Every single second 10 E-mails are generated and are attempting to be sent.

Although the file extensions shown by Avast call them "[adw] and [trj]", or adware and trojan respectively, I am not entirely satisfied they are in fact adware or trojans. This one is something different. It is not being detected by Avast or Spybot, and the entry was not shown on the hijackthis logfile.

On a personal note. I build personal computers for a living and much of my time is spent helping poor people like myself rid themselves of viruses, trojans and worms. This one has me by the hair. Any help would be appreciated.

Thanks in advance!

saf-beagle


PS: link to my original hijackthis logfile: http://hjt.networktechs.com/parse.php?log=470084


Wow, that is pretty nasty. My first suggestion would be to try a different anti-virus. I have complete faith in Avast, but if you're lucky maybe a different vendor's anti-virus will pick something up. I would try:

http://free.grisoft.com/ww.download?prd=afe

AVG is what I normally use. Now if that doesn't work..........well, it's really up to you. I hope all of your files are backed up on an external DRIVE. I would try and reinstall avast and see if the problem persists. Also, is anything else acting up besides avast?


Hi soriano and thank you for your reply!

I believe what I have on my pc is something that antivirus programmes cannot detect. It is not per se a virus, because it is not destructive; it's attempting to send E-mails, which is very unnerving. The source of the E-mail addresses is puzzling as well.

Ran Avast in safe mode with network connections last evening with no results; however, the rootkit didn't start. That opens a few possibilities where it could be hiding.


Just last Friday I backed up all of my files to external.

Actually, it's the avast "scan outbound mail" that tipped me off. Avast sounded a few warnings of multiple E-mails to the same recipients. Since I installed the firewall the outgoing connections have been blocked although, in the time it took me to write this response I've had over 300 connection attempts.

I'm still working on it but could use more suggestions.

Thanks!

~saf-b
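The symptom SAF-B describes above (ten mails a second, hundreds of blocked outgoing connections while writing one reply) is a pattern that an outbound-connection log can surface on its own, before anyone knows which process is responsible. The following is an added example, not code from the thread or from Avast, Spybot or the Sunbelt firewall; the log format ("date time direction dst_ip:port") and all of the log lines are constructed for the example. It buckets outbound connections to the mail ports into one-second windows and reports any window that holds a burst, together with how many distinct destinations the burst touched (a mail client talks to one relay; a spam engine fans out to many).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of an outbound-connection log. The format
# "date time direction dst_ip:port" is an assumption for this example, not the
# Sunbelt firewall's own log format. The burst of port-25 connections inside
# one second mimics the symptom described in the thread.
SAMPLE_LOG = """
2008-04-28 10:15:00.210 OUT 198.51.100.20:80
2008-04-28 10:15:00.480 OUT 198.51.100.21:443
2008-04-28 10:15:00.900 OUT 203.0.113.5:25
2008-04-28 10:15:01.020 OUT 203.0.113.10:25
2008-04-28 10:15:01.110 OUT 203.0.113.11:25
2008-04-28 10:15:01.210 OUT 203.0.113.12:25
2008-04-28 10:15:01.300 OUT 203.0.113.13:25
2008-04-28 10:15:01.410 OUT 203.0.113.14:25
2008-04-28 10:15:01.500 OUT 203.0.113.15:25
2008-04-28 10:15:01.620 OUT 203.0.113.16:25
2008-04-28 10:15:01.710 OUT 203.0.113.17:25
2008-04-28 10:15:01.800 OUT 203.0.113.18:25
2008-04-28 10:15:01.930 OUT 203.0.113.19:25
2008-04-28 10:15:02.300 OUT 198.51.100.22:80
""".strip()

# Ports a mail-sending engine is likely to use (SMTP, SMTPS, submission).
SMTP_PORTS = {25, 465, 587}


def parse_connections(text):
    """Yield (timestamp, dst_ip, port) for each OUT line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "OUT":
            continue
        try:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S.%f")
            ip, port = parts[3].rsplit(":", 1)
            yield ts, ip, int(port)
        except ValueError:
            continue


def smtp_bursts(text, threshold=5):
    """Return [(second, connection_count, distinct_destinations)] for every
    one-second bucket holding at least `threshold` outbound mail-port connections."""
    buckets = defaultdict(list)
    for ts, ip, port in parse_connections(text):
        if port in SMTP_PORTS:
            buckets[ts.replace(microsecond=0)].append(ip)
    return [(sec, len(ips), len(set(ips)))
            for sec, ips in sorted(buckets.items()) if len(ips) >= threshold]


if __name__ == "__main__":
    for sec, count, distinct in smtp_bursts(SAMPLE_LOG):
        print(f"{sec.isoformat()}  {count} mail-port connections to {distinct} destinations")
```

A threshold of five connections per second is well above what any interactive mail client produces, so a hit is worth treating as an indicator rather than noise; on the machine in the thread the firewall block itself contained the outbreak, and this kind of count is what tells you whether the block is still holding after a cleanup.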


Ok, I nailed it. It was in fact a rootkit and a few trojans. I was on the right track.

Have a LOOK:

Malwarebytes' Anti-Malware 1.11
Database version: 702

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 218185
Time elapsed: 1 hour(s), 22 minute(s), 30 second(s)

Memory Processes INFECTED: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnt32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{4E8D9A55-1C48-4078-8B23-262A31BB4056}\RP119\A0025331.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E8D9A55-1C48-4078-8B23-262A31BB4056}\RP119\A0025332.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E8D9A55-1C48-4078-8B23-262A31BB4056}\RP119\A0025336.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E8D9A55-1C48-4078-8B23-262A31BB4056}\RP119\A0025388.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E8D9A55-1C48-4078-8B23-262A31BB4056}\RP119\A0025389.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E8D9A55-1C48-4078-8B23-262A31BB4056}\RP120\A0025460.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E8D9A55-1C48-4078-8B23-262A31BB4056}\RP120\A0025461.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN5.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN7.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN8.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BNA.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BNC.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BNE.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BNF.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinData.cab (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Delete on reboot.


The software "Malwarebytes' Anti-Malware" I found at the Alwil (www.avast.com) forums. During the scan Avast sounded three warnings:

30.04.2008 19:28:00SYSTEM1840Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\System Volume Information\_restore{4E8D9A55-1C48-4078-8B23-262A31BB4056}\RP119\A0025331.exe\[UPX]" file.
30.04.2008 19:28:41SYSTEM1840Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\System Volume Information\_restore{4E8D9A55-1C48-4078-8B23-262A31BB4056}\RP119\A0025332.exe\[UPX]" file.
30.04.2008 19:28:49SYSTEM1840Sign of "Win32:TratBHO [trj]" has been found in "C:\System Volume Information\_restore{4E8D9A55-1C48-4078-8B23-262A31BB4056}\RP119\A0025388.dll" file.

I hope this can help people in the future.

~SAF-B


Post a fresh Hijackthis log.


Yes, of course:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:25:07, on 30.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\avmwlanstick\FRITZWLANMini.exe
C:\Programme\Naturalpoint\TrackIR4\TrackIR.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vVX3000.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\STRATE~1\daemon14.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\Programme\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programme\Windows Live Toolbar\msn_sl.exe
C:\Dokumente und Einstellungen\jacko\Eigene Dateien\downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [itype] "C:\Programme\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AVMWlanClient] C:\Programme\avmwlanstick\FRITZWLANMini.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [Daemon14] C:\PROGRA~1\MI948F~1\GAMECO~1\STRATE~1\daemon14.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://jacksstuff41.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://cm4all04.kundenserver.de/app/static/activex/msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: WinNt32 - WinNt32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Programme\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: UPnPService - Magix AG - C:\Programme\Gemeinsame Dateien\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 6593 bytes

~SAF-B


PS- JRE updated before running malwarebytes

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O20 - Winlogon Notify: WinNt32 - WinNt32.dll (file missing)

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

This is a good time to clear your infected system restore points and establish a new clean restore point:

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and click Next.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Next to System Restore click Clean up...
This will remove all restore points except the new one you just created.

----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
Here are some great tools to help you keep from getting infected again.

To prevent unknown applications from being installed on your computer install WinPatrol 2007

Another thing I would suggest installing SiteAdvisor. SiteAdvisor rates sites on business practices and spam.

UPDATE!!! UPDATE!!! UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer.
* Help with Windows updates

Learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Let us know if anything else comes up.


Hi Evil and thanks for your reply,

I followed all of your suggestions. Deleted the O20 - Winlogon Notify: WinNt32 - WinNt32.dll (file missing) entry. Actually, that entry did cause me a certain amount of interest; however, I couldn't find any pertinent information regarding the .dll, so I left it alone.

Upon attempting to use the cleanup command in Run, defrag started; no options tab was shown (only English commands will work in the German command console; I believe that's the same for every foreign-language version of Windows). Perhaps there is a small difference? A tip from you here would be helpful, as the rootkit deleted all of my restore points and set a new one. That alone causes some anxiety.

The other info you posted is also useful. I know, for example, exactly how, where and why the rootkit was installed on my pc: my own stupidity! I broke my own rules for downloading or viewing information on the internet and paid for it. Four days of work lost for a moment of inattentiveness.

This forum is very interesting indeed. Thanks for your help!

~SAF-B
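Evil's fix above turns on a single HijackThis line, the O20 Winlogon Notify entry, and SAF-B's remark that the WinNt32.dll entry looked interesting but could not be researched. Two checks make that call easier than eyeballing a log: diffing two scans so that what changed stands out, and flagging Winlogon Notify entries that are orphaned, live outside system32, or are not among the packages a stock XP install registers. The following is an added example, not code from the thread, from HijackThis or from Malwarebytes. The sample lines are copied from the two logs posted in this thread; the list of stock XP Notify packages is an assumption to be checked against a known-clean machine of the same build.

```python
import re

# Sample lines copied from the two HijackThis logs posted in the thread
# (the first log before the Malwarebytes run, the second log after it).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {2F1E71C9-D68C-42C3-9CCD-54719F00C03F} - (no file)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WinNt32 - C:\WINDOWS\SYSTEM32\WinNt32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
""".strip()

LOG_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WinNt32 - WinNt32.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
""".strip()

ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*\S)\s*$")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s*(\S+)\s+-\s+(.+?)(\s+\(file missing\))?$")

# Winlogon Notify subkeys commonly present on a stock XP SP2 install. This is
# an assumption for the example; tune it against a known-clean machine.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_hjt(text):
    """Return [(section, body)] for every 'Oxx - ...' style line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """Entries added and removed between two scans. The comparison is case-insensitive,
    so cosmetic differences such as [CTFMON.EXE] vs [ctfmon.exe] are not reported."""
    def keyed(text):
        return {(s, b.casefold()): (s, b) for s, b in parse_hjt(text)}
    b, a = keyed(before), keyed(after)
    added = [a[k] for k in a if k not in b]
    removed = [b[k] for k in b if k not in a]
    return added, removed


def flag_winlogon_notify(text):
    """Return [(name, path, reason)] for O20 entries that deserve a second look."""
    flags = []
    for section, body in parse_hjt(text):
        if section != "O20":
            continue
        m = NOTIFY_RE.match(body)
        if not m:
            continue
        name, path, missing = m.group(1), m.group(2), m.group(3)
        if missing:
            reason = "DLL file missing: orphaned load point, safe to remove"
        elif ":" not in path:
            reason = "bare file name, resolved through the DLL search path"
        elif "\\system32\\" not in path.casefold():
            reason = "DLL outside system32"
        elif name.casefold() not in STOCK_NOTIFY:
            reason = "not a stock XP notification package; verify publisher and hash"
        else:
            continue  # known package in the expected place: nothing to report
        flags.append((name, path, reason))
    return flags


if __name__ == "__main__":
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("added:", *[b for _, b in added], sep="\n  ")
    print("removed:", *[b for _, b in removed], sep="\n  ")
    for name, path, reason in flag_winlogon_notify(LOG_BEFORE):
        print(f"O20 {name} -> {path}: {reason}")
```

Run against the first log, the only reason the WinNt32 entry is flagged is that the name is not a stock Notify package: the DLL sat in SYSTEM32 with a plausible name, which is exactly why it was left alone. That is the point of keeping a baseline log from a clean machine: a Winlogon Notify DLL is loaded into winlogon.exe at every logon, so a new name there is worth checking even when the path looks right.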

If removing the WinNt32.dll caused problems I apologize.

Do you mean that system restore no longer works?


No, no! No need to apologise. You're right on the money!

I removed the entry without any problems. Initially, I found the WinNt32.dll to be interesting because I thought it didn't belong; however, I couldn't find any information on the internet regarding the situation with my pc. So I didn't remove it.

I removed the entry with no NEGATIVE or noticeable effects.


The system restore is in fact working. Oddly, all of my system restore points before April 27th 2008 are "missing" or are not being shown. Only April 27th 2008, which obviously contains the rootkit. So I'm assuming this "rootkit" hid or deleted my previous system restore points. (I believe I have had this XP Pro version running since 2004.)

I followed your instructions this morning:

Go to Start > All Programs > Accessories > System Tools > System Restore

Select Create a restore point, and click Next.

That worked fine and did in fact create a restore point

Next, go to Start > Run and type in cleanmgr

Select the More options tab

Next to System Restore click Clean up...

After typing in "cleanmgr", defrag started. No options tab was shown. I started the console ( CMD) typed in cleanmgr and once again defrag started.


Am I doing something wrong?


~SAF-B
Try putting in cleanmgr.exe and see if it helps.


Hmm. Same thing. Defrag starts.


Try this.

Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Disk Cleanup.


Pffft. That was a hit. Got it. Thanks for your help!


That's odd, though, that it isn't working with the run command.