ROOTKIT QUESTIONS -- Marcos?

Discussion in 'other security issues & news' started by ROOTKIT QUESTIONS, Oct 28, 2005.

Thread Status:
Not open for further replies.
  1. Can any kind of virus or rootkit survive quick and full format?
    If so can they infect PC again?

    I read somewhere on the intenret that rootkits are even able to hide in bad sectors, bios or VIDEO CARD memory...?

    Please give us experts description.
     
  2. xanybodyx

    xanybodyx Guest

    Anybody?
     
  3. zippidoda

    zippidoda Guest

    If devilsadvocate can't answer it , or another expert, you may have to look at root kit dot com seeking your answer.

    zippidoda
     
  4. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    Hi there

    as I understand it, the current state of play in regard to your questions are as follows

    A full format and reinstall will defeat a rootkit

    The ability to use Videocard resources has been published as a "proof of concept" although I believe it was EEPROM chips where the vulnerability lay. Video RAM is cleared when powered down and so would not be susceptible. I do not think that this POC has so far been seen in real life though.

    HD Rider UK
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I haven't heard of anything actually spreading that uses the video card memory, but it is possible.. things are also just beginning. As for whether that's possible, anything is possible. At this point I doubt there's really much to worry about. If you are worried, just get the drive tool from your drive manufacturer and do a zero-fill format, or use Eraser to create a nuke disk. You can also flash your BIOS, but this is potentially risky unless you have a motherboard (like my Asus) that detects corrupt BIOS flashes and helps you fix them.

    In short, I wouldn't lose any sleep over it at this point, but keep an eye out. As soon as that kind of stuff starts spreading you can bet there will be experts publishing instructions on how to fix it. Video card manufacturers do have flash utilities for video cards, they're just really hard (if not impossible) to find at the moment.. but if that ever becomes an issue, I'm sure they will release them.
     
  6. dodowa

    dodowa Guest

    "Video card manufacturers do have flash utilities for video cards, they're just really hard (if not impossible) to find at the moment.. but if that ever becomes an issue, I'm sure they will release them."

    You hit it right on the head. The nasty actualy reflashes the video card , this has nothing to do with your video card losing all it's brains on shut down. With the video card reflashed to the attackers liking, yes the bug will restartup on boot. The attacker gets ahold of the flash exe and then rewrites it a bit.
     
  7. u_b_pwn3d

    u_b_pwn3d Guest


    But that's the point isn't it? Now's the time to use a rootkit like that, before anyone figures it out. when everyone says "Oh, that isn't possible" or "Not yet". Strike while the iron's hot, is the saying I think. ;)
     
  8. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    This is true, however rootkit detection in general is still in it's infancy.. is there really a need to go that far yet? Besides, AFAIK it's still in the POC phase.. it's not going to be very sucessful/useful if it announces it's presence with persistant BSODs.
     
  9. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    While rootkit detection is still something of a "black art", and there is widespread confusion over what a rootkit actually is/does, the fact is that the scummers have raised their game here. I am seeing an increasing number of HJT logs where our old friends such as Elitum etc are using rootkit code to hide their installers. Rootkits and Malware are just made for each other for the simple reason that the rootkit code gives persistance to the malware bundle. Everytime you think you have got a system clean, the stealthed installer puts it all back on for you, lovely. I think it is inevitable that more malware installations will use this technology in the next few months, especially since the code for rootkits such as FU is freely available for the malware merchants to bolt on. Even though the more esoteric rootkit technology such as flash rewrites are not currently viable, with the amount of money involved how long will it be before Proof of Concept becomes In The Wild?

    HD Rider UK
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I definitely agree that it's just a matter of time. If we can at least get to the point that we can easily identify which rootkit is installed, then we can tell whether the user needs to go as far as flashing the video card or not.
     
  11. controler

    controler Guest

    Yes at present the video card approach is not able to access main memory. There was some talk about a wierd pixil thing and even Direct X 9 but it appears
    they are looking more at the I/O interface drivers.
    HD Rider Uk ? you mentioned money. That is right on. For enough money the coder will make almost anything happen. There seems to be so much going on these days, it is hard to keep up with it all. It is great HJT logs are still of use.

    I wonder how technical a batch file would have to be to use net stop hackerdefender in it? I guess it would have to use any number of names that a service could be called. Just brainstorming again LOL
    I guess if you know the name of the service (exe) you can use autoexec.bat to net stop service on boot.

    controler
     
  12. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    Hi Controller

    Thankfully hackerdefender and Apropos are easily detected by RKRevealer and Blacklight. The difficult one is the FU rootkit which both those tools miss, however, FU usually shows up in a safe mode start up list from HJT, and sometimes in the services 023 lines in the HJT log itself in a line like this

    O23 - Service: msymrqbvpoy - Unknown owner - C:\WINDOWS\system32\rqbvpoy\msym.exe.

    With FU, its then a case of digging through data and then writing a batch to get the processes, files, services and reg entries all at one go.

    HD Rider UK
     
  13. StevieO

    StevieO Guest

    Hi,

    The more places there are to hide the more difficult and time consuming it is/will be to track them down.

    XP etc has a lot more areas etc to be covered/tracked, especially if NTFS partions are enabled !

    Take a look at just some of the problems people are experiencing over on here for example.

    http://www.sysinternals.com/Forum/forum_topics.asp?FID=15


    StevieO
     
  14. geekzone

    geekzone Guest

    It seems to me that M$ should get off their collective a$$es, stop talking about rootkits and make that ghostbuster thing available for download. You know the one that's supposed to be able to be run off a bootable cd. How long are we going to have to wait to have effective protection against these threats?
     
  15. controler

    controler Guest

    I was also wondering if a person could just look at the running service on the compromised computer with the bootcd and then use a net or sc command to first stop the service from the boot cd? And maybe even change the registry value? Is there some experts here on either of those two? I have not used them
    for the more advanced commands. I have only used them in batch files to stop, pause or start services ect.

    ok edit, I just tried to shut down AVP and it doesn't work. AVP protected.


    controler
     
    Last edited by a moderator: Oct 30, 2005
  16. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    If the mods here will allow it, i can post an example of how i cleaned a FU rootkit in real life, the post would be in 4 parts
    1- the HJT log
    2- the safe mode startup list and regsearch log
    3- the first fix
    4- the final fix cleaning up the leftovers

    HD Rider Uk
     
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That would be great :)
     
  18. controler

    controler Guest

    I don't see how posting a fix for a well known rootkit would be against the TOS.

    controler
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Sounds good... thanks! :cool:
     
  20. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    Hi There

    Give me a day or so and I will put something together, sorry for the delay but work is really busy at the moment.

    HD Rider Uk
     
  21. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    Hi there

    well I have put something together quickly. I am posting this for information as to how I did this particular log. It is not meant to illustrate best practice or to be a model fix in any way. Just regard it as an insight into a very steep learning curve for me.



    Here is the initial log



    Logfile of HijackThis v1.99.1
    Scan saved at 2:24:33 PM, on 9/23/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Symantec AntiVirus\DoScan.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\eDonkey2000\edonkey2000.exe
    C:\WINDOWS\system32\vrnhg\icayfq.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\FranklinCovey\PlanPlus for Microsoft Outlook\PowerNotes.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\AutoCAD 2006\acad.exe
    C:\DOCUME~1\jbrown\LOCALS~1\Temp\AdskCleanup.0001
    C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\msdtc.exe
    C:\Documents and Settings\jbrown\Desktop\Temp\HHSpdHck.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jbrown\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O1 - Hosts: 216.39.69.102 view.atdmt.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
    O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [mrxltgb] C:\WINDOWS\system32\oteutebu\mrxltgb.exe
    O4 - HKLM\..\Run: [cplkm] C:\WINDOWS\system32\kxpqfx\cplkm.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
    O4 - HKLM\..\Run: [cgpq] C:\WINDOWS\system32\qmktjj\cgpq.exe
    O4 - HKLM\..\Run: [jjccfhum] C:\WINDOWS\system32\ovsq\jjccfhum.exe
    O4 - HKLM\..\Run: [icayfq] C:\WINDOWS\system32\vrnhg\icayfq.exe
    O4 - HKLM\..\RunOnce: [HP_AIO_SETUP_MUTEX] C:\DOCUME~1\JBROWN\LOCALS~1\TEMP\HP OFFICEJET G SERIES\CDIMAGE\setup.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/08013d59b3a0b8...tzip/RdxIE2.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathsoft.webex.com/client/v_mywebex...ent/ieatgpc.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = silvereaglerefining.com
    O17 - HKLM\Software\..\Telephony: DomainName = silvereaglerefining.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = silvereaglerefining.com
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: cgpqqmktjj - Unknown owner - C:\WINDOWS\system32\qmktjj\cgpq.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\amJyb3du\command.exe (file missing)
    O23 - Service: cplkmkxpqfx - Unknown owner - C:\WINDOWS\system32\kxpqfx\cplkm.exe
    O23 - Service: CWShredder Service - InterMute, Inc. - c:\program files\InterMute\SpySubtract\CWShredder.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: icayfqvrnhg - Unknown owner - C:\WINDOWS\system32\vrnhg\icayfq.exe
    O23 - Service: ivxprhhjnjfe - Unknown owner - C:\WINDOWS\system32\hhjnjfe\ivxpr.exe
    O23 - Service: jjccfhumovsq - Unknown owner - C:\WINDOWS\system32\ovsq\jjccfhum.exe
    O23 - Service: mrxltgboteutebu - Unknown owner - C:\WINDOWS\system32\oteutebu\mrxltgb.exe
    O23 - Service: msymrqbvpoy - Unknown owner - C:\WINDOWS\system32\rqbvpoy\msym.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  22. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    After running through several fixes without success and suspecting a rootkit, I discussed the log with Atribune and Cretemonster who suggested getting a startup log from HJT in safe mode. After further prompts, I did some research that also revealed the fact that this rootkit hid some of the services by installing them as Non PnP Devices. I asked the user to get me screenshots from device manager so that i could ID those ones as well. Unfortunately, i dont have access to those screenshots now.

    StartupList report, 9/29/2005, 11:10:16 AM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\jbrown\Desktop\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\jbrown\Desktop\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\jbrown\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Acrobat Speed Launcher.lnk = ?
    AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    Acrobat Assistant 7.0 = "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    (Default) =
    HPAIO_PrintFolderMgr = C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
    ISUSPM Startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    vptray = C:\PROGRA~1\SYMANT~2\VPTray.exe
    gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    cplkm = C:\WINDOWS\system32\kxpqfx\cplkm.exe
    THGuard = "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
    SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    guycrm = C:\WINDOWS\system32\fhlpnxy\guycrm.exe
    babfk = C:\WINDOWS\system32\vljhvq\babfk.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    services32 = C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
    H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

    (Default) = "C:\WINDOWS\system32\notepad.exe" "%1"

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{4b218e3e-bc98-4770-93d3-2731b9329278}] *
    StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

    [{8b15971b-5355-4c82-8c07-7e181ea07608}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [CKAVWebScan Object]
    InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll
    CODEBASE = http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

    [Windows Genuine Advantage Validation Tool]
    InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
    CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc2.cab

    [{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
    CODEBASE = http://software-dl.real.com/08013d59b3a0b8...tzip/RdxIE2.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

    [Java Plug-in 1.5.0_04]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

    [MsnMessengerSetupDownloadControl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
    CODEBASE = http://messenger.msn.com/download/MsnMesse...pDownloader.cab

    [Java Plug-in 1.4.2_03]
    InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

    [Java Plug-in 1.5.0_02]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

    [Java Plug-in 1.5.0_04]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

    [GpcContainer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ieatgpc.dll
    CODEBASE = https://mathsoft.webex.com/client/v_mywebex...ent/ieatgpc.cab

    [QDiagHUpdateObj Class]
    InProcServer32 = C:\WINDOWS\system32\qdiagh.ocx
    CODEBASE = http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    abp480n5: system32\DRIVERS\ABP480N5.SYS (system)
    Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
    Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
    adpu160m: system32\DRIVERS\adpu160m.sys (system)
    aeaudio: system32\drivers\aeaudio.sys (manual start)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD: \SystemRoot\System32\drivers\afd.sys (system)
    Intel AGP Bus Filter: system32\DRIVERS\agp440.sys (system)
    Compaq AGP Bus Filter: system32\DRIVERS\agpCPQ.sys (system)
    Aha154x: system32\DRIVERS\aha154x.sys (system)
    aic78u2: system32\DRIVERS\aic78u2.sys (system)
    aic78xx: system32\DRIVERS\aic78xx.sys (system)
    Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    AliIde: system32\DRIVERS\aliide.sys (system)
    ALI AGP Bus Filter: system32\DRIVERS\alim1541.sys (system)
    AMD AGP Bus Filter Driver: system32\DRIVERS\amdagp.sys (system)
    amsint: system32\DRIVERS\amsint.sys (system)
    aokxlhk: \??\C:\WINDOWS\system32\jsjdflb\aokxlhk (manual start)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    asc: system32\DRIVERS\asc.sys (system)
    asc3350p: system32\DRIVERS\asc3350p.sys (system)
    asc3550: system32\DRIVERS\asc3550.sys (system)
    ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
    RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
    Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
    ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
    ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
    Autodesk Licensing Service: "C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe" (manual start)
    Broadcom NetXtreme 57xx Gigabit Controller: system32\DRIVERS\b57xp32.sys (manual start)
    babfkvljhvq: C:\WINDOWS\system32\vljhvq\babfk.exe (autostart)
    Belarc SMBios Access: \SystemRoot\System32\Drivers\BANTExt.sys (system)
    Broadcom ASF IP monitoring service v6.0.4: C:\WINDOWS\system32\basfipm.exe (autostart)
    BASFND: \??\C:\WINDOWS\system32\Drivers\BASFND.sys (autostart)
    Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    cbidf: system32\DRIVERS\cbidf2k.sys (system)
    Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
    Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
    Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
    cd20xrnt: system32\DRIVERS\cd20xrnt.sys (system)
    CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
    CmdIde: system32\DRIVERS\cmdide.sys (system)
    Command Service: C:\WINDOWS\amJyb3du\command.exe (autostart)
    COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    cplkmkxpqfx: C:\WINDOWS\system32\kxpqfx\cplkm.exe (autostart)
    Cpqarray: system32\DRIVERS\cpqarray.sys (system)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    CWShredder Service: c:\program files\InterMute\SpySubtract\CWShredder.exe service (autostart)
    dac2w2k: system32\DRIVERS\dac2w2k.sys (system)
    dac960nt: system32\DRIVERS\dac960nt.sys (system)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    Symantec AntiVirus Definition Watcher: "C:\Program Files\Symantec AntiVirus\DefWatch.exe" (autostart)
    DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Disk Driver: system32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (manual start)
    MS IEEE-1284.4 Driver: system32\DRIVERS\Dot4.sys (manual start)
    Print Class Driver for IEEE-1284.4: system32\DRIVERS\Dot4Prt.sys (manual start)
    Scan Class Driver for IEEE-1284.4: system32\DRIVERS\Dot4Scan.sys (manual start)
    Dot4USB Filter Dot4USB Filter: system32\DRIVERS\dot4usb.sys (manual start)
    dpti2o: system32\DRIVERS\dpti2o.sys (system)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    Intel® PRO Adapter Driver: system32\DRIVERS\e100b325.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
    ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
    ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
    ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Fax: %systemroot%\system32\fxssvc.exe (autostart)
    Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
    FltMgr: system32\DRIVERS\fltMgr.sys (system)
    Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
    GATXKBZI: C:\DOCUME~1\jbrown\LOCALS~1\Temp\GATXKBZI.exe (manual start)
    GLNHHZOO: C:\DOCUME~1\jbrown\LOCALS~1\Temp\GLNHHZOO.exe (manual start)
    Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
    guycrmfhlpnxy: C:\WINDOWS\system32\fhlpnxy\guycrm.exe (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
    hpn: system32\DRIVERS\hpn.sys (system)
    HTTP: System32\Drivers\HTTP.sys (manual start)
    HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
    i2omp: system32\DRIVERS\i2omp.sys (system)
    i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
    ialm: system32\DRIVERS\ialmnt5.sys (manual start)
    IIS Admin: C:\WINDOWS\system32\inetsrv\inetinfo.exe (autostart)
    CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
    ini910u: system32\DRIVERS\ini910u.sys (system)
    IntelIde: system32\DRIVERS\intelide.sys (system)
    Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
    IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
    IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: system32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
    ivxprhhjnjfe: C:\WINDOWS\system32\hhjnjfe\ivxpr.exe (autostart)
    Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
    Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
    Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
    Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
    mraid35x: system32\DRIVERS\mraid35x.sys (system)
    WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
    FTP Publishing: %SystemRoot%\system32\inetsrv\inetinfo.exe (autostart)
    Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
    msymrqbvpoy: C:\WINDOWS\system32\rqbvpoy\msym.exe (autostart)
    NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050928.007\naveng.sys (manual start)
    NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050928.007\navex15.sys (manual start)
    Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
    Net Logon: %SystemRoot%\system32\lsass.exe (autostart)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    nv: system32\DRIVERS\nv4_mini.sys (manual start)
    IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
    Parallel port driver: system32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: system32\DRIVERS\pci.sys (system)
    PCIIde: system32\DRIVERS\pciide.sys (system)
    perc2: system32\DRIVERS\perc2.sys (system)
    perc2hib: system32\DRIVERS\perc2hib.sys (system)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
    WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: system32\DRIVERS\PxHelp20.sys (system)
    ql1080: system32\DRIVERS\ql1080.sys (system)
    Ql10wnt: system32\DRIVERS\ql10wnt.sys (system)
    ql12160: system32\DRIVERS\ql12160.sys (system)
    ql1240: system32\DRIVERS\ql1240.sys (system)
    ql1280: system32\DRIVERS\ql1280.sys (system)
    Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
    Rdbss: system32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    SAVRoam: "C:\Program Files\Symantec AntiVirus\SavRoam.exe" (autostart)
    SAVRT: \??\C:\Program Files\Symantec AntiVirus\savrt.sys (system)
    SAVRTPEL: \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys (system)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: system32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Sentinel: \SystemRoot\System32\Drivers\SENTINEL.SYS (autostart)
    Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
    Serial port driver: system32\DRIVERS\serial.sys (system)
    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SIS AGP Bus Filter: system32\DRIVERS\sisagp.sys (system)
    Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\system32\inetsrv\inetinfo.exe (autostart)
    smwdm: system32\drivers\smwdm.sys (manual start)
    Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (manual start)
    Rainbow USB SuperPro: system32\DRIVERS\SNTNLUSB.SYS (manual start)
    Sparrow: system32\DRIVERS\sparrow.sys (system)
    SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (manual start)
    Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (manual start)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
    System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Srv: system32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
    Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (autostart)
    Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{2F130D52-0BDB-47EB-AF81-1E09BA7E21E7} (manual start)
    Symantec AntiVirus: "C:\Program Files\Symantec AntiVirus\Rtvscan.exe" (autostart)
    symc810: system32\DRIVERS\symc810.sys (system)
    symc8xx: system32\DRIVERS\symc8xx.sys (system)
    SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (disabled)
    SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
    SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
    sym_hi: system32\DRIVERS\sym_hi.sys (system)
    sym_u3: system32\DRIVERS\sym_u3.sys (system)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
    TosIde: system32\DRIVERS\toside.sys (system)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    ultra: system32\DRIVERS\ultra.sys (system)
    uosfngi: \??\C:\WINDOWS\system32\flpiqev\uosfngi (manual start)
    Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
    Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
    USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
    USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
    USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    VIA AGP Bus Filter: system32\DRIVERS\viaagp.sys (system)
    ViaIde: system32\DRIVERS\viaide.sys (system)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    World Wide Web Publishing: %SystemRoot%\system32\inetsrv\inetinfo.exe (autostart)
    Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
    Windows CE USB Serial Host Driver: system32\DRIVERS\wceusbsh.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    XWC: C:\DOCUME~1\jbrown\LOCALS~1\Temp\XWC.exe (manual start)
    NTPort Library Driver: \??\C:\WINDOWS\system32\zntport.sys (autostart)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    jxbvilxg.exe = C:\WINDOWS\system\jxbvilxg.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    End of report, 38,543 bytes
    Report generated in 0.079 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  23. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    It was now a case of going through t he data provided and trying to come up with a fix that tackled as much as possible.



    Ok, On with the Fix


    Copy everything inside the quote box below and paste it into Notepad. Save it as killfiles.txt on your desktop.

    Copy everything inside the quote box below and paste it into Notepad. Go up to File > Save As, then click the drop-down box to change the "Save As Type" to "All Files". Save it as delserv.bat on your desktop.




    1) Please download the Killbox here.
    Unzip it to the desktop but do NOT run it yet.

    2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

    3) Once in Safemode, Double-click delserv.bat.

    4) Still in Safe Mode, please run Killbox.

    5) Select "Delete on Reboot".

    6) Open the text file you made earlier (Killfiles.txt), and copy the file names to the clipboard by highlighting them and pressing Control-C:

    7) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    :cool: Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..



    Let the system reboot but ensure it boots into Safe Mode by pressing F8 as your computer is booting up. Then select the Safe Mode option.



    9) Once in Safemode, Open the Device Manager and select View Hidden Devices from The View Menu. Navigate to Non PnP Devices and expand that line.

    10) Click on the entry labelled aokxlhk, then in the Actions menu, select Disable.Repeat this for the entry labelled uosfngi

    11) Click on the entry labelled aokxlhk, then in the Actions menu, select Uninstall.Repeat this for the entry labelled uosfngi

    12) Using Widows Explorer, locate and delete the following folders

    C:\WINDOWS\system32\jsjdflb
    C:\WINDOWS\system32\vljhvq
    C:\WINDOWS\amJyb3du
    C:\WINDOWS\system32\kxpqfx
    C:\WINDOWS\system32\fhlpnxy
    C:\WINDOWS\system32\hhjnjfe
    C:\WINDOWS\system32\rqbvpoy
    C:\WINDOWS\system32\flpiqev

    13) Boot into Normal mode

    14) Once in Normal Mode, copy the part in bold below into notepad. Save it as regfix.reg (set filetype to "All Files")


    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    "jxbvilxg.exe"=-

    Doubleclick the file you made (regfix.reg) and confirm you want to merge it with the registry.

    15) Reboot into safe Mode and rescan with Spysweeper, save the log it creates.

    16) Reboot once more into Normal Mode, Rescan with HJT and post a new HiJackThis log, as well as the Spysweeper Log..


    Good Luck :thumbsup:




    //////////////////////////////////////////



    This achieved partial success in that the user no longer had popups appearing, but the fix had not removed everything. The Spysweeper log showed that the scan was stumbling over a strtup item, so I did a serarh for that file reference in the registry


    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "guycrm.exe" 10/5/2005 8:56:30 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{89C3C1CF-E7DD-6F34-93F4-C3504E424838}\InprocServer32]
    @="C:\\WINDOWS\\system32\\fhlpnxy\\guycrm.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "guycrm"="C:\\WINDOWS\\system32\\fhlpnxy\\guycrm.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Webroot\SpySweeper\Startup\id_30]
    "Value"="C:\\WINDOWS\\system32\\fhlpnxy\\guycrm.exe"

    "C:\\Documents and Settings\\jbrown\\My Documents\\eDonkey2000 Downloads\\[Autodesk.AutoCAD.2006.o_O??].keygen.exe"="[Autodesk.AutoCAD.2006.o_O??].keygen"
    "C:\\WINDOWS\\system32\\fhlpnxy\\guycrm.exe"="guycrm"




    ///////////////////////////////////

    Bingo, the regsearch showed a hidden folder with a keygen file in it (no comment!!!). A fresh Startup log showed what remained, So lets build all that into a fix using a batch to avoid reboots and hit everything at once.





    The Fix

    Step #1

    Ensure that Spysweeper is updated.

    Step #2

    Copy everything inside the quote box below and paste it into Notepad. Go up to File > Save As, then click the drop-down box to change the "Save As Type" to "All Files". Save it as gotcha.bat on your desktop.

    Step #3

    Please Disconnect from the Internet completely. Then SHUT DOWN Ewido, MSAS, Trojan Hunter, and Spysweeper as these may interfere with the fix if they are running.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O4 - HKLM\..\Run: [cplkm] C:\WINDOWS\system32\kxpqfx\cplkm.exe
    O4 - HKLM\..\Run: [guycrm] C:\WINDOWS\system32\fhlpnxy\guycrm.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/08013d59b3a0b8...tzip/RdxIE2.cab
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\amJyb3du\command.exe (file missing)

    Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Step #4

    Once in Safemode, Double-click Gotcha.bat that you created earlier.

    Step #5

    Please remove these entries from Add/Remove Programs in the Control Panel(if present):

    eDonkey2000

    Please note any other programs that you dont recognize in that list in your next response

    Step #6

    Still in Safe Mode, Re enable and then Rescan with Spysweeper, save the log it creates.

    Step #7

    Reboot into safe Mode and rescan again with Spysweeper, save the log it creates.

    Step #8

    Reboot once more into Normal Mode. Re-enable ALL the previously disabled Security applications, including their real time protection functions, Rescan with HJT, then reconnect to the net and post a new HiJackThis log, as well as the 2 Spysweeper Logs for me here.

    Good Luck



    /////////////////////////////////////




    Due to my own stupidity, I had messed up the service delete, but this next post remedied that

    Ok on with the fix

    Step #1

    Print these instructions out for reference

    Step #2

    Copy everything inside the quote box below and paste it into Notepad. Go up to File > Save As, then click the drop-down box to change the "Save As Type" to "All Files". Save it as delcom.bat on your desktop.

    Step #3

    Boot into safe mode

    Step #4

    Once in Safemode, Double-click delcom.bat that you created earlier.

    Step #5

    Reboot into Normal Mode. , Rescan with HJT, and post a new HiJackThis log,



    ///////////////////////////////////

    Finally, that was it. The users logs were clean, nothing in the startups, no popups, no problems. I am aware that there will be remnants left over in the registry and that this fix was neither neat, nor elegant. No doubt there are ways I could have done it "better" but I was happy just to have enabled the user to regain control over his PC. I must offer my thanks to Atribune and Cretemonster and the rest of the Staff at Geekstogo for their support on this log, and also to the user who was willing to be a guinea pig here while I stumbled around.
     
Loading...
Thread Status:
Not open for further replies.