
Author Topic: Rootkit Safety Question  (Read 3360 times)


Kateylynn73

    Topic Starter


    Greenhorn

    Rootkit Safety Question
    « on: March 02, 2009, 12:17:06 PM »
    So I very stupidly and accidentally downloaded a rootkit and my comp's a mess. I tried this removal kit thing that some university put online to help get rid of it, but it didn't really work. I don't even want my comp anymore, but my music and photos and personal files are on there. My question is: is it safe to transfer my files to an external hard drive with the rootkit still on my comp, or will it infect the external hard drive as well? Are the files infected? Do I need to get rid of the rootkit first? PLEASE HELP ME!!!

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Rootkit Safety Question
    « Reply #1 on: March 02, 2009, 12:35:56 PM »
    How do you know it's a rootkit?

    Rootkits very seldom come alone. There is usually some other form of malware along with them, so it's best to either wipe the drive or clean it. We can help with the cleaning and you won't lose anything.

    Just need to work with me and we will get it taken care of. First we need to find it.

    Download Rooter.exe to your desktop

    * Double click Rooter.exe to start the tool.
    * A DOS window will appear and show the scan progress.
    * Once complete a notepad file containing the report will open.
    * Copy & paste the results in your next reply.
    * Close notepad and Rooter will close.

    A log will also save at %systemdrive%\Rooter.txt (Where %systemdrive% is usually C: or the drive that you have Windows installed).

    ----------

    Download TrendMicro HijackThis.exe (HJT) to the Desktop.

    • Double-click on HJTInstall.
    • Click on the Install button.
    • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
    • Upon install, HijackThis should open for you.
    • Click on the Do a system scan and save a log file button
    • HijackThis will scan and then a log will open in notepad.
    • Copy and then paste the entire contents of the log in your post.
    • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

    Kateylynn73


      Re: Rootkit Safety Question
      « Reply #2 on: March 09, 2009, 02:28:44 PM »
      Thanks for your help, let me know what to do!


      From Rooter.exe Notepad:

      Microsoft Windows XP Home Edition (5.1.2600) Service Pack 2

      C:\ [Fixed] - NTFS - (Total:38115 Mo/Free:2690 Mo)
      D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

      Mon 03/09/2009|12:18

      ----------------------\\  Processes..

      --Locked-- [System Process]
      ---------- System
      ---------- \SystemRoot\System32\smss.exe
      ---------- \??\C:\WINDOWS\system32\csrss.exe
      ---------- \??\C:\WINDOWS\system32\winlogon.exe
      ---------- C:\WINDOWS\system32\services.exe
      ---------- C:\WINDOWS\system32\lsass.exe
      ---------- C:\WINDOWS\system32\svchost.exe
      ---------- C:\WINDOWS\system32\svchost.exe
      ---------- C:\WINDOWS\System32\svchost.exe
      ---------- C:\WINDOWS\system32\svchost.exe
      ---------- C:\WINDOWS\system32\svchost.exe
      ---------- C:\WINDOWS\system32\spoolsv.exe
      ---------- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
      ---------- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
      ---------- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
      ---------- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
      ---------- C:\WINDOWS\System32\SCardSvr.exe
      ---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      ---------- C:\WINDOWS\System32\Ati2evxx.exe
      ---------- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
      ---------- C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
      ---------- C:\WINDOWS\system32\svchost.exe
      ---------- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
      ---------- C:\Program Files\Canon\CAL\CALMAIN.exe
      ---------- C:\WINDOWS\Explorer.EXE
      ---------- C:\WINDOWS\System32\alg.exe
      ---------- C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
      ---------- C:\WINDOWS\system32\pctspk.exe
      ---------- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
      ---------- C:\Program Files\iTunes\iTunesHelper.exe
      ---------- C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
      ---------- C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
      ---------- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
      ---------- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
      ---------- C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
      ---------- C:\Program Files\UnHackMe\hackmon.exe
      ---------- C:\Program Files\Sprint music manager\MEMonitor.exe
      ---------- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
      ---------- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
      ---------- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
      ---------- C:\Program Files\iPod\bin\iPodService.exe
      ---------- C:\Program Files\Mozilla Firefox\firefox.exe
      ---------- C:\WINDOWS\system32\cmd.exe
      ---------- C:\Rooter$\RK.exe

      ----------------------\\  Search..

      ----------------------\\  ROOTKIT !!



      1 - "C:\Rooter$\Rooter_1.txt" - Mon 03/09/2009|12:20

      ----------------------\\  Scan completed at 12:20
      From HijackThis Notepad:
      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 12:24:09 PM, on 3/9/2009
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
      C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
      C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
      C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\WINDOWS\System32\Ati2evxx.exe
      C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
      C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
      C:\Program Files\Canon\CAL\CALMAIN.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
      C:\WINDOWS\system32\pctspk.exe
      C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
      C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
      C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
      C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
      C:\Program Files\UnHackMe\hackmon.exe
      C:\Program Files\Sprint music manager\MEMonitor.exe
      C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
      C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
      C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
      C:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe
      C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      C:\Program Files\UnHackMe\UnHackMe.exe
      C:\DOCUME~1\KATLIN~1\LOCALS~1\Temp\0xECE55B20\a4f3d0ef-63ec-4389-8418-2c13538478d9\usetup.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newfirstpage.com/?cm=612470&lt=1&it=2008-10-17%2020%3A26%3A25&dt=2008-11-02%2014%3A44%3A46&q=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
      O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
      O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdwsb.exe] C:\WINDOWS\system32\kdwsb.exe
      O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
      O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
      O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
      O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
      O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
      O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
      O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
      O4 - Startup: MEMonitor.lnk.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O20 - AppInit_DLLs: kcjxib.dll mxzdbw.dll
      O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
      O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
      O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
      O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
      O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
      O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
      O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
      O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
      O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
      O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

      --
      End of file - 6426 bytes

      evilfantasy

      Re: Rootkit Safety Question
      « Reply #3 on: March 09, 2009, 02:42:38 PM »
      Open HijackThis and select Do a system scan only.

      Place a check mark next to the following entries: (if there)

      • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newfirstpage.com/?cm=612470&lt=1&it=2008-10-17%2020%3A26%3A25&dt=2008-11-02%2014%3A44%3A46&q=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
      • O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdwsb.exe] C:\WINDOWS\system32\kdwsb.exe
      • O20 - AppInit_DLLs: kcjxib.dll mxzdbw.dll
      Important: Close all open windows except for HijackThis and then click Fix checked.

      Once completed, exit HijackThis.

      ----------

      Go to Start > Run and type notepad.exe then click OK

      Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

      Code:
      REGEDIT4

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
      "C:\WINDOWS\system32\kdwsb.exe"=-

      Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

      Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

      Delete the fixme.reg from the Desktop.

      ----------

      Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      **Note:  It is important that it is saved directly to your Desktop

      Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
       
      Double click combofix.exe & follow the prompts.
      When finished ComboFix will produce a log for you.
      Post the ComboFix log in your next reply.

      Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

      If you have problems with ComboFix usage, see How to use ComboFix
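The Rooter/HijackThis log review asked for in Reply #1 and the HijackThis fix plus fixme.reg in Reply #3 are one procedure: spot the autostart entries that do not belong, then remove the load points so the files no longer run at boot. The script below is an added example written for this page; it is not part of HijackThis, Rooter, ComboFix or the moderator's instructions. It reads lines in HijackThis log format (a constructed sample modelled on the entries posted above), flags the three patterns that were fixed in the thread (an R0 start page pointing at an unknown host, an O4 Run value named after its own path, and a populated O20 AppInit_DLLs), and writes out the matching REGEDIT4 file. The trusted-host list, the "value name looks like a path" heuristic and the `reg_quote` / `triage` / `build_fix_reg` names are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a handful of lines in HijackThis v2 log format, modelled
# on the entries posted in this thread (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newfirstpage.com/?cm=612470&lt=1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdwsb.exe] C:\WINDOWS\system32\kdwsb.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O20 - AppInit_DLLs: kcjxib.dll mxzdbw.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
"""

# Assumption: home-page hosts this user would normally have. Any other host in
# an R0/R1 Start Page entry is treated as a possible browser hijack.
TRUSTED_HOME_HOSTS = {"www.google.com", "www.msn.com", "www.microsoft.com"}

HIVE = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion"
APPINIT_KEY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
IE_MAIN_KEY = "Software\\Microsoft\\Internet Explorer\\Main"

RE_R = re.compile(r"^(R[01]) - (HKLM|HKCU)\\Software\\Microsoft\\Internet Explorer\\Main,(.+?) = (.*)$")
RE_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
RE_O20 = re.compile(r"^O20 - AppInit_DLLs: (.+)$")


@dataclass
class Finding:
    line: str       # HJT line that triggered the finding
    reason: str     # why it looks wrong
    reg_key: str    # full registry key the fix applies to
    reg_line: str   # REGEDIT4 line: "name"=- deletes a value, "name"="" blanks it


def reg_quote(name: str) -> str:
    """Quote a value name for a .reg file: backslashes and quotes are escaped."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def looks_like_path(name: str) -> bool:
    """A Run value named after its own executable path is a common dropper tell
    (assumed heuristic; legitimate software normally uses a product name here)."""
    return "\\" in name or name.lower().endswith(".exe")


def triage(log_text: str) -> list[Finding]:
    """Flag the three patterns that were fixed in this thread."""
    findings: list[Finding] = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if m := RE_R.match(line):
            section, hive, value, url = m.groups()
            host = urlparse(url).hostname or ""
            if value == "Start Page" and host not in TRUSTED_HOME_HOSTS:
                findings.append(Finding(line, f"{section} Start Page points at {host}",
                                        f"{HIVE[hive]}\\{IE_MAIN_KEY}",
                                        '"Start Page"="about:blank"'))
        elif m := RE_O4.match(line):
            hive, subkey, name, _target = m.groups()
            if looks_like_path(name):
                findings.append(Finding(line, f"O4 {subkey} value named after its own path: {name}",
                                        f"{HIVE[hive]}\\{RUN_KEY}\\{subkey}",
                                        reg_quote(name) + "=-"))
        elif m := RE_O20.match(line):
            # AppInit_DLLs is loaded into every process that loads user32.dll;
            # on a home XP box it is normally empty, so anything here gets a look.
            findings.append(Finding(line, f"O20 AppInit_DLLs loads: {m.group(1)}",
                                    APPINIT_KEY, '"AppInit_DLLs"=""'))
    return findings


def build_fix_reg(findings: list[Finding]) -> str:
    """Group the fix lines by key into a REGEDIT4 file like the fixme.reg above."""
    by_key: dict[str, list[str]] = {}
    for f in findings:
        lines = by_key.setdefault(f.reg_key, [])
        if f.reg_line not in lines:
            lines.append(f.reg_line)
    out = ["REGEDIT4", ""]
    for key, lines in by_key.items():
        out.append(f"[{key}]")
        out.extend(lines)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("FLAG:", f.reason)
    print()
    print(build_fix_reg(found))
```

Two points worth noticing in the output. The generated Run entry doubles the backslashes in the quoted value name (`"C:\\WINDOWS\\system32\\kdwsb.exe"=-`), which is the escaping the .reg file format expects for backslashes inside quoted strings. And merging the file only removes the load points: kdwsb.exe and the two AppInit DLLs are still on disk until something deletes or quarantines them, which is why the thread goes on to run ComboFix rather than stopping at the registry fix.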

      Kateylynn73


        Re: Rootkit Safety Question
        « Reply #4 on: March 09, 2009, 03:59:20 PM »
        ComboFix 09-03-06.02 - Katlin The Amazing 2009-03-09 13:31:19.1 - NTFSx86
        Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.255.74 [GMT -8:00]
        Running from: c:\documents and settings\Katlin The Amazing\Desktop\ComboFix.exe
        AV: CA Anti-Virus *On-access scanning enabled* (Updated)
        FW: CA Personal Firewall *disabled*
         * Created a new restore point
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\docume~1\KATLIN~1\LOCALS~1\Temp\tmp2.tmp
        c:\windows\system32\llpjtdro.ini

        .
        (((((((((((((((((((((((((   Files Created from 2009-02-09 to 2009-03-09  )))))))))))))))))))))))))))))))
        .

        2009-03-09 12:22 . 2009-03-09 12:22   <DIR>   d--------   c:\program files\Trend Micro
        2009-03-09 12:18 . 2009-03-09 12:20   <DIR>   d--------   C:\Rooter$

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2009-03-09 21:14   65,786   ----a-w   c:\windows\system32\drivers\kmxcfg.u2k0
        2009-03-09 21:14   64   ----a-w   c:\windows\system32\drivers\kmxcfg.u2k7
        2009-03-09 21:14   64   ----a-w   c:\windows\system32\drivers\kmxcfg.u2k6
        2009-03-09 21:14   64   ----a-w   c:\windows\system32\drivers\kmxcfg.u2k5
        2009-03-09 21:14   64   ----a-w   c:\windows\system32\drivers\kmxcfg.u2k4
        2009-03-09 21:14   64   ----a-w   c:\windows\system32\drivers\kmxcfg.u2k3
        2009-03-09 21:14   64   ----a-w   c:\windows\system32\drivers\kmxcfg.u2k2
        2009-03-09 21:14   64   ----a-w   c:\windows\system32\drivers\kmxcfg.u2k1
        2009-03-09 21:13   ---------   d-----w   c:\program files\UnHackMe
        2008-09-27 19:36   67,696   ----a-w   c:\program files\mozilla firefox\components\jar50.dll
        2008-09-27 19:36   54,376   ----a-w   c:\program files\mozilla firefox\components\jsd3250.dll
        2008-09-27 19:36   34,952   ----a-w   c:\program files\mozilla firefox\components\myspell.dll
        2008-09-27 19:36   46,720   ----a-w   c:\program files\mozilla firefox\components\spellchk.dll
        2008-09-27 19:36   172,144   ----a-w   c:\program files\mozilla firefox\components\xpinstal.dll
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
        "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
        "cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-03-09 177392]
        "QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-01-04 14088]
        "CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
        "cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2009-01-04 1193200]
        "capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2009-01-04 173296]
        "capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2009-01-04 259312]
        "PCTVOICE"="pctspk.exe" [2002-07-18 c:\windows\system32\pctspk.exe]
        "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]

        c:\documents and settings\Katlin The Amazing\Start Menu\Programs\Startup\
        MEMonitor.lnk.lnk - c:\program files\Sprint music manager\MEMonitor.exe [2007-10-31 929792]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
        2007-05-18 13:30 79368 c:\windows\system32\UmxWNP.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
        "vidc.ffds"= ffdshow.ax
        "msacm.ac3filter"= ac3filter.acm

        [HKEY_LOCAL_MACHINE\software\microsoft\security center]
        "AntiVirusDisableNotify"=dword:00000001
        "UpdatesDisableNotify"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\Program Files\\iTunes\\iTunes.exe"=
        "c:\\Program Files\\Azureus\\Azureus.exe"=

        S0 KmxStart;KmxStart;c:\windows\System32\DRIVERS\kmxstart.sys [2008-06-24 93712]
        S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-06-24 63504]
        S1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-06-24 45584]
        S1 KmxFw;KmxFw;c:\windows\system32\DRIVERS\kmxfw.sys [2008-06-24 115216]
        S2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-06-24 134648]
        S2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-06-24 66576]
        S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
        S2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
        S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-24 281104]
        S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-06-24 88816]
        S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-16 189704]


        --- Other Services/Drivers In Memory ---

        *Deregistered* - ALG
        *Deregistered* - Apple Mobile Device
        *Deregistered* - Ati HotKey Poller
        *Deregistered* - AudioSrv
        *Deregistered* - BITS
        *Deregistered* - Browser
        *Deregistered* - CaCCProvSP
        *Deregistered* - CAISafe
        *Deregistered* - CCALib8
        *Deregistered* - CryptSvc
        *Deregistered* - DcomLaunch
        *Deregistered* - Dhcp
        *Deregistered* - Dnscache
        *Deregistered* - ERSvc
        *Deregistered* - EventSystem
        *Deregistered* - FastUserSwitchingCompatibility
        *Deregistered* - helpsvc
        *Deregistered* - ImapiService
        *Deregistered* - iPod Service
        *Deregistered* - ITMRTSVC
        *Deregistered* - lanmanserver
        *Deregistered* - lanmanworkstation
        *Deregistered* - LmHosts
        *Deregistered* - Netman
        *Deregistered* - Nla
        *Deregistered* - Null
        *Deregistered* - PartMgr
        *Deregistered* - ParVdm
        *Deregistered* - PCIIde
        *Deregistered* - PolicyAgent
        *Deregistered* - PPCtlPriv
        *Deregistered* - PptpMiniport
        *Deregistered* - ProtectedStorage
        *Deregistered* - PSched
        *Deregistered* - RasAcd
        *Deregistered* - Rasl2tp
        *Deregistered* - RasPppoe
        *Deregistered* - Raspti
        *Deregistered* - Rdbss
        *Deregistered* - RDPCDD
        *Deregistered* - RpcSs
        *Deregistered* - SamSs
        *Deregistered* - SCardSvr
        *Deregistered* - Schedule
        *Deregistered* - seclogon
        *Deregistered* - SENS
        *Deregistered* - SharedAccess
        *Deregistered* - ShellHWDetection
        *Deregistered* - Spooler
        *Deregistered* - sr
        *Deregistered* - srservice
        *Deregistered* - Srv
        *Deregistered* - SSDPSRV
        *Deregistered* - stisvc
        *Deregistered* - swenum
        *Deregistered* - Tcpip
        *Deregistered* - TermDD
        *Deregistered* - TermService
        *Deregistered* - Themes
        *Deregistered* - TrkWks
        *Deregistered* - UmxAgent
        *Deregistered* - UmxCfg
        *Deregistered* - UmxFwHlp
        *Deregistered* - UmxPol
        *Deregistered* - Update
        *Deregistered* - VET-FILT
        *Deregistered* - VET-REC
        *Deregistered* - VETEBOOT
        *Deregistered* - VETEFILE
        *Deregistered* - VETMONNT
        *Deregistered* - VETMSGNT
        *Deregistered* - VgaSave
        *Deregistered* - Vmodem
        *Deregistered* - VolSnap
        *Deregistered* - Vpctcom
        *Deregistered* - Vvoice
        *Deregistered* - W32Time
        *Deregistered* - Wanarp
        *Deregistered* - WebClient
        *Deregistered* - winmgmt
        *Deregistered* - wscsvc
        *Deregistered* - WZCSVC

        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69ce0190-6656-11dc-a475-0004234b49b8}]
        \Shell\AutoRun\command - E:\LaunchU3.exe -a
        .
        Contents of the 'Scheduled Tasks' folder

        2008-10-05 c:\windows\Tasks\AppleSoftwareUpdate.job
        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

        2009-01-05 c:\windows\Tasks\CAAntiSpywareScan_Daily as Katlin The Amazing at 9 16 PM.job
        - c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-16 21:10]
        .
        .
        ------- Supplementary Scan -------
        .
        uDefault_Search_URL = hxxp://www.google.com/
        uSearchMigratedDefaultURL = hxxp://www.google.com/
        mSearch Bar = hxxp://www.google.com/
        mSearchMigratedDefaultURL = hxxp://www.google.com/
        mSearchURL = hxxp://www.google.com/
        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
        LSP: c:\windows\system32\VetRedir.dll
        FF - ProfilePath - c:\documents and settings\Katlin The Amazing\Application Data\Mozilla\Firefox\Profiles\3i9zxumj.default\
        FF - prefs.js: browser.search.selectedEngine - Search
        FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
        FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
        .

        **************************************************************************

        catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2009-03-09 13:47:47
        Windows 5.1.2600 Service Pack 2 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(1864)
        c:\windows\system32\UmxWnp.Dll
        c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
        c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
        c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

        - - - - - - - > 'lsass.exe'(152)
        c:\windows\system32\VetRedir.dll
        c:\windows\system32\ISafeIf.dll
        .
        Completion time: 2009-03-09 13:55:49
        ComboFix-quarantined-files.txt  2009-03-09 21:55:21

        Pre-Run: 27,381,727,232 bytes free
        Post-Run: 27,479,879,680 bytes free

        WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
        [boot loader]
        timeout=2
        default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
        [operating systems]
        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
        multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


        evilfantasy

        Re: Rootkit Safety Question
        « Reply #5 on: March 09, 2009, 04:08:10 PM »
        Looks good to me.

        How is the computer running now?

        Kateylynn73


          Re: Rootkit Safety Question
          « Reply #6 on: March 09, 2009, 04:10:40 PM »
          A lot faster, does that mean it's clean? Can I delete those programs I downloaded for this?

          evilfantasy

          Re: Rootkit Safety Question
          « Reply #7 on: March 09, 2009, 04:16:48 PM »
          Delete this folder > C:\Rooter$

          • Click START then RUN
          • Now type Combofix /u in the runbox
          • Make sure there's a space between Combofix and /u
          • Then hit Enter.
          The above procedure will:
          • Delete:
            • ComboFix and its associated files and folders.
            • VundoFix backups, if present
            • The C:\Deckard folder, if present
            • The C:\_OtMoveIt folder, if present
            • Reset the clock settings.
            • Hide file extensions, if required.
            • Hide System/Hidden files, if required.
            • Set a new, clean Restore Point.
            ----------

            Use the Secunia Software Inspector to check for out of date software.
            • Click Start Now
            • Check the box next to Enable thorough system inspection.
            • Click Start
            • Allow the scan to finish and scroll down to see if any updates are needed.
            • Update anything listed.
            ----------

            Go to Microsoft Windows Update and get all critical updates.

            ----------

            I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

            SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
            * Using SpywareBlaster to protect your computer from Spyware and Malware
            * If you don't know what ActiveX controls are, see here

            Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

            Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

            Kateylynn73


              Re: Rootkit Safety Question
              « Reply #8 on: March 09, 2009, 04:28:43 PM »
              I just tried to delete ComboFix the way you told me and it's telling me to disable my antispyware again so it can perform a scan.....

              Kateylynn73


                Re: Rootkit Safety Question
                « Reply #9 on: March 09, 2009, 04:35:30 PM »
                Never mind, it worked! Thank you so much!

                evilfantasy

                Re: Rootkit Safety Question
                « Reply #10 on: March 09, 2009, 04:37:29 PM »
                You're welcome.

                Safe surfing...