
Author Topic: Trojan Horse Root kit????  (Read 4388 times)


compukit

    Topic Starter


    Newbie

    Trojan Horse Root kit????
    « on: April 09, 2009, 11:18:51 AM »
    Hello all,

    I was wondering if someone could kindly help me, as my AVG anti-virus keeps telling me there is a trojan horse root-kit on my computer?

    It seems to be running perfectly fine, but the AVG warning message pops up every 5-10 minutes and this Trojan Root kit sounds dangerous.

    The files AVG mentions are port135sik.sys, ati64si.sys, ws2_32sik.sys and a few others??

    I have run HijackThis and below is the log:
     
    Is there anybody out there that can help me please  :'( :'(

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:02:33, on 09/04/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\O2\bin\sprtcmd.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\O2\bin\sprtsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Documents and Settings\User\User.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Myage] rundll32.exe "C:\WINDOWS\evevuladiwox.dll",e
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [User] C:\Documents and Settings\User\User.exe /i
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

    --
    End of file - 4650 bytes
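As an added example, not code from this thread or from HijackThis, a small Python checker for O4 autorun lines like the ones in the log above: it pulls out the file each Run entry really loads (treating rundll32.exe as a loader for the DLL it is handed, and coping with the unquoted paths HijackThis prints) and flags any target that lives outside system32 or Program Files. The sample lines are copied from the log; the trusted-directory list is an assumption for an XP system.

```python
import re
from collections import namedtuple

# Constructed sample: O4 lines copied from the HijackThis log above; the checks below flag two.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Myage] rundll32.exe "C:\WINDOWS\evevuladiwox.dll",e
O4 - HKCU\..\Run: [User] C:\Documents and Settings\User\User.exe /i
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
# Leading file on a command line: quoted, or unquoted up to a known extension
# (HijackThis prints paths containing spaces unquoted, e.g. Documents and Settings).
PATH_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|dll|scr|com|cpl)))(?=[\s,]|$)', re.I)
# Assumed: where legitimately installed autoruns on an XP system normally live.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")
# target = file actually loaded (the DLL for rundll32, else the exe); reasons == () means clean
Autorun = namedtuple("Autorun", "hive name target reasons")

def first_path(cmd):
    """Split the launched file off a command line; returns (path, remaining arguments)."""
    cmd = cmd.strip()
    m = PATH_RE.match(cmd)
    if not m:
        return cmd, ""
    return (m.group(1) or m.group(2)), cmd[m.end():].strip()

def analyse_o4(line):
    """Parse one O4 line; None if it is not an O4 Run entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, cmd = m.group("hive", "name", "cmd")
    exe, args = first_path(cmd)
    target, reasons = exe, []
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and args:
        # rundll32 is a stock Windows binary; the DLL it is told to load is the real autorun.
        target, _ = first_path(args)
        reasons.append("rundll32 loads a DLL at logon")
    if not target.lower().startswith(TRUSTED_DIRS):
        reasons.append("loaded from outside system32 / Program Files")
    return Autorun(hive, name, target, tuple(reasons))

def suspicious_autoruns(log_text):
    """Names of the O4 entries worth a second look, in log order."""
    entries = (analyse_o4(line) for line in log_text.splitlines())
    return [e.name for e in entries if e and e.reasons]
```

Run against the full log, `suspicious_autoruns` returns the two entries ([Myage] and [User]) that a helper would ask about first; a flagged entry is a prompt to check the file, not proof on its own.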

    x2543

    • Guest
    Re: Trojan Horse Root kit????
    « Reply #1 on: April 09, 2009, 04:20:49 PM »
    I would start and run a scan with Kaspersky's free online virus scanner, http://www.kaspersky.com/virusscanner, to check it out. Kaspersky does have decent detection rates.

    Secondly, check out this post and try running through the steps there: http://www.computerhope.com/forum/index.php/topic,46313.0.html, and do have evilfantasy or broni analyze your HJT log and the other logs if you do those.


    compukit

      Topic Starter


      Newbie

      Re: Trojan Horse Root kit????
      « Reply #2 on: April 14, 2009, 05:37:58 AM »
      Hi and thanks for the advice.

      I have run a scan with Kaspersky's virus scanner and it found some nasty rootkit stuff which I cleared.

      Also, as you said, I have followed all 6 steps set out by evilfantasy in this post: http://www.computerhope.com/forum/index.php/topic,46313.0.html.

      Below are the SUPERAntiSpyware and Malwarebytes' logs:

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 04/14/2009 at 11:46 AM

      Application Version : 4.26.1000

      Core Rules Database Version : 3842
      Trace Rules Database Version: 1797

      Scan type       : Complete Scan
      Total Scan Time : 00:24:17

      Memory items scanned      : 398
      Memory threats detected   : 0
      Registry items scanned    : 3908
      Registry threats detected : 1
      File items scanned        : 13968
      File threats detected     : 11

      Trojan.Agent/Gen-RootkitDropper
         [User] C:\DOCUMENTS AND SETTINGS\USER\USER.EXE
         C:\DOCUMENTS AND SETTINGS\USER\USER.EXE
         C:\WINDOWS\Prefetch\USER.EXE-08FB60B5.pf

      Adware.Tracking Cookie
         C:\Documents and Settings\User\Cookies\user@tribalfusion[1].txt
         C:\Documents and Settings\User\Cookies\[email protected][1].txt
         C:\Documents and Settings\User\Cookies\[email protected][1].txt
         C:\Documents and Settings\User\Cookies\user@doubleclick[2].txt
         C:\Documents and Settings\User\Cookies\user@mediaplex[1].txt

      Rootkit.Agent/Gen-SoftV
         C:\SYSTEM VOLUME INFORMATION\_RESTORE{BBFE1587-51E2-4161-B9CD-D3540A63782A}\RP182\A0041656.SYS
         C:\SYSTEM VOLUME INFORMATION\_RESTORE{BBFE1587-51E2-4161-B9CD-D3540A63782A}\RP182\A0041661.SYS
         C:\SYSTEM VOLUME INFORMATION\_RESTORE{BBFE1587-51E2-4161-B9CD-D3540A63782A}\RP182\A0041662.SYS
         C:\SYSTEM VOLUME INFORMATION\_RESTORE{BBFE1587-51E2-4161-B9CD-D3540A63782A}\RP182\A0041663.SYS



      I did remove the selected items above and restarted the computer as requested.

      Malwarebytes' Anti-Malware 1.28
      Database version: 1134
      Windows 5.1.2600 Service Pack 3

      10/04/2009 11:29:00
      mbam-log-2009-04-10 (11-29-00).txt

      Scan type: Full Scan (C:\|)
      Objects scanned: 72687
      Time elapsed: 32 minute(s), 2 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 1
      Files Infected: 3

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      C:\Program Files\RXToolBar (Adware.RXToolbar) -> Quarantined and deleted successfully.

      Files Infected:
      C:\Program Files\RXToolBar\rx.xml (Adware.RXToolbar) -> Quarantined and deleted successfully.
      C:\Program Files\RXToolBar\rxtoolbar.cfg (Adware.RXToolbar) -> Quarantined and deleted successfully.
      C:\Program Files\RXToolBar\rxwebsearches.xsl (Adware.RXToolbar) -> Quarantined and deleted successfully.

      Thank you for the help.

      Shandy



        Intermediate
      • Thanked: 7
        • Experience: Beginner
        • OS: Unknown
        Re: Trojan Horse Root kit????
        « Reply #3 on: April 14, 2009, 11:08:17 AM »
        It looks like it did the job. If you want, though, post a new HijackThis log here to be checked over.

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: Trojan Horse Root kit????
        « Reply #4 on: April 14, 2009, 07:03:06 PM »
        Hello compukit.

        Download Rooter.exe to your desktop

        * Double click Rooter.exe to start the tool.
        * A DOS window will appear and show the scan progress.
        * Once complete a notepad file containing the report will open.
        * Copy & paste the results in your next reply.
        * Close notepad and Rooter will close.

        A log will also be saved at %systemdrive%\Rooter.txt (where %systemdrive% is usually C:, or whichever drive Windows is installed on).

        ----------

        Download DDS by sUBs and save it to your desktop. Alternate DDS download link

        Vista users: right click on dds and select Run as administrator (you will receive a UAC prompt; please allow it).

        * XP users Double click on dds to run it.
        * If your antivirus or firewall tries to block DDS, then please allow it to run.
        * When finished DDS will open two (2) logs.

        1) DDS.txt
        2) Attach.txt

        * Save both logs to your desktop.
        * Please include the entire contents of both logs in your next reply.

        Note: DDS will instruct you to post the Attach.txt log as an attachment.
        Please just post it as you would any other log by copy and pasting it into the reply.

        Helpmeh



          Guru

        • Roar.
        • Thanked: 123
        • Experience: Familiar
        • OS: Windows 8
        Re: Trojan Horse Root kit????
        « Reply #5 on: April 14, 2009, 07:08:33 PM »
        <Removed>
        « Last Edit: April 14, 2009, 07:10:24 PM by evilfantasy »
        Where's MagicSpeed?
        Quote from: 'matt'
        He's playing a game called IRL. Great graphics, *censored* gameplay.

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: Trojan Horse Root kit????
        « Reply #6 on: April 14, 2009, 07:11:19 PM »
        I'm going to start removing your posts Helpmeh.

        See here http://www.computerhope.com/forum/index.php/topic,57605.0.html

        Quote
        Posting advice without having the title "Malware Removal Specialist" under your user name in the Computer Viruses and Spyware forum will get your post edited or deleted as the wrong advice is too risky for the users we are trying to help.

        Helpmeh



          Guru

        • Roar.
        • Thanked: 123
        • Experience: Familiar
        • OS: Windows 8
        Re: Trojan Horse Root kit????
        « Reply #7 on: April 14, 2009, 07:16:57 PM »
        Quote from: evilfantasy
        I'm going to start removing your posts Helpmeh.

        See here http://www.computerhope.com/forum/index.php/topic,57605.0.html

        Just want to point out "the wrong advice is too risky". You can remove the other posts, but the post I made above is just giving an option to pasting the code into the post (where some may get cut off by user-error or char. limit).

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: Trojan Horse Root kit????
        « Reply #8 on: April 14, 2009, 07:18:36 PM »
        Do you think that this is my first time requesting logs?

        Please stop bumping posts with these comments.