revolver88
Trooper

 Joined: Aug 23, 2006 Posts: 15 Location: USA
Posted: Wed Aug 23, 2006 10:49 pm Post subject: URGENT ATTENTION NEEDED
Taz sent me here. He said something about a rootkit; could you please explain what that is?
Logfile of HijackThis v1.99.1
Scan saved at 6:54:30 PM, on 8/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\Peter\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\MediaExe\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11723
Posted: Wed Aug 23, 2006 11:30 pm Post subject:
Hi, revolver88. I am only qualified to help you start to find and diagnose the rootkit, if one is in fact present. Then, one of our rootkit experts will actually help you to remove the rootkit if present.
To get started, I would like you to download the following five programs to your computer:
RootkitRevealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html
Hook Analyzer: http://www.resplendence.com/hookanalyzer
gmer: http://www.gmer.net/
Blacklight: http://www.f-secure.com/blacklight/
Sophos Anti-Rootkit: http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Initially, we will only use the first three programs that you have downloaded. I would like you to run the first three programs in the following sequence:
1. RootkitRevealer: RootkitRevealer will scan your system and provide a report. Please take a screen shot of that report and post it in this thread.
2. Hook Analyzer: Hook Analyzer will also do a scan. Please check the button at the bottom that says "Show hooked services only". Again, please take a screenshot of the results of this scan and post it in this thread.
3. gmer: Next, run gmer. The 5th tab is labeled "Rootkit". Please post a screen shot of that tab as well.
Now stop. Post the screen shots from these three programs before going on.
We will want to see those results before doing anything else. If you have any questions about these instructions, please post before doing anything further.
In addition, can you please post how you connect to the Internet, and whether you use a hardware router/firewall?
_________________
Don't read? Can't learn!
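For a reader working through the three-tool procedure above, here is an added example, written for this page and not taken from the thread, from Sysinternals or from gmer.net, of how the saved text output of RootkitRevealer and the SSDT lines of a GMER log can be triaged rather than read by eye. Discrepancies are bucketed by type (objects hidden from the Windows API, which is the hiding signature worth chasing, versus registry values or files that simply changed while the scan ran, versus keys a driver refuses access to), with an allow-list for stores that are expected to be hidden, and SSDT hooks are grouped by the module that owns them. The bucket names, the allow-list and the constructed `example_hidden.sys` sample line are assumptions of the example; the GMER line format assumed is the one GMER 1.0.10 prints (`SSDT <module or address> <service>`).

```python
"""Triage RootkitRevealer and GMER SSDT output (added example; not code from
this thread, from Sysinternals or from gmer.net).

RootkitRevealer prints one discrepancy per line:
    <path> <m/d/yyyy h:mm AM|PM> <size> <description>.
GMER 1.0.10's Rootkit tab prints one hooked system-service entry per line:
    SSDT <owning module, or a bare address if none was found> <Zw* name>
The bucket rules below are the example's own triage assumptions.
"""
import re
from collections import defaultdict

RR_LINE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size>[\d.]+\s+(?:bytes|KB|MB))\s+"
    r"(?P<desc>.+?)\.?$"
)

# Locations whose contents are routinely hidden by their legitimate owner
# (anti-virus quarantine/definition stores, IE's cache).  Assumption of the
# example: extend or prune it for the machine being reviewed.
EXPECTED_HIDDEN = [
    re.compile(r"\\Quarantine\\", re.I),
    re.compile(r"\\VirusDefs\\", re.I),
    re.compile(r"\\Temporary Internet Files\\", re.I),
]


def classify_rr(path, desc):
    """Map one RootkitRevealer discrepancy to a triage bucket."""
    if desc.startswith("Hidden from Windows API"):
        # The raw NTFS/hive view sees an object the Windows API does not:
        # the classic hiding signature, benign only in known protected stores.
        if any(p.search(path) for p in EXPECTED_HIDDEN):
            return "likely_benign"
        return "suspicious"
    if desc.startswith("Data mismatch between Windows API and raw hive data"):
        return "likely_benign"   # value rewritten while the scan ran (uptime, timestamps)
    if desc.startswith("Visible in Windows API, but not in MFT"):
        return "likely_benign"   # file created or deleted while the scan ran
    if desc.startswith("Access is denied"):
        return "review"          # a kernel driver is guarding this key; identify which
    return "review"


def triage_rootkitrevealer(report):
    """Return {bucket: [paths]} for the contents of a saved rootkitrevealer.txt."""
    buckets = defaultdict(list)
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RR_LINE.match(line)
        if m is None:
            buckets["unparsed"].append(line)
        else:
            buckets[classify_rr(m["path"], m["desc"])].append(m["path"])
    return dict(buckets)


GMER_SSDT = re.compile(r"^SSDT\s+(?P<owner>\S+)\s+(?P<service>Zw\w+)$")


def group_ssdt_hooks(report):
    """Return {owner: [hooked services]} from GMER's SSDT lines.  A hook GMER
    can only describe by address (no module name) is the one that most needs
    an explanation; hooks owned by a named driver can be checked against the
    software installed on the machine."""
    by_owner = defaultdict(list)
    for raw in report.splitlines():
        m = GMER_SSDT.match(raw.strip())
        if m is None:
            continue
        owner = m["owner"]
        if re.fullmatch(r"[0-9A-Fa-f]{8}", owner):
            owner = "<unmapped address %s>" % owner
        by_owner[owner].append(m["service"])
    return dict(by_owner)


# Sample input: five lines copied from the report pasted in this thread plus
# one constructed line (example_hidden.sys is not a real finding) so that the
# "suspicious" bucket is exercised.
SAMPLE_RR = r"""
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MICROSOFTBCM\MSSQLServer\uptime_time_utc 8/23/2006 9:30 PM 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/7/2006 5:50 PM 0 bytes Access is denied.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156220060.dll 8/22/2006 12:14 AM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\89ANGLQB\wtid[1].js 8/23/2006 9:41 PM 66 bytes Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\022E76A4.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\example_hidden.sys 8/23/2006 9:00 PM 12.00 KB Hidden from Windows API.
"""

# Sample GMER SSDT lines, copied from the log pasted in this thread.
SAMPLE_GMER = """
SSDT 82358138 ZwConnectPort
SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwOpenKey
"""

if __name__ == "__main__":
    for bucket, paths in sorted(triage_rootkitrevealer(SAMPLE_RR).items()):
        print(bucket)
        for p in paths:
            print("   ", p)
    for owner, services in group_ssdt_hooks(SAMPLE_GMER).items():
        print(owner, "->", ", ".join(services))
```

Run it as a script to print the buckets. Anything in `suspicious` is the finding to pursue; anything in `review` needs the guarding driver identified (the path itself usually names the service); and the SSDT grouping shows at a glance whether every hook belongs to one named driver or whether some hook sits at an address no loaded module claims.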
revolver88
Trooper

 Joined: Aug 23, 2006 Posts: 15 Location: USA
Posted: Thu Aug 24, 2006 2:10 am Post subject:
How do I make a screenshot if you have to scroll down to see some of the text?
AbuIbrahim
Security Expert Special Response Team
 Joined: Jan 18, 2006 Posts: 1924
Posted: Thu Aug 24, 2006 2:46 am Post subject:
1. For RootkitRevealer: when the scan is done, go up to File > Save. Choose to save it to your desktop. Open rootkitrevealer.txt on your desktop, copy the entire contents and paste them here.
2. For GMER: while on the Rootkit tab, click the Copy button > OK. In your next reply, right-click and select Paste.
revolver88
Trooper

 Joined: Aug 23, 2006 Posts: 15 Location: USA
Posted: Thu Aug 24, 2006 3:24 am Post subject:
I couldn't download Blacklight.
RootkitRevealer:
HKLM\S-1-5-21-2256261650-84653002-40086576-1008\RemoteAccess\InternetProfile 7/3/2005 1:15 PM 3 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\webcal\URL Protocol 6/5/2005 1:41 AM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MICROSOFTBCM\MSSQLServer\uptime_time_utc 8/23/2006 9:30 PM 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/7/2006 5:50 PM 0 bytes Access is denied.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156220060.dll 8/22/2006 12:14 AM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156271455.dll 8/22/2006 2:30 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156271682.dll 8/22/2006 2:34 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156271685.dll 8/22/2006 2:34 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156271695.dll 8/22/2006 2:34 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156271697.dll 8/22/2006 2:34 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156271699.dll 8/22/2006 2:35 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156271705.dll 8/22/2006 2:35 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156271707.dll 8/22/2006 2:35 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156271709.dll 8/22/2006 2:35 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156271710.dll 8/22/2006 2:35 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156271718.dll 8/22/2006 2:35 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156271720.dll 8/22/2006 2:35 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156287012.dll 8/22/2006 6:50 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156287024.dll 8/22/2006 6:50 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156287028.dll 8/22/2006 6:50 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156287034.dll 8/22/2006 6:50 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156287038.dll 8/22/2006 6:50 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156287042.dll 8/22/2006 6:50 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156287064.dll 8/22/2006 6:51 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156287065.dll 8/22/2006 6:51 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156287076.dll 8/22/2006 6:51 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156287077.dll 8/22/2006 6:51 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156292852.dll 8/22/2006 8:27 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156292859.dll 8/22/2006 8:27 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156292860.dll 8/22/2006 8:27 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156292862.dll 8/22/2006 8:27 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156292864.dll 8/22/2006 8:27 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156292865.dll 8/22/2006 8:27 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156292870.dll 8/22/2006 8:27 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156292872.dll 8/22/2006 8:27 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156292882.dll 8/22/2006 8:28 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156292885.dll 8/22/2006 8:28 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156292889.dll 8/22/2006 8:28 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156292926.dll 8/22/2006 8:28 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156349332.dll 8/23/2006 12:08 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156349350.dll 8/23/2006 12:09 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156349352.dll 8/23/2006 12:09 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156349354.dll 8/23/2006 12:09 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156349355.dll 8/23/2006 12:09 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156349357.dll 8/23/2006 12:09 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156349361.dll 8/23/2006 12:09 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156349364.dll 8/23/2006 12:09 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156349367.dll 8/23/2006 12:09 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156349369.dll 8/23/2006 12:09 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temp\t1156349380.dll 8/23/2006 12:09 PM 21.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\89ANGLQB\wtid[1].js 8/23/2006 9:41 PM 66 bytes Hidden from Windows API.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\8H2BGLYN\wtid[1].js 8/23/2006 9:42 PM 66 bytes Hidden from Windows API.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\SPQ7SPIR\blacklight[1].htm 8/23/2006 9:41 PM 10.11 KB Hidden from Windows API.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060823.022\vscanmsx.dat 8/23/2006 9:51 PM 2.02 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\022E76A4.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\06B47B7C.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0DBF32A3.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0DD44D77.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\13107852.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\14F51F73.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\194F6EA1.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\19D01112.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1C15716F.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1D8E02FA.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1E8D52F2.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1F8C22EA.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\24DF2AA0.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\25F805A3.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E3924BE.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E3D4EBA.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E4078B7.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E4322B3.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E464CB0.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E4A76AC.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E4D20A9.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E504AA5.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E5474A1.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E571E9E.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E5A489A.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E5D7297.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3070669E.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\32207A34.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\361F5CCE.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3C6618A5.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3D3F2ECA.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3E496EC4.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\446000C6.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\47F654A3.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\538710A2.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\569A57E6.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5E6A6C25.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F174CA1.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\610B5ADD.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\62C24C77.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\658A3E21.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6AA7089F.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6CAA101D.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6EEB4107.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\769E3AA5.dll 8/23/2006 9:36 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7B133598.dll 8/23/2006 9:37 PM 23.51 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0208NAV~.TMP 8/23/2006 9:51 PM 0 bytes Hidden from Windows API.
Rootkit Hook Analyzer:
I don't know how to paste into this, so I'll write it out (it's short):
index  service name                               address     module    hooked
31     NtConnectPort / ZwConnectPort              0x82358138  ???       Yes
41     NtCreateKey / ZwCreateKey                  0xF8455B3A  sptd.sys  Yes
71     NtEnumerateKey / ZwEnumerateKey            0xF8455C7E  sptd.sys  Yes
73     NtEnumerateValueKey / ZwEnumerateValueKey  0xF8455FF6  sptd.sys  Yes
119    NtOpenKey / ZwOpenKey                      0xF8455A18  sptd.sys  Yes
160    NtQueryKey / RtlFreeHeap / ZwQueryKey      0xF84560C0  sptd.sys  Yes
177    NtQueryValueKey / ZwQueryValueKey          0xF8455F58  sptd.sys  Yes
247    NtSetValueKey / ZwSetValueKey              0xF8456148  sptd.sys  Yes
GMER:
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-23 23:28:52
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.10 ----
SSDT 82358138 ZwConnectPort
SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
---- Devices - GMER 1.0.10 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 823DDA40
Device \Driver\00000053 \Device\00000055 IRP_MJ_SYSTEM_CONTROL [F845CEA8] sptd.sys
Device \Driver\00000053 \Device\00000055 IRP_MJ_DEVICE_CHANGE [F8470A70] sptd.sys
Device \Driver\00000053 \Device\00000055 IRP_MJ_PNP_POWER [F8469728] sptd.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{E549EE4E-8452-46F0-B10D-7137744CC399} IRP_MJ_CREATE 81FDD3E0
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 823DD0E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82099B18
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 823DD0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSEIRP_MJ_READ 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 821C6D20
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_PNP 821C6D20
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 82099B18
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 823DD0E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 81FDD3E0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 81FDD3E0
Device \Driver\NetBT \Device\NetBT_Tcpip_{B77F9D13-387C-42FF-98C6-5BC3F02B7596} IRP_MJ_CREATE 81FDD3E0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 823DDC78
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSEIRP_MJ_READ 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 820823B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP_POWER 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSEIRP_MJ_READ 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 820823B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP_POWER 820823B0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 821D0E20
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 821D0E20
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSEIRP_MJ_READ 821D0E20
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 821D0E20
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 821D0E20
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 821D0E20
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_EA 821D0E20
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 823DD0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 8220FEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port1Path0Target0Lun0 IRP_MJ_CREATE 81F390E8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 81F390E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 82076420
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 82043800
---- Files - GMER 1.0.10 ----
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}
---- EOF - GMER 1.0.10 ----
Prince_Serendip
Site Moderator
 Joined: Sep 07, 2002 Posts: 17542
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11723
Posted: Thu Aug 24, 2006 6:58 pm
revolver88, you do indeed have what I believe are some unusual entries in those logs. I have asked for assistance from one of our Rootkit Experts, one of whom will take this over from here and try to assist you.
I also noted that I had not provided any definition of what a rootkit is. I think this will help you understand what one is:
http://en.wikipedia.org/wiki/Rootkit
_________________
Don't read? Can't learn!
AbuIbrahim
Security Expert Special Response Team
 Joined: Jan 18, 2006 Posts: 1924
Posted: Thu Aug 24, 2006 9:46 pm
The only rootkit that I can point out from these logs belongs to Daemon Tools.
Your HJT log file also looks clean.
However, there is one unknown hook that may belong to something legitimate. To prove this, we may need to do the following test:
click start -> run -> type: msconfig and press enter
go to the services tab -> check Hide all Microsoft services -> click disable all
go to startup tab -> click disable all -> ok
restart the computer
After the computer restarts, please do not connect to the internet, since all protection tools are disabled.
Please do another GMER, rootkit analyzer and rootkit revealer scan and post the results.
To undo the changes in the system configuration utility, open msconfig as shown earlier -> under the general tab, select normal startup -> ok -> restart
Can you also provide a brief description of the malware symptoms or strange behaviour on your computer that make you suspect there is malware?
_________________
Microsoft MVP - Consumer Security 2008
An Invitation to Think - York University
revolver88
Trooper

 Joined: Aug 23, 2006 Posts: 15 Location: USA
Posted: Thu Aug 24, 2006 11:37 pm
rootkit hook analyser:
index  service name                               address     module    hooked
31     NtConnectPort / ZwConnectPort              0x8205F250  ???       YES
41     NtCreateKey / ZwCreateKey                  0xF8455B3A  sptd.sys  Yes
71     NtEnumerateKey / ZwEnumerateKey            0xF8455C7E  sptd.sys  Yes
73     NtEnumerateValueKey / ZwEnumerateValueKey  0xF8455FF6  sptd.sys  Yes
119    NtOpenKey / ZwOpenKey                      0xF8455A18  sptd.sys  Yes
160    NtQueryKey / RtlFreeHeap / ZwQueryKey      0xF84560C0  sptd.sys  Yes
177    NtQueryValueKey / ZwQueryValueKey          0xF8455F58  sptd.sys  Yes
247    NtSetValueKey / ZwSetValueKey              0xF8456148  sptd.sys  Yes
rootkit revealer:
HKLM\S-1-5-21-2256261650-84653002-40086576-1008\RemoteAccess\InternetProfile 7/3/2005 1:15 PM 3 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\webcal\URL Protocol 6/5/2005 1:41 AM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/7/2006 5:50 PM 0 bytes Access is denied.
gmer:
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-24 18:25:48
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.10 ----
SSDT 8205F250 ZwConnectPort
SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
---- Devices - GMER 1.0.10 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 823DDA40
Device \Driver\00000053 \Device\00000055 IRP_MJ_SYSTEM_CONTROL [F845CEA8] sptd.sys
Device \Driver\00000053 \Device\00000055 IRP_MJ_DEVICE_CHANGE [F8470A70] sptd.sys
Device \Driver\00000053 \Device\00000055 IRP_MJ_PNP_POWER [F8469728] sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 823DD0E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 820B4DA8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 823DD0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSEIRP_MJ_READ 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 820F0EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_PNP 820F0EB0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 820B4DA8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 823DD0E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 82013BA8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 82013BA8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B77F9D13-387C-42FF-98C6-5BC3F02B7596} IRP_MJ_CREATE 82013BA8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 823DDC78
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSEIRP_MJ_READ 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP_POWER 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSEIRP_MJ_READ 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 82055AB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP_POWER 82055AB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 81FCC0E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 81FCC0E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSEIRP_MJ_READ 81FCC0E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 81FCC0E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 81FCC0E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 81FCC0E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_EA 81FCC0E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 823DD0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 8221AB70
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port1Path0Target0Lun0 IRP_MJ_CREATE 821394D8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 821394D8
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 8218F940
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 821FCCB8
---- Files - GMER 1.0.10 ----
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}
---- EOF - GMER 1.0.10 ----
Symptoms:
1) Some links and sites show "this page cannot be displayed" (always the same links, such as signing in to Yahoo).
2) AIM was deleted from the computer.
3) AIM shows "The AIM service cannot be reached". The same thing happens with Battle.net (while playing Warcraft).
Also, Daemon Tools is on the desktop; should I delete it?
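The two rootkit-analysis steps this thread turns on are (a) deciding which SSDT hooks are attributable to a known driver and which are not, and (b) rescanning after the msconfig diagnostic boot to see which hooks survive. As an added example (not code from the thread, from GMER, or from any of the posters), the Python below parses the SSDT section of a GMER log, classifies each hook by the module GMER attributed it to, and diffs two scans. The input SCAN_NORMAL is the SSDT section exactly as posted above; SCAN_DIAG is a constructed stand-in for the rescan, and the allowlist KNOWN_HOOKERS (sptd.sys, which the thread attributes to Daemon Tools) is an assumption made for the example.

```python
"""Triage of GMER SSDT hook listings: classify hooks and diff two scans.

Added example for this thread, not code from GMER or from the posters.
Assumptions: the allowlist KNOWN_HOOKERS (sptd.sys, which the thread
attributes to Daemon Tools) and the constructed SCAN_DIAG rescan.
"""
import re
from dataclasses import dataclass

# Modules the thread identifies as legitimate SSDT hookers. This allowlist
# is an assumption for the example; extend it per environment.
KNOWN_HOOKERS = {"sptd.sys"}

# GMER "System" section lines look like:  SSDT <module-or-address> <ZwService>
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s*$")
RAW_ADDR_RE = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass(frozen=True)
class SsdtHook:
    service: str   # e.g. ZwConnectPort
    target: str    # module GMER attributed the hook to, or a bare address

    @property
    def attributed(self) -> bool:
        """False when GMER printed only a kernel address, i.e. the hook
        was not mapped to any loaded module (the 8205F250 case above)."""
        return RAW_ADDR_RE.fullmatch(self.target) is None


def parse_ssdt(log: str) -> list[SsdtHook]:
    """Extract SSDT entries from a GMER log; other sections are ignored."""
    hooks = []
    for line in log.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append(SsdtHook(service=m.group(2), target=m.group(1)))
    return hooks


def classify(hook: SsdtHook) -> str:
    """unknown = no module attribution (needs follow-up)
       known   = module on the allowlist
       review  = attributed to a module not on the allowlist"""
    if not hook.attributed:
        return "unknown"
    if hook.target.lower() in KNOWN_HOOKERS:
        return "known"
    return "review"


def triage(log: str) -> dict[str, str]:
    """Map each hooked service name to its verdict."""
    return {h.service: classify(h) for h in parse_ssdt(log)}


def diff_scans(before: str, after: str) -> dict[str, list[str]]:
    """Compare hooked services across two scans, e.g. normal boot vs. the
    msconfig diagnostic boot. Hooks that vanish were installed by something
    the diagnostic boot disabled; hooks that persist need separate follow-up."""
    b = {h.service for h in parse_ssdt(before)}
    a = {h.service for h in parse_ssdt(after)}
    return {"gone": sorted(b - a), "persist": sorted(b & a), "new": sorted(a - b)}


# SSDT section exactly as posted in the thread (normal boot).
SCAN_NORMAL = """\
---- System - GMER 1.0.10 ----
SSDT 8205F250 ZwConnectPort
SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
---- Devices - GMER 1.0.10 ----
"""

# Constructed stand-in for a rescan after the diagnostic boot. This is NOT
# output from the thread; it only illustrates the case the diff is meant to
# surface (one hook surviving the diagnostic boot).
SCAN_DIAG = """\
---- System - GMER 1.0.10 ----
SSDT 8205F250 ZwConnectPort
---- Devices - GMER 1.0.10 ----
"""

if __name__ == "__main__":
    for service, verdict in triage(SCAN_NORMAL).items():
        print(f"{service:<22} {verdict}")
    print(diff_scans(SCAN_NORMAL, SCAN_DIAG))
```

Run against the posted scan, the seven sptd.sys hooks classify as known and ZwConnectPort as unknown, which is exactly the single entry AbuIbrahim singled out; the diff against a rescan shows whether that entry is tied to anything the diagnostic boot turned off. The allowlist is deliberately small: a hook attributed to any module not listed is reported for review rather than silently accepted.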
AbuIbrahim
Security Expert Special Response Team
 Joined: Jan 18, 2006 Posts: 1924
Posted: Fri Aug 25, 2006 2:23 am
I am so sorry, I totally forgot about your original issue. You have or had an AIM virus according to your original HJT log. Did you use AIMFix to remove lockx.exe? Due to the editing, I can't tell what was done.
Please download and run AIMfix.exe from here:
http://www.jayloden.com/AIMFix.exe
Once it's done, a logfile will be created. Please copy and paste the contents of that logfile in your next reply.
The AIM virus has tampered with AOL, so you may need to reinstall that application.
If you do not use Daemon Tools, then you can go to Add/Remove Programs and uninstall that application.
If you decide to remove Daemon Tools, then please perform another rootkit analyzer and GMER scan after the uninstallation and post the results.
As for the websites you can't access, are they all secure websites? Can you access other secure pages besides Yahoo, such as a banking site?
Try this for instance: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1156472332&rver=4.0.1531.0&wp=LBI&wreply=http:%2F%2Fwww.msn.com%2F&lc=1033&id=1184
_________________
Microsoft MVP - Consumer Security 2008
revolver88
Trooper

 Joined: Aug 23, 2006 Posts: 15 Location: USA
Posted: Fri Aug 25, 2006 2:53 am
The AIMFix didn't pick up anything. I could not reach the webpage you provided. The ones that don't seem to work are any that have anything to do with a password.
I won't remove Daemon Tools if it isn't doing any harm (is it?).
I don't know how I removed lockx; I don't remember being able to find it.