antivirus xp 2008 - Rootkit still present?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

dewbldw1213

Thread Starter
Joined
Sep 17, 2008
Messages
1
Hello Tech Guys,

A problem still exists on my machine and any help would be appreciated immensely.

Lavasoft Ad-Aware detected and removed "Antivirus XP 2008". But I still saw suspicious activity occurring as viewed in Sysinternals' Process Explorer. Per another help thread I read on your forum, I installed and ran ComboFix from BleepingComputer. Below is the log file. During running, at one point it stated "Combofix has detected the presence of rootkit activity and needs to reboot".

After ComboFix finished, things cleared up considerably; however, every time I reboot, several odd occurrences happen. I have Process Explorer set to start automatically, and it shows that Windows User Mode Driver Manager (wdfmgr) comes up after a delayed period. Until it does, opening Windows Explorer will just show a "searching flashlight" at the computer icon (file system not detected). This behavior is new. Also, Windows automatic update (wuauclt) will start although I have that completely disabled in options. Thanks very much for your help.


ComboFix 08-09-15.02 - Don 2008-09-16 19:04:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.319 [GMT -4:00]
Running from: D:\Documents and Settings\Don\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Don\Favorites\Online Security Test.url
D:\Documents and Settings\LocalService\Application Data\sysproc64
D:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys
D:\WINDOWS\system32\drivers\svchost.exe
D:\WINDOWS\system32\grouppolicy\machine\scripts\scripts.ini
D:\WINDOWS\system32\oembios.exe
D:\WINDOWS\system32\sysproc64
D:\WINDOWS\system32\sysproc64\sysproc32.sys
D:\WINDOWS\system32\sysproc64\sysproc86.sys
D:\WINDOWS\system32\tdssadw.dll
D:\WINDOWS\system32\tdssinit.dll
D:\WINDOWS\system32\tdssl.dll
D:\WINDOWS\system32\tdsslog.dll
D:\WINDOWS\system32\tdssmain.dll
D:\WINDOWS\system32\tdssserf.dll
D:\WINDOWS\system32\tdssservers.dat

.
((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
.

2008-09-14 14:59 . 2008-09-14 14:59 63 --a------ D:\Winamp.ini
2008-09-09 12:32 . 2008-09-09 12:32 <DIR> d-------- D:\Program Files\Unibrain
2008-09-08 23:36 . 2002-10-10 12:06 7,952 --a------ D:\WINDOWS\system32\drivers\UBFWDev.sys
2008-09-08 10:59 . 2008-09-15 20:57 <DIR> d-------- D:\downloads
2008-09-02 16:48 . 2008-09-02 16:48 <DIR> d-------- D:\Program Files\ResizeEnable
2008-08-25 22:15 . 2008-08-25 22:22 <DIR> d-------- D:\Program Files\cueproc-1.10
2008-08-25 10:20 . 2008-08-25 10:20 <DIR> d-------- D:\Program Files\shntool-3.0.7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 17:33 --------- d-----w D:\Program Files\Mozilla Thunderbird
2008-09-16 02:08 --------- d-----w D:\Documents and Settings\Don\Application Data\foobar2000
2008-09-14 02:28 --------- d-----w D:\Program Files\DartPro 32
2008-09-09 03:36 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-09-06 02:17 --------- d-----w D:\Program Files\foobar2000
2008-08-31 15:29 --------- d-----w D:\Documents and Settings\Don\Application Data\Syntrillium
2008-08-28 16:05 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-08-28 00:11 --------- d-----w D:\Program Files\Java
2008-08-27 02:57 --------- d-----w D:\Documents and Settings\Don\Application Data\Mp3tag
2008-08-12 22:27 --------- d-----w D:\Program Files\Mp3tag
2008-08-07 20:14 647,168 ----a-w D:\WINDOWS\system32\FireiX.dll
2008-08-06 23:55 --------- d-----w D:\Program Files\PhotoFiltre
2008-08-06 21:23 393,216 ----a-w D:\WINDOWS\system32\CFiCamera.dll
2008-08-06 21:21 253,952 ----a-w D:\WINDOWS\system32\FiCommon.dll
2008-08-06 21:21 1,482,752 ----a-w D:\WINDOWS\system32\ubShared.dll
2008-08-06 21:17 692,224 ----a-w D:\WINDOWS\system32\ubUI.dll
2008-08-06 19:59 1,130,496 ----a-w D:\WINDOWS\system32\UB1394.dll
2008-08-06 19:34 233,472 ----a-w D:\WINDOWS\system32\ubVideo.dll
2008-08-06 18:03 24,576 ----a-w D:\WINDOWS\system32\drivers\ubfwnet.sys
2008-08-06 17:53 39,424 ----a-w D:\WINDOWS\system32\drivers\UBUMAPI.sys
2008-08-06 17:52 17,408 ----a-w D:\WINDOWS\system32\drivers\UBSBM.sys
2008-08-06 17:52 100,352 ----a-w D:\WINDOWS\system32\drivers\UB1394.sys
2008-08-06 17:48 114,688 ----a-w D:\WINDOWS\system32\drivers\ubohci.sys
2008-07-21 19:44 --------- d-----w D:\Program Files\PhoneTools
2007-08-22 15:44 62,104 ----a-w D:\Documents and Settings\Don\Application Data\GDIPFONTCACHEV1.DAT
1998-08-24 19:09 10,000 ----a-w D:\WINDOWS\inf\unregpn.exe
2006-05-06 16:42 7,260,160 ----a-w D:\Program Files\mozilla firefox\plugins\libvlc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"kX Mixer"="D:\WINDOWS\System32\kxmixer.exe" [2008-04-04 500224]
"SmcService"="D:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]

D:\Documents and Settings\Don\Start Menu\Programs\Startup\
Process Explorer.lnk - D:\Program Files\Process Explorer\procexp.exe [2006-02-22 1455680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= ctwdm32.dll
"aux3"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=IndexDat.cmd

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2007-04-09 12:32 19456 D:\WINDOWS\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2007-04-09 12:32 19968 D:\WINDOWS\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Program Files\\BitTorrent\\bittorrent.exe"=

R2 SBKUPNT;SBKUPNT;D:\WINDOWS\System32\Drivers\SBKUPNT.SYS [2001-07-13 14976]
R2 ubsbm;Unibrain 1394 SBM Driver;D:\WINDOWS\System32\DRIVERS\ubsbm.sys [2008-08-06 17408]
R2 ubumapi;Unibrain 1394 FireAPI Driver;D:\WINDOWS\System32\DRIVERS\ubumapi.sys [2008-08-06 39424]
R2 UMAXPCLS;Print Port Scanner Driver;D:\WINDOWS\System32\DRIVERS\umaxpcls.sys [2001-08-17 22912]
R3 ctgame;Game Port;D:\WINDOWS\System32\DRIVERS\ctgame.sys [2007-04-10 19112]
R3 kxwdmdrv;kX WDM Driver Service;D:\WINDOWS\System32\drivers\kx.sys [2008-04-04 568320]
R3 UBFWNet;Unibrain 1394 FireNet Adapter NT Driver;D:\WINDOWS\System32\DRIVERS\ubfwnet.sys [2008-08-06 24576]
R3 ubohci;Unibrain 1394 OHCI Driver;D:\WINDOWS\System32\DRIVERS\ubohci.sys [2008-08-06 114688]
S1 vcdrom;Virtual CD-ROM Device Driver;D:\Documents and Settings\Don\Desktop\WinXP Virtual CD Control PAnel\VCdRom.sys [ ]
S3 PTHSBUS;Curitel USB Composite Device Driver (UDP);D:\WINDOWS\System32\DRIVERS\PTHSBUS.sys [2007-02-26 27008]
S3 PTHSMDM;Curitel Packet Service Drivers (UDP);D:\WINDOWS\System32\DRIVERS\PTHSMDM.sys [2007-02-26 41344]
S3 PTHSVSP;Curitel Packet Service Diagnostic Serial Port (UDP);D:\WINDOWS\System32\DRIVERS\PTHSVSP.sys [2007-02-26 39680]
S3 UBFWDev;FireNet PC;D:\WINDOWS\System32\DRIVERS\UBFWDev.sys [2002-10-10 7952]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-inrhcvm7j0e111 - D:\Documents and Settings\Don\Local Settings\Temp\.tt70.tmp.exe
SharedTaskScheduler-bestreak - (no file)
SSODL-bestreak-{874443fe-aa33-4ebf-a6ac-73208787e62d} - D:\WINDOWS\System32\viruxz.dll
MSConfigStartUp-lphcrm7j0e111 - D:\WINDOWS\System32\lphcrm7j0e111.exe
MSConfigStartUp-MsgCenterExe - D:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
MSConfigStartUp-SVCHOST - D:\WINDOWS\System32\drivers\svchost.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Don\Application Data\Mozilla\Firefox\Profiles\9s52e11z.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - D:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npmnqmp07010901.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 19:06:21
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-09-16 19:07:05
ComboFix-quarantined-files.txt 2008-09-16 23:07:03

Pre-Run: 13,182,418,944 bytes free
Post-Run: 13,227,765,760 bytes free
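A small added example (not code from the poster, from ComboFix, or from Tech Support Guy) showing how to read a ComboFix log like the one above and pull out the leftovers a helper would look at first: the service keys that still reference a driver after cleanup, and orphaned autostart entries pointing into Temp or into the drivers folder. The sample log is a trimmed excerpt of the log posted in the thread; the "family" heuristic (a name prefix shared by at least two deleted files, which here yields `tdss`) and all function names are this example's own assumptions, not ComboFix behaviour.

```python
"""Triage helper for ComboFix logs: flag service keys and orphans left after cleanup.

Hypothetical example code; the heuristics below are assumptions made for
illustration, not part of ComboFix. SAMPLE_LOG is an excerpt of the log
posted in the thread, reduced to the sections this script reads.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys
D:\WINDOWS\system32\drivers\svchost.exe
D:\WINDOWS\system32\tdssadw.dll
D:\WINDOWS\system32\tdssinit.dll
D:\WINDOWS\system32\tdssmain.dll
D:\WINDOWS\system32\tdssservers.dat

.
((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
.
2008-09-14 14:59 . 2008-09-14 14:59 63 --a------ D:\Winamp.ini

- - - - ORPHANS REMOVED - - - -

HKLM-Run-inrhcvm7j0e111 - D:\Documents and Settings\Don\Local Settings\Temp\.tt70.tmp.exe
SSODL-bestreak-{874443fe-aa33-4ebf-a6ac-73208787e62d} - D:\WINDOWS\System32\viruxz.dll
MSConfigStartUp-SVCHOST - D:\WINDOWS\System32\drivers\svchost.exe

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
"""

SECTION_RE = re.compile(r"^\({5,}\s*(.*?)\s*\){5,}$")   # "(((( Title ))))" headers
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")              # lines that are a drive-letter path
SERVICE_RE = re.compile(                               # "[...\Services\NAME]" + ImagePath line
    r'^\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\([^\]]+)\]\r?\n'
    r'"imagepath"="([^"]*)"',
    re.IGNORECASE | re.MULTILINE,
)


def section_lines(log, title):
    """Body lines of the ComboFix section whose header contains `title`."""
    out, inside = [], False
    for line in log.splitlines():
        match = SECTION_RE.match(line.strip())
        if match:                         # every "((((" header starts a new section
            inside = title.lower() in match.group(1).lower()
            continue
        if inside:
            out.append(line.rstrip())
    return out


def deleted_files(log):
    return [ln for ln in section_lines(log, "Other Deletions") if WIN_PATH_RE.match(ln)]


def deleted_stems(log):
    """Lower-cased file-name stems of everything ComboFix deleted, e.g. 'tdssinit'."""
    return {PureWindowsPath(p).stem.lower() for p in deleted_files(log)}


def families(log, width=4):
    """Name prefixes shared by at least two deleted files (assumed 'malware family' marker)."""
    counts = Counter(s[:width] for s in deleted_stems(log) if len(s) >= width)
    return {prefix for prefix, n in counts.items() if n >= 2}


def service_image_paths(log):
    return dict(SERVICE_RE.findall(log))


def orphans(log):
    """(name, path) pairs listed under 'ORPHANS REMOVED'."""
    out, inside = [], False
    for line in log.splitlines():
        if "ORPHANS REMOVED" in line:
            inside = True
            continue
        if inside:
            if not line.strip() or line.strip() == ".":
                continue
            if " - " not in line:         # next block (registry key, header) ends the list
                break
            name, path = line.split(" - ", 1)
            out.append((name.strip(), path.strip()))
    return out


def assess_services(log):
    """Service keys that survived cleanup: dangling entries, or drivers from a deleted family."""
    findings, fams = [], families(log)
    for name, path in service_image_paths(log).items():
        if not path:
            findings.append((name, "empty ImagePath (dangling service entry)"))
            continue
        drv = PureWindowsPath(path.lstrip("\\"))
        if drv.stem.lower()[:4] in fams:
            findings.append((name, f"driver {drv.name} matches deleted '{drv.stem.lower()[:4]}*' family"))
    return findings


def suspicious_orphans(log):
    """Orphaned autostarts that ran from Temp or registered an .exe under the drivers folder."""
    findings = []
    for name, path in orphans(log):
        p = PureWindowsPath(path)
        parts = [part.lower() for part in p.parts]
        if "temp" in parts:
            findings.append((name, "launched from a Temp directory"))
        elif p.suffix.lower() == ".exe" and "drivers" in parts:
            findings.append((name, "executable registered from the drivers folder"))
    return findings


if __name__ == "__main__":
    for name, why in assess_services(SAMPLE_LOG) + suspicious_orphans(SAMPLE_LOG):
        print(f"{name:45s} {why}")
```

Run against the excerpt it reports the `TDSSserv` key (driver name shares the `tdss` prefix with four deleted files, yet `TDSSserv.sys` itself is not in the deletion list), the empty `vsdatant` entry, and the two orphans that ran from Temp and from `system32\drivers`. That matches what a helper would ask the poster to check next: whether `TDSSserv.sys` is still on disk and whether the service key was removed on the following reboot.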
