1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

avg rootkit detects hidden driver, reappears

Discussion in 'Virus & Other Malware Removal' started by eccwoes, Oct 25, 2007.

Thread Status:
Not open for further replies.
  1. eccwoes

    eccwoes Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    68
    Hello, on scanning my computer with avg rootkit latest version, it detects a hidden driver file with a seemingly random name in c system 32 drivers folder. I force avg to fix it and to finish the fix it needs to reboot, but the next time I boot and run avg rootkit it immediately detects another hidden driver in the same location with a different name. eg - a4j01ztw.sys, a8bs781d.sys etc. I haven't noticed anything going wrong with my computer but i'm a bit worried in case i'm being keylogged or something. Also a couple of days ago avg virus scan told me my mbr had been modified, but this hasn't affected the operation of the computer so far. The latter change may have occurred when I allowed a registry change while installing a game. I had all my virus/spybot/firewall turned off at the time in case it intefered with the installation.

    i would be grateful for any help or information.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:31:57, on 25/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\mgabg.exe
    C:\WINDOWS\system32\wwSecure.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\GRISOFT\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

    http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection -

    {53707962-6F74-2D53-2644-206D7942484F} -

    C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone

    Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Matrox PowerDesk SE] "c:\Program Files\Matrox

    Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [Matrox Powerdesk]

    C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search

    & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

    (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe

    /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y

    "%SystemRoot%\System32\syssetub.dll"

    "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

    (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y

    "%SystemRoot%\System32\syssetub.dll"

    "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

    (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y

    "%SystemRoot%\System32\syssetub.dll"

    "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

    (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y

    "%SystemRoot%\System32\syssetub.dll"

    "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
    O4 - Startup: Drempels Desktop.lnk = C:\WINDOWS\drempels.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

    C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

    {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

    C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -

    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\msmsgs.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program

    Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -

    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Matrox Centering Service - Matrox Graphics Inc. -

    c:\Program Files\Matrox Graphics

    Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. -

    C:\WINDOWS\system32\mgabg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc.

    - C:\WINDOWS\system32\wwSecure.exe

    --
    End of file - 4377 bytes
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - rootkit detects hidden
  1. lunarlander
    Replies:
    5
    Views:
    653
  2. ricincalifornia
    Replies:
    2
    Views:
    480
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/643313

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice