1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Cannot remove Trojan.NtRootKit.6360

Discussion in 'Virus & Other Malware Removal' started by mrsamz, Apr 28, 2010.

Thread Status:
Not open for further replies.
  1. mrsamz

    mrsamz Thread Starter

    Joined:
    Apr 28, 2010
    Messages:
    1
    Hello,

    I've been scouring the web looking for a resolution. My specific file comes up with only a few listings on google. I have tried the following:

    ComboFix
    VundoFix
    Malwarebytes
    etc etc.

    I've tried to use Killbox, GiPo utilities, and others to delete or delete on reboot, doesn't work. Malwarebytes and Dr. Web CureIt will find the file and say it's deleted. If I scan again.. it's there. Booting into safe mode and DOS, again, file is locked cannot delete, or DOS, attached device is not functioning..

    THE FILE NAME & LOCATION ARE:
    C:\WINDOWS\system32\drivers\cpxuto.sys


    When scanning with Dr. Web, it shows the file as, "Trojan.NtRootKit.6360"


    HERE ARE MY COMP. SPECS:
    OS Name Microsoft Windows XP Professional
    Version 5.1.2600 Service Pack 2 Build 2600
    System Manufacturer Dell Inc.
    System Model OptiPlex GX520
    System Type X86-based PC
    Processor x86 Family 15 Model 4 Stepping 3 GenuineIntel ~2992 Mhz
    Processor x86 Family 15 Model 4 Stepping 3 GenuineIntel ~2992 Mhz
    BIOS Version/Date Dell Inc. A06, 2/20/2006
    SMBIOS Version 2.3
    Hardware Abstraction Layer Version = "5.1.2600.2705 (xpsp.050622-1524)"
    Total Physical Memory 2,560.00 MB
    Available Physical Memory 1.67 GB
    Page File Space 3.83 GB

    HERE IS MY HIJACK LOG:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:15:17 PM, on 4/28/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\NTROOTKIT Removal Tool\NTROOTKIT-Removal-Tool.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\JDINARDO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKUS\S-1-5-21-3904798422-3565687182-272278461-1114\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Drafting')
    O4 - HKUS\S-1-5-21-3904798422-3565687182-272278461-1114\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" (User 'Drafting')
    O4 - HKUS\S-1-5-21-3904798422-3565687182-272278461-1116\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'JDinardo')
    O4 - HKUS\S-1-5-21-3904798422-3565687182-272278461-1116\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe (User 'JDinardo')
    O4 - HKUS\S-1-5-21-3904798422-3565687182-272278461-1116\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" (User 'JDinardo')
    O4 - HKUS\S-1-5-21-3904798422-3565687182-272278461-1117\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jeff')
    O4 - HKUS\S-1-5-21-3904798422-3565687182-272278461-1117\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" (User 'Jeff')
    O4 - HKUS\S-1-5-21-3904798422-3565687182-272278461-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    O4 - HKUS\S-1-5-21-660867393-2310028512-3886670922-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    O4 - HKUS\S-1-5-21-660867393-2310028512-3886670922-500\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" (User 'Administrator')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\Program Files\SmartWhois\swmsie.exe
    O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\Program Files\SmartWhois\swmsie.exe
    O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\Program Files\SmartWhois\swmsie.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://ushousecall02.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://chil.solidworks.com/htdocs/pdownload/edrawings/e2010sp02/cab//eModelsStandard.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {23E641E3-6223-475B-9511-5DBB6C58CE30} (EntryNET55.EntryNet) - http://www.brosco.com/entrynet/cabs/Ezoe55.CAB
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E7C44C86-0CD3-11D2-9311-00A0247A4E65} (SEAGULL J Walk ActiveX Client) - https://answernet.bradleycorp.com/JWALK4/JWALKXS/jwalkx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = QD.local
    O17 - HKLM\Software\..\Telephony: DomainName = QD.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = QD.local
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SolarWinds TFTP Server - SolarWinds - C:\Program Files\SolarWinds\TFTPServer\SolarWinds TFTP Server.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 12809 bytes



    Please help! Thank you in advance!
     

    Attached Files:

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/919860

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice