WiredWX Hobby Weather Tools

Rootkit.Agent
Hello, every time I run an MBAM scan, this rootkit.agent is found within my drivers and every time it is removed, the thing comes back upon restart. Simply deleting the file does not seem to be working. Here is the log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/24/2010 11:38:06 AM
mbam-log-2010-06-24 (11-38-06).txt

Scan type: Quick scan
Objects scanned: 105899
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\vtotjuok.sys (Rootkit.Agent) -> No action taken.

Re: Rootkit.Agent
Hello.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.

Re: Rootkit.Agent
Updated, did another scan. Removed ~20 infections, rebooted, scanned, still here!

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4236

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/24/2010 10:54:27 PM
mbam-log-2010-06-24 (22-54-27).txt

Scan type: Quick scan
Objects scanned: 129127
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\vtotjuok.sys (Rootkit.Agent) -> No action taken.

Re: Rootkit.Agent
Hello.

  • Download combofix from here
    Link 1
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

    [screenshot: CF_download_FF]

    [screenshot: 2aflf5z]

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    NOTE: Do not mouse click combofix's window whilst it's running. That may cause it to stall.

Re: Rootkit.Agent
ComboFix 10-06-25.02 - Administrator 06/25/2010 19:51:51.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2030.1491 [GMT -7:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe
c:\users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\35y3Y.jpg
c:\users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\6UspRJUJo.jpg
c:\users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Qaa77l.jpg
c:\users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\uBS43.jpg
c:\users\Administrator\AppData\Local\oxezisijih.dll
c:\windows\system32\st322000.dll

Infected copy of c:\windows\system32\drivers\partmgr.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-19 01:08 . 2010-06-19 01:08 5105904 ----a-w- c:\users\Administrator\AppData\Roaming\OnLive\clients\213.53986\client.dll
2010-06-19 01:07 . 2010-06-19 01:07 -------- d-----w- c:\users\Administrator\AppData\Roaming\OnLive
2010-06-19 01:07 . 2010-06-19 01:07 -------- d-----w- c:\program files\OnLive
2010-06-17 12:27 . 2010-06-17 12:27 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-06-17 12:27 . 2010-06-17 12:27 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-06-12 01:36 . 2010-06-12 01:36 -------- d-----w- c:\program files\Stunlock Studios
2010-06-12 01:35 . 2010-06-12 01:35 -------- d-----w- c:\program files\Microsoft XNA
2010-06-06 10:43 . 2010-06-06 10:43 -------- d-----w- c:\program files\Veoh Networks
2010-06-02 00:54 . 2010-06-02 00:54 45828 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 03:00 . 2009-12-11 12:39 -------- d-----w- c:\program files\Common Files\Akamai
2010-06-26 03:00 . 2010-04-21 10:08 823808 ----a-w- c:\windows\system32\drivers\vtotjuok.sys
2010-06-26 02:51 . 2009-08-22 20:05 -------- d-----w- c:\programdata\NVIDIA
2010-06-26 02:30 . 2009-08-22 20:44 -------- d-----w- c:\users\Administrator\AppData\Roaming\.purple
2010-06-25 05:49 . 2009-08-23 07:59 -------- d-----w- c:\users\Administrator\AppData\Roaming\uTorrent
2010-06-25 05:36 . 2010-04-21 15:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 01:34 . 2009-08-25 22:53 -------- d-----w- c:\users\Administrator\AppData\Roaming\vlc
2010-06-19 07:23 . 2009-08-22 21:19 -------- d-----w- c:\program files\Heroes of Newerth
2010-06-17 12:16 . 2010-05-22 18:21 -------- d-----w- c:\program files\ffdshow
2010-06-17 12:15 . 2009-08-22 20:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-17 12:13 . 2010-05-18 09:20 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-06-16 11:20 . 2009-10-17 09:19 -------- d-----w- c:\users\Administrator\AppData\Roaming\dvdcss
2010-06-16 07:25 . 2009-09-28 01:43 -------- d-----w- c:\users\Administrator\AppData\Roaming\mIRC
2010-06-16 06:31 . 2009-09-28 01:43 -------- d-----w- c:\program files\mIRC
2010-06-15 13:10 . 2010-05-09 11:57 -------- d-----w- c:\users\Administrator\AppData\Roaming\foobar2000
2010-06-08 12:50 . 2009-08-22 20:17 103560 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-03 20:30 . 2010-05-23 00:06 -------- d-----w- c:\programdata\Ubisoft
2010-05-30 17:45 . 2009-11-02 04:15 -------- d-----w- c:\users\Administrator\AppData\Roaming\gtk-2.0
2010-05-25 06:53 . 2010-05-18 09:20 -------- d-----w- c:\users\Administrator\AppData\Roaming\DivX
2010-05-24 03:20 . 2010-03-29 04:23 139128 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-24 03:20 . 2010-03-29 04:23 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-23 00:02 . 2010-05-22 23:54 -------- d-----w- c:\program files\Ubisoft
2010-05-22 18:21 . 2010-05-22 18:21 -------- d-----w- c:\program files\Common Files\doubleTwist
2010-05-22 18:21 . 2010-05-22 18:21 -------- d-----w- c:\programdata\doubleTwist Corporation
2010-05-22 18:07 . 2010-05-22 18:07 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2010-05-21 22:17 . 2009-08-22 20:05 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-21 22:17 . 2009-08-22 20:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-21 22:12 . 2009-12-02 08:35 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-05-21 05:46 . 2010-05-21 05:46 2165 ----a-w- c:\users\Administrator\AppData\Roaming\.purple\certificates\x509\tls_peers\rsi.hotmail.com
2010-05-20 03:13 . 2009-08-23 08:00 -------- d-----w- c:\program files\uTorrent
2010-05-14 23:26 . 2010-05-14 23:26 2095 ----a-w- c:\users\Administrator\AppData\Roaming\.purple\certificates\x509\tls_peers\login.live.com
2010-05-09 11:56 . 2010-05-09 11:56 -------- d-----w- c:\program files\foobar2000
2010-05-03 22:56 . 2009-09-09 21:47 -------- d-----w- c:\programdata\Microsoft Help
2010-05-03 18:13 . 2009-09-06 08:26 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-29 22:39 . 2010-04-21 15:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-04-21 15:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 04:06 . 2009-09-11 20:09 -------- d-----w- c:\program files\Total Video Converter
2010-04-21 10:08 . 2010-04-21 10:08 70656 --sha-r- c:\windows\system32\WSDApi0.dll
2010-04-04 01:27 . 2010-04-04 01:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-04 01:27 . 2010-04-04 01:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 01:27 . 2010-04-04 01:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-04 01:27 . 2010-04-04 01:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 23:54 . 2009-08-31 23:31 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-29 04:23 . 2010-03-29 04:23 138056 ----a-w- c:\users\Administrator\AppData\Roaming\PnkBstrK.sys
2010-03-29 04:23 . 2010-03-29 04:23 138056 ----a-w- c:\users\Administrator\AppData\Roaming\PnkBstrK.sys
2010-03-29 04:22 . 2010-03-29 04:22 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-29 04:22 . 2010-03-29 04:22 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
.

Code:

    c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
    c:\program files\Everything\everything .exe
    c:\program files\IDT\WDM\sttray .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\Java\jre6\bin\jusched .exe
    c:\program files\Microsoft Office\Office12\groovemonitor .exe
    c:\program files\QuickTime\qttask  .exe
    c:\program files\Razer\DeathAdder\razerhid .exe


------- Sigcheck -------


[-] 2009-08-22 . A6E0C9720DE23A1C785788D549A3C7E0 . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll



c:\windows\System32\linkinfo.dll ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
c:\windows\System32\termsrv.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-02-17 2937528]
"AdobeBridge"="" [N/A]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-15 322352]
"doubleTwist"="c:\program files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"Start_ShowMyMusic"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKLM\~\startupfolder\C:^Users^Administrator^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Administrator^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Administrator^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\dtlite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeskSpace]
c:\program files\DeskSpace\deskspace.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcexecwin]
c:\users\ADMINI~1\AppData\Local\Temp\yivfvze.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-09 14:28 1238352 ----a-w- c:\games\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-15 20:43 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-25 135664]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [x]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2009-05-25 26736]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-09-19 3474384]
R3 scsichk;scsichk;c:\windows\system32\scsichk.sys [x]
R3 XDva296;XDva296;c:\windows\system32\XDva296.sys [x]
R4 dxiky;dxiky;c:\windows\system32\drivers\wpykb.sys [x]
R4 ihfql;ihfql;c:\windows\system32\drivers\afwslbe.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-11-06 691696]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-04-03 240232]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-03 22784]


--- Other Services/Drivers In Memory ---

*Deregistered* - vtotjuok

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ BFE mpssvc WwanSvc
Akamai REG_MULTI_SZ Akamai
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-25 04:43]

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-25 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p4nrz6l8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGPPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\OnLive\FirefoxPlugin\npolgdet.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Call of Duty Modern Warfare 2_is1 - c:\program files\Activision\Modern Warfare 2\unins000.exe
AddRemove-Gunz - c:\ijji\ENGLISH\Gunz\Uninstall.exe
AddRemove-LostSagaUS - c:\program files\OGPlanet\LostSaga\uninstall.exe
AddRemove-OGPlanet Game Launcher US - c:\program files\OGPlanet\USLauncher\uninst.exe
AddRemove-PFPortChecker - c:\users\Administrator\Desktop\PFPortChecker\uninst.exe
AddRemove-{71D182CD-2E7B-4994-9937-6562CF2BFFFC}_is1 - c:\program files\Pokemon World Online\unins000.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kupnovtjtprrwin]
"imagepath"="\??\c:\windows\TEMP\1ED5.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\vtotjuok]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,d9,7c,c1,d5,9f,94,4a,86,6b,29,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,d9,7c,c1,d5,9f,94,4a,86,6b,29,\

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="divx_asf_file"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="divx_avi_file"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.div\UserChoice]
@Denied: (2) (Administrator)
"Progid"="divx_div_file"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.divx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="divx_divx_file"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mkv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="divx_mkv_file"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="divx_mov_file"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="divx_mp4_file"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="divx_mpeg_file"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="divx_mpg_file"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\Winword.exe"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.qt\UserChoice]
@Denied: (2) (Administrator)
"Progid"="divx_qt_file"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tix\UserChoice]
@Denied: (2) (Administrator)
"Progid"="divx_tix_file"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice]
@Denied: (2) (Administrator)
"Progid"="txtfile"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xvid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="divx_xvid_file"

[HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\SecuROM\License information*]
"datasecu"=hex:81,1f,a5,cb,dc,5a,d5,69,a0,24,b6,01,70,60,5e,3e,5a,92,a3,af,4d,
94,c6,53,23,03,ba,3b,b1,7c,61,a0,9b,96,b4,b6,67,74,73,03,50,5e,c1,45,44,4e,\
"rkeysecu"=hex:38,7a,90,6d,6b,de,b2,5e,d2,42,fd,5a,86,6b,f2,6f

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-06-25 20:01:09
ComboFix-quarantined-files.txt 2010-06-26 03:01
ComboFix2.txt 2008-12-22 01:15
ComboFix3.txt 2008-12-21 20:15
ComboFix4.txt 2008-12-11 01:10

Pre-Run: 142,909,235,200 bytes free
Post-Run: 144,203,264,000 bytes free

- - End Of File - - B9FAFE88E1F52990A633FC9F31AC2065
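A small triage script, added here as an example and not part of ComboFix, Malwarebytes or any of the posts in this thread. It reads the kinds of lines that appear in the ComboFix log above (R/S service entries, where `[x]` means the image file is missing; Find3M file entries with their attribute column; the space-before-extension paths ComboFix listed under RenV; and the `*Deregistered*` driver line) and flags the persistence signals a responder would check first: services registered with no file on disk, drivers loaded under an unrelated name, executables with system+hidden attributes, and a driver file in system32\drivers that no listed service claims. The regexes, the vowel-ratio name heuristic, and the on-disk-versus-referenced cross-check are the editor's assumptions about this log format; the sample log is constructed from lines of the posted output.

```python
"""Triage ComboFix-style log lines for driver/service persistence signals.
Added example for this thread, not code from ComboFix, Malwarebytes or the
posters; regexes, heuristics and thresholds are assumptions about the log
format shown above, and SAMPLE_LOG is constructed from lines of that kind."""
from __future__ import annotations
import re
from dataclasses import dataclass

# "R4 dxiky;dxiky;c:\windows\system32\drivers\wpykb.sys [x]"   ([x] = image file missing)
SERVICE_RE = re.compile(r"^[RS][0-4]\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$")
# "2010-06-26 03:00 . 2010-04-21 10:08 823808 ----a-w- c:\...\vtotjuok.sys"
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$")
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)")
SPACED_EXT_RE = re.compile(r"\S\s+\.[A-Za-z0-9]{2,4}$")   # "qttask  .exe"
DRIVERS_DIR = "\\system32\\drivers\\"
VOWELS = set("aeiou")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def looks_random(name: str) -> bool:
    """Weak signal, assumed threshold: 5-10 letters with under 40% vowels.
    Matches vtotjuok, dxiky, ihfql; not gupdate, Akamai or sptd (too short)."""
    s = name.lower()
    if not s.isalpha() or not 5 <= len(s) <= 10:
        return False
    return sum(c in VOWELS for c in s) / len(s) < 0.4


def _stem(path: str) -> str:
    """File name without directory or extension, lower-cased."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def check_service(line: str) -> list[Finding]:
    """Flags for one 'Reg Loading Points' service/driver line."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    name, display, path = (m[g].strip() for g in ("name", "display", "path"))
    opaque = name.lower() == display.lower()   # no descriptive display name
    out = []
    if m["meta"].strip() == "x":
        out.append(Finding(line, f"service '{name}' is registered but its image {path} is missing"))
    if opaque and looks_random(name):
        out.append(Finding(line, f"service '{name}' has a random-looking name and no display name"))
    if opaque and path.lower().endswith(".sys") and _stem(path) != name.lower():
        out.append(Finding(line, f"driver service '{name}' loads {path} under an unrelated file name"))
    return out


def check_file(line: str) -> list[Finding]:
    """Flags for a Find3M/'Files Created' entry or a bare path line."""
    m = FILE_RE.match(line)
    if m:
        attrs, path = m["attrs"], m["path"]
    elif re.match(r"^[A-Za-z]:\\", line):
        attrs, path = "", line.strip()
    else:
        return []
    low = path.lower()
    ext = low.rsplit(".", 1)[-1]
    out = []
    if SPACED_EXT_RE.search(path):
        out.append(Finding(line, "whitespace before the extension (ComboFix lists these under RenV)"))
    if ext in ("sys", "dll", "exe") and "s" in attrs and "h" in attrs:
        out.append(Finding(line, "executable image with system+hidden attributes"))
    if ext == "sys" and DRIVERS_DIR not in low:
        out.append(Finding(line, "kernel driver image outside system32\\drivers"))
    return out


def triage(log_text: str) -> list[Finding]:
    """Per-line checks plus a cross-check: a .sys in the drivers directory that
    no listed service loads is what a driver hiding its registration looks like."""
    findings: list[Finding] = []
    referenced: set[str] = set()    # driver stems loaded by some listed service
    on_disk: dict[str, str] = {}    # driver stems seen in file listings -> line
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        d = DEREG_RE.match(line)
        if d:
            findings.append(Finding(line, f"'{d['name']}' is in memory with no service registration"))
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            path = svc["path"].strip()
            if path.lower().endswith(".sys"):
                referenced.add(_stem(path))
            findings.extend(check_service(line))
            continue
        f = FILE_RE.match(line)
        if f and f["path"].lower().endswith(".sys") and DRIVERS_DIR in f["path"].lower():
            on_disk[_stem(f["path"])] = line
        findings.extend(check_file(line))
    for stem, line in on_disk.items():
        if stem not in referenced:
            findings.append(Finding(line, f"driver {stem}.sys on disk is not loaded by any listed service"))
    return findings


# Constructed sample: lines of the kinds seen in the posted ComboFix log.
SAMPLE_LOG = r"""
R3 scsichk;scsichk;c:\windows\system32\scsichk.sys [x]
R3 XDva296;XDva296;c:\windows\system32\XDva296.sys [x]
R4 dxiky;dxiky;c:\windows\system32\drivers\wpykb.sys [x]
R4 ihfql;ihfql;c:\windows\system32\drivers\afwslbe.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-11-06 691696]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-03 22784]
*Deregistered* - vtotjuok
2010-06-26 03:00 . 2010-04-21 10:08 823808 ----a-w- c:\windows\system32\drivers\vtotjuok.sys
2010-04-21 10:08 . 2010-04-21 10:08 70656 --sha-r- c:\windows\system32\WSDApi0.dll
2010-03-29 04:23 . 2010-03-29 04:23 138056 ----a-w- c:\users\Administrator\AppData\Roaming\PnkBstrK.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
c:\program files\QuickTime\qttask  .exe
c:\program files\Razer\DeathAdder\razerhid .exe
"""

if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG):
        print(f"{fnd.reason}\n    {fnd.line}")
```

Run as a script it prints each finding with the log line that produced it. On the sample it singles out vtotjuok.sys as a driver file no listed service claims while the `*Deregistered*` line shows it in memory, the four orphaned R3/R4 entries (scsichk, XDva296, dxiky, ihfql), the hidden WSDApi0.dll, the driver in a Roaming profile, and the two executables with a space before `.exe`; sptd, the DeathAdder driver and StaticCache.dat produce nothing. The name heuristic is deliberately a weak signal and only counts when the service also lacks a display name.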

Re: Rootkit.Agent
Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:


    KILLALL::

    File::
    c:\windows\system32\drivers\vtotjuok.sys

    RenV::
    c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
    c:\program files\Everything\everything .exe
    c:\program files\IDT\WDM\sttray .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\Java\jre6\bin\jusched .exe
    c:\program files\Microsoft Office\Office12\groovemonitor .exe
    c:\program files\QuickTime\qttask  .exe
    c:\program files\Razer\DeathAdder\razerhid .exe

    Driver::
    scsichk
    XDva296
    dxiky
    ihfql
    vtotjuok

    DDS::
    uStart Page = hxxp://www.ask.com?o=14196&l=dis

    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\vtotjuok]

    RegLock::
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.div\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.divx\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mkv\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.qt\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tix\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    [HKEY_USERS\S-1-5-21-2207334238-82132700-2091776249-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xvid\UserChoice]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]


  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [screenshot: Cfscriptb4i]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
