Broni,
If I do that, it will probably remove the RestoreIt! MBR program. I can get it back though. I'll try that in a minute or two. Thanks.
Update - results after restoring the MBR:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 1 !
Download RootRepeal.zip and unzip it to your Desktop.
- Double click RootRepeal.exe to start the program
- Click on the Report tab at the bottom of the program window
- Click the Scan button
- In the Select Scan dialog, check:
- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services
- Click the OK button
- In the next dialog, select all drives showing
- Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running.
- When the scan is complete, the Save Report button will become available
- Click this and save the report to your Desktop as RootRepeal.txt
- Go to File, then Exit to close the program
Post the report.
RootRepeal Report:
I am signing off for tonight - enough fighting with this problem PC for tonight. Thanks.
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/02/17 23:19
Program Version: Version 1.2.3.0
Windows Version: Windows 2000 SP4
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xB6EE7000 Size: 90112 File Visible: No
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xEBA55000 Size: 4096 File Visible: No
Status: -
Name: rootrepeal.sys
Image Path: C:\WINNT\system32\drivers\rootrepeal.sys
Address: 0xB6994000 Size: 45056 File Visible: No
Status: -
Name: srescan.sys
Image Path: srescan.sys
Address: 0xBFE77000 Size: 81920 File Visible: No
Status: -
Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!
Path: Volume C:\, Sector 1
Status: Sector mismatch
Path: C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-2-17-2009( 23-16-27 ).SDB
Status: Size mismatch (API: 559, Raw: 360)
SSDT
-------------------
ServiceTable Hooked [0x80480a20]!
#: 027 Function Name: NtConnectPort
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb7093040
#: 032 Function Name: NtCreateFile
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb708f930
#: 035 Function Name: NtCreateKey
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb709aa80
#: 040 Function Name: NtCreatePort
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb7093510
#: 041 Function Name: NtCreateProcess
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb7099870
#: 043 Function Name: NtCreateSection
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb709cfd0
#: 049 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb7093600
#: 052 Function Name: NtDeleteFile
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb708ff20
#: 053 Function Name: NtDeleteKey
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb709b6e0
#: 055 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb709b440
#: 058 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb7099580
#: 086 Function Name: NtLoadKey
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb709b8b0
#: 100 Function Name: NtOpenFile
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb708fd70
#: 106 Function Name: NtOpenProcess
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb7099350
#: 111 Function Name: NtOpenThread
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb7099150
#: 169 Function Name: NtReplaceKey
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb709bcb0
#: 176 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb7092c00
#: 180 Function Name: NtRestoreKey
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb709c080
#: 184 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb7093220
#: 194 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb7090120
#: 215 Function Name: NtSetValueKey
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb709b140
#: 224 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb7047f20
Stealth Objects
-------------------
Object: Hidden Module [Name: System.Windows.Forms.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x05b90000 Size: 5017600
Object: Hidden Module [Name: Intuit.Spc.Esd.Client.DataAccess.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x04770000 Size: 135168
Object: Hidden Module [Name: System.Xml.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x04210000 Size: 2076672
Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.Config.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x03330000 Size: 86016
Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.Logging.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x03010000 Size: 53248
Object: Hidden Module [Name: Intuit.Spc.Esd.Client.Common.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x02ed0000 Size: 86016
Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateService.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x02a50000 Size: 36864
Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x02ca0000 Size: 28672
Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x02e80000 Size: 61440
Object: Hidden Module [Name: Intuit.Spc.Esd.Core.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x02f50000 Size: 233472
Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x02fe0000 Size: 36864
Object: Hidden Module [Name: Intuit.Spc.Foundations.Portability.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x030a0000 Size: 471040
Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.ExceptionHandling.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x032d0000 Size: 77824
Object: Hidden Module [Name: System.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x037a0000 Size: 3084288
Object: Hidden Module [Name: System.Configuration.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x03b40000 Size: 438272
Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Api.Net.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x04550000 Size: 413696
Object: Hidden Module [Name: Intuit.Spc.Esd.Client.BusinessLogic.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x04810000 Size: 143360
Object: Hidden Module [Name: System.Data.SQLite.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x04940000 Size: 778240
Object: Hidden Module [Name: System.Data.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x04ad0000 Size: 3059712
Object: Hidden Module [Name: System.Transactions.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x04e00000 Size: 270336
Object: Hidden Module [Name: Intuit.Spc.Map.Reporter.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x04ee0000 Size: 479232
Object: Hidden Module [Name: System.EnterpriseServices.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x05190000 Size: 266240
Object: Hidden Module [Name: System.EnterpriseServices.Wrapper.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x05270000 Size: 126976
Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x05940000 Size: 307200
Object: Hidden Module [Name: System.Drawing.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x06140000 Size: 643072
Object: Hidden Module [Name: Intuit.Spc.Map.WindowsFirewallUtilities.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x06300000 Size: 1077248
Object: Hidden Module [Name: System.ServiceProcess.dll]
Process: IntuitUpdateService.exe (PID: 792) Address: 0x06560000 Size: 126976
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_CREATE]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_CLOSE]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_READ]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_WRITE]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_QUERY_EA]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_SET_EA]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_SHUTDOWN]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_CLEANUP]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_SET_SECURITY]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_POWER]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_SET_QUOTA]
Process: System Address: 0x00000000 Size: -
Object: Hidden Code [Driver Object: 0x8203c5f0, IRP_MJ_PNP]
Process: System Address: 0x00000000 Size: -
I don't think we have any rootkit issue here, but when you can...
Download avz4.zip from here
- Unzip it to your desktop to a folder named avz4
- Double click on AVZ.exe to run it.
- Run an update by clicking the Auto Update button on the right of the Log window
- Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
- After the update, from the "File" menu, choose "Standard Scripts"
- Put a check next to item 2: Advanced System Investigation
- Click Execute selected scripts
- At the next prompt, click the OK button
- Let the scan run and click "OK" when the completion prompt pops up
- Now Close out of the Standard Scripts window, and exit AVZ
- Navigate to the avz4 folder and locate the folder LOG
- Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
- Attach the compressed file, virusinfo_syscheck.zip, to your next reply.
Going to bed, though, too :)
Avz4 Results:
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 2/21/2009 5:33:42 PM
Database loaded: signatures - 211074, NN profile(s) - 2, microprograms of healing - 56, signature database released 20.02.2009 23:52
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 97058
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.0.2195, Service Pack 4 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
>>>> Probable masking of executable file's name 792 intuitupdateservice.exe, real name - IntuitUpdateSer
>>>> Probable masking of executable file's name 1564 roxwatchtray.exe, real name - RoxWatchTray.ex
>>>> Probable masking of executable file's name 1636 googletoolbarnotifier.exe, real name - GoogleToolbarNo
>>>> Probable masking of executable file's name 1244 superantispyware.exe, real name - SUPERAntiSpywar
>>>> Probable masking of executable file's name 1676 webshotstray.exe, real name - WebshotsTray.ex
>>>> Probable masking of executable file's name 2088 cpshelprunner.exe, real name - CPSHelpRunner.e
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0808E0)
Kernel ntoskrnl.exe found in memory at address 80400000
SDT = 804808E0
KiST = 804721E8 (248)
Function NtConnectPort (1B) intercepted (804C5ADA->B7093040), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateFile (20) intercepted (804A7172->B708F930), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateKey (23) intercepted (80511E50->B709AA80), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreatePort (28) intercepted (804C65D6->B7093510), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateProcess (29) intercepted (804E2264->B7099870), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateSection (2B) intercepted (804CB114->B709CFD0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateWaitablePort (31) intercepted (804C65F4->B7093600), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtDeleteFile (34) intercepted (804A0E26->B708FF20), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtDeleteKey (35) intercepted (80512214->B709B6E0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtDeleteValueKey (37) intercepted (80512430->B709B440), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtDuplicateObject (3A) intercepted (804D61A8->B7099580), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtLoadKey (56) intercepted (80514256->B709B8B0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtOpenFile (64) intercepted (804A8416->B708FD70), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtOpenProcess (6A) intercepted (804DEB24->B7099350), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtOpenThread (6F) intercepted (804DEDE4->B7099150), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtReplaceKey (A9) intercepted (8051470A->B709BCB0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (B0) intercepted (804C4EF2->B7092C00), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtRestoreKey (B4) intercepted (80513BFC->B709C080), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtSecureConnectPort (B8) intercepted (804336C0->B7093220), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtSetInformationFile (C2) intercepted (804A93BA->B7090120), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtSetValueKey (D7) intercepted (80513F9A->B709B140), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtTerminateProcess (E0) intercepted (804E32CC->B7047F20), hook C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys, driver recognized as trusted
Functions checked: 248, intercepted: 22, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
\driver\tcpip[IRP_MJ_CREATE] = B70A4C20 -> C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CLOSE] = B70A4C20 -> C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_DEVICE_CONTROL] = B70A4C20 -> C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = B70A4C20 -> C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CLEANUP] = B70A4C20 -> C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Checking - complete
2. Scanning memory
Number of processes found: 41
Analyzer: process under analysis is 736 C:\WINNT\System32\drivers\CDAC11BA.EXE
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 792 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 860 C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 1268 C:\Program Files\Pwrchute\ups.exe
[ES]:Contains network functionality
[ES]:Capable of sending mail ?!
[ES]:Application has no visible windows
Analyzer: process under analysis is 1320 C:\WINNT\system32\YEDIScan.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1520 C:\WINNT\system32\desk95.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1564 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1572 C:\Program Files\IconLock\ICONLOCK.EXE
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1588 C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\VBPTASK.EXE
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1424 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 2088 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
[ES]:Application has no visible windows
Number of modules loaded: 377
Scanning memory - complete
3. Scanning disks
F:\Documents and Settings\User\Local Settings\Temp\SPR1910.EXE >>> suspicion for IRC-Worm.Win32.***ot.c ( 086DE4D0 042E7F72 0021DE6F 001E4DAD 91648)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINNT\system32\APITRAP.DLL --> Suspicion for Keylogger or Trojan DLL
C:\WINNT\system32\APITRAP.DLL>>> Behavioural analysis
Behaviour typical for keyloggers not detected
C:\WINNT\system32\Hook95.dll --> Suspicion for Keylogger or Trojan DLL
C:\WINNT\system32\Hook95.dll>>> Behavioural analysis
1. Reacts to events: keyboard, mouse, all events
C:\WINNT\system32\Hook95.dll>>> Neural net: file with probability 99.87% like a typical keyboard/mouse events interceptor
C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll>>> Behavioural analysis
1. Reacts to events: keyboard
C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll>>> Neural net: file with probability 99.92% like a typical keyboard/mouse events interceptor
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Latent loading of libraries through AppInit_DLLs suspected: "APITRAP.DLL"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Alerter (Alerter)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>>> Security: Internet Explorer allows ActiveX, not marked as safe
>>> Security: Internet Explorer allows unsigned ActiveX elements
>>> Security: Internet Explorer allows automatic queries of ActiveX administrative elements
>> Security: terminal connections to the PC are allowed
>> Security: sending Remote Assistant queries is enabled
>> Security: automatic logon is enabled
Checking - complete
9. Troubleshooting wizard
>> Internet Explorer - ActiveX, not marked as safe, are allowed
>> Internet Explorer -unsigned ActiveX elements are allowed
>> Internet Explorer - automatic queries of ActiveX operating elements are allowed
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 262399, extracted from archives: 213608, malicious software found 0, suspicions - 1
Scanning finished at 2/21/2009 6:03:37 PM
Time of scanning: 00:29:57
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress
System Analysis - complete
Avz4 zip file attached
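An added example (my own code, not RootRepeal's or AVZ's) that parses the SSDT sections of the two reports above, using a constructed excerpt of each, and checks that the two tools agree on slot index, target address and owning driver for every hook before grouping the hooks by driver. RootRepeal prints the slot in decimal and AVZ in hex, so the index comparison also confirms both formats were read correctly.

```python
"""Cross-check kernel SSDT hook reports from RootRepeal and AVZ.

Both tools walk the System Service Descriptor Table and list entries that no
longer point into ntoskrnl.exe. When two independent scanners agree on the
slot, the target address and the module that owns it, and that module is a
known security product, the hooks are far more likely to be benign than when
they disagree or the owner is unknown. Added example, not part of either tool.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt of a RootRepeal "SSDT" section (a "#:" line followed
# by its "Status:" line); the values are copied from the report above.
ROOTREPEAL_SAMPLE = r"""
ServiceTable Hooked [0x80480a20]!
#: 027 Function Name: NtConnectPort
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb7093040
#: 032 Function Name: NtCreateFile
Status: Hooked by "C:\WINNT\System32\vsdatant.sys" at address 0xb708f930
#: 224 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb7047f20
"""

# Constructed excerpt of AVZ section 1.2 (one line per intercepted function).
AVZ_SAMPLE = r"""
Function NtConnectPort (1B) intercepted (804C5ADA->B7093040), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateFile (20) intercepted (804A7172->B708F930), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtTerminateProcess (E0) intercepted (804E32CC->B7047F20), hook C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys, driver recognized as trusted
Functions checked: 248, intercepted: 3, restored: 0
"""

RR_FUNC = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\w+)")
RR_STATUS = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address 0x([0-9a-fA-F]+)')
AVZ_HOOK = re.compile(
    r"^Function (\w+) \(([0-9A-Fa-f]+)\) intercepted "
    r"\([0-9A-Fa-f]+->([0-9A-Fa-f]+)\), hook ([^,]+)(?:, (.*))?$"
)


@dataclass(frozen=True)
class Hook:
    function: str   # Nt* system service name
    index: int      # SSDT slot number, decimal
    address: int    # where the SSDT entry now points
    driver: str     # module owning that address, lower-cased path
    # AVZ's own verdict; not part of the equality check between tools
    trusted: bool = field(default=False, compare=False)


def parse_rootrepeal(text):
    """Map function name -> Hook from RootRepeal's two-line SSDT entries."""
    hooks, pending = {}, None
    for line in text.splitlines():
        m = RR_FUNC.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))   # slot printed in decimal
            continue
        m = RR_STATUS.match(line)
        if m and pending:
            index, func = pending
            hooks[func] = Hook(func, index, int(m.group(2), 16), m.group(1).lower())
            pending = None
    return hooks


def parse_avz(text):
    """Map function name -> Hook from AVZ's one-line 'intercepted' entries."""
    hooks = {}
    for line in text.splitlines():
        m = AVZ_HOOK.match(line)
        if m:
            func, idx_hex, target, driver, note = m.groups()
            hooks[func] = Hook(func, int(idx_hex, 16), int(target, 16), driver.lower(),
                               trusted=(note == "driver recognized as trusted"))
    return hooks


def cross_check(rr, avz):
    """Return (agreed, mismatched): hooks both tools report identically, and
    functions where the tools differ or only one of them reports a hook."""
    agreed, mismatched = [], []
    for func in sorted(set(rr) | set(avz)):
        a, b = rr.get(func), avz.get(func)
        if a is not None and a == b:      # same slot, address and driver
            agreed.append(a)
        else:
            mismatched.append((func, a, b))
    return agreed, mismatched


def hooks_by_driver(hooks):
    """Group hooked function names by the driver that owns the hook."""
    by = defaultdict(list)
    for h in hooks.values():
        by[h.driver].append(h.function)
    return {driver: sorted(funcs) for driver, funcs in by.items()}


if __name__ == "__main__":
    rr, avz = parse_rootrepeal(ROOTREPEAL_SAMPLE), parse_avz(AVZ_SAMPLE)
    agreed, mismatched = cross_check(rr, avz)
    print(f"{len(agreed)} hooks confirmed by both tools, {len(mismatched)} disagreements")
    for driver, funcs in hooks_by_driver(avz).items():
        print(f"  {driver}: {', '.join(funcs)}")
```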
First off, I didn't get any notification about your reply, so I'm sorry for being late.
1. What's the story about Norton, because I can see it being present, but I'm not sure if you use it or not.
2. Upload following files to http://www.virustotal.com/ for security check:
- c:\winnt\system32\yediscan.exe
- C:\WINNT\system32\Drivers\RITFSD.sys
3.
- Close all windows then double click on AVZ.exe
- Click File > Custom scripts
- Running script window will open
- Copy & paste the contents of the following codebox in the Running script window
Code:
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
BC_DeleteFile('F:\Documents and Settings\User\Local Settings\Temp\SPR1910.EXE');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
- Note: When you run the script, your PC will be restarted
- Click Run
- Restart your PC if it doesn't do it automatically, and post back with a new HijackThis log.
Broni,
Thanks for sticking with this one.
VirusTotal results for YEDIScan.exe:
Code:
File YEDIScan.exe received on 02.23.2009 00:07:41 (CET)
Current status: finished
Result: 0/39 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.22 -
AhnLab-V3 2009.2.21.0 2009.02.22 -
AntiVir 7.9.0.87 2009.02.22 -
Authentium 5.1.0.4 2009.02.22 -
Avast 4.8.1335.0 2009.02.22 -
AVG 8.0.0.237 2009.02.22 -
BitDefender 7.2 2009.02.23 -
CAT-QuickHeal 10.00 2009.02.22 -
ClamAV 0.94.1 2009.02.22 -
Comodo 984 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.22 -
eSafe 7.0.17.0 2009.02.19 -
eTrust-Vet 31.6.6368 2009.02.20 -
F-Prot 4.4.4.56 2009.02.22 -
F-Secure 8.0.14470.0 2009.02.22 -
Fortinet 3.117.0.0 2009.02.22 -
GData 19 2009.02.22 -
Ikarus T3.1.1.45.0 2009.02.22 -
K7AntiVirus 7.10.639 2009.02.21 -
Kaspersky 7.0.0.125 2009.02.23 -
McAfee 5533 2009.02.22 -
McAfee+Artemis 5533 2009.02.22 -
Microsoft 1.4306 2009.02.23 -
NOD32 3878 2009.02.22 -
Norman 6.00.06 2009.02.20 -
nProtect 2009.1.8.0 2009.02.22 -
Panda 10.0.0.10 2009.02.22 -
PCTools 4.4.2.0 2009.02.22 -
Prevx1 V2 2009.02.23 -
Rising 21.17.62.00 2009.02.22 -
SecureWeb-Gateway 6.7.6 2009.02.22 -
Sophos 4.39.0 2009.02.22 -
Sunbelt 3.2.1855.2 2009.02.17 -
Symantec 10 2009.02.22 -
TheHacker 6.3.2.4.263 2009.02.21 -
TrendMicro 8.700.0.1004 2009.02.20 -
VBA32 3.12.10.0 2009.02.22 -
ViRobot 2009.2.20.1617 2009.02.20 -
VirusBuster 4.5.11.0 2009.02.22 -
Additional information
File size: 106496 bytes
MD5...: 2c27d5518f8ae66ec6cea1ba4c2d0831
SHA1..: 564d6971c4155ff702c0056559afa54973e52373
SHA256: 09baa62278a33da8dd01088cffe070821781c06feaeedc0f42bf5310c0a67916
SHA512: 9ac4082ac1dbdf91bd5990782196db249be3f019c0af986c77efba94e4e2dc3fd570abd114b5afbd6cd633413d3f6d1508233df8225f3fd9491eca0c7514be85
ssdeep: 3072:fBdg7tWeAaLFzJpHZB5yaDWqMa/o1j9l:MWeAaLFrh367l
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x403001
timedatestamp.....: 0x3cc4b132 (Tue Apr 23 00:56:18 2002)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xfb46 0x10000 6.53 c1542d445bc766506f79c982d1d00491
.rdata 0x11000 0x3892 0x4000 4.49 4a1c94f0a61f43ffa1799150a520839e
.data 0x15000 0x705c 0x4000 2.12 5852eb176ef9c73dbae0cc5e69bfb04c
.rsrc 0x1d000 0x1c8 0x1000 0.76 9e8077420f3ccac323fd955bdbe3c645
( 6 imports )
> KERNEL32.dll: RtlUnwind, GetCommandLineA, ExitProcess, HeapAlloc, HeapFree, RaiseException, HeapSize, HeapReAlloc, TerminateProcess, GetACP, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, SetFilePointer, GetStringTypeW, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, SetStdHandle, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, lstrcpynA, SetLastError, MultiByteToWideChar, WideCharToMultiByte, lstrlenA, InterlockedDecrement, InterlockedIncrement, GetCurrentThreadId, OutputDebugStringA, GetModuleFileNameA, LocalAlloc, DeviceIoControl, GetLastError, LocalFree, CloseHandle, FlushFileBuffers, WriteFile, LCMapStringA, lstrcpyA, CreateFileA, GetCurrentProcess, Sleep, GetOEMCP, GlobalFlags, GetCPInfo, GetProcessVersion, lstrcmpA, LoadLibraryA, FreeLibrary, lstrcatA, GlobalAddAtomA, GlobalGetAtomNameA, lstrcmpiA, GetModuleHandleA, GlobalFindAtomA, GlobalDeleteAtom, GetProcAddress, TlsGetValue, GetVersion, GlobalAlloc, LocalReAlloc, TlsSetValue, GlobalReAlloc, GlobalLock, GlobalFree, GlobalHandle, GlobalUnlock, LCMapStringW, TlsAlloc, GetStringTypeA, GetStartupInfoA, GetDriveTypeA
> USER32.dll: PostMessageA, LoadIconA, SetWindowTextA, LoadCursorA, GetSysColorBrush, ReleaseDC, GetDC, GetClassNameA, PtInRect, ClientToScreen, PostQuitMessage, DestroyMenu, TabbedTextOutA, DrawTextA, GrayStringA, SetFocus, AdjustWindowRectEx, GetClientRect, CopyRect, MapWindowPoints, GetTopWindow, GetCapture, WinHelpA, GetSysColor, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetDlgItem, GetWindowTextA, GetDlgCtrlID, DefWindowProcA, DestroyWindow, CreateWindowExA, GetClassLongA, SetPropA, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetForegroundWindow, GetWindow, SetWindowLongA, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, GetSystemMetrics, GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetNextDlgTabItem, DispatchMessageA, GetClassInfoA, GetKeyState, CallNextHookEx, PeekMessageA, SetWindowsHookExA, UnhookWindowsHookEx, GetParent, GetLastActivePopup, IsWindowEnabled, GetWindowLongA, SendMessageA, MessageBoxA, EnableWindow, LoadStringA, RegisterWindowMessageA, SetWindowPos, SetForegroundWindow
> GDI32.dll: CreateBitmap, SetTextColor, SetBkColor, GetClipBox, GetDeviceCaps, DeleteObject, GetObjectA, SaveDC, DeleteDC, SelectObject, GetStockObject, RestoreDC, SetMapMode, OffsetViewportOrgEx, SetViewportExtEx, SetViewportOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, SetWindowExtEx, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape
> WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter
> ADVAPI32.dll: SetServiceStatus, RegisterServiceCtrlHandlerA, DeregisterEventSource, StartServiceCtrlDispatcherA, CloseServiceHandle, RegDeleteKeyA, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyA, OpenServiceA, OpenSCManagerA, RegSetValueExA, ReportEventA, CreateServiceA, DeleteService, RegisterEventSourceA
> COMCTL32.dll: -
( 0 exports )
No problem :)
VirusTotal results for RITFSD.sys:
Code:
File RITFSD.sys received on 02.23.2009 00:28:08 (CET)
Current status: finished
Result: 0/39 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.22 -
AhnLab-V3 2009.2.21.0 2009.02.22 -
AntiVir 7.9.0.87 2009.02.22 -
Authentium 5.1.0.4 2009.02.22 -
Avast 4.8.1335.0 2009.02.22 -
AVG 8.0.0.237 2009.02.22 -
BitDefender 7.2 2009.02.23 -
CAT-QuickHeal 10.00 2009.02.22 -
ClamAV 0.94.1 2009.02.22 -
Comodo 983 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.23 -
eSafe 7.0.17.0 2009.02.19 -
eTrust-Vet 31.6.6368 2009.02.20 -
F-Prot 4.4.4.56 2009.02.22 -
F-Secure 8.0.14470.0 2009.02.22 -
Fortinet 3.117.0.0 2009.02.22 -
GData 19 2009.02.23 -
Ikarus T3.1.1.45.0 2009.02.22 -
K7AntiVirus 7.10.639 2009.02.21 -
Kaspersky 7.0.0.125 2009.02.23 -
McAfee 5533 2009.02.22 -
McAfee+Artemis 5533 2009.02.22 -
Microsoft 1.4306 2009.02.23 -
NOD32 3878 2009.02.22 -
Norman 6.00.06 None.. -
nProtect 2009.1.8.0 2009.02.22 -
Panda 10.0.0.10 2009.02.22 -
PCTools 4.4.2.0 2009.02.22 -
Prevx1 V2 2009.02.23 -
Rising 21.17.62.00 009.02.22 -
SecureWeb-Gateway 6.7.6 2009.02.22 -
Sophos 4.39.0 2009.02.22 -
Sunbelt 3.2.1855.2 2009.02.17 -
Symantec 10 2009.02.22 -
TheHacker 6.3.2.4.263 2009.02.21 -
TrendMicro 8.700.0.1004 2009.02.20 -
VBA32 3.12.10.0 2009.02.22 -
ViRobot 2009.2.20.1617 2009.02.20 -
VirusBuster 4.5.11.0 2009.02.22 -
Additional information
File size: 59520 bytes
MD5...: 83f903d80705bf49e6186237babcbd99
SHA1..: 51fda8fa05122a5f7b588770a345b1dc8ba93584
SHA256: c4f8597caa6eb09d8351c18439435185e0c4bf5acb5c990053a038a6b1dd20b6
SHA512: 94cf8f746755a8f4afbd15a2e119014978e9d9e887ff05b916ae318aec58a216664172e4ef2856ac52dd0e4890541108e8190283ae8d33e1d829e93257f39dc5
ssdeep: 768:458xMlm3dQrgY5Rh8IAbzuKXlCqFs1vZZb1ksV7Dd93Ok+23FuI8l5N8:458b3CEML80GEbksV7DS2h8R
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1dd60
timedatestamp.....: 0x4488265b (Thu Jun 08 13:30:03 2006)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0xd274 0xd280 5.99 4019a83011a7e5dc70e090e8bc5727f6
.rdata 0xd580 0x128 0x180 3.64 97f052774e4a5933170ac6cc991ae6d9
.data 0xd700 0x510 0x580 0.00 f956229cbef6d6101a10f91b4daa25c6
INIT 0xdc80 0x578 0x580 5.68 f90c98049ea6fc68c7b478c6015738e7
.reloc 0xe200 0x630 0x680 5.97 2baf0188a757c465fc25cf20f404d030
( 2 imports )
> ntoskrnl.exe: RtlInitUnicodeString, DbgPrint, IofCompleteRequest, IoCreateSymbolicLink, IoCreateDevice, ExAllocatePoolWithTag, ExFreePoolWithTag, RtlUnicodeStringToInteger, _wcsupr, _wcsicmp, wcscpy, wcslen, swprintf, wcsstr, ExInitializeResourceLite, ExAcquireResourceExclusiveLite, ExReleaseResourceLite, IoDeleteSymbolicLink, ZwClose, ZwQueryValueKey, ZwOpenKey, RtlAssert, ZwCreateFile, ZwReadFile, ZwWriteFile, ZwSetInformationFile, ZwQueryInformationFile, ZwQueryVolumeInformationFile, sprintf, _allmul, wcscat, ZwQueryDirectoryFile, wcsrchr, _aulldiv, wcsncat, wcsncmp, ZwSetValueKey, IoDeleteDevice
> HAL.dll: KeGetCurrentIrql
( 0 exports )
HijackThis cannot complete in Normal mode now. An error message box pops up that says "This action cannot be completed because the other application is busy. Choose 'Switch To' to activate the busy application and correct the problem." However, neither the Retry button nor the "Switch To" button produces any different result; the error message just returns. I am going to try the Norton Removal Tool in Safe Mode to see what happens, unless you have other suggestions. Thanks.
Please, do, and also complete step 3 from my previous reply.
Thanks, Broni. I did complete step 3 above. I haven't checked to see if there was a log file created.