Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Removing a rootkit virus

Options
  • 28-02-2010 12:17am
    #1
    freethepenguins
    Registered Users Posts: 87 ✭✭


    Hey,

    I've had a few problems with my laptop lately and I installed the Avira security, it found a rootkit virus and it was unable to remove. I get the message that the file is critical to the O.S.. I have found where the file is and I still cann't remove it. Any one have any ideas?

    This is the name of the file TR/Rootkit.Gen Trojan.
    Tagged:


Comments

  • Options
    #2
    freethepenguins
    Registered Users Posts: 87 ✭✭freethepenguins


    here is the file path also

    C:\WINDOWS\system32\drivers\hustirve.sys


  • Options
    #3
    IrishTonyO
    Registered Users Posts: 2,321 ✭✭✭IrishTonyO


    There are a good few free programmes on internet that will remove them here is one

    http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html


  • Options
    #4
    old_aussie
    Registered Users Posts: 3,410 ✭✭✭old_aussie


    What antivirus program were you using when laptop got virus?


  • Options
    #5
    Alanstrainor
    Registered Users Posts: 23,157 ✭✭✭✭Alanstrainor


    Moved from laptops.


  • Options
    #6
    ASJ112
    Site Banned Posts: 1,167 ✭✭✭ASJ112


    hi

    Download ComboFix here :

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    RcAuto1.gif


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix\ComboFix.txt log in your next reply.


  • Advertisement
  • Options
    #7
    n0brain3r
    Registered Users Posts: 919 ✭✭✭n0brain3r


    ASJ112 wrote: »
    hi

    Download ComboFix here :

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    RcAuto1.gif


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix\ComboFix.txt log in your next reply.

    Thats some good advice the only thing I'd add is to skip the recovery console installation it will run fine with out and if you really need it you can boot from your OS recovery cd and get the recovery console. I must of used combofix to repair over a hundred machines and the only time it ever let me down was when I installed the Recovery Console - Not combofix's fault as the install is MS's but the laptop wouldn't boot until I repaired the boot.ini so I skip the RC install now and never had an issue.


  • Options
    #8
    ASJ112
    Site Banned Posts: 1,167 ✭✭✭ASJ112


    Please install the recovery console, its rather important


  • Options
    #9
    freethepenguins
    Registered Users Posts: 87 ✭✭freethepenguins


    still cann't remove it, it appears to be reading the virus as part of the OS for some reason. I'm using avira anti-virus.


  • Options
    #10
    ASJ112
    Site Banned Posts: 1,167 ✭✭✭ASJ112


    can you not run combofix at all ?


  • Options
    #11
    freethepenguins
    Registered Users Posts: 87 ✭✭freethepenguins


    ASJ112 wrote: »
    can you not run combofix at all ?


    hey ya I can run combofix and in the log if says the following

    *Deregistered* - hustirve

    but avira still finds the rootkit and when I try to just delete the file myself I get the following message

    Cannot delete hustrive: Cannot read from the source file or disk.


  • Advertisement
  • Options
    #12
    ASJ112
    Site Banned Posts: 1,167 ✭✭✭ASJ112


    you need to post the combofix log


  • Options
    #13
    freethepenguins
    Registered Users Posts: 87 ✭✭freethepenguins


    By log do u mean the report at the end, when the tool had completed running


  • Options
    #14
    ASJ112
    Site Banned Posts: 1,167 ✭✭✭ASJ112


    yup


  • Options
    #15
    Kepti
    Closed Accounts Posts: 426 ✭✭Kepti


    You should back up your data and then reformat the drive and reinstall your OS. It's the recommended solution for dealing with rootkits if you want to be certain it's removed.

    http://en.wikipedia.org/wiki/Rootkit#Removal


  • Options
    #16
    Andysavanah
    Closed Accounts Posts: 13 Andysavanah


    hi i was checking my email this morning and somehow this virus conned me and now i keep getting warnings coming up saying system hijack and steath intrusion etc, what should i do? i had the mc fee virus this but just uninstalled and now trying norton instead. i have new acer laptop with windows 7. :(


  • Options
    #17
    freethepenguins
    Registered Users Posts: 87 ✭✭freethepenguins


    ASJ112 wrote: »
    yup
    heres the log

    ComboFix 10-03-02.02 - Danny 1 03/03/2010 0:22.1.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.300 [GMT 0:00]
    Running from: c:\documents and settings\Danny 1\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\sysReserve.ini
    c:\documents and settings\Danny 1\Application Data\avdrn.dat
    c:\program files\Helper
    c:\windows\system32\18467.exe
    c:\windows\system32\26500.exe
    c:\windows\system32\41.exe
    c:\windows\system32\6334.exe
    c:\windows\system32\imvalid.ico
    c:\windows\system32\imvalid.ico.bak0
    c:\windows\system32\sp2.exe
    c:\windows\system32\Sp3.exe
    c:\windows\system32\STDOLE.DLL
    c:\windows\system32\u2g.f
    c:\windows\system32\VB40016.DLL
    c:\windows\system32\WNDTOOLS.DLL

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
    .

    2010-03-02 23:53 . 2010-03-02 23:53
    d
    w- c:\program files\Common Files\Apple
    2010-03-02 23:52 . 2010-03-02 23:52
    d
    w- c:\program files\QuickTime

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-28 00:07 . 2006-09-22 18:11 12 ----a-w- c:\windows\bthservsdp.dat
    2010-02-04 01:51 . 2010-02-04 01:51 16 ----a-w- c:\documents and settings\NetworkService\Application Data\anvkgp.dat
    2010-01-20 12:13 . 2010-01-21 19:23 52224 ----a-w- c:\documents and settings\Danny 1\Application Data\Mozilla\Firefox\Profiles\jh14i3jt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-01-20 12:13 . 2010-01-21 19:23 101376 ----a-w- c:\documents and settings\Danny 1\Application Data\Mozilla\Firefox\Profiles\jh14i3jt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-01-11 21:04 . 2010-01-11 21:04
    d
    w- c:\documents and settings\Danny 1\Application Data\ArcSoft
    2010-01-05 10:00 . 2006-01-09 11:02 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2004-08-10 20:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 10:00 . 2004-08-10 20:00 17408
    w- c:\windows\system32\corpol.dll
    2009-12-31 16:50 . 2004-08-10 20:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-16 18:43 . 2004-08-10 20:00 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08 . 2004-08-10 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 22:27 . 2009-05-07 23:57 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-12-08 19:27 . 2005-09-28 17:04 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43 . 2005-09-28 16:35 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2009-12-04 18:22 . 2004-08-10 20:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2006-12-21 21:50 . 2006-12-21 21:50 251 ----a-w- c:\program files\wt3d.ini
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-15 766041]
    "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-08-16 53248]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "RTHDCPL"="RTHDCPL.EXE" [2006-08-16 16248320]
    "SkyTel"="SkyTel.EXE" [2006-08-16 2879488]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
    "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-09-07 479232]
    "Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
    "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-30 442368]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
    "Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-07-28 208896]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-07-31 346112]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-8-3 45056]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Danny 1^Start Menu^Programs^Startup^wwwpos32.exe]
    path=c:\documents and settings\Danny 1\Start Menu\Programs\Startup\wwwpos32.exe
    backup=c:\windows\pss\wwwpos32.exeStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
    2006-10-17 02:20 398944 ----a-w- c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-02-15 18:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-10-11 04:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [07/05/2009 23:57 108289]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [20/03/2009 01:27 54752]
    S2 Ca533av;Polaroid Digital Cam Video;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - hustirve
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    Supplementary Scan
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    Trusted Zone: buy-internetsecurity10.com
    Trusted Zone: buy-is2010.com
    Trusted Zone: is-software-download.com
    Trusted Zone: is-software-download25.com
    Trusted Zone: is10-soft-download.com
    Trusted Zone: buy-internetsecurity10.com
    Trusted Zone: buy-is2010.com
    FF - ProfilePath - c:\documents and settings\Danny 1\Application Data\Mozilla\Firefox\Profiles\jh14i3jt.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://ie.msn.com
    FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?mkt=en-IE&FORM=MIC6E5&q=
    FF - component: c:\documents and settings\Danny 1\Application Data\Mozilla\Firefox\Profiles\jh14i3jt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\Danny 1\Application Data\Mozilla\Firefox\Profiles\jh14i3jt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - plugin: c:\documents and settings\Danny 1\Application Data\VideoEgg\Loader\4665\npvideoegg-loader.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-PcSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
    HKLM-Run-eLockMonitor - c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe
    SharedTaskScheduler-{f0d4f88e-e1f8-460f-a41c-6cfb7f73af79} - c:\windows\system32\xskmoqx.dll
    MSConfigStartUp-Internet Security 2010 - c:\program files\InternetSecurity2010\IS2010.exe
    AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-03 00:27
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hustirve]

    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(644)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-03-03 00:28:53
    ComboFix-quarantined-files.txt 2010-03-03 00:28

    Pre-Run: 15,165,259,776 bytes free
    Post-Run: 15,309,340,672 bytes free

    - - End Of File - - 8833AF7659B5C2F4BD9EA56E3D1136D7


  • Options
    #18
    ASJ112
    Site Banned Posts: 1,167 ✭✭✭ASJ112


    hi

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    Trusted Zone: buy-internetsecurity10.com
    Trusted Zone: buy-is2010.com
    Trusted Zone: is-software-download.com
    Trusted Zone: is-software-download25.com
    Trusted Zone: is10-soft-download.com
    Trusted Zone: buy-internetsecurity10.com
    Trusted Zone: buy-is2010.com

    Driver::
    hustirve
    File::
    c:\documents and settings\Danny 1\Start Menu\Programs\Startup\wwwpos32.exe
    c:\windows\pss\wwwpos32.exeStartup

    Registry::
    [-HKLM\~\startupfolder\C:^Documents and Settings^Danny 1^Start Menu^Programs^Startup^wwwpos32.exe]


    Save this as CFScript.txt, in the same location as ComboFix.exe


    CFScriptB-4.gif

    Refering to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


  • Options
    #19
    freethepenguins
    Registered Users Posts: 87 ✭✭freethepenguins


    Heres the log


    ComboFix 10-03-07.02 - Danny 1 07/03/2010 23:38:40.3.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.421 [GMT 0:00]
    Running from: c:\documents and settings\Danny 1\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Danny 1\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    FILE ::
    "c:\documents and settings\Danny 1\Start Menu\Programs\Startup\wwwpos32.exe"
    "c:\windows\pss\wwwpos32.exeStartup"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \Legacy_HUSTIRVE
    \Service_hustirve


    ((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
    .

    2010-03-02 23:53 . 2010-03-02 23:53
    d
    w- c:\program files\Common Files\Apple
    2010-03-02 23:52 . 2010-03-02 23:52
    d
    w- c:\program files\QuickTime

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-07 23:47 . 2010-02-04 01:51 792064 ----a-w- c:\windows\system32\drivers\hustirve.sys
    2010-03-07 23:47 . 2006-09-22 18:11 12 ----a-w- c:\windows\bthservsdp.dat
    2010-02-04 01:51 . 2010-02-04 01:51 16 ----a-w- c:\documents and settings\NetworkService\Application Data\anvkgp.dat
    2010-01-20 12:13 . 2010-01-21 19:23 52224 ----a-w- c:\documents and settings\Danny 1\Application Data\Mozilla\Firefox\Profiles\jh14i3jt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-01-20 12:13 . 2010-01-21 19:23 101376 ----a-w- c:\documents and settings\Danny 1\Application Data\Mozilla\Firefox\Profiles\jh14i3jt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-01-11 21:04 . 2010-01-11 21:04
    d
    w- c:\documents and settings\Danny 1\Application Data\ArcSoft
    2010-01-05 10:00 . 2006-01-09 11:02 832512
    w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2004-08-10 20:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 10:00 . 2004-08-10 20:00 17408
    w- c:\windows\system32\corpol.dll
    2009-12-31 16:50 . 2004-08-10 20:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-16 18:43 . 2004-08-10 20:00 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08 . 2004-08-10 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 22:27 . 2009-05-07 23:57 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-12-08 19:27 . 2005-09-28 17:04 2189184
    w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43 . 2005-09-28 16:35 2066048
    w- c:\windows\system32\ntkrnlpa.exe
    2006-12-21 21:50 . 2006-12-21 21:50 251 ----a-w- c:\program files\wt3d.ini
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-15 766041]
    "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-08-16 53248]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "RTHDCPL"="RTHDCPL.EXE" [2006-08-16 16248320]
    "SkyTel"="SkyTel.EXE" [2006-08-16 2879488]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
    "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-09-07 479232]
    "Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
    "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-30 442368]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
    "Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-07-28 208896]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-07-31 346112]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-8-3 45056]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
    2006-10-17 02:20 398944 ----a-w- c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-02-15 18:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-10-11 04:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [07/05/2009 23:57 108289]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [20/03/2009 01:27 54752]
    S2 Ca533av;Polaroid Digital Cam Video;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    Supplementary Scan
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    FF - ProfilePath - c:\documents and settings\Danny 1\Application Data\Mozilla\Firefox\Profiles\jh14i3jt.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://ie.msn.com
    FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?mkt=en-IE&FORM=MIC6E5&q=
    FF - component: c:\documents and settings\Danny 1\Application Data\Mozilla\Firefox\Profiles\jh14i3jt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\Danny 1\Application Data\Mozilla\Firefox\Profiles\jh14i3jt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - plugin: c:\documents and settings\Danny 1\Application Data\VideoEgg\Loader\4665\npvideoegg-loader.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-07 23:51
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(632)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(3336)
    c:\windows\system32\WININET.dll
    c:\windows\system32\MSNCHATHOOK.DLL
    c:\windows\system32\sysenv.dll
    c:\windows\system32\CryptoAPI.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\acer\Empowering Technology\ePerformance\MemCheck.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\rundll32.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
    c:\windows\system32\wbem\wmiapsrv.exe
    c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\docume~1\DANNY1~1\LOCALS~1\Temp\RtkBtMnt.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\ATI Technologies\ATI.ACE\cli.exe
    c:\program files\ATI Technologies\ATI.ACE\cli.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-07 23:53:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-07 23:53
    ComboFix2.txt 2010-03-06 02:33
    ComboFix3.txt 2010-03-03 00:28

    Pre-Run: 15,009,120,256 bytes free
    Post-Run: 15,057,518,592 bytes free

    - - End Of File - - 3037C04F516B1A5B165DB14242AE914E


  • Options
    #20
    ASJ112
    Site Banned Posts: 1,167 ✭✭✭ASJ112


    looking good

    Please download OTM
    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      :Processes

:Services

:Reg

:Files
c:\windows\system32\drivers\hustirve.sys

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean





    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






    Go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
      [*]Click on My Computer under Scan.
      [*]Once the scan is complete, it will display the results. Click on View Scan Report.
      [*]You will see a list of infected items there. Click on Save Report As....
      [*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


    5. Options
      #21
      freethepenguins
      Registered Users Posts: 87 ✭✭freethepenguins


      Hey I ran avira last nite and it was able to remove the rootkit, cheers bud u have been a great help


    6. Advertisement
    Advertisement