Sysinternals Forum Home > Windows Discussions > Malware

Trojan.Pandex!inf and Winlogon.exe

Posted by chimpmagnet (Newbie; joined 25 February 2007; 8 posts) on 26 February 2007 at 3:29pm

Hi again. I have run HJT and Rootkit unhooker. As always your help is appreciated ... I wouldn't know if I had any other malware!  Please note I'm in London so if I don't reply later it'll be cuz I'm asleep

Here are the logs:-

HJT

Logfile of HijackThis v1.99.1
Scan saved at 21:10:38, on 26/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Hijack This\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - (no file)
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ADVFN -
O16 - DPF: ADVFN 4v4 -
O16 - DPF: ADVFN US -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

 

Rootkit Unhooker

>SSDT State
NtClose
Actual Address 0xAE5F9CB0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtCreateKey
Actual Address 0xAE5ED540
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtCreateProcess
Actual Address 0xAE5F99C0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtCreateProcessEx
Actual Address 0xAE5F9B40
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtCreateSection
Actual Address 0xAE5FA5B0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtCreateSymbolicLinkObject
Actual Address 0xAE5FA230
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtCreateThread
Actual Address 0xAE5FAF10
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtDeleteKey
Actual Address 0xAE5ED660
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtDeleteValueKey
Actual Address 0xAE5ED6E0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtDuplicateObject
Actual Address 0xAE5F9E00
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtEnumerateKey
Actual Address 0xAE5ED770
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtEnumerateValueKey
Actual Address 0xAE5ED820
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtFlushKey
Actual Address 0xAE5ED8D0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtInitializeRegistry
Actual Address 0xAE5ED950
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtLoadKey
Actual Address 0xAE5EE1F0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtLoadKey2
Actual Address 0xAE5ED970
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtNotifyChangeKey
Actual Address 0xAE5EDA70
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtOpenFile
Actual Address 0xF7415FF0
Hooked by: kl1.sys

NtOpenKey
Actual Address 0xAE5EDB50
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtOpenProcess
Actual Address 0xAE5F97B0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtOpenSection
Actual Address 0xAE5FA400
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtQueryKey
Actual Address 0xAE5EDC50
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtQueryMultipleValueKey
Actual Address 0xAE5EDD00
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtQuerySystemInformation
Actual Address 0xAE5FABC0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtQueryValueKey
Actual Address 0xAE5EDDB0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtReplaceKey
Actual Address 0xAE5EDE60
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtRestoreKey
Actual Address 0xAE5EDEF0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtResumeThread
Actual Address 0xAE5FAEC0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtSaveKey
Actual Address 0xAE5EDF80
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtSetContextThread
Actual Address 0xAE5FB230
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtSetInformationFile
Actual Address 0xAE5FBAE0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtSetInformationKey
Actual Address 0xAE5EE010
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtSetInformationProcess
Actual Address 0xAE5FF2A0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtSetSecurityObject
Actual Address 0xAE5F7A30
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtSetValueKey
Actual Address 0xAE5EE0B0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtSuspendThread
Actual Address 0xAE5FAE70
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtTerminateProcess
Actual Address 0xAE5FAA10
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtUnloadKey
Actual Address 0xAE5EE1B0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtWriteVirtualMemory
Actual Address 0xAE5F9CD0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F6D80
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F6D90
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F6DA0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F6DC0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F6DE0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F6E10
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F6E20
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F6E40
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F6E50
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F6F10
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F6FE0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F7020
Hooked by: C:\WINDOWS\system32\drivers\klif.sys


Actual Address 0xAE5F7060
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

>Processes
>Drivers
>Files
Suspect File: C:\DivX::$DATA Status: Hidden
Suspect File: C:\Documents and Settings::$DATA Status: Hidden
Suspect File: C:\drivers::$DATA Status: Hidden
Suspect File: C:\Hijack This::$DATA Status: Hidden
Suspect File: C:\I386::$DATA Status: Hidden
Suspect File: C:\kav::$DATA Status: Hidden
Suspect File: C:\lspfix::$DATA Status: Hidden
Suspect File: C:\MSOCache::$DATA Status: Hidden
Suspect File: C:\photos::$DATA Status: Hidden
Suspect File: C:\Program Files::$DATA Status: Hidden
Suspect File: C:\Recycled::$DATA Status: Hidden
Suspect File: C:\RECYCLER::$DATA Status: Hidden
Suspect File: C:\RkUnhooker::$DATA Status: Hidden
Suspect File: C:\System Volume Information::$DATA Status: Hidden
Suspect File: C:\tmp::$DATA Status: Hidden
Suspect File: C:\UnrealTournament::$DATA Status: Hidden
Suspect File: C:\WINDOWS::$DATA Status: Hidden
Suspect File: C:\WUTemp::$DATA Status: Hidden
>Hooks
fastfat.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification at address 0xADDF687C hook handler located in [unknown_code_page]
ntoskrnl.exe-->FsRtlCheckLockForReadAccess, Type: Inline - RelativeJump at address 0x804FBE09 hook handler located in [klif.sys]
ntoskrnl.exe-->IoIsOperationSynchronous, Type: Inline - RelativeJump at address 0x804E8752 hook handler located in [klif.sys]
ntoskrnl.exe-->SwapContext, Type: Inline - RelativeJump at address 0x804DB92E hook handler located in [klif.sys]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xAE7DAF28 hook handler located in [unknown_code_page]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xAE7DAF54 hook handler located in [unknown_code_page]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xAE7DAF60 hook handler located in [unknown_code_page]
tcpip.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification at address 0xAE7DAF88 hook handler located in [unknown_code_page]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xBAF5DB4C hook handler located in [unknown_code_page]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xBAF5DB1C hook handler located in [unknown_code_page]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xBAF5DB3C hook handler located in [unknown_code_page]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xBAF5DB28 hook handler located in [unknown_code_page]
wanarp.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification at address 0xBAF5DC08 hook handler located in [unknown_code_page]
[108]dmadmin.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0100108C hook handler located in [kernel32.dll]
[108]dmadmin.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010E0 hook handler located in [kernel32.dll]
[108]dmadmin.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x010010AC hook handler located in [kernel32.dll]
[1116]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00401030 hook handler located in [kernel32.dll]
[1116]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401034 hook handler located in [kernel32.dll]
[1120]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[1120]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[1120]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
[1224]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[1224]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[1224]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
[1324]LEXBCES.EXE-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0043B0B4 hook handler located in [kernel32.dll]
[1324]LEXBCES.EXE-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0043B0C8 hook handler located in [kernel32.dll]
[1348]spoolsv.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x010010EC hook handler located in [kernel32.dll]
[1348]spoolsv.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010BC hook handler located in [kernel32.dll]
[1352]LEXPPS.EXE-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0041E148 hook handler located in [kernel32.dll]
[1352]LEXPPS.EXE-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0041E144 hook handler located in [kernel32.dll]
[1384]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00401030 hook handler located in [kernel32.dll]
[1384]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401034 hook handler located in [kernel32.dll]
[1516]CapabilityManager.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0043207C hook handler located in [kernel32.dll]
[1536]netdde.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001130 hook handler located in [kernel32.dll]
[1536]netdde.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x01001138 hook handler located in [kernel32.dll]
[1620]CTSVCCDA.EXE-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00408124 hook handler located in [kernel32.dll]
[1620]CTSVCCDA.EXE-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00408140 hook handler located in [kernel32.dll]
[1640]SAgent2.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00412084 hook handler located in [kernel32.dll]
[1640]SAgent2.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00412070 hook handler located in [kernel32.dll]
[168]TeaTimer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x005131E4 hook handler located in [kernel32.dll]
[168]TeaTimer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0051338C hook handler located in [kernel32.dll]
[168]TeaTimer.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00513338 hook handler located in [kernel32.dll]
[168]TeaTimer.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x005131D8 hook handler located in [kernel32.dll]
[1844]tcpsvcs.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001030 hook handler located in [kernel32.dll]
[1844]tcpsvcs.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x01001094 hook handler located in [kernel32.dll]
[1844]tcpsvcs.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x01001034 hook handler located in [kernel32.dll]
[184]SUPERAntiSpyware.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0048B080 hook handler located in [kernel32.dll]
[184]SUPERAntiSpyware.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0048B084 hook handler located in [kernel32.dll]
[1856]snmp.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0100109C hook handler located in [kernel32.dll]
[1856]snmp.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[1896]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[1896]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[1896]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
[2032]Mediadet.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00420160 hook handler located in [kernel32.dll]
[2032]Mediadet.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0042015C hook handler located in [kernel32.dll]
[2032]Mediadet.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x00420174 hook handler located in [kernel32.dll]
[2264]msnmsgr.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004012C0 hook handler located in [kernel32.dll]
[236]epmworker.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0045C058 hook handler located in [kernel32.dll]
[236]epmworker.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0045C05C hook handler located in [kernel32.dll]
[236]epmworker.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0045C0F0 hook handler located in [kernel32.dll]
[2896]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[2896]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[2896]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
[3224]Generic.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0044C098 hook handler located in [kernel32.dll]
[3804]ati2evxx.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00443224 hook handler located in [kernel32.dll]
[3804]ati2evxx.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0044318C hook handler located in [kernel32.dll]
[3972]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [kernel32.dll]
[3972]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010011D4 hook handler located in [kernel32.dll]
[3972]explorer.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0100112C hook handler located in [kernel32.dll]
[3972]explorer.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100117C hook handler located in [kernel32.dll]
[3972]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x01001254 hook handler located in [kernel32.dll]
[3980]CTNotify.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x004221E0 hook handler located in [kernel32.dll]
[3980]CTNotify.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004221DC hook handler located in [kernel32.dll]
[4072]Application Launcher.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0041B0A4 hook handler located in [kernel32.dll]
[4072]Application Launcher.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x0041B0F0 hook handler located in [kernel32.dll]
[468]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[468]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[468]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
[644]winlogon.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001234 hook handler located in [kernel32.dll]
[644]winlogon.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010013DC hook handler located in [kernel32.dll]
[644]winlogon.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x01001408 hook handler located in [kernel32.dll]
[644]winlogon.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x01001384 hook handler located in [kernel32.dll]
[644]winlogon.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x01001238 hook handler located in [kernel32.dll]
[688]services.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x010011A0 hook handler located in [kernel32.dll]
[688]services.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0100113C hook handler located in [kernel32.dll]
[688]services.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x010011F8 hook handler located in [kernel32.dll]
[864]ati2evxx.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00443224 hook handler located in [kernel32.dll]
[864]ati2evxx.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0044318C hook handler located in [kernel32.dll]
[888]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[888]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[888]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
[988]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[988]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[988]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
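The two logs above are what a helper reads first. As an added example (not code from the thread, from HijackThis or from Rootkit Unhooker), the Python below parses both formats, using lines from the pasted logs as constructed sample input, and pulls out what a helper checks: the Winlogon Notify DLLs, BHOs registered for a missing file, and any SSDT hook owned by a module other than the Kaspersky drivers, which this example assumes are the only expected hookers.

```python
"""Added triage helper for the two diagnostic logs posted above; it is not code
from the thread, from HijackThis or from Rootkit Unhooker. It reads the HJT line
formats seen in the log (O2 BHO, O20 Winlogon Notify) and the Rootkit Unhooker
">SSDT State" blocks, and reports the DLLs winlogon.exe loads at logon, BHOs
registered for a missing file, and the kernel module owning each SSDT hook.
Treating Kaspersky's klif.sys / kl1.sys as expected hookers is an assumption.
"""
import re
from collections import defaultdict

EXPECTED_HOOKERS = {"klif.sys", "kl1.sys"}  # assumption: the AV seen in the log
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")

def parse_hjt(text):
    """Return (section, body) pairs for every 'Oxx - ...' HijackThis line."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def winlogon_notify(entries):
    """O20 entries: DLLs registered under Winlogon\\Notify. They load inside
    winlogon.exe at logon, which is why the infection survived Safe Mode."""
    found = []
    for section, body in entries:
        if section == "O20" and body.startswith("Winlogon Notify:"):
            name, _, path = body[len("Winlogon Notify:"):].partition(" - ")
            found.append((name.strip(), path.strip()))
    return found

def bhos_missing_file(entries):
    """O2 BHO entries whose DLL no longer exists: orphaned registrations."""
    return [body for section, body in entries
            if section == "O2" and body.endswith("(no file)")]

def parse_ssdt(text):
    """Map each hooking module (basename, lower case) to the syscalls it hooks in
    the '>SSDT State' part of a report. Blocks whose syscall name is missing (as
    in the pasted log) are kept as '<unnamed>' so hook counts still match."""
    hooks, in_ssdt, current = defaultdict(list), False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">"):            # section header such as >Processes
            in_ssdt = (line == ">SSDT State")
            continue
        if not in_ssdt or not line:
            continue
        if line.startswith("Hooked by:"):
            path = line[len("Hooked by:"):].strip().replace("\\", "/")
            hooks[path.rsplit("/", 1)[-1].lower()].append(current or "<unnamed>")
            current = None
        elif not line.startswith("Actual Address"):
            current = line                  # the syscall name line
    return dict(hooks)

def unexpected_hookers(hooks):
    return sorted(m for m in hooks if m not in EXPECTED_HOOKERS)

def triage(hjt_text, rku_text):
    """Everything a first-pass reviewer wants, as one dict."""
    entries, hooks = parse_hjt(hjt_text), parse_ssdt(rku_text)
    return {"winlogon_notify": winlogon_notify(entries),
            "bho_no_file": bhos_missing_file(entries),
            "ssdt_hooks": hooks,
            "unexpected_hookers": unexpected_hookers(hooks)}

# Constructed sample: lines copied from the HijackThis log above.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
"""
# Constructed sample in Rootkit Unhooker's format: three blocks from the log
# above (one with its syscall name missing, as pasted) plus a block with a
# made-up driver name and address to show how an unexpected hooker is flagged.
RKU_SAMPLE = r"""
>SSDT State
NtCreateProcess
Actual Address 0xAE5F99C0
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtOpenFile
Actual Address 0xF7415FF0
Hooked by: kl1.sys


Actual Address 0xAE5F6D80
Hooked by: C:\WINDOWS\system32\drivers\klif.sys

NtQuerySystemInformation
Actual Address 0x00000000
Hooked by: C:\WINDOWS\system32\drivers\EXAMPLE_unknown.sys

>Processes
"""

if __name__ == "__main__":
    for key, value in triage(HJT_SAMPLE, RKU_SAMPLE).items():
        print(f"{key}: {value}")
```

On the pasted log every SSDT hook belongs to klif.sys or kl1.sys, so the flagging step is what separates the Kaspersky driver's hooks from anything that would actually warrant the "possible rootkit activity" banner.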

 

 

 

Posted by fcukdat (Senior Member; United Kingdom; joined 02 September 2006; 374 posts) on 26 February 2007 at 1:08pm

If possible I would like you to run a couple of diagnostic tools just to confirm that Elvis has been kicked out of the building.

Can you please download the 2 following tools; please use them only as directed, since they will both relay information about legitimate objects, and do not panic about the amount of data generated >>>

HiJackThis  http://majorgeeks.com/download.php?det=3155

Extract (unzip) it to its own folder and rename it to qwerty.exe.

If you can, copy & paste the log generated after hitting the scan button.

RootKit Unhooker  http://rku.xell.ru/?l=e&a=dl

Use scan (far right tab only) with all boxes checked and save the report generated to copy & paste into your reply.

Do not action anything other than diagnostic scans at this moment.

 

 

___________
Ade Gill
Malwarebytes Researcher

Posted by chimpmagnet (Newbie; joined 25 February 2007; 8 posts) on 26 February 2007 at 5:10am

Guys, I think everything is OK now. Thanks a lot for your help. This seems to be quite a new trojan as there was very little help out there and my Symantec AV couldn't sort it out either. I'll be dumping my Symantec now for sure!!!

By the way, do you think the command below would have picked up the problem with winlogon.exe and fixed it?

sfc /scannow

Posted by Xiotek (Newbie; United States; joined 26 February 2007; 1 post) on 26 February 2007 at 2:34am
Nice !
Posted by fcukdat (Senior Member; United Kingdom; joined 02 September 2006; 374 posts) on 25 February 2007 at 3:11pm

How I use IceSword is by clicking the file tab and opening up the folder explorer tree.

If, when you arranged the system32 folder by date modified, there are any suspect DLLs such as Xsfer, wsys and usbpda at the bottom:

Find them using the IceSword file tree; it will list files in order (abc).

Go to the malware file entry and use the right click/force delete option on each if present.

Reboot to see if they have been nuked.

HTH



Edited by fcukdat - 25 February 2007 at 3:14pm
___________
Ade Gill
Malwarebytes Researcher

Posted by chimpmagnet (Newbie; joined 25 February 2007; 8 posts) on 25 February 2007 at 2:57pm

So far so good, Kaspersky seems to be holding up well!

Silly question -- how do I use IceSword to force delete wsys.dll and other files?!

Edited by chimpmagnet - 25 February 2007 at 3:01pm
Posted by techno_rulez (Groupie; Czech Republic; joined 26 January 2007; 62 posts) on 25 February 2007 at 1:24pm
Originally posted by chimpmagnet:
    Fcuk, I was just about to re-install XP -- Good timing!!
    I am going to try out ur suggestion now. Thanks for the post, I will update soon.

chimpmagnet
You can also use the Windows XP Recovery Console to delete the file that is reported by Symantec AV. You can also use some rescue CD based on BartPE or Windows PE. This will ensure the file will not be held by some process.

Usually it is not even possible to remove the files held by Winlogon.exe in Safe Mode, as Winlogon.exe is started there as well.

Note: Infected files held by Winlogon.exe (Winlogon\Notify registry branch) can sometimes be renamed, and after a restart the file can be deleted (this removal technique can be used to remove parts of I-Worm/Stration (E-mail-Worm.Warezov)).

Edited by techno_rulez - 25 February 2007 at 1:34pm
Posted by chimpmagnet (Newbie; joined 25 February 2007; 8 posts) on 25 February 2007 at 1:11pm

Fcuk, I was just about to re-install XP -- Good timing!!

I am going to try out ur suggestion now.  Thanks for the post, I will update soon.

Posted by fcukdat (Senior Member; United Kingdom; joined 02 September 2006; 374 posts) on 25 February 2007 at 12:59pm

Sorry fellas if I'm unfashionably late, but here's some additional advice should anyone else come across this thread requiring help etc.

My apologies chimpmagnet for not posting earlier, I have been busy trying to capture this type of stuff.

Congrats, you are the unfortunate victim of CWS ****

The free Kasp AV6 personal trial will disinfect the patched Winlogon.exe

http://www.kaspersky.com/

IceSword force delete will nuke wsys.dll (located in the Windows/system32 folder) and svchost.exe (located in the Windows/temp folder).

Each time I'm getting this infection on my PC it is dropping 3 differently named .sys files in the system32 folder. If you go to the View tab and arrange icons by date modified it will probably be the last 3 .sys files.

Upload these to the VirusTotal service for malware checking and if you get any positive identifications delete them in Safe Mode.

http://www.virustotal.com/en/indexf.html

HTH :)

___________
Ade Gill
Malwarebytes Researcher
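The "arrange by date modified, take the last 3 .sys files, check them on VirusTotal" step above, done reproducibly: an added example (not code from the thread) that lists the newest .sys files in a directory and hashes them so the hash rather than the file can be looked up. The directory is a parameter (system32 on the machine in the thread); the temp directory it builds is a constructed stand-in.

```python
"""Added example, not from the thread: find the most recently modified .sys
files in a driver directory and hash them. The directory is a parameter; on the
XP machine in the thread it would be C:\\WINDOWS\\system32. build_sample_dir()
creates a constructed stand-in so the script runs anywhere.
"""
import hashlib
import os
import tempfile
import time

def sha256_of(path):
    """SHA-256 of a file, read in chunks so large drivers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def recent_sys_files(directory, count=3):
    """Return the `count` most recently modified *.sys files in `directory` as
    (name, mtime_epoch, sha256) tuples, newest first. Sorting by mtime only
    narrows the search (a dropper can backdate timestamps); the hash is what
    you actually submit to a multi-engine scanner such as VirusTotal."""
    candidates = []
    for name in os.listdir(directory):
        if not name.lower().endswith(".sys"):
            continue
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            candidates.append((name, os.path.getmtime(full), sha256_of(full)))
    candidates.sort(key=lambda t: t[1], reverse=True)
    return candidates[:count]

def build_sample_dir():
    """Constructed sample: a temp directory standing in for system32 with two
    long-standing drivers, two written in the last day, and one non-.sys file.
    Contents are arbitrary bytes, not real drivers; names are made up except
    ntfs.sys and klif.sys, which mirror what the thread's machine would have."""
    d = tempfile.mkdtemp(prefix="sys32_sample_")
    now = time.time()
    age_days = {"ntfs.sys": 400, "klif.sys": 30, "unknown1.sys": 0.5,
                "unknown2.sys": 0.2, "readme.txt": 0.1}
    for name, age in age_days.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(name.encode())
        stamp = now - age * 86400
        os.utime(p, (stamp, stamp))      # backdate to simulate install time
    return d

if __name__ == "__main__":
    for name, mtime, digest in recent_sys_files(build_sample_dir()):
        when = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(f"{when}  {digest}  {name}")
```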

Posted by chimpmagnet (Newbie; joined 25 February 2007; 8 posts) on 25 February 2007 at 12:20pm

Karl

Many thanks for the reply. I will do a full re-install ... I have spent way too much time on this now and have exhausted a lot of options.

It's just very disappointing that the big AV companies can't stop these viruses - Symantec didn't even help me when I contacted their analysts via online chat.

Thanks again - it's good to know that there are good people out there.
