anti-rootkit scanner
Need a good rootkit tool... I have a couple of drives with, I think, rootkit infections.
Yes, and it's true that few are as opinionated about what to do with computer technology as the people who work on it. I know. I am one.
Combofix is good (mostly), but overkill if all you want to do is check for and remove rootkits (along with hazardous if not cautious). I probably would have suggested just the ARK too along with a suggestion that if a rootkit is present there is a chance for other stuff there as well. No harm being thorough.
Re:
Grendel wrote: I never suggest combofix if I don't have access to the machine in question, it's the sledge hammer of fixing tools -- use at your own risk.
I have access to the machine, it's sitting here in front of me...
I don't know what I'm missing; the drive has been scanned repeatedly and is coming up clean of viruses/adware/spyware/rootkits/trojans... you name it.
Here is a HijackThis log of the said machine. Anyone see anything that I may have missed?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:10 PM, on 3/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - (no file)
O2 - BHO: (no name) - {00534B55-3155-CA4F-B41D-0E922121D03C} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {3B35D985-7648-4521-83BE-1E16AE5CD05F} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {566C2B45-015E-43BE-AF6D-30F204494EE7} - (no file)
O2 - BHO: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: (no name) - {DE0B3210-B828-475B-96F0-6796FE533E46} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct2_x.cab
O16 - DPF: Yahoo! Word Racer - http://download2.games.yahoo.com/games/ ... /wt1_x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {426F81A5-0B8C-4948-8115-11606FD3F389} - http://www.serialspot.com/serials/serials.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mci ... insctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/ ... tility.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {8F2B3E96-94B3-4CA0-919A-531DDC9ABE92} (XUploadPhotos Class) - http://www.hi5.com/friend/photoshare/bi ... oadLib.dll
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorC ... EFlash.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/p ... der_v6.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_13.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: e4c3f6f2382 - C:\WINDOWS\system32\__c004A09E.dat (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
--
End of file - 12519 bytes
I know I see Panda there, but I've already killed the service and am in the process of deleting it with HijackThis.
I guess I'll have to check out combofix.
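As an added triage helper (not part of the thread, and not a HijackThis feature), the following Python script parses lines in the HijackThis log format shown above and lists the entry types an analyst normally reviews first: a populated AppInit_DLLs value, a Winlogon Notify entry whose file is missing, orphaned BHO/toolbar registrations, ActiveX (O16) downloads from hosts outside an assumed allowlist, and services with no vendor string. The sample lines are a constructed subset modelled on the log above, and KNOWN_DPF_HOSTS is an assumed allowlist, not a vendor list from any tool.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 log format, modelled on the log in the thread.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {426F81A5-0B8C-4948-8115-11606FD3F389} - http://www.serialspot.com/serials/serials.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_13.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: e4c3f6f2382 - C:\WINDOWS\system32\__c004A09E.dat (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

# Assumed allowlist of ActiveX download hosts the reviewer already recognises.
KNOWN_DPF_HOSTS = ("yahoo.com", "msn.com", "mcafee.com", "facebook.com", "dell.com")

# HijackThis entries start with a section tag such as "O2" or "R1", then " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.+)$")


def triage(log_text):
    """Return [(kind, reason, line)] for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, or footer line
        kind, body = m.group("kind"), m.group("body")
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that loads user32.dll,
            # so any value at all is worth identifying.
            findings.append((kind, "AppInit_DLLs entry loads into every GUI process", line))
        elif kind == "O20" and "(file missing)" in body:
            findings.append((kind, "Winlogon Notify points at a missing file", line))
        elif kind in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((kind, "orphaned BHO/toolbar registration (no file)", line))
        elif kind == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if "://" not in url:
                continue  # locally registered control, no download host to check
            host = urlparse(url).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in KNOWN_DPF_HOSTS):
                findings.append((kind, f"ActiveX download from unrecognised host {host}", line))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append((kind, "service with no vendor string", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```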