#1
Gold Member
Join Date: Mar 2005
Location: Australia
Age: 22
Posts: 303
Hi all,
My aunty has gotten into a touch of strife. She's come across a suspicious file; she cannot delete it manually or by using third-party software. She has run various scans, in and out of safe mode (I'm not sure exactly what programs she has used), with AVG Resident Shield being the only program to detect the file. It cannot be quarantined or deleted. She is running Windows XP Home. When I previewed this before posting, IE7 told me that this is a suspicious website for "Phishing"... does that mean there's something bad in the logs?

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:42:44 PM, on 2/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\INCRED~2\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\04H5HNDU\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - blank (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Crack\RegMech.exe /S
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~2\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxmk142YYAU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...lscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119969403281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1122466731750
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.globalchat.com/custom/nat...nt/msichat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab31267.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab30149.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A1D3742-B874-40F0-865E-EC3F8E5BD7E4}: NameServer = 203.8.183.1 192.189.54.33
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rxx5ot - rxx5ot.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

This is a log from AVG:

name="filename">C:\WINDOWS\system32\rxx6ot.sys</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">BackDoor.Generic3.FYK</attr>
</rec>
<rec time="2006/10/02 10:58:34" user="SYSTEM" source="General">
<value>@HL_TestStopped</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
</history>

This is a log from RootkitRevealer:

C:\RECYCLER\NPROTECT\00486618.:Zone.Identifier 3/1/2005 4:03 PM 26 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00486812.:Zone.Identifier 3/1/2005 4:03 PM 26 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00487020.:Zone.Identifier 3/1/2005 4:03 PM 26 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00487201.:Zone.Identifier 3/1/2005 4:03 PM 26 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00487346.:Zone.Identifier 3/1/2005 4:03 PM 26 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00487836.:Zone.Identifier 3/1/2005 4:03 PM 26 bytes Hidden from Windows API.
C:\WINDOWS\system32\aazhy.ini 8/10/2006 8:57 PM 320 bytes Hidden from Windows API.
C:\WINDOWS\system32\qz.dll 8/10/2006 8:57 PM 40.36 KB Hidden from Windows API.
C:\WINDOWS\system32\qz.sys 8/10/2006 8:57 PM 21.33 KB Hidden from Windows API.
C:\WINDOWS\system32\rxx6ot.sys 8/10/2006 8:57 PM 21.33 KB Hidden from Windows API.
C:\WINDOWS\system32\zzddawert.dat 8/10/2006 8:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\Temp\JET3511.tmp 8/31/2006 4:43 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\Temp\JET7.tmp 8/31/2006 4:43 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\Temp\~DFBA8.tmp 8/31/2006 4:43 PM 16.00 KB Hidden from Windows API.
#2
banned
Join Date: Apr 2006
Posts: 21,092
http://research.sunbelt-software.com...threatid=44159
Haxdoor.Fam = malware = trojan downloader = one place found with removal instructions = http://www.sophos.com/support/disinfection/trojan.html

The name of the file seen on your machine is an alias for this particular trojan, which can allow remote access to your machine as well as download other spyware for stealing passwords and other data. AVG is excellent at spotting the types of things missed by other programs while not always being able to quarantine or remove them. Paragraphs #2 and #3 at the link above give specific instructions for removing this. The following two items could use a little removal themselves:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - blank (file missing)
O20 - Winlogon Notify: rxx5ot - rxx5ot.dll (file missing)
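A small triage helper for the two log formats quoted in this thread, added here as an example; it is not code from either poster, from HijackThis or from RootkitRevealer. It assumes the line layouts shown above, runs on sample lines constructed from the thread's own entries, and flags the dead O20/R3 hooks the reply points at plus non-empty files hidden under system32.

```python
import re

# Constructed sample input: a few lines in the HijackThis and RootkitRevealer
# formats quoted in the thread (values taken from the logs posted above).
HJT_SAMPLE = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - blank (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: rxx5ot - rxx5ot.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
""".strip()

RKR_SAMPLE = r"""
C:\RECYCLER\NPROTECT\00486618.:Zone.Identifier 3/1/2005 4:03 PM 26 bytes Hidden from Windows API.
C:\WINDOWS\system32\rxx6ot.sys 8/10/2006 8:57 PM 21.33 KB Hidden from Windows API.
C:\WINDOWS\system32\qz.dll 8/10/2006 8:57 PM 40.36 KB Hidden from Windows API.
C:\WINDOWS\Temp\JET7.tmp 8/31/2006 4:43 PM 0 bytes Hidden from Windows API.
""".strip()

# "O20 - <rest>" style HijackThis entries; RootkitRevealer rows end in a fixed phrase.
HJT_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<rest>.*)$")
RKR_RE = re.compile(
    r"^(?P<path>.+?) \d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB)) Hidden from Windows API\.$"
)


def dead_hooks(hjt_text):
    """HijackThis Winlogon Notify (O20) and URLSearchHook (R3) entries whose
    target file is gone: load points left behind after the file was removed,
    which is exactly what the reply singles out."""
    hits = []
    for line in hjt_text.splitlines():
        m = HJT_RE.match(line)
        if m and m["kind"] in ("O20", "R3") and "(file missing)" in m["rest"]:
            hits.append(line)
    return hits


def hidden_system_files(rkr_text):
    """RootkitRevealer rows for non-empty files hidden from the Windows API
    under the system32 directory. NPROTECT Zone.Identifier streams and
    zero-byte temp files are routine discrepancies, so they are filtered out."""
    hits = []
    for line in rkr_text.splitlines():
        m = RKR_RE.match(line)
        if m is None:
            continue
        if "\\windows\\system32\\" in m["path"].lower() and not m["size"].startswith("0 "):
            hits.append(m["path"])
    return hits
```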
#3
New Member
Join Date: Oct 2006
Posts: 2
Hi, I'm the aunty who had the trouble, LOL! Thanks Livzz for posting that for me. I just wanted to say a big thank you to PC Eye for your advice and to say all is clear now and the computer is back on track. Your input was much appreciated.