Mischel Internet Security Forum > TrojanHunter > TrojanHunter Scanner
Topic: gmer finding files whose name change (Read 738 times)
pcguy99
Junior Member, Posts: 76
gmer finding files whose name change
« on: Mar 25th, 2008, 1:14pm »

I have run gmer on my computer and it has found a file whose name changes between reboots of the computer. I also ran gmer on another computer that also has THunter and it showed similar behavior.  
 
Code:

 
COMPUTER 1
 
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-25 13:55:24
Windows 5.1.2600 Service Pack 2
 
 
---- System - GMER 1.0.14 ----
 
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwAdjustPrivilegesToken [0xF5727C2E]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwConnectPort [0xF572720C]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwCreateFile [0xF572784E]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwCreateKey [0xF57283DC]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwCreatePort [0xF57270FA]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwCreateSection [0xF5728C94]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwCreateSymbolicLinkObject [0xF5727E14]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwCreateThread [0xF5726CCA]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwDeleteKey [0xF5728058]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwDeleteValueKey [0xF5728208]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwDuplicateObject [0xF5726B7C]
SSDT  spiz.sys                          ZwEnumerateKey [0xF747BCA2]
SSDT  spiz.sys                          ZwEnumerateValueKey [0xF747C030]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwLoadDriver [0xF5728934]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwOpenFile [0xF5727A58]
SSDT  spiz.sys                          ZwOpenKey [0xF745E0C0]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwOpenProcess [0xF57268C6]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwOpenSection [0xF57276F2]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwOpenThread [0xF5726A24]
SSDT  spiz.sys                          ZwQueryKey [0xF747C108]
SSDT  spiz.sys                          ZwQueryValueKey [0xF747BF88]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwRenameKey [0xF5728792]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwSecureConnectPort [0xF57273CE]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwSetSystemInformation [0xF5728AD4]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwSetValueKey [0xF57285A2]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwShutdownSystem [0xF5727580]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwSystemDebugControl [0xF57275E6]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwTerminateProcess [0xF5726FC4]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwTerminateThread [0xF5726E92]
 
---- Kernel code sections - GMER 1.0.14 ----
 
?     spiz.sys                          The system cannot find the file specified. !
.text      USBPORT.SYS!DllUnload                            F701462C 5 Bytes  JMP 86D191D8  
?     C:\WINDOWS\system32\Drivers\mchInjDrv.sys                       The system cannot find the file specified. !
.text      ntdll.dll!NtDeleteValueKey                       7C90D8CE 5 Bytes  JMP 00D68480  
.text      ntdll.dll!NtOpenProcess                          7C90DD7B 3 Bytes  [ FF, 25, 1E ]
.text      ntdll.dll!NtOpenProcess + 4                           7C90DD7F 2 Bytes  [ 0E, 5F ]
.text      ntdll.dll!NtQueryDirectoryFile                        7C90DF5E 5 Bytes  JMP 00D62E80  
.text      ntdll.dll!NtSetSystemInformation                      7C90E729 5 Bytes  JMP 00D675D0  
.text      ntdll.dll!LdrUnloadDll                           7C91718B 5 Bytes  JMP 003A4F80  
 
 
======================================================================== ========================
COMPUTER 2
 
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-25 14:01:17
Windows 5.1.2600 Service Pack 2
 
 
---- System - GMER 1.0.14 ----
 
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwClose [0xB83611A5]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwCreateFile [0xB83609CC]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwCreateKey [0xB835D0B0]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwCreateProcess [0xB8360013]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwCreateProcessEx [0xB835FE90]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwCreateThread [0xB836054A]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwDeleteFile [0xB8361225]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwDeleteKey [0xB835D4E1]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwDeleteValueKey [0xB835D574]
SSDT  spnm.sys                          ZwEnumerateKey [0xB9EC7CA2]
SSDT  spnm.sys                          ZwEnumerateValueKey [0xB9EC8030]
SSDT  \SystemRoot\system32\drivers\khips.sys                     ZwLoadDriver [0xB80D78B0]
SSDT  \SystemRoot\system32\drivers\khips.sys                     ZwMapViewOfSection [0xB80D7A20]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwOpenFile [0xB8360C97]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwOpenKey [0xB835D307]
SSDT  \??\D:\AVG Anti-Spyware 7.5\guard.sys                      ZwOpenProcess [0xBA7798AC]
SSDT  spnm.sys                          ZwQueryKey [0xB9EC8108]
SSDT  spnm.sys                          ZwQueryValueKey [0xB9EC7F88]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwResumeThread [0xB83605D6]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwSetInformationFile [0xB8360F99]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwSetValueKey [0xB835D67D]
SSDT  \??\D:\AVG Anti-Spyware 7.5\guard.sys                      ZwTerminateProcess [0xBA779812]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwWriteFile [0xB8360EF6]
 
---- Kernel code sections - GMER 1.0.14 ----
 
?     spnm.sys                          The system cannot find the file specified. !
PAGENDSM   NDIS.sys!NdisMIndicateStatus                     B9CE6A5F 6 Bytes  JMP B835535C \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)
.text      USBPORT.SYS!DllUnload                       B982962C 5 Bytes  JMP 89D071D8  
 
---- User code sections - GMER 1.0.14 ----
                       The system cannot find the file specified. !
[...]
 
======================================================================== ==========================
 
 

 
My question is are the spiz.sys and spnm.sys files being created by TrojanHunter or is this a rootkit?
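The question in the post is hard to answer from file names alone, because the name is exactly what changes between reboots. What stays constant is the set of SSDT entries the driver owns, so a more useful comparison is by hooked function set. The script below is an added example, not part of the thread and not TrojanHunter or GMER code: it parses GMER's "SSDT" and "?" (file could not be opened) lines, groups hooks per module, flags modules that GMER could not open on disk yet own SSDT entries, and pairs modules across two scans by Jaccard similarity of what they hook. The embedded logs are abbreviated excerpts of the two scans posted above; the 0.75 similarity threshold is my choice.

```python
"""Compare GMER SSDT listings across scans by what each driver hooks,
not by the driver's file name (which, in the thread above, changes on every boot).
Added example; not code from the original thread."""
import re
from collections import defaultdict

# Constructed excerpts of the two GMER blocks posted above, cut down to the
# lines the demonstration needs (same format, same values as the posted logs).
SCAN_COMPUTER_1 = r"""
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwAdjustPrivilegesToken [0xF5727C2E]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwCreateFile [0xF572784E]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO)              ZwCreateKey [0xF57283DC]
SSDT  spiz.sys                          ZwEnumerateKey [0xF747BCA2]
SSDT  spiz.sys                          ZwEnumerateValueKey [0xF747C030]
SSDT  spiz.sys                          ZwOpenKey [0xF745E0C0]
SSDT  spiz.sys                          ZwQueryKey [0xF747C108]
SSDT  spiz.sys                          ZwQueryValueKey [0xF747BF88]
?     spiz.sys                          The system cannot find the file specified. !
?     C:\WINDOWS\system32\Drivers\mchInjDrv.sys                       The system cannot find the file specified. !
"""

SCAN_COMPUTER_2 = r"""
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwClose [0xB83611A5]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwCreateFile [0xB83609CC]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwCreateKey [0xB835D0B0]
SSDT  spnm.sys                          ZwEnumerateKey [0xB9EC7CA2]
SSDT  spnm.sys                          ZwEnumerateValueKey [0xB9EC8030]
SSDT  \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Software)                 ZwOpenKey [0xB835D307]
SSDT  \??\D:\AVG Anti-Spyware 7.5\guard.sys                      ZwOpenProcess [0xBA7798AC]
SSDT  spnm.sys                          ZwQueryKey [0xB9EC8108]
SSDT  spnm.sys                          ZwQueryValueKey [0xB9EC7F88]
SSDT  \??\D:\AVG Anti-Spyware 7.5\guard.sys                      ZwTerminateProcess [0xBA779812]
?     spnm.sys                          The system cannot find the file specified. !
"""

# "SSDT  <module> <ZwFunction> [0xADDR]"; the module field may contain spaces and a "(vendor)" suffix.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
# "?     <module>   The system cannot find the file specified. !"
UNRESOLVED_RE = re.compile(r"^\?\s+(?P<module>.+?)\s+The system cannot find the file specified")
# Split an optional trailing "(vendor)" off the module path.
VENDOR_RE = re.compile(r"^(?P<path>.+?)(?:\s+\((?P<vendor>[^()]*)\))?$")


def module_name(module_field):
    """Reduce '\\SystemRoot\\...\\cmdguard.sys (COMODO ...)' to 'cmdguard.sys'."""
    path = VENDOR_RE.match(module_field.strip()).group("path")
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Return {'hooks': {module: {hooked functions}}, 'unresolved': {modules GMER could not open}}."""
    hooks = defaultdict(set)
    unresolved = set()
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks[module_name(m.group("module"))].add(m.group("func"))
            continue
        m = UNRESOLVED_RE.match(line)
        if m:
            unresolved.add(module_name(m.group("module")))
    return {"hooks": dict(hooks), "unresolved": unresolved}


def jaccard(a, b):
    """Set similarity in [0, 1]; 1.0 means identical hook sets."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def match_by_hook_set(scan_a, scan_b, threshold=0.75):
    """Pair modules across two scans by what they hook, ignoring their names."""
    pairs = []
    for name_a, funcs_a in scan_a["hooks"].items():
        for name_b, funcs_b in scan_b["hooks"].items():
            score = jaccard(funcs_a, funcs_b)
            if score >= threshold:
                pairs.append((name_a, name_b, round(score, 2), sorted(funcs_a & funcs_b)))
    return sorted(pairs)


def suspicious_modules(scan):
    """Modules GMER could not open on disk that nevertheless own SSDT entries (follow-up candidates)."""
    return sorted(m for m in scan["unresolved"] if m in scan["hooks"])


def report(label, scan):
    print(f"== {label} ==")
    for module, funcs in sorted(scan["hooks"].items()):
        tag = "  (file could not be opened by GMER)" if module in scan["unresolved"] else ""
        print(f"  {module:14s} hooks {len(funcs):2d}: {', '.join(sorted(funcs))}{tag}")


if __name__ == "__main__":
    s1, s2 = parse_gmer(SCAN_COMPUTER_1), parse_gmer(SCAN_COMPUTER_2)
    report("computer 1", s1)
    report("computer 2", s2)
    print("unresolved modules owning SSDT entries:", suspicious_modules(s1), suspicious_modules(s2))
    for a, b, score, common in match_by_hook_set(s1, s2):
        print(f"{a} ~ {b}: similarity {score}, shared hooks {common}")
```

Two caveats when reading the output. First, the pairing says that spiz.sys and spnm.sys behave like the same driver under two names; it does not say whether that driver is malicious, and the same approach applied to a scan taken after uninstalling a product (the test suggested in the next reply) shows whether the hook set disappears with it. Second, the sets are compared by similarity rather than equality on purpose: an SSDT slot holds only one pointer, so when a second driver hooks the same entry (here fwdrv.sys owns ZwOpenKey on computer 2) the earlier hook no longer shows up in GMER's listing, even though the driver that installed it is unchanged.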
siliconman01
Global Moderator, Posts: 5270
Re: gmer finding files whose name change
« Reply #1 on: Mar 25th, 2008, 2:46pm »

To the best of my knowledge, spiz.sys and spnm.sys are not being created by TrojanHunter.  You could test this by temporarily removing TH on one of the computers to see if GMER stops finding spiz.sys and spnm.sys.
 
C:\WINDOWS\system32\Drivers\mchInjDrv.sys is used by THGuard to inject code for self protection.  
 
As to whether spiz.sys and spnm.sys are rootkits, I rather doubt it or GMER would be able to clearly snag it.  Perhaps the GMER technical support can provide more definitive information.
 
 
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
pcguy99
Junior Member, Posts: 76
Re: gmer finding files whose name change
« Reply #2 on: Mar 27th, 2008, 8:44am »

Well I decided to have TrojanHunter 5 scan my entire computer, so I let it run overnight. In the morning I turned on my monitor to discover that the TrojanHunter application had closed and there is no trace of a logfile! I am doing a complete scan again in the hope that this was a fluke!
siliconman01
Global Moderator, Posts: 5270
Re: gmer finding files whose name change
« Reply #3 on: Mar 27th, 2008, 9:01am »

TH V5.0 will not create a scan report (log) unless it finds something malicious or possibly malicious.  Any log that is created is in folder Scan Report at C:\Program Files\TrojanHunter 5.0\Scan Report.  
 
However, the TrojanHunter GUI should not have closed on its own if you initiated a manual full system scan.
pcguy99
Junior Member, Posts: 76
Re: gmer finding files whose name change
« Reply #4 on: Mar 27th, 2008, 3:06pm »

Well, again I ran a complete scan, during which it apparently found some items, but again the THunter window closed near the completion of its scan of all of my partitions! However, there is no logfile!!
siliconman01
Global Moderator, Posts: 5270
Re: gmer finding files whose name change
« Reply #5 on: Mar 28th, 2008, 12:10am »

This is definitely not normal behavior of the TrojanHunter GUI manual scanner.  Is it doing this on both computers?
 
Would you please:  
 
1.  Look in your Event Viewer and see if any errors are being reported concerning a TH error.
 
-  START>RUN> and type in   Eventvwr
 
2.  Open TH GUI and click on the Options icon on the left icon bar.  
 
-  Under Clean Options, be sure that "Show clean dialog if trojans were found" is checked.  
 
-  I recommend that all options in the list of options be check-marked, except perhaps the very last one "Warn on executable files with double extensions".  
 
3.  Run TH LiveUpdate to obtain the latest rulesets.
 
4.  Boot your computer in SAFE MODE and attempt another full scan with TrojanHunter.  If it finds anything malicious, it should alert you at the end of the scan and ask you to let it clean the infected items.  
pcguy99
Junior Member, Posts: 76
Re: gmer finding files whose name change
« Reply #6 on: Mar 28th, 2008, 4:10pm »

on Mar 28th, 2008, 12:10am, siliconman01 wrote:
This is definitely not normal behavior of the TrojanHunter GUI manual scanner.  Is it doing this on both computers?
 
Would you please:  
 
1.  Look in your Event Viewer and see if any errors are being reported concerning a TH error.
 
-  START>RUN> and type in   Eventvwr

 
Nothing for TrojanHunter.
 
Quote:

 
2.  Open TH GUI and click on the Options icon on the left icon bar.  
 
-  Under Clean Options, be sure that "Show clean dialog if trojans were found" is checked.  
 
-  I recommend that all options in the list of options be check-marked, except perhaps the very last one "Warn on executable files with double extensions".  
 
3.  Run TH LiveUpdate to obtain the latest rulesets.
 
4.  Boot your computer in SAFE MODE and attempt another full scan with TrojanHunter.  If it finds anything malicious, it should alert you at the end of the scan and ask you to let it clean the infected items.  

 
Done and THunter still closed during the scan.
siliconman01
Global Moderator, Posts: 5270
Re: gmer finding files whose name change
« Reply #7 on: Mar 28th, 2008, 10:35pm »

Hmmm, does this "TH closing before completion" occur on both of your computers?  
 
Would you please post a Hijackthis log on the computer that TH is prematurely closing on.  The link below describes how to download/install Hijackthis.
 
http://www.misec.net/forum/board/FAQ/1163329424
pcguy99
Junior Member, Posts: 76
Re: gmer finding files whose name change
« Reply #8 on: Mar 28th, 2008, 11:35pm »

Note eEye's Blink was just installed tonight after all this started happening:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:15 AM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Blink\blinksvc.exe
C:\WINDOWS\system32\svchost.exe
D:\Blink\blinkrm.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Comodo\Firewall\cmdagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
D:\WinPatrol\winpatrol.exe
D:\TrueImageHome\TrueImageMonitor.exe
D:\CounterSpy\SBCSSvc.exe
D:\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
D:\Blink\BLINK.EXE
D:\FileBX\FileBX.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
D:\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
D:\GhostSurf Platinum\Proxy.exe
E:\Downloads\HiJackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [GhostSurf Reminder] "D:\GhostSurf Platinum\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [WinPatrol] d:\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: AutorunsDisabled
O4 - Startup: ERUNT AutoBackup.lnk = D:\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Blink.lnk = D:\Blink\BLINK.EXE
O4 - Global Startup: FileBox eXtender.lnk = D:\FileBX\FileBX.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Evernote - res://d:\Evernote3\enbar.dll/2000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - d:\Evernote3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - d:\Evernote3\enbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B6B3180-3D93-4F3D-A01F-79219E005249} : NameServer = 64.56.143.163,64.56.143.165
O18 - Filter hijack: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - D:\Blink\IEMimeFilter.dll
O20 - AppInit_DLLs: secuload.dll,c:\windows\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - D:\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - D:\Blink\blinksvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - D:\Comodo\Firewall\cmdagent.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - D:\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - D:\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - D:\CounterSpy\SBCSSvc.exe
O23 - Service: SBO - Sysinternals www.sysinternals.com - C:\DOCUME~1\gregg\LOCALS~1\Temp\SBO.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: WMPTSZMM - Sysinternals www.sysinternals.com - C:\DOCUME~1\gregg\LOCALS~1\Temp\WMPTSZMM.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - (no file)
 
--
End of file - 9180 bytes
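A HijackThis log is read by hand, and most of its lines are noise. The script below is an added example, not part of the thread and not HijackThis code, and it is not an assessment of this machine: it parses the O4 (autostart) and O23 (service) lines, extracts the launched executable, and raises two review flags, an executable running from a Temp directory and a service with no recorded company. Both are prompts to verify by hand (is the file still there, who signed it, which tool created the service), not verdicts. The embedded lines are an excerpt of the log posted above; the flag rules are my choice.

```python
"""Pull the autostart (O4) and service (O23) entries out of a HijackThis log and
flag the ones worth a second look.  Added example; not code from the original thread."""
import re

# Constructed excerpt of the HijackThis log posted above (a few O4 and O23 lines, verbatim format).
HJT_EXCERPT = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 5.0\THGuard.exe"
O4 - Startup: AutorunsDisabled
O4 - Startup: ERUNT AutoBackup.lnk = D:\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Blink.lnk = D:\Blink\BLINK.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Ad-Aware 2007\aawservice.exe
O23 - Service: SBO - Sysinternals www.sysinternals.com - C:\DOCUME~1\gregg\LOCALS~1\Temp\SBO.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: WMPTSZMM - Sysinternals www.sysinternals.com - C:\DOCUME~1\gregg\LOCALS~1\Temp\WMPTSZMM.exe
"""

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?P<rest>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.*)$")
# Any path component named "temp" (covers the 8.3 form C:\DOCUME~1\...\LOCALS~1\Temp\ seen in the log).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def command_path(command):
    """First executable of a Run-key command: the quoted string if quoted, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_hjt(text):
    """Return a list of {'kind', 'where', 'name', 'company', 'path'} for O4 and O23 lines."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            where, rest = m.group("where"), m.group("rest")
            if rest.startswith("["):                      # "[Name] command"
                name, _, command = rest[1:].partition("]")
                entries.append({"kind": "O4", "where": where, "name": name,
                                "company": None, "path": command_path(command)})
            elif " = " in rest:                           # "Shortcut.lnk = target"
                name, _, target = rest.partition(" = ")
                entries.append({"kind": "O4", "where": where, "name": name,
                                "company": None, "path": target.strip()})
            continue                                      # e.g. "AutorunsDisabled": no path to record
        m = O23_RE.match(line)
        if m:
            # "Display name (short name) - Company - path"; split from the right so that
            # hyphens inside names (Ad-Aware) and company strings survive.
            parts = m.group("rest").rsplit(" - ", 2)
            if len(parts) == 3:
                name, company, path = parts
                entries.append({"kind": "O23", "where": "Service", "name": name,
                                "company": company, "path": path.strip()})
    return entries


def triage(entries):
    """Attach review flags; entries with no flag are left out."""
    findings = []
    for e in entries:
        flags = []
        if TEMP_DIR_RE.search(e["path"]):
            flags.append("runs from a Temp directory")
        if e["company"] == "Unknown owner":
            flags.append("no company recorded for the service")
        if flags:
            findings.append((e["kind"], e["name"], e["path"], flags))
    return findings


if __name__ == "__main__":
    for kind, name, path, flags in triage(parse_hjt(HJT_EXCERPT)):
        print(f"{kind} {name}\n    {path}\n    review: {'; '.join(flags)}")
```

On the posted log this prints the two Temp-directory services and the one "Unknown owner" service and nothing else, which is a reasonable starting list for the by-hand checks; it says nothing about whether any of the three is unwanted.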
siliconman01
Global Moderator, Posts: 5270
Re: gmer finding files whose name change
« Reply #9 on: Mar 29th, 2008, 1:22am »

I do not see anything malicious showing up in your HJT log.  There are a couple of items that you should correct, however.
 
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - (no file)
 
To correct these, please do this:
 
-  Go to the Control Panel
-  Select Display
-  Select the Desktop tab
-  Click on Customize Desktop
-  Select the Web tab
-  Delete Desktop Component 0
-  Delete Desktop Component 1
-  If there are other items EXCEPT "My Current Home Page", delete them.
-  Click on OK and OK
 
Now back to the TH premature closure, I see that you have multiple disks/Partitions.  Also you have many different security programs.  I suspect one of them is causing some type of conflict.  
 
Is there any error message displayed when TH prematurely closes, or does it just go poof??
 
-  Would you please scan one disk at a time starting with C drive and see if TH will scan specific disks/partitions okay.  
 
 
 
pcguy99
Junior Member, Posts: 76
Re: gmer finding files whose name change
« Reply #10 on: Mar 29th, 2008, 8:57am »

on Mar 29th, 2008, 1:22am, siliconman01 wrote:
I do not see anything malicious showing up in your HJT log.  There are a couple of items that you should correct, however.
 
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - (no file)
 
To correct these, please do this:
 
-  Go to the Control Panel
-  Select Display
-  Select the Desktop tab
-  Click on Customize Desktop
-  Select the Web tab
-  Delete Desktop Component 0
-  Delete Desktop Component 1
-  If there are other items EXCEPT "My Current Home Page", delete them.
-  Click on OK and OK

 
There were no Desktop Component 0 or 1 shown. Only one entry with a check box and no description. As well, there was no "My Current Home Page" on the Web tab.
 
Quote:

Now back to the TH premature closure, I see that you have multiple disks/Partitions.  Also you have many different security programs.  I suspect one of them is causing some type of conflict.  
 
Is there any error message displayed when TH prematurely closes, or does it just go poof??
 
-  Would you please scan one disk at a time starting with C drive and see if TH will scan specific disks/partitions okay.  
 
 
 

 
It seems that it may be on one of the last partitions or so that this happens, as in the past I was able to scan C: through E: without any problems. Will find out exactly on which of the remaining partitions the shutdown of THunter occurs.
siliconman01
Global Moderator, Posts: 5270
Re: gmer finding files whose name change
« Reply #11 on: Mar 29th, 2008, 12:06pm »

Quote:
There were no Desktop Component 0 or 1 shown. Only one entry with a check box and no description. As well, there was no "My Current Home Page" on the Web tab.

 
That's odd.  Were you signed on with a User account with full administrative privileges when checking this?
 
Quote:
It seems that it may be one of the last partition or so that this happens as in the past I was able to scan c: thru e: without any problems. Will find out exactly which of the remaining partitions the shutdown of THunter occurs.

 
Thus far that's encouraging.  Hopefully you can drill down to the culprit.  It's starting to sound like some type of corrupt file that TH is hitting during the scan.  
 
Once you find the partition, run a disk check on it.  For example, if it is the F partition-
 
-  Go to START-RUN and type in    CHKDSK F: /r /f
(Note the space before /r and /f )
 
-  Click on OK
 
-  CHKDSK will start scanning the F partition for errors or corrupt data.  It will attempt to fix any found errors.  
 
-  After CHKDSK is completed, run another TH scan to see if the problem is resolved.  
 
pcguy99
Junior Member, Posts: 76
Re: gmer finding files whose name change
« Reply #12 on: Mar 29th, 2008, 3:20pm »

on Mar 29th, 2008, 12:06pm, siliconman01 wrote:

 
That's odd.  Were you signed on with a User account with full administrative privileges when checking this?

 
Yes but what I meant was that there were no errors in the log pertaining to TrojanHunter.
 
Quote:

 
 
Once you find the partition, run a disk check on it.  For example, if it is the F partition-
 
-  Go to START-RUN and type in    CHKDSK F: /r /f
(Note the space before /r and /f )
 
-  Click on OK
 
-  CHKDSK will start scanning the F partition for errors or corrupt data.  It will attempt to fix any found errors.  
 
-  After CHKDSK is completed, run another TH scan to see if the problem is resolved.  
 

I did that on the offending partition, which is the last one, H:, and the chkdsk completed without it finding any errors; however, upon completion of the chkdsk it threw up an error message:
 
http://www.sharemation.com/frustrated/chkdsk%20error.GIF
pcguy99
Junior Member, Posts: 76
Re: gmer finding files whose name change
« Reply #13 on: Mar 29th, 2008, 9:32pm »

Well, THunter is still disappearing when scanning my last partition.
siliconman01
Global Moderator, Posts: 5270
Re: gmer finding files whose name change
« Reply #14 on: Mar 29th, 2008, 11:02pm »

The error that CHKDSK issued is a system level error indicating a problem occurred when it was running, probably when trying to fix a disk error.
 
1.  Please boot your computer into SAFE MODE and re-run CHKDSK H: /r /f
 
(No errors should be issued if the CHKDSK completes successfully.)
 
2.  Reboot back into Normal Mode.
 
3.  If it looks like CHKDSK completed successfully, run another TH scan on the H drive.  
 
NOTE:  If an error occurred while running CHKDSK, run it on one of your other partitions and see if it completes successfully.  This will help determine if it is a system-level problem with CHKDSK or something uncorrectable on the H drive.