This is the SDFix log... Have my passwords been compromised, since it found rootkits?

SDFix: Version 1.46
****************
Mon 12/11/2006 - 21:22:11.17
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Stage One - Safe Mode

Checking For Trojan Services...
Service Name:
File Path:

Starting Registry Repairs...
Restoring Default Hosts File...

Stage One Complete
Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

Backing Up and Removing any Files Found...

Final Check:

Services:
---------
Rootkit pe386 Present!
Rootkit msguard Present!
Rootkit lzx32 Present!

Authorized Applications Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"

Files:
------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6de0759720c7d5f6249a35ca9247df09\BIT56.tmp

FINISHED!
Hi mesa101, to answer your question: yes, it would be a good idea to change all your online account passwords. From a clean computer, of course.

Please download the following programs:

Download AVG Antirootkit Beta from here
Download ADS Spy from here.
Download SmitfraudFix from here
Download F-Secure's BlackLight from here.
Download HijackThis (click the link)

[bold]Note[/bold]: Print or copy these instructions to Notepad. You will not be able to access the internet during the fix.

Disconnect from the internet.

* Install AVG Antirootkit Beta.
* Restart your computer before running AVG Antirootkit Beta.
* Open AVG Anti-Rootkit Beta and click "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path".
* Select the Rootkit Driver by placing a checkmark against it and click "Remove selected items." Next, agree to the terms and conditions displayed by AVG and click "OK" to reboot the PC.
* AVG Anti-Rootkit Beta renames the Mailbot.AZ Rootkit Driver so that the driver will not be loaded at the next reboot. But it doesn't remove the actual Rootkit ADS and its Registry Entries. These can be removed by using ADS Spy.
* Extract ADS Spy to its own folder.
* Open ADS Spy and select "Full Scan (all NTFS drives)".
* Click "Scan the System for Alternate Data Streams." Once the scan is complete, select the rootkit driver and click "Remove selected streams".
* Close ADS Spy and ALL open Windows.
* Open Notepad (not Wordpad).
* Copy and paste the bold text inside the box below into Notepad, including the blank line at the end.

-----------------------------------------------------------------------
[bold]REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msguard]
[/bold]
-----------------------------------------------------------------------

Save name as fix.reg and type as "all files" to your desktop. Close Notepad.
Double click fix.reg and click Yes at the prompt.

Open Blacklight.
* Click the Scan button.
* Leave the PC idle while it is scanning.
* When it has completed, click the Close button.
* A text file, fsbl-date/time, will be saved in the Blacklight folder.

Extract SmitfraudFix.zip to the desktop. Open the newly created folder, SmitfraudFix. Open SmitfraudFix.cmd and run Option 1. The report can be found at the root of the system drive, usually at C:\rapport.txt.

Extract HijackThis.zip to a permanent folder. Open HijackThis.exe and click "Do a system scan and save a logfile". Notepad will open with the log. It will also be saved in the HijackThis folder.

Please post back with the BlackLight log, the contents of rapport.txt and the HijackThis log.
SmitFraudFix v2.122

Scan done at 21:27:50.92, Tue 12/12/2006
Run from C:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.

SDFix: Version 1.46
****************
Mon 12/11/2006 - 21:22:11.17
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Stage One - Safe Mode

Checking For Trojan Services...
Service Name:
File Path:

Starting Registry Repairs...
Restoring Default Hosts File...

Stage One Complete
Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

Backing Up and Removing any Files Found...

Final Check:

Services:
---------
Rootkit pe386 Present!
Rootkit msguard Present!
Rootkit lzx32 Present!

Authorized Applications Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"

Files:
------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6de0759720c7d5f6249a35ca9247df09\BIT56.tmp

FINISHED!

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.
12/12/06 21:33:38 [Info]: BlackLight Engine 1.0.47 initialized
12/12/06 21:33:38 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/12/06 21:33:38 [Note]: 7019 4
12/12/06 21:33:38 [Note]: 7005 0
12/12/06 21:33:43 [Note]: 7006 0
12/12/06 21:33:43 [Note]: 7011 1660
12/12/06 21:33:43 [Note]: 7026 0
12/12/06 21:33:43 [Note]: 7026 0
12/12/06 21:33:44 [Note]: FSRAW library version 1.7.1020
12/12/06 21:35:27 [Note]: 2000 1012
12/12/06 21:35:27 [Note]: 2000 1012
12/12/06 21:35:39 [Note]: 7007 0

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.

Logfile of HijackThis v1.99.1
Scan saved at 9:36:39 PM, on 12/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{52495B0F-B6E9-4B2F-B88E-62F6FB098A39}: NameServer = 216.163.120.19 208.45.137.132
O17 - HKLM\System\CS1\Services\Tcpip\..\{52495B0F-B6E9-4B2F-B88E-62F6FB098A39}: NameServer = 216.163.120.19 208.45.137.132
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I guess that about does it... let me know if I missed anything. Thanks.
Okay, I'm not sure why SDFix is still saying pe386 is still present when both Blacklight and SmitfraudFix are reporting clean. Let's get one more opinion just to be sure.

Download [bold]Rootkit Revealer[/bold] from here.
Create a new folder, named [bold]RKR[/bold], in C:\
Extract the files to the new folder.
Open [bold]RootkitRevealer.exe[/bold].
Close all other windows and click "[bold]Scan[/bold]".
[bold]Important[/bold]: Leave the computer idle while the scan runs.
When the scan is finished, click File > Save... to save the text file to the C:\RKR\ folder.
Post the log in your next reply.
Here is the Rootkit Revealer log.

HKLM\SECURITY\Policy\Secrets\SAC* 8/26/2004 6:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/26/2004 6:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 11/1/2006 6:33 PM 13 bytes Data mismatch between Windows API and raw hive data.
D: 0 bytes Error mounting volume
I now know why SDFix was showing pe386 still present. You posted the same log twice... lol. Look at the times of the scans: both SDFix logs are from Mon 12/11/2006 - 21:22:11.17. So, good news. The rootkit is gone. Any other problems?
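As an added example (not from this thread, and not part of SDFix), a small Python triage helper that does mechanically what the helper above did by eye: it pulls the scan timestamp and the "Rootkit ... Present!" lines out of pasted SDFix logs and reports a re-posted log as a duplicate scan rather than as a persisting infection. The log text embedded below is constructed to follow the format shown in this thread.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed SDFix log in the thread's format, posted
# twice (same scan timestamp), plus a constructed newer post-fix scan.
SDFIX_LOG_A = r"""SDFix: Version 1.46
****************
Mon 12/11/2006 - 21:22:11.17
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Final Check:
Services:
---------
Rootkit pe386 Present!
Rootkit msguard Present!
Rootkit lzx32 Present!
FINISHED!"""
SDFIX_LOG_B = SDFIX_LOG_A  # identical repost, as happened in the thread

SDFIX_LOG_CLEAN = r"""SDFix: Version 1.46
****************
Tue 12/12/2006 - 21:30:02.55
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Final Check:
Services:
---------
FINISHED!"""

# "Mon 12/11/2006 - 21:22:11.17": weekday, date, then time with fractional seconds
TIMESTAMP_RE = re.compile(r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) (\d{1,2}/\d{1,2}/\d{4}) - (\d{2}:\d{2}:\d{2})")
ROOTKIT_RE = re.compile(r"^Rootkit (\S+) Present!$")

def parse_sdfix(text):
    """Return (scan_time, [service names flagged as rootkits]) for one SDFix log."""
    scan_time, rootkits = None, []
    for line in text.splitlines():
        line = line.strip()
        m = TIMESTAMP_RE.match(line)
        if m and scan_time is None:
            scan_time = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %H:%M:%S")
        m = ROOTKIT_RE.match(line)
        if m:
            rootkits.append(m.group(1))
    if scan_time is None:
        raise ValueError("no SDFix scan timestamp found")
    return scan_time, rootkits

def triage(before_text, after_text):
    """Compare a pre-fix and a claimed post-fix SDFix log.
    'duplicate'     -> the second log is not a newer scan (no new evidence)
    'still present' -> a genuinely newer scan still lists rootkit services
    'clean'         -> a newer scan lists none"""
    t0, _ = parse_sdfix(before_text)
    t1, rk1 = parse_sdfix(after_text)
    if t1 <= t0:
        return "duplicate"
    return "still present" if rk1 else "clean"
```

Feeding the thread's two pasted SDFix logs to triage() yields "duplicate", which is the conclusion the helper reached from the matching timestamps.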
Sorry for the foul-up, I didn't mean to do that. I really appreciate your valuable time and help. Until next time... thank you.