We'll do some house cleaning after I'm reasonably certain that we have killed the rootkit.
Download ISeeYouXP again and unzip to the root of drive C. I fixed that error.
Your HijackThis and SDFix logs look good.
a-squared Team - www.emsisoft.com
"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
Sweeter words were never said. But "Your ISeeYouXP log looks good and you're virus-free" would be even better. Just letting you know that.
<QUOTE>
Your HijackThis and SDFix logs look good.
</QUOTE>
Log coming up as soon as I run it.
And here's that log! Will we make it before 300? The race is on!
It's 6K too big to be a text file post, so here it is as a ZIP with the .txt in it.
I was right about there being a RootKit on the system. You have a variant of Trojan.Peacomm, which I added for detection by ISeeYouXP on the last update.
Download and install RegistrarLite. Make sure you select a MajorGeeks download link and not the author's!
Run Registrar Lite, navigate to each of the following keys (one at a time), and take ownership of them (explained further down).
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\Control
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72\Enum
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\Control
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72\Enum
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72
HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\controlset002\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\controlset002\Services\windev-1a2a-2d72
To take ownership of the key do the following:
* Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
* Click-on Security in the top Menu
* Select Take Ownership
* Repeat these steps for all of the registry keys given above before continuing to the next steps below.
* Now leave RegistrarLite running and continue
* Now run the fixME.reg REGISTRY PATCH below in this message.
* Tell me the results. Any error messages?
* Now in RegistrarLite click View and then Refresh
* Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
* If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!.
Registry Patch
Download the attached FixME_reg.zip to your Desktop and Unzip it. Now double click it and allow it to merge with the registry.
PART 2 - Setting Permissions for Everyone
Run the below if some of the registry keys still exist after running the above steps.
Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to Everyone (I describe this down below the list of registry keys).
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\Control
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72\Enum
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\Control
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72\Enum
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72
HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\controlset002\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\controlset002\Services\windev-1a2a-2d72
After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:
Everyone
SYSTEM
Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key just deleted truly deleted. If so, move on to the next to work through the whole list. If it does not delete, boot into safe mode and repeat these exact same steps from safe mode. Reboot your PC!
Now run Pocket Killbox:
Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.
Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\WINDOWS\ijl11.dll
C:\WINDOWS\uccspecb.sys
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\keylog.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\LexFiles.ulf
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Thumbs.db
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tmp.txt
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\windev-1a2a-2d72.sys
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.
Now boot into SAFE MODE
Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\WINDOWS\ijl11.dll
C:\WINDOWS\uccspecb.sys
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\keylog.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\LexFiles.ulf
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Thumbs.db
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tmp.txt
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\windev-1a2a-2d72.sys
Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.
Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin
And Click OK.
REBOOT to Normal Mode.
Attach the following logs:
HijackThis
ISeeYouXP
Last edited by ShadowPuterDude; 05-22-2007 at 06:33 PM.
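The Part 1 / Part 2 / Delete loop from the post above, done in one pass from PowerShell. This is an added example, not code from the thread, from Registrar Lite or from the fixME.reg patch. It assumes an elevated PowerShell prompt (Normal or Safe Mode), takes the driver's service name as its only parameter (defaulting to the name in the post), derives the LEGACY_ device-node name from it, and walks every ControlSet00N rather than the three fixed lists. The Priv helper class and the Unlock-Key function are this example's own names.

```powershell
# Added example, not code from the thread or from Registrar Lite: automates the
# "Take Ownership -> Full Control for Everyone -> Delete" loop for every
# ControlSet, unlocking the deepest subkeys first the way the post's list is ordered.
# Assumptions: run from an elevated PowerShell prompt (Normal or Safe Mode);
# the default service name is the one named in the post.
param([string]$ServiceName = 'windev-1a2a-2d72')

# A key whose DACL denies Administrators can still be opened for WRITE_OWNER by a
# token holding SeTakeOwnershipPrivilege. Elevated admins have the privilege but it
# is disabled by default, so enable it (and SeRestorePrivilege) on this process.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Priv {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public int Count; public LUID Luid; public int Attr; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr h, int access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr tok, bool all, ref TOKEN_PRIVILEGES np, int len, IntPtr prev, IntPtr ret);
    public static bool Enable(string name) {
        IntPtr tok; LUID luid;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, out tok)) return false; // TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY
        if (!LookupPrivilegeValue(null, name, out luid)) return false;
        var tp = new TOKEN_PRIVILEGES { Count = 1, Luid = luid, Attr = 2 };      // SE_PRIVILEGE_ENABLED
        // AdjustTokenPrivileges returns TRUE even when the privilege is not held;
        // the last error (1300, ERROR_NOT_ALL_ASSIGNED) is what reports that.
        return AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
               && Marshal.GetLastWin32Error() == 0;
    }
}
'@
foreach ($p in 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege') {
    if (-not [Priv]::Enable($p)) { throw "Cannot enable $p; run this from an elevated prompt." }
}

$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$admins   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'   # BUILTIN\Administrators
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'        # Everyone
$rights   = [System.Security.AccessControl.RegistryRights]
$rwTree   = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree

function Unlock-Key([string]$Path) {
    # Part 1 of the post: Take Ownership. Only WRITE_OWNER is requested, which the
    # privilege grants regardless of the DACL; a fresh RegistrySecurity with just
    # an owner set persists only the owner field.
    $k = $hklm.OpenSubKey($Path, $rwTree, $rights::TakeOwnership)
    if (-not $k) { return $false }
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($admins)
    $k.SetAccessControl($sec); $k.Close()

    # Part 2 of the post: the owner implicitly holds READ_CONTROL and WRITE_DAC, so
    # replace the whole DACL with Everyone:Full Control. Replacing rather than
    # appending also drops any explicit Deny ACEs the rootkit planted.
    $k = $hklm.OpenSubKey($Path, $rwTree, $rights::ChangePermissions)
    $sec  = New-Object System.Security.AccessControl.RegistrySecurity
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $everyone, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $sec.AddAccessRule($rule)
    $k.SetAccessControl($sec); $k.Close()

    # Security, Enum, 0000\Control and 0000\LogConf each carry their own ACL, which
    # is why the post lists them one by one; recurse so the whole subtree is unlocked.
    $k = $hklm.OpenSubKey($Path, $true)
    foreach ($child in $k.GetSubKeyNames()) { [void](Unlock-Key "$Path\$child") }
    $k.Close()
    return $true
}

# CurrentControlSet is only a link to one ControlSet00N, so walking the numbered
# sets covers all three lists in the post (and any extra sets on the machine).
$sets = $hklm.OpenSubKey('SYSTEM').GetSubKeyNames() | Where-Object { $_ -like 'ControlSet0*' }
foreach ($cs in $sets) {
    # Legacy (non-PnP) drivers get a device node named LEGACY_<SERVICE NAME> in upper case.
    foreach ($sub in @("SYSTEM\$cs\Services\$ServiceName",
                       "SYSTEM\$cs\Enum\Root\LEGACY_$($ServiceName.ToUpper())")) {
        if (-not (Unlock-Key $sub)) { "absent  : $sub"; continue }
        $hklm.DeleteSubKeyTree($sub, $false)
        if ($hklm.OpenSubKey($sub)) { "STILL THERE (repeat from Safe Mode): $sub" }
        else                        { "deleted : $sub" }
    }
}
```

Run it as `.\Unlock-RootkitKeys.ps1 -ServiceName windev-1a2a-2d72` (file name is illustrative). A key that reports STILL THERE after ownership and the DACL have both been rewritten is typically being protected by the loaded driver itself, hooking registry deletion, which is the same reason the post falls back to Safe Mode, where the driver's service entry is not started.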
Results from fixME.reg - No error messages; window says successful.
I go back in to do the Part 2 and, for some of the keys (below), I navigate to the key and RegLite gives me, in the right window, a red folder called ACCESS DENIED. I'm going to try and get at them in Safe Mode, because I assume that's what you mean, but I wanted to get this up.
<QUOTE>
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72\Enum
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\Control
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72\Enum
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72
HKEY_LOCAL_MACHINE\system\controlset002\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\controlset002\Services\windev-1a2a-2d72
</QUOTE>
For all of these, when I go into Edit Permissions, I get more options [Administrators (EDDIE/Administrators), CREATOR OWNER, Owner (EDDIE\Owner), Power Users (EDDIE\Power Users), SYSTEM, and Users (EDDIE\Users)]. EDDIE is my computer's name.
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es, there is also a folder labelled " +*windbg48" (the spaces are part of the filename; the * is actually a square like you get when the font doesn't have the right character). It's also got the access denied thing, and I found it kind of by accident, but I know we deleted something called windbg48 somewhere along the line, so I assume it's worth calling to attention.
EDIT: I also found this same key inside ControlSet001\Services and ControlSet002\Services. Also, the following key
HKEY_LOCAL_MACHINE\SECURITY
has the same red folder icon, and all of the many subfolders within it are red. When I get down to no more subfolders in any given tree, I get the same red ACCESS DENIED folder.
This is in safe mode.
HOWEVER, I also no longer can find the ones from BEFORE - that is, the ones in the list you gave me - in safe mode. They do not seem to exist, even though I never deleted them because I couldn't.
Last edited by StckFigure; 05-22-2007 at 07:43 PM.
I'm going to stop here and wait for further instructions because of this.... so I'm stopping right before the point in your instructions where I'm supposed to run Killbox.
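The Killbox "Delete on Reboot" step the post above stops short of, shown at the API level so the queue can be inspected before and after. This is an added example, not code from the thread or from Pocket Killbox. It assumes an elevated prompt; the three paths are taken from the list in the instructions (the driver and DLLs most likely to be locked while the rootkit is running) and any that are not present are skipped.

```powershell
# Added example (not Pocket Killbox's code): queue locked files for deletion at the
# next boot the way "Delete on Reboot" does, showing what is already queued first.
# Assumes an elevated prompt. Paths are from the list in the instructions.
$files = @(
    'C:\WINDOWS\system32\windev-1a2a-2d72.sys',
    'C:\WINDOWS\system32\keylog.dll',
    'C:\WINDOWS\uccspecb.sys'
)

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string existing, string target, int flags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 4   # with target = null this means "delete at boot"

$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingRenames {
    # PendingFileRenameOperations is a REG_MULTI_SZ of (source, destination) pairs in
    # \??\ form; an empty destination is a delete. smss.exe applies it early in boot.
    $v = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations `
              -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $v) { return }
    for ($i = 0; $i -lt $v.Count; $i += 2) {
        $action = if ($v[$i + 1]) { "rename to $($v[$i + 1])" } else { 'delete' }
        [pscustomobject]@{ Source = $v[$i]; Action = $action }
    }
}

# 1. Look before queuing. Killbox's PendingFileRenameOperations prompt means this
#    list was already non-empty; an installer is harmless, but malware can use the
#    same mechanism to remove your cleanup tools at the next reboot.
$already = @(Get-PendingRenames)
if ($already.Count) { Write-Warning "Operations already pending:"; $already | Out-String | Write-Warning }

# 2. Queue each file. Needs admin because it writes the Session Manager key.
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { "skip (not found): $f"; continue }
    if ([Win32.Native]::MoveFileEx($f, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) { "queued : $f" }
    else { "FAILED (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())): $f" }
}

# 3. Verify, then reboot. Boot-start (Start=0) and system-start (Start=1) drivers are
#    loaded before smss.exe runs this list, so the driver's Services key has to be
#    gone first (the registry steps earlier in the thread); otherwise the .sys is
#    mapped and locked again before the delete is attempted.
Get-PendingRenames | Format-Table -AutoSize
```

The ordering in step 3 is the reason the instructions remove the registry entries before the files: a driver that is still registered reloads at boot and its image cannot be deleted while mapped, so the pending delete silently fails and the file list has to be repeated from Safe Mode.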
I can't remove the windbg48 with RegLite because it's giving me the same problems as the other ones with the red ACCESS DENIED folders. It says I've successfully taken ownership, but then nothing changes and I still have the red folder and the longer list of Group/User names. Many of the choices for Group or User Name also have all the Allow checkboxes checked and grayed out, but when I do the right click and delete, nothing happens.
If you don't see the Everyone group, choose your user account name (if it shows) otherwise choose Administrator (if it shows).
Download a new copy of ISeeYouXP and unzip to the root of Drive C. I have updated to detect the windbg48 RootKit driver.