Steviebone

Members
Content Count: 31
Everything posted by Steviebone

  1. Got your PM reply... thank you... I await your latest words of wisdom... and as always, thanks a million!
  2. OK, I'm mad now... lol, I set Spyware Detector to run again every few hours for a while... the Trojan Zapchast resurfaced in a restore point file... to my knowledge I have not rebooted since the last scan... so this bugger is re-asserting itself somehow... in fact the only thing run in between scans was DSS... c:\system volume information\_restore{2201e7e1-07c6-42bd-9a3d-8ec03be3ea1a}\rp479\a0107864.dll#@#2DBB00F5E171FF1101C350516116DCBC next to last one added.... this sucker was added minutes before DSS was run while I was gone (I was not home at the time). In all my years of computing I have
  3. OK, I ran the scan... can I upload this file to you rather than post the results to the world? There's some sensitive data there... Steve ---- edit ----- OK, you have a private message with instructions on how to find the log...
  4. Thanks... I will do as you instructed... one update... I ran an in-depth scan using Spyware Detector... it found the Zapchast Trojan and a keylogger again. I'm getting bounce-backs from mail I haven't sent, so I'm pretty sure there's another damn mailbot on here again. Funny, Avast and NOD32 don't pick any of this stuff up! Will get back to you shortly... Thanks again!
  5. Hello again... thanks for your previous help... no more rootkits that I know of; however, I have discovered that since disinfection I am having problems with Windows Firewall. After each reboot, some important entries are lost and Remote Assistance is enabled again. I have always had Remote Assistance disabled. In fact, even in Services I have all the Remote entries disabled. The services are not being re-enabled, but the Remote Assistance checkbox in Windows Firewall IS being reset each time I reboot, and most of the other exceptions that had already been set are lost altogether. This s
  6. Couldn't find a way to restrict the scan to C:, so I let it run until most of C: & D: were done and then stopped it. It found three threats, all of which were identifiable by me: pskill - I use it to kill local processes from a batch file before running games; ipscan - I use it to scan my network for open ports; lzx32 - quarantined by ComboFix (this was the culprit and is zipped up inside the Combo quarantine folder). Couple of comments, couple of questions. First, I think I'll hold on to all the handy tools I have used during this process, don't see any need to trash them... any reason I shouldn'
  7. Kaspersky online was slower than a dog... 1% complete after 6 hours... fook that... downloaded the latest Kaspersky but it wouldn't install as long as I had Avast installed... sorry, I already paid for Avast and I like the script monitoring feature...
  8. Oops, forgot I had run Avenger where I had already killed those files:
     Logfile of The Avenger version 1, by Swandog46
     Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\fjobmayi
     *******************
     Script file located at: \??\C:\Program Files\kroancfe.txt
     Script file opened successfully.
     Script file read successfully
     Backups directory opened successfully at C:\Avenger
     *******************
     Beginning to process script file:
     File C:\XP\system32\71430B71.exe deleted successfully.
     File C:\chdir.bat not found!
     Deletion of file C:\chdir.bat failed!
     Could not process line: C
  9. OK, will do... the new tasks I created... I was just trying to get the Task Scheduler to work... wanted to see if I deleted a task and recreated it... but no luck... I have those tasks backed up so I am probably about to delete all of them... at present they keep trying to run but just generate 'could not start' messages... will work the Java over next... get back to you later today... and as always, thanks
  10. lol, I just saw the VFP start thing in the registry report which you had me fix with the .reg file... that should stop that bad boy from resurfacing, thanks. Can't believe I didn't think to scan the report for mentions of VFP... --- On second look, Y: is the CD drive and those files are only on the CD... so something else was running first...
  11. *************************
      Rustock.b-fix v. 1.01 -- By ejvindh
      *************************
      Tue 05/22/2007 13:56:46.09
      No Rustock.b-rootkits found
      *******************************
      End of Logfile
      ********************************
  12. Running the rustbfix thingy again next
  13. OK, second ComboFix scan with all protective programs off did better (see below). Perhaps the Combo was picking up on something in Spydetector? Anyway, it found no lzx32 this time... curious.... As for the task manager thingy: 0x80090016: Keyset does not exist. I have googled the hell out of that one and tried every fix I could find, including deletion of the RSA files, etc. There are no registry entries that MS talks about. I did find a few people complaining about this problem after applying updates.
      "Staypuffer" - 2007-05-22 9:58:48 Service Pack 2
      ComboFix 07-05.20.9.V - Running from:
  14. Oh, and btw, fwiw, somewhere in this whole process my Task Scheduler got broken... always gives me a 0x80090016 error... tried all the published fixes for it to no avail; the Task Scheduler can no longer see or set credentials...
  15. Well, chit... I ran ComboFix, but I forgot to turn off all my protective programs first. Immediately upon execution Spydetector popped up a window that said "Rustock.b successfully removed". Then towards the end of the scan another popup saying Trojan.Agent removed. Then Combo said disinfecting and rebooting. After reboot, the following log was generated:
      "Staypuffer" - 2007-05-22 9:18:29 Service Pack 2
      ComboFix 07-05.20.9.V - Running from: "J:\Spywaredetector\"
      Rootkit driver lzx32 is present. A rootkit scan is required
      ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2
  16. File uploaded... will post ComboFix log shortly... Sysinternals, yes... great replacement for Task Manager... still wondering why the USB interrupts were triggering with no disk access, but then I think USB drives are polled... one reason why they stink... btw, you've been plenty of help, thanks
  17. OK, I think I figured it out... I downloaded a program called Process Explorer which is more detailed than Task Manager (of course everything Windows has built in sucks compared to third-party alternatives!). This program broke the activity down much better. The spikes were coming from hardware interrupts. Hardware interrupts? Yep. It was all the USB drives. I disconnected the USB drives and voilà... the interrupt load went down, as did the overall activity, which now hovers between 0-4%... acceptable if not perfect. I'm hoping the system is now clean. Let me know if you see anything else in the
  18. BlackLight didn't find anything. BTW, I have 8 other machines in here including some servers. Even with apps running on them, most of them idle at 0-2%, only spiking when an app does something (such as a web hit). Even then the spike is small and non-repetitive. The activity here is repetitive and continuous... I'm pretty sure there's still a rogue process running somewhere....
  19. OK, thanks for all your help.. a couple of notes: I finally let the installer go... whatever it did, it did, and it has not come back the last few reboots. The rootkit program runs the hidden file scan but crashes near the end every time... I've checked the disk for errors but nada... at that point only one file is listed in the window... to the best of my knowledge no log is ever written for that function; the other three logs are copied below.. As for resource usage, in safe mode of course the Task Manager looks right. I disabled ALL of the programs, however, for these tests, following the instructions
  20. btw, what's an HIP program? (sorry for the dummy question)
  21. Using the one found here: http://www.antirootkit.com/software/RootKit-Unhooker.htm Hope this is the same.
  22. I cannot reach the server where the unhooker program is located... got another link for it? How about an IP address (perhaps it's a DNS issue?).
  23. Below is the log you asked for:
      Rustock.b-ADS attached to the System32-folder:
      Attempting to remove ADS...
      Looking for Rustock.b-files in the System32-folder:
      ECHO is off.
      *******************
      Post-run Status of system
      *******************
      Rustock.b-driver on the system:
      YOU NEED TO CONSULT MORE ADVANCED TOOLS!!
      The Gmer-rootkitscanner may be a good place to start.
      Gmer rootkit-scanner may be found here: http://www.gmer.net
      Rustock.b-ADS attached to the System32-folder:
      ECHO is off.
      You should either run the tool again or consult more advanced tools
      The Gmer-rootkitscanner may be a good place to s
  24. I ran AVG in safe mode, reran ComboFix, and for a brief period it looked as though this might have done it... but alas... the Windows Installer for VFP9 persisted in popping up continuously on every reboot until I let it run... here is the AVG and another current HijackThis log:
      Logfile of HijackThis v1.99.1
      Scan saved at 1:24:51 AM, on 5/21/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Running processes:
      C:\XP\System32\smss.exe
      C:\XP\system32\winlogon.exe
      C:\XP\system32\services.exe
      C:\XP\system32\lsass.exe
      C:\XP\system32\svchost.exe
      C:\XP\System32\
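The Rustock.b-fix output in post 23 reports an alternate data stream (ADS) attached to the System32 folder, and ComboFix in posts 6 and 15 names the driver lzx32; none of the logs on this page show how to see such a stream yourself. The script below is an added example, not code from the thread or from any of the tools it mentions: it enumerates named streams on directories (a directory has no default data stream, so anything listed is something that was deliberately attached) and hashes each one so it can be matched against a known sample. It assumes PowerShell 3.0 or later for `Get-Item -Stream`; the thread itself ran on Windows XP, and the target directory list is my own choice.

```powershell
# Added example, not from the thread or from any tool named on the page.
# Lists named alternate data streams attached to directories and hashes them.
# Assumes PowerShell 3.0+ (Get-Item -Stream) and an NTFS volume.

function Get-DirectoryAds {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            Write-Warning "Skipping (not a directory): $dir"
            continue
        }
        # A directory has no default ':$DATA' stream, so every stream reported
        # here is a named ADS that something deliberately attached to it.
        Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $streamPath = '{0}:{1}' -f $dir, $_.Stream
                # Read the stream through .NET, which accepts the dir:stream form,
                # and hash it so the sample can be compared with a known signature.
                $sha256 = $null
                try {
                    $bytes  = [System.IO.File]::ReadAllBytes($streamPath)
                    $algo   = [System.Security.Cryptography.SHA256]::Create()
                    $sha256 = ($algo.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
                } catch {
                    Write-Warning "Could not read $streamPath : $_"
                }
                [pscustomobject]@{
                    Directory = $dir
                    Stream    = $_.Stream
                    Bytes     = $_.Length
                    SHA256    = $sha256
                    Path      = $streamPath
                }
            }
    }
}

# Directories worth checking first (my choice, extend for your environment).
$targets = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot"
)

$found = @(Get-DirectoryAds -Path $targets)
if ($found.Count -eq 0) {
    'No named alternate data streams on the checked directories.'
} else {
    $found | Format-Table -AutoSize
}
```

A confirmed-malicious stream can be deleted with `Remove-Item -LiteralPath $dir -Stream <name>` once the driver that loads it is no longer running. The caveat that matters here is the one the Rustock.b-fix log itself hints at by pointing to Gmer: a kernel rootkit that is still active can hide its own stream from this user-mode enumeration, so an empty result on a machine you suspect is live-infected is inconclusive; run the check from a clean boot or against the offline disk before trusting it.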
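Post 5 describes firewall exceptions being lost and the Remote Assistance exception coming back after every reboot, observed by eye in the firewall dialog. The script below is an added example, not from the thread: it snapshots the firewall profiles, the rule set and the Remote Assistance policy value to a text file, and on each later run diffs against the previous snapshot, so a change across a reboot appears as concrete lines rather than a checkbox that looks wrong. It assumes a current Windows with the NetSecurity module (`Get-NetFirewallRule`, `Get-NetFirewallProfile`, Windows 8 or later; the XP-era firewall in the thread had `netsh firewall` instead) and the `fAllowToGetHelp` value under `HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance`; the snapshot directory is my own choice.

```powershell
# Added example, not from the thread. Snapshots firewall and Remote Assistance
# settings and diffs them against the previous run. Assumes Windows 8+ with the
# NetSecurity module; run it before and after a reboot and read the diff.

param([string]$SnapshotDir = "$env:ProgramData\fw-snapshots")

function Get-ConfigSnapshot {
    # One normalised line per item, sorted, so that ordering or cosmetic
    # differences between runs do not show up as changes.
    $lines = @()
    foreach ($p in Get-NetFirewallProfile) {
        $lines += 'profile|{0}|enabled={1}|inbound={2}' -f $p.Name, $p.Enabled, $p.DefaultInboundAction
    }
    foreach ($r in Get-NetFirewallRule) {
        $lines += 'rule|{0}|{1}|{2}|enabled={3}|{4}' -f $r.DisplayName, $r.Direction, $r.Action, $r.Enabled, $r.Profile
    }
    $raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    $ra = Get-ItemProperty -Path $raKey -Name fAllowToGetHelp -ErrorAction SilentlyContinue
    $raValue = if ($ra) { $ra.fAllowToGetHelp } else { 'missing' }
    $lines += 'remote-assistance|fAllowToGetHelp={0}' -f $raValue
    $lines | Sort-Object -Unique
}

function Get-PreviousSnapshot {
    param([string]$Dir)
    Get-ChildItem -Path $Dir -Filter '*.txt' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime |
        Select-Object -Last 1
}

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$current  = Get-ConfigSnapshot
$previous = Get-PreviousSnapshot -Dir $SnapshotDir

if (-not $previous) {
    'First snapshot taken; run again after the reboot to see the diff.'
} else {
    $diff = Compare-Object -ReferenceObject (Get-Content -LiteralPath $previous.FullName) `
                           -DifferenceObject $current
    if (-not $diff) {
        'No changes since {0}.' -f $previous.Name
    } else {
        'Changes since {0} (<= was present before, => is present now):' -f $previous.Name
        $diff | ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
    }
}

$stamp = '{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date)
$current | Set-Content -LiteralPath (Join-Path $SnapshotDir $stamp)
```

Reading the diff: a rule line that appears only with `<=` is an exception that was dropped, and a `remote-assistance|fAllowToGetHelp=1` line arriving with `=>` is the checkbox coming back on. Because the snapshot is taken from the live configuration store rather than the dialog, it also catches a change that a compromised or reset profile applies before the GUI is opened, which is the situation post 5 describes.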