CastleCops, Internet Crime Fighters
[DONE] Persistent hidden svchost process that keeps coming back
SugoiBen

Trooper
Joined: Mar 26, 2007
Posts: 17
Location: USA

PostPosted: Mon Mar 26, 2007 10:05 pm    Post subject: Persistent hidden svchost process that keeps coming back

So I've managed to clear off a few rootkits from my Win2k Server box.

Including one that changes sens to use a set of files (zewgsfj .dll, .tmp, etc.) that are hidden from Windows but sitting in C:/Program Files/Internet Explorer/Connection Wizard/

And also a hidden service called dnsvr; I think that one was loading C:\Program Files\Common Files\System\mssetup.msi, or something like that, which was also hidden from Windows.

But with Rootkit Unhooker I was able to identify and eradicate those.

However, there is a persistent hidden process that I can't figure out. There is always a copy of svchost.exe running that is hidden from Windows.

Rootkit Unhooker, GMER, and IceSword all see it.

Sometimes this svchost.exe spawns an IE process that is also hidden. Usually when it succeeds in doing so, the two rootkits noted above reappear.

Now I can just kill the svchost.exe from any of the above-mentioned tools.
However, when I do that, said tools think just about every running process is hidden. The Windows Task Manager only shows a few things as still alive. However, everything continues to work, just... not visible to the system.

The most annoying bit about all this is that the box in question is a webserver hosting three sites. And every time all those rootkits above reappear, the other thing that appears is that one of the sites is being hijacked. A single line of JavaScript is inserted into one of the site's header files that calls http:www.google9.info/al.js

That generates a lot of hits on a lot of sites, and sometimes manages to redirect you from reaching my site. So it's some kind of hack, where they are using this annoyingly persistent rootkit to get in. So I figure if I get rid of that, I get rid of the hijackings. But I'm at wit's end trying to eradicate it.
Anyone with any ideas out there?

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394


PostPosted: Tue Mar 27, 2007 2:42 am    Post subject:

First of all - you should block this in your hosts file on all PCs:
http:www.google9.info/al.js

To do that - open this file in notepad:
C:\WINNT\SYSTEM32\DRIVERS\ETC

Skip two blank lines after this entry:
127.0.0.1 localhost
which should already be there.

and add the following line:
127.0.0.1 http:www.google9.info/al.js

Next, you should post a fresh RKU and Gmer log from the infected Win2K server.

Also, can I see the Process and Kernel Module logs from IceSword?

And last but not least, an HJT log. Use the directions here to obtain it:
http://wiki.castlecops.com/Malware_Removal:_Reference_HijackThis_Log

Please rename Hijackthis.exe --> SugoiBen.exe before running the HJT scan. There is no need to rename the log file. Then post the HJT log, Gmer, RKU and the IceSword logs indicating any red entries in the IceSword logs.

If you need clarification of any of these instructions, please let me know. I have not gone into detail since you are familiar with most of these programs.


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
SugoiBen

Trooper
Joined: Mar 26, 2007
Posts: 17
Location: USA

PostPosted: Tue Mar 27, 2007 5:38 pm    Post subject: logs

Adding that google line to my local hosts file won't do any good, since the request is coming from the clients connecting to my site. They are the ones getting redirected. I'd just like to stop the code from showing up every hour or so.

I suppose it's also worth mentioning that I've run several virus scans since my first post, and they all seem to be finding, but failing to clean, a TrojanDropper:Win32/Hupigon.gen

Here are the logs:

RkUnhooker:
>SSDT State
>Processes
!!!!!!!!!!!Hidden process: C:\WINNT\system32\svchost.exe
Process Id: 544
EPROCESS Address: 0x88B305E0

>Drivers
>Files
Suspect File: C:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System
Suspect File: C:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System
>Hooks
wanarp.sys+0x000067C5, Type: Inline - RelativeJump at address 0xF673E7C5 hook handler located in [unknown_code_page]
wanarp.sys+0x000067D9, Type: Inline - RelativeJump at address 0xF673E7D9 hook handler located in [unknown_code_page]
wanarp.sys+0x000067E1, Type: Inline - RelativeJump at address 0xF673E7E1 hook handler located in [unknown_code_page]
wanarp.sys+0x000067F5, Type: Inline - RelativeCall at address 0xF673E7F5 hook handler located in [unknown_code_page]
wanarp.sys+0x000067FD, Type: Inline - RelativeCall at address 0xF673E7FD hook handler located in [unknown_code_page]
wanarp.sys+0x00006805, Type: Inline - RelativeJump at address 0xF673E805 hook handler located in [unknown_code_page]
wanarp.sys+0x0000680D, Type: Inline - RelativeJump at address 0xF673E80D hook handler located in [unknown_code_page]
wanarp.sys+0x00006815, Type: Inline - RelativeJump at address 0xF673E815 hook handler located in [unknown_code_page]
wanarp.sys+0x0000681D, Type: Inline - RelativeJump at address 0xF673E81D hook handler located in [unknown_code_page]
wanarp.sys+0x00006825, Type: Inline - RelativeJump at address 0xF673E825 hook handler located in [unknown_code_page]
wanarp.sys+0x0000682D, Type: Inline - RelativeJump at address 0xF673E82D hook handler located in [unknown_code_page]
wanarp.sys+0x00006835, Type: Inline - RelativeJump at address 0xF673E835 hook handler located in [unknown_code_page]
wanarp.sys+0x0000683D, Type: Inline - RelativeJump at address 0xF673E83D hook handler located in [unknown_code_page]
wanarp.sys+0x00006845, Type: Inline - RelativeJump at address 0xF673E845 hook handler located in [unknown_code_page]
wanarp.sys+0x0000684D, Type: Inline - RelativeCall at address 0xF673E84D hook handler located in [unknown_code_page]
wanarp.sys+0x00006855, Type: Inline - RelativeJump at address 0xF673E855 hook handler located in [unknown_code_page]
wanarp.sys+0x0000685D, Type: Inline - RelativeCall at address 0xF673E85D hook handler located in [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

Icesword process:
Process:

System Idle Process
System
C:\WINNT\system32\SMSS.EXE
C:\WINNT\system32\CSRSS.EXE
C:\WINNT\system32\WINLOGON.EXE
C:\WINNT\system32\SERVICES.EXE
C:\WINNT\system32\LSASS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\svchost.exe <- Red One
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LLSSRV.EXE
D:\PROGRA~1\MICROS~1\MSSQL\Binn\sqlservr.exe
D:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
D:\Program Files\Dantz\Client\REMOTSVC.EXE
D:\Program Files\Dantz\Client\Retroclient.exe
C:\WINNT\system32\mstask.exe
C:\WINNT\system32\SNMP.EXE
C:\WINNT\system32\userdump.exe
C:\WINNT\system32\wbem\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\RkUnhooker\040ieje.exe
C:\WINNT\system32\dfssvc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Documents and Settings\Administrator\Desktop\procexp.exe
D:\PROGRA~1\MICROS~1\MSSQL\Binn\sqlagent.exe
C:\IISDebugTools\_IISCHAgent.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\DLLHOST.EXE
C:\WINNT\system32\DLLHOST.EXE
C:\WINNT\system32\DLLHOST.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\TASKMGR.EXE
C:\WINNT\system32\DLLHOST.EXE
C:\WINNT\system32\mdm.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\IceSword.exe


Ice sword kernel:
Kernel Module:

\WINNT\System32\ntoskrnl.exe
\WINNT\System32\hal.dll
\WINNT\System32\BOOTVID.dll
rkhdrv31.sys
ACPI.sys
\WINNT\System32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINNT\System32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
Diskperf.sys
dmload.sys
dmio.sys
PartMgr.sys
atapi.sys
disk.sys
\WINNT\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
Dfs.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\System32\DRIVERS\e1000nt5.sys
\SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\ati2mpad.sys
\SystemRoot\System32\DRIVERS\cdrom.sys
\SystemRoot\System32\DRIVERS\fdc.sys
\SystemRoot\System32\DRIVERS\i8042prt.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\System32\DRIVERS\serial.sys
\SystemRoot\System32\DRIVERS\serenum.sys
\SystemRoot\System32\DRIVERS\parport.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\System32\DRIVERS\openhci.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\System32\DRIVERS\parallel.sys
\SystemRoot\System32\DRIVERS\rdpdr.sys
\SystemRoot\System32\DRIVERS\ks.sys
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\flpydisk.sys
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\EFS.SYS
\SystemRoot\System32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\DRIVERS\HIDCLASS.SYS
\SystemRoot\System32\DRIVERS\hidusb.sys
\SystemRoot\System32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\ASPI32.SYS
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\??\C:\WINNT\system32\win32k.sys
\SystemRoot\System32\ati2drad.dll
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\drivers\termdd.sys
\??\C:\WINNT\system32\drivers\tmcomm.sys
\SystemRoot\system32\drivers\userdump.sys
\SystemRoot\System32\drivers\spud.sys
\SystemRoot\System32\DRIVERS\ipsec.sys
\??\C:\WINNT\system32\Drivers\PROCEXP100.SYS
\SystemRoot\System32\Drivers\IsDrv120.sys
\WINNT\system32\NTDLL.DLL



GMER:
GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2007-03-27 13:40:26
Windows 5.0.2195 Service Pack 4


---- Processes - GMER 1.0.11 ----

Process C:\WINNT\system32\svchost.exe (*** hidden *** ) 544

---- Files - GMER 1.0.11 ----

ADS C:\Documents and Settings\admin$\Application Data\Opera\Opera\profile\cache4\opr00003.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\admin$\Application Data\Opera\Opera\profile\cache4\opr00004.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\admin$\Application Data\Opera\Opera\profile\cache4\opr00005.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\admin$\Application Data\Opera\Opera\profile\cache4\opr00006.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\admin$\Application Data\Opera\Opera\profile\cache4\opr00007.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\admin$\Application Data\Opera\Opera\profile\cache4\opr00009.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\admin$\Application Data\Opera\Opera\profile\cache4\opr0000B.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\admin$\Application Data\Opera\Opera\profile\cache4\opr0000C.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\admin$\Application Data\Opera\Opera\profile\cache4\opr0000D.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\admin$\Application Data\Opera\Opera\profile\cache4\opr0000E.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\admin$\Application Data\Opera\Opera\profile\cache4\opr0000G.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...

---- EOF - GMER 1.0.11 ----


HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:13:18 PM, on 3/27/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
D:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
d:\Program Files\Dantz\Client\Remotsvc.exe
d:\Program Files\Dantz\Client\retroclient.exe
C:\WINNT\system32\mstask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\userdump.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
\?\C:\IISDebugTools\_IISCHAgent.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\mdm.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\procexp.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\SugoiBen.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gene2drug.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A66473E0-5C40-45D3-A1D9-5D857C59F00E}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gene2drug.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gene2drug.com,scienceboard.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gene2drug.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gene2drug.com,scienceboard.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gene2drug.com,scienceboard.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\system32\dmadmin.exe
O23 - Service: Persits Software EmailAgent - Unknown owner - D:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe" /run (file missing)
O23 - Service: Retrospect Client - Dantz Development Corporation - d:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: UPNON - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UPNON.exe

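
An added example, not from this thread or from the GMER/RKU authors, that parses the line formats seen in the GMER and Rootkit Unhooker logs posted in this thread and separates the items an analyst chases: hidden processes, hidden in-process modules, SSDT entries diverted to a module outside the Windows directory, and inline hooks whose handler sits in unmapped code. The sample log is constructed, and treating AVG's guard.sys as an expected SSDT owner is an assumption.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the GMER / Rootkit Unhooker line formats posted in this
# thread; the PIDs and addresses are illustrative, not copied from the logs.
SAMPLE_LOG = r"""GMER 1.0.11.11390 - http://www.gmer.net
---- System - GMER 1.0.11 ----

SSDT \??\C:\PROGRAM FILES\INTERNET EXPLORER\CONNECTION WIZARD\zewgsfej.sys ZwQueryDirectoryFile
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess

---- Processes - GMER 1.0.11 ----

Process C:\WINNT\system32\svchost.exe (*** hidden *** ) 548
Library a (*** hidden *** ) @ C:\WINNT\System32\svchost.exe [588] 0x10000000
Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 972

wanarp.sys+0x000067C5, Type: Inline - RelativeJump at address 0xF673E7C5 hook handler located in [unknown_code_page]
wanarp.sys+0x000067F5, Type: Inline - RelativeCall at address 0xF673E7F5 hook handler located in [unknown_code_page]
"""

# One pattern per line shape that appears in the thread's logs.
HIDDEN_PROC = re.compile(r"^Process\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+(?P<pid>\d+)$")
HIDDEN_LIB = re.compile(r"^Library\s+(?P<name>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<host>.+?)"
                        r"\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$")
SSDT_HOOK = re.compile(r"^SSDT\s+(?P<module>.+)\s+(?P<func>Zw\w+)$")
INLINE_HOOK = re.compile(r"^(?P<module>[\w.]+)\+0x[0-9A-Fa-f]+,\s+Type:\s+Inline\s+-\s+(?P<kind>\w+)"
                         r"\s+at address 0x(?P<addr>[0-9A-Fa-f]+)\s+hook handler located in \[(?P<handler>[^\]]+)\]$")

NT_PREFIX = "\\??\\"                       # GMER prints SSDT owners as \??\C:\...
WINDOWS_SYSTEM = "c:\\winnt\\system32\\"   # Win2k system directory, as in the logs above


@dataclass
class Triage:
    hidden_processes: list = field(default_factory=list)  # (path, pid)
    hidden_libraries: list = field(default_factory=list)  # (name, host exe, pid, base)
    ssdt_expected: list = field(default_factory=list)     # (module, Zw function)
    ssdt_unexpected: list = field(default_factory=list)
    inline_hooks: list = field(default_factory=list)      # (module, kind, address, handler)


def ssdt_owner_is_expected(module: str, allowlist: frozenset[str]) -> bool:
    """An SSDT entry should point into the kernel or a known security driver;
    anything else (here: a .sys under Connection Wizard) is a rootkit hook."""
    path = module.lower()
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.startswith(WINDOWS_SYSTEM) or path.rsplit("\\", 1)[-1] in allowlist


def triage_ark_log(text: str, allowlist: frozenset[str] = frozenset()) -> Triage:
    """Pull the actionable lines out of a GMER / RKU text log."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_PROC.match(line):
            t.hidden_processes.append((m["path"], int(m["pid"])))
        elif m := HIDDEN_LIB.match(line):
            t.hidden_libraries.append((m["name"], m["host"], int(m["pid"]), int(m["base"], 16)))
        elif m := SSDT_HOOK.match(line):
            bucket = t.ssdt_expected if ssdt_owner_is_expected(m["module"], allowlist) else t.ssdt_unexpected
            bucket.append((m["module"], m["func"]))
        elif m := INLINE_HOOK.match(line):
            t.inline_hooks.append((m["module"], m["kind"], int(m["addr"], 16), m["handler"]))
    return t


def findings(t: Triage) -> list[str]:
    """Human-readable list, one entry per thing an analyst should chase."""
    out = [f"hidden process {path} pid={pid}" for path, pid in t.hidden_processes]
    out += [f"hidden module '{name}' at {base:#x} inside {host} pid={pid}"
            for name, host, pid, base in t.hidden_libraries]
    out += [f"SSDT {func} diverted to non-system module {module}" for module, func in t.ssdt_unexpected]
    per_driver = Counter(module for module, *_ in t.inline_hooks)
    for module, n in per_driver.items():
        unknown = sum(1 for mod, *_, handler in t.inline_hooks
                      if mod == module and handler == "unknown_code_page")
        out.append(f"{n} inline hook(s) in {module}, {unknown} with handler in unmapped code")
    return out


if __name__ == "__main__":
    # guard.sys is AVG Anti-Spyware's driver in this thread's logs; treating it as
    # expected is an assumption for the sample, not a general rule.
    for line in findings(triage_ark_log(SAMPLE_LOG, allowlist=frozenset({"guard.sys"}))):
        print(line)
```

Without an allowlist every SSDT owner outside the Windows directory is reported, which is the safer default when you do not know which security products are installed.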
negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394


PostPosted: Wed Mar 28, 2007 1:13 am    Post subject:

svchost is a legit system process, so it isn't the process itself that is bad, but it is probably launching a DLL that is malicious and inline hooking the valid driver wanarp.sys. It's also hiding processes that establish a backdoor (iexplore) to cover its tracks.

The rootkit logs are only helpful in that they provide the PID of the svchost, which can help locate the hidden DLL. I suspect the rootkit is user mode because no hidden drivers were located by the better ARKs (unless all ARKs are being subverted).

I want you to do a couple of things to see if we can locate what the hidden svchost is launching. Open IceSword, click Processes, and get the PID (Process ID) of the hidden svchost.

Please open a Notepad file and copy all this information to it, so you can follow the directions when you run your scans. You should be off the internet when doing your scans.

Download Autoruns:
http://www.microsoft.com/technet/sysinternals/utilities/autoruns.mspx

Download Process Explorer: -> I see you already have this, but just make sure you have the current version.
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx

Download AntiHookExec.zip from:
http://www.security.org.sg/code/antihookexec.html
I hope it runs on Win 2K!!

Make sure all files and folders are visible:
Go to Start -> Control Panel -> Folder Options ->View
Under Hidden files and folders,

  • Check Show hidden files and folders.
  • Uncheck Hide file extensions for known file types.
  • Uncheck Hide Protected Operating System Files


Close all programs except the ones I instruct you to run.

Unzip AntiHookExec to C:\ and it will create its own folder called C:\AntiHookExec
Now add the AntiHookExec path to the PATH environment variable: right-click My Computer | Properties | Advanced | Environment Variables. When the Environment Variables window opens, under System Variables, double-click PATH, and in the box that opens append the following to the end of the path variable value exactly as written (including the semicolon). The easiest thing to do is just copy and paste the line below. Do not alter or delete anything else in the path:
;C:\AntiHookExec\AntiHookExec\

Now exit this function

Create a folder called C:\Autoruns and unzip Autoruns to that location.
Open Autoruns and under the Options menu set the following options:

Check Hide Signed Microsoft Entries
Check Verify code signatures
Uncheck Include Empty Locations

Once it finishes scanning (you will see 'Ready' in the bottom left corner), click File | Save As and save the file as Autorunsb4.txt in the Autoruns folder.
Now exit Autoruns.

Open a run line (start | run )
Paste the following command in the run box and click OK (assumes Autoruns path is as shown in the command).
AntiHookExec C:\Autoruns\Autoruns.exe

Same settings as before under options:
Check Hide Signed Microsoft Entries
Check Verify code signatures
Uncheck Include Empty Locations

When the scan is complete you will see 'Ready' in the lower left corner
Click File |Compare
Autoruns will display in green any new items, which correspond to entries that are not present in the previously saved file (Autorunsb4.txt).
Now examine all the autostarts in the screen display and tell me if you see any that are green.
File | Save as and save the file to Autorunsafter.txt in the Autoruns folder
I want you to post both these logs labelled correctly in your next reply.

Once that is done,
Open a run line (start | run )
Paste the following command in the run box and click OK.
AntiHookExec C:\Procexp\procexp.exe
Process Explorer should open
On the menu bar click - Options and make sure Verify Image Signatures is checked.
Find the svchost corresponding to the hidden svchost's PID in IceSword, click on it, and in the lower pane all the DLLs loaded by that svchost will appear.
Click on the "Company Name" column header; this will sort the DLLs so any with a blank company name appear at the top of the list.
Now, on the menu bar, click File | Save As and save a log to PEwinlog.txt

Now, click on System (in the process tree). PE will now scan all drivers and verify that they are signed. This will take a while and your CPU will run at 100% until the scan is finished. In the bottom pane, you should see a list of SYS files.
Again, on the menu bar click File | Save As and save the file to PEDrivers.txt

Open a run line (start | run )
Paste the following command in the run box and click OK:
AntiHookExec "C:\Program Files\Hijackthis\SugoiBen.exe " <=== you need the quotes this time
Hijackthis should open
Perform a Hijackthis scan and save the log for posting in your next reply.

It is very possible that the rootkit may not run in safe mode, so what I'd like you to do is boot into safe mode, then launch IceSword or Gmer, click the processes and see if there is a hidden svchost present.

If not then anything it was hiding should be visible and the DLL it loads should also be visible.

Before you do that I want you to download and install AVG Anti-Spyware. The directions are here and you should print them out. Before scanning with AVG Anti-Spyware, first boot into safe mode:
Windows 2000, XP:
1. Restart the computer
2. Watch the screen while it is black. After the BIOS memory check is done, start tapping the F8 key. If done right, the Windows Advanced Options Menu will appear.
3. Select Safe Mode from the menu. Starting Windows in Safe Mode may take several minutes

Next, run IceSword or Gmer and click the Process tab, to see if a hidden svchost is running or not, and report that back. Next perform an AVG AS scan while still in safe mode. After you are done scanning, please post the log back in your next reply.

Reboot normally.

Then post back all the logs (Autoruns b4 and after, PE, HJT, AVG AS) and answer my questions please. Also please post the log which identified the trojan (Backdoor.Win32.Hupigon) that keeps returning so I can see what file it was associated with.

Quote:
adding that google line to my local hosts file won't do any good, since the request is coming from the clients connecting to my site. They are the ones getting redirected. I'd just like to stop the code from showing up every hour or so.

I said to block it on all the PCs (since they are networked), and you can add these domains, which are all associated with the same dodgy http:www.google9.info/al.js URL. Put www. in front of all except the one in red:
kiss-search.net
looktrack.com
validppc.com
s2.cnzz.com
mygole.com
adrogo.com
365searchs.com


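
The cross-view check this thread is doing by hand (a kernel-level list from IceSword or GMER against the API-level list from Task Manager or HijackThis), as an added Python example that is not part of the thread. The two listings are constructed, abridged excerpts modelled on the logs posted above, and the scanner names excluded as timing noise are an assumption.

```python
from __future__ import annotations

from collections import Counter

# Constructed, abridged listings modelled on the IceSword process list and the
# HijackThis "Running processes" section posted in this thread (not verbatim).
ICESWORD_VIEW = r"""
System Idle Process
System
C:\WINNT\system32\SMSS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe <- Red One
C:\WINNT\system32\svchost.exe
D:\PROGRA~1\MICROS~1\MSSQL\Binn\sqlservr.exe
C:\IISDebugTools\_IISCHAgent.exe
C:\Documents and Settings\Administrator\Desktop\IceSword.exe
"""

API_VIEW = r"""
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
\?\C:\IISDebugTools\_IISCHAgent.exe
C:\Program Files\Hijackthis\SugoiBen.exe
"""

# Kernel pseudo-processes that no Windows API enumeration reports.
PSEUDO_PROCESSES = {"system idle process", "system"}
NT_PREFIXES = ("\\??\\", "\\?\\")


def normalize(entry: str) -> str | None:
    """Canonical form of one listing line so the two views can be compared.

    Drops a human annotation such as '<- Red One', strips NT object prefixes,
    and lowercases the path (Windows paths are case-insensitive, and the two
    tools disagree on 'System32' vs 'system32' and on drive-letter case).
    """
    entry = entry.split("<-", 1)[0].strip()
    if not entry:
        return None
    for prefix in NT_PREFIXES:
        if entry.startswith(prefix):
            entry = entry[len(prefix):]
    return entry.lower()


def parse_listing(text: str) -> Counter:
    """Multiset of normalized paths. Duplicates matter: the hidden svchost is
    one of several legitimate svchost.exe instances, so a plain set diff
    would never see it."""
    seen: Counter = Counter()
    for line in text.splitlines():
        key = normalize(line)
        if key and key not in PSEUDO_PROCESSES:
            seen[key] += 1
    return seen


def cross_view_diff(kernel_view: str, api_view: str,
                    scanner_names: frozenset[str] = frozenset()) -> tuple[dict, dict]:
    """Compare a kernel-level enumeration against a Windows API enumeration.

    Returns (hidden, api_only): hidden maps each path to how many more times
    the kernel view reports it than the API view (the cross-view signal for a
    hidden process); api_only is the reverse and is normally scan-timing noise.
    scanner_names (lowercase basenames) removes the tools that produced the
    listings, since each one only runs during its own scan.
    """
    kernel, api = parse_listing(kernel_view), parse_listing(api_view)
    hidden = kernel - api          # Counter subtraction keeps positive counts only
    api_only = api - kernel

    def basename(path: str) -> str:
        return path.rsplit("\\", 1)[-1]

    hidden = {p: n for p, n in hidden.items() if basename(p) not in scanner_names}
    api_only = {p: n for p, n in api_only.items() if basename(p) not in scanner_names}
    return hidden, api_only


if __name__ == "__main__":
    hidden, noise = cross_view_diff(ICESWORD_VIEW, API_VIEW,
                                    scanner_names=frozenset({"icesword.exe", "sugoiben.exe"}))
    for path, extra in hidden.items():
        print(f"{extra} instance(s) of {path} seen only by the kernel-level view")
    for path in noise:
        print(f"only in API view (timing noise?): {path}")
```

The same function serves the normal-mode versus safe-mode comparison suggested above: feed it the two listings and anything the rootkit was hiding shows up in the surplus.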
negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394


PostPosted: Wed Mar 28, 2007 4:16 pm    Post subject:

Another question, from your HJT log
O23 - Service: UPNON - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UPNON.exe
- I can see you ran Rootkit Revealer. Did any suspicious entries appear in the RKR scan report?


SugoiBen

Trooper
Joined: Mar 26, 2007
Posts: 17
Location: USA

PostPosted: Thu Mar 29, 2007 12:03 am    Post subject: No go on antihookexec

A couple of new developments.

First, I found a couple of web-accessible files that apparently were being used to access my web server code. Cleaned those up, and the changes to my website have ceased. So that was just someone hacking in and screwing around. So one issue down, I think.

They might have been triggering whatever viruses are there to re-spawn somehow, because since I cleaned that up, everything has been quiet today. No surreptitious Internet Explorer instances running. I have copies of this sneaky lil ASP file that was used, if anyone is interested.

That hidden svchost process is still there. And I know it might be totally legit, but it still bugs me. So I attempted to forge ahead with your suggestions.

First stumbling block, however, was that apparently AntiHookExec does not run on Win2k Server. It just opened a DOS window, spit out a ton of hex or something, and then had a memory fault and exited. Seeing what it does, that would have been quite handy in narrowing this down.

Second stumbling block: I couldn't schedule any downtime for the server today, so I wasn't able to run the AVG scan in safe mode. Since it's been out so much lately, people were rather keen to get some work done while it was (semi-)healthy. Gonna try tomorrow to get some time to take it down and run all those scans.

Rootkit Revealer had pointed me towards a few hidden things which I was able to clean up. Runs reveal nothing but a bunch of registry entries with embedded nulls. Significant maybe? I'll run that tomorrow and post the results with the rest.

And sorry for the confusion on the hosts file item. I realized what you meant when I read it back later. Luckily, this server in question is the only PC I have to worry about on our network.

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394


PostPosted: Thu Mar 29, 2007 1:19 am    Post subject:

Sorry, I checked the AntiHookExec page and I could not locate what versions of Windows it works on.

You can do the Autoruns before and after logs using a normal mode to safe mode comparison instead.

The scans are fast so do it when you do the AVG scan.

Though the svchost file is legit, the fact that something is hiding it is not legit at all - so that is what we are trying to identify.

I would appreciate any scan reports that show the file responsible for that backdoor trojan that wouldn't delete.

I would also like to see the RKR log too, please.


SugoiBen

Trooper
Joined: Mar 26, 2007
Posts: 17
Location: USA

PostPosted: Thu Mar 29, 2007 7:42 pm    Post subject: gone?!

Ok, so this morning I come in, and there is that mysterious IE process again. Back with a vengeance. Accompanying it was that same file I've cleaned a bunch of times before:
c:\program files\internet explorer\connection wizard\zewgsfej.dll

But I let it be this time. Ran a bunch of scans with it alive:

Gmer:

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2007-03-29 14:06:25
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.11 ----

SSDT \??\C:\PROGRAM FILES\INTERNET EXPLORER\CONNECTION WIZARD\zewgsfej.sys ZwDeviceIoControlFile
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\PROGRAM FILES\INTERNET EXPLORER\CONNECTION WIZARD\zewgsfej.sys ZwQueryDirectoryFile
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Processes - GMER 1.0.11 ----

Process C:\WINNT\system32\svchost.exe (*** hidden *** ) 548
Library a (*** hidden *** ) @ C:\WINNT\System32\svchost.exe [588] 0x10000000

Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 972

---- EOF - GMER 1.0.11 ----


RKR:

HKLM\SECURITY\Policy\Secrets\gthrsvc:{91379E99-58C6-4228-8CDC-D55FB0EB6B90}* 3/21/2003 12:43 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\gthrsvc:{EA7A691B-71D7-4E4A-AB97-C11E2AEB90BF}* 3/21/2003 10:00 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC* 3/20/2003 1:28 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 3/20/2003 1:28 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{2A3D2958-1FFC-43DB-A16C-9CBFEB447AE5}* 10/15/2004 12:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 3/20/2003 1:04 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{7FB03B61-56CE-4DB1-92AA-017892F81173}* 5/27/2004 11:52 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{988A797B-FED8-416A-8362-7535C43CD01E}* 6/13/2003 10:34 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{A23F2C02-BAEB-4001-9586-A0F1C98D9D1C}* 6/13/2003 10:35 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{BDB5FB11-E00D-434C-8D1A-7AACBB863CC8}* 6/13/2003 10:33 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{BEF902EB-032D-4968-8B94-DA57914E7D2D}* 6/20/2004 4:32 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C9A1FE85-84AD-4DB9-B9DD-7DFB937A2083}* 3/24/2003 7:08 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{CCC38ECE-37B7-4783-9185-9E63665C0D76}* 6/17/2005 10:46 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{F5757399-B70D-4925-8370-99FAEEEF9044}* 6/28/2004 10:30 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{FA528AC6-C048-4A73-8ACB-1FF6C0544087}* 3/30/2006 12:26 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\TS:InternetConnectorPswd* 3/20/2003 1:03 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:a2873dfc-a9d9-482a-bd7a-6f6c1a0ab5ab* 3/20/2003 1:03 PM 0 bytes Key name contains embedded nulls (*)
C:\Program Files\Internet Explorer\Connection Wizard\zewgsfej.dll 3/28/2007 8:54 PM 36.35 KB Hidden from Windows API.
C:\Program Files\Internet Explorer\Connection Wizard\zewgsfej.sys 3/28/2007 8:54 PM 7.25 KB Hidden from Windows API.


IceSword Process:

Process:

System Idle Process
System
C:\WINNT\system32\SMSS.EXE
C:\WINNT\system32\CSRSS.EXE
C:\WINNT\system32\WINLOGON.EXE
C:\WINNT\system32\SERVICES.EXE
C:\WINNT\system32\LSASS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LLSSRV.EXE
D:\PROGRA~1\MICROS~1\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\mstask.exe
D:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
D:\Program Files\Dantz\Client\REMOTSVC.EXE
D:\Program Files\Dantz\Client\Retroclient.exe
C:\WINNT\system32\SNMP.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\userdump.exe
C:\WINNT\system32\wbem\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\dfssvc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
D:\PROGRA~1\MICROS~1\MSSQL\Binn\sqlagent.exe
C:\IISDebugTools\_IISCHAgent.exe
C:\WINNT\system32\DLLHOST.EXE
C:\WINNT\system32\DLLHOST.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\DLLHOST.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mdm.exe
C:\WINNT\system32\DLLHOST.EXE
C:\Documents and Settings\Administrator\Desktop\IceSword.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

Ice sword kernel:

Kernel Module:

\WINNT\System32\ntoskrnl.exe
\WINNT\System32\hal.dll
\WINNT\System32\BOOTVID.dll
rkhdrv31.sys
ACPI.sys
\WINNT\System32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINNT\System32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
Diskperf.sys
dmload.sys
dmio.sys
PartMgr.sys
atapi.sys
disk.sys
\WINNT\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
Dfs.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\System32\DRIVERS\e1000nt5.sys
\SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\ati2mpad.sys
\SystemRoot\System32\DRIVERS\cdrom.sys
\SystemRoot\System32\DRIVERS\fdc.sys
\SystemRoot\System32\DRIVERS\i8042prt.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\System32\DRIVERS\serial.sys
\SystemRoot\System32\DRIVERS\serenum.sys
\SystemRoot\System32\DRIVERS\parport.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\System32\DRIVERS\openhci.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\System32\DRIVERS\parallel.sys
\SystemRoot\System32\DRIVERS\rdpdr.sys
\SystemRoot\System32\DRIVERS\ks.sys
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\flpydisk.sys
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\EFS.SYS
\SystemRoot\System32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\DRIVERS\HIDCLASS.SYS
\SystemRoot\System32\DRIVERS\hidusb.sys
\SystemRoot\System32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\DRIVERS\AvgAsCln.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
\SystemRoot\System32\Drivers\ASPI32.SYS
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\??\C:\WINNT\system32\win32k.sys
\SystemRoot\System32\ati2drad.dll
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\??\C:\WINNT\system32\SVKP.sys
\SystemRoot\System32\drivers\termdd.sys
\??\C:\WINNT\system32\drivers\tmcomm.sys
\SystemRoot\system32\drivers\userdump.sys
\??\C:\PROGRAM FILES\INTERNET EXPLORER\CONNECTION WIZARD\zewgsfej.sys
\SystemRoot\System32\drivers\spud.sys
\SystemRoot\System32\DRIVERS\ipsec.sys
\SystemRoot\System32\Drivers\IsDrv120.sys
\WINNT\system32\NTDLL.DLL

SugoiBen
PostPosted: Thu Mar 29, 2007 7:47 pm    Post subject: and then...

So now that I did my scans, and had the nasty there and active I had an excuse to take the server down, and put it into safe mode.

Got it there, and checked IceSword. No hidden svchost. Excellent.

So next up was the AVG scan, which found all sorts of fun stuff:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:42:39 PM 3/29/2007

+ Scan result:



C:\WINNT\system32\Updatar.exe -> Backdoor.Bifrost : Cleaned.
C:\WINNT\G_Server.DLL -> Backdoor.Hupigon.aqw : Cleaned.
C:\WINNT\G_Server.exe -> Backdoor.Hupigon.ccy : Cleaned.
C:\WINNT\G_SERVERKEY.DLL -> Backdoor.Hupigon.eez : Cleaned.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\B5YUP2FI\gl[1].exe -> Backdoor.PcClient : Cleaned.
C:\Documents and Settings\bioinfo\Local Settings\Temporary Internet Files\Content.IE5\B5YUP2FI\gl[1].exe -> Backdoor.PcClient : Cleaned.
C:\Program Files\Internet Explorer\Connection Wizard\zewgsfej.ime -> Backdoor.PcClient.it : Cleaned.
C:\WINNT\system32\oylbkqgg.d1l -> Backdoor.PcClient.ye : Cleaned.
C:\Program Files\TrojanHunter 4.6\Quarantine\O0dUo.dat -> Backdoor.RAdmin.c : Cleaned.
C:\Documents and Settings\bioinfo\Cookies\bioinfo@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\root@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\bioinfo\Cookies\bioinfo@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\root@techrepublic.com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\root@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\root@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Administrator\Cookies\root@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Default User\Cookies\system@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Administrator\Cookies\root@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Administrator\Cookies\root@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

SugoiBen
PostPosted: Thu Mar 29, 2007 8:03 pm    Post subject: and then...

After AVG cleaned up all that stuff, I booted back to normal mode. svchost still there, IE still there. I had forgotten to delete that zewgsfej.dll file while I had it in safe mode. Also forgot to check the autoruns.
So back to safe mode and did that.
I had run the autorunsb4.log yesterday when things were quiet. This is what it looked like then:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ Service Manager.lnk SQL Server Service Manager (Not verified) Microsoft Corporation c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
+ application/octet-stream Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\winnt\system32\mscoree.dll
+ application/x-complus Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\winnt\system32\mscoree.dll
+ application/x-msdownload Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\winnt\system32\mscoree.dll
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0 File not found: About:Home
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ CRLUpdate UPDCRL (Not verified) Microsoft Corporation c:\winnt\system32\updcrl.exe
+ n/a Microsoft .NET IE SECURITY REGISTRATION (Not verified) Microsoft Corporation c:\winnt\system32\mscories.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ sasseh.dll ShellExecuteHook (Not verified) SuperAdBlocker.com c:\program files\superantispyware\sasseh.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Display Panning CPL Extension File not found: deskpan.dll
+ EditPlus Context Menu Handler d:\program files\editplus 2\eppshell.dll
+ Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\winnt\system32\mscoree.dll
+ Shell Icon Handler for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\winnt\system32\dfshim.dll
+ ShellLink for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\winnt\system32\dfshim.dll
+ TrojanHunter Menu Shell Extension c:\program files\trojanhunter 4.6\contmenu.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. d:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. d:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. d:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. d:\program files\winzip\wzshlstb.dll
HKLM\System\CurrentControlSet\Services
+ AppMgSvc Processes application Management Service for applications as the c:\program files\common files\microsoft shared\msinfo\msinfo.msi
+ MSSEARCH Creates full-text indexes on content and properties of structured and semi-structured data to allow fast linguistic searches on this data (Not verified) Microsoft Corporation c:\program files\common files\system\mssearch\bin\mssearch.exe
+ MSSQLSERVER SQL Server Windows NT (Not verified) Microsoft Corporation d:\program files\microsoft sql server\mssql\binn\sqlservr.exe
+ Persits Software EmailAgent EmailAgent 5.0.0.2 Service (Not verified) Persits Software, Inc. d:\program files\persits software\aspemail\bin\emailagent.exe
+ Retrospect Client Retrospect Client service (Not verified) Dantz Development Corporation d:\program files\dantz\client\remotsvc.exe
+ SQLSERVERAGENT Microsoft SQL Server Agent (Not verified) Microsoft Corporation d:\program files\microsoft sql server\mssql\binn\sqlagent.exe
+ udmpsvc User Dump Service/Command-Line App (Not verified) Microsoft Corporation c:\winnt\system32\userdump.exe
HKLM\System\CurrentControlSet\Services
+ gmer GMER Driver http://www.gmer.net (Not verified) GMER c:\winnt\system32\drivers\gmer.sys
+ kvpndev kvpndrv.sys (Not verified) Kerio Technologies c:\winnt\system32\drivers\kvpndrv.sys
+ oylbkqgg c:\winnt\system32\drivers\oylbkqgg.sys
+ PCDRDRV File not found: C:\PROGRA~1\Dell\OPENMA~1\oldiags\vendor\pcdoctor\modules\PCDRDRV.sys
+ PcdrNt File not found: C:\WINNT\System32\drivers\PcdrNt.sys
+ SASDIFSV SASDIFSV c:\program files\superantispyware\sasdifsv.sys
+ SASENUM SuperAntiSpyware (Not verified) SuperAdBlocker, Inc. c:\program files\superantispyware\sasenum.sys
+ SASKUTIL SASKUTIL.SYS c:\program files\superantispyware\saskutil.sys
+ tmcomm TrendMicro Common Module (Verified) Trend Micro, Inc. c:\winnt\system32\drivers\tmcomm.sys
+ udmpdrvr User Dump Service Kernel Mode Helper Device Driver (Not verified) Microsoft Corporation c:\winnt\system32\drivers\userdump.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon SUPERAntiSpyware WinLogon Processor (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll
HKCU\Control Panel\Desktop\Scrnsave.exe
+ (NONE) File not found: (NONE)
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ HP Internet Printer Connection Port HP Internet Printing Connection Port Monitor DLL (Not verified) Hewlett Packard c:\winnt\system32\hpjippmn.dll


And then in safe mode today, the after version:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ Service Manager.lnk SQL Server Service Manager (Not verified) Microsoft Corporation c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
+ application/octet-stream Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\winnt\system32\mscoree.dll
+ application/x-complus Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\winnt\system32\mscoree.dll
+ application/x-msdownload Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\winnt\system32\mscoree.dll
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0 File not found: About:Home
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ CRLUpdate UPDCRL (Not verified) Microsoft Corporation c:\winnt\system32\updcrl.exe
+ n/a Microsoft .NET IE SECURITY REGISTRATION (Not verified) Microsoft Corporation c:\winnt\system32\mscories.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ AVG Anti-Spyware 7.5 AVG Anti-Spyware shellexecutehook (Not verified) Anti-Malware Development a.s. c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
+ sasseh.dll ShellExecuteHook (Not verified) SuperAdBlocker.com c:\program files\superantispyware\sasseh.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Display Panning CPL Extension File not found: deskpan.dll
+ EditPlus Context Menu Handler d:\program files\editplus 2\eppshell.dll
+ Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\winnt\system32\mscoree.dll
+ Shell Icon Handler for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\winnt\system32\dfshim.dll
+ ShellLink for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\winnt\system32\dfshim.dll
+ TrojanHunter Menu Shell Extension c:\program files\trojanhunter 4.6\contmenu.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. d:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. d:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. d:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. d:\program files\winzip\wzshlstb.dll
HKLM\System\CurrentControlSet\Services
+ AppMgSvc Processes application Management Service for applications as the File not found: C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi
+ AVG Anti-Spyware Guard AVG Anti-Spyware guard (Not verified) Anti-Malware Development a.s. c:\program files\grisoft\avg anti-spyware 7.5\guard.exe
+ MSSEARCH Creates full-text indexes on content and properties of structured and semi-structured data to allow fast linguistic searches on this data (Not verified) Microsoft Corporation c:\program files\common files\system\mssearch\bin\mssearch.exe
+ MSSQLSERVER SQL Server Windows NT (Not verified) Microsoft Corporation d:\program files\microsoft sql server\mssql\binn\sqlservr.exe
+ Persits Software EmailAgent EmailAgent 5.0.0.2 Service (Not verified) Persits Software, Inc. d:\program files\persits software\aspemail\bin\emailagent.exe
+ Retrospect Client Retrospect Client service (Not verified) Dantz Development Corporation d:\program files\dantz\client\remotsvc.exe
+ SQLSERVERAGENT Microsoft SQL Server Agent (Not verified) Microsoft Corporation d:\program files\microsoft sql server\mssql\binn\sqlagent.exe
+ Themes Provides user experience theme management File not found: C:\Program Files\Common Files\System\Themes.exe
+ udmpsvc User Dump Service/Command-Line App (Not verified) Microsoft Corporation c:\winnt\system32\userdump.exe
HKLM\System\CurrentControlSet\Services
+ AVG Anti-Spyware Driver c:\program files\grisoft\avg anti-spyware 7.5\guard.sys
+ AvgAsCln AVG7 Clean Driver (Not verified) GRISOFT, s.r.o. c:\winnt\system32\drivers\avgascln.sys
+ gmer GMER Driver http://www.gmer.net (Not verified) GMER c:\winnt\system32\drivers\gmer.sys
+ kvpndev kvpndrv.sys (Not verified) Kerio Technologies c:\winnt\system32\drivers\kvpndrv.sys
+ oylbkqgg c:\winnt\system32\drivers\oylbkqgg.sys
+ PCDRDRV File not found: C:\PROGRA~1\Dell\OPENMA~1\oldiags\vendor\pcdoctor\modules\PCDRDRV.sys
+ PcdrNt File not found: C:\WINNT\System32\drivers\PcdrNt.sys
+ SASDIFSV SASDIFSV c:\program files\superantispyware\sasdifsv.sys
+ SASENUM SuperAntiSpyware (Not verified) SuperAdBlocker, Inc. c:\program files\superantispyware\sasenum.sys
+ SASKUTIL SASKUTIL.SYS c:\program files\superantispyware\saskutil.sys
+ SVKP File not found: C:\WINNT\system32\SVKP.sys
+ tmcomm TrendMicro Common Module (Verified) Trend Micro, Inc. c:\winnt\system32\drivers\tmcomm.sys
+ udmpdrvr User Dump Service Kernel Mode Helper Device Driver (Not verified) Microsoft Corporation c:\winnt\system32\drivers\userdump.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon SUPERAntiSpyware WinLogon Processor (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll
HKCU\Control Panel\Desktop\Scrnsave.exe
+ (NONE) File not found: (NONE)
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ HP Internet Printer Connection Port HP Internet Printing Connection Port Monitor DLL (Not verified) Hewlett Packard c:\winnt\system32\hpjippmn.dll


There were several differences of note. Most were AVG itself, since I'd run the before version before installing it. However, the other differences were the following lines:

HKLM\System\CurrentControlSet\Services
+ AppMgSvc Processes application Management Service for applications as the File not found: C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi
+ Themes Provides user experience theme management File not found: C:\Program Files\Common Files\System\Themes.exe
+ SVKP File not found: C:\WINNT\system32\SVKP.sys

Actually all the files were found at the time; I deleted all those files and have run it since. The appmgsvc one I wasn't sure about, but that file and a bunch of others in that directory (setupkey.dll, setupkey1.dll through setupkey6.dll) all had create times of 3/20/07, about when the issues started.

So deleted all of those.
Deleted the Themes.exe file.
Deleted the SVKP.sys file.

Rebooted normally.

This time I got a complaint about a service that didn't start. Checked the event log and it was the SVKP service. No complaints about AppMgSvc or anything else.

But the best part of all, that nagging svchost process is gone!!

So I assume it was one of those three things. IceSword and RkUnhooker show nothing hidden anymore. I reran AVG the second time I was in safe mode to do the autoruns check and it didn't find anything that time. The first time out it caught that zewgsfej.sys file, but not the dll along with it.

Everything seems normal again now. But still not sure if that appmgsvc was something legit that i need to repair the registry for or not.

I'm gonna rerun the mrt.exe to see if that backdoor trojan is really, really gone this time, but it appears to be gone.

Anything else I need to double check before sounding the all clear?

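The before/after comparison in the post above is the right technique: take an Autoruns baseline while the box is quiet, take another after cleanup, and look at what appeared, what disappeared, and what now points at a missing image. As an added example (not code from this thread or from Autoruns itself), here is a small Python script that performs that diff over two Autoruns text exports and flags the entries a responder would look at first. It assumes the space-flattened layout shown in the posted logs (real exports are tab-delimited, but the parser only keys on the "+ " entry prefix, so both work). The sample input is a trimmed excerpt of the two logs posted above, and the "random-looking lowercase name" heuristic is my own, not an Autoruns feature.

```python
"""Diff two Autoruns text exports and flag suspicious entries.

Added example for this thread; not part of the original posts or of
Autoruns.  Assumes the space-flattened export layout seen in the posted
logs: a location line (registry key or folder) followed by entry lines
that begin with "+ ".
"""
from collections import defaultdict

# Constructed excerpts of the "before" and "after" logs posted above,
# trimmed to a handful of lines so the example runs stand-alone.
BEFORE = r"""
HKLM\System\CurrentControlSet\Services
+ AppMgSvc Processes application Management Service for applications as the c:\program files\common files\microsoft shared\msinfo\msinfo.msi
+ MSSQLSERVER SQL Server Windows NT (Not verified) Microsoft Corporation d:\program files\microsoft sql server\mssql\binn\sqlservr.exe
HKLM\System\CurrentControlSet\Services
+ oylbkqgg c:\winnt\system32\drivers\oylbkqgg.sys
+ tmcomm TrendMicro Common Module (Verified) Trend Micro, Inc. c:\winnt\system32\drivers\tmcomm.sys
"""

AFTER = r"""
HKLM\System\CurrentControlSet\Services
+ AppMgSvc Processes application Management Service for applications as the File not found: C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi
+ AVG Anti-Spyware Guard AVG Anti-Spyware guard (Not verified) Anti-Malware Development a.s. c:\program files\grisoft\avg anti-spyware 7.5\guard.exe
+ MSSQLSERVER SQL Server Windows NT (Not verified) Microsoft Corporation d:\program files\microsoft sql server\mssql\binn\sqlservr.exe
+ Themes Provides user experience theme management File not found: C:\Program Files\Common Files\System\Themes.exe
HKLM\System\CurrentControlSet\Services
+ oylbkqgg c:\winnt\system32\drivers\oylbkqgg.sys
+ SVKP File not found: C:\WINNT\system32\SVKP.sys
+ tmcomm TrendMicro Common Module (Verified) Trend Micro, Inc. c:\winnt\system32\drivers\tmcomm.sys
"""


def parse_autoruns(text):
    """Return {location: set(entry_text)} for a flattened Autoruns export.

    Autoruns repeats a location header for each category (e.g. services
    and drivers both live under ...\CurrentControlSet\Services); entries
    under repeated headers are merged into one set.
    """
    entries = defaultdict(set)
    location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+ "):
            if location is None:
                raise ValueError("entry before any location header: %r" % line)
            entries[location].add(line[2:])
        else:
            location = line
    return entries


def suspicious_reasons(entry):
    """Heuristics a responder applies to one Autoruns entry line."""
    reasons = []
    if "File not found:" in entry:
        # The registration survives but the image is gone or hidden from
        # the API view; exactly what SVKP and Themes looked like above.
        reasons.append("image missing on disk")
    if "(Verified)" not in entry and "(Not verified)" not in entry:
        # Autoruns could not read a description/publisher: no version
        # resource, which is typical of dropped rootkit drivers.
        reasons.append("no description or publisher")
    name = entry.split()[0]
    if len(name) >= 8 and name.isalpha() and name.islower():
        # Assumption (my heuristic): generated names like oylbkqgg.
        reasons.append("random-looking lowercase name")
    return reasons


def diff_autoruns(before_text, after_text):
    """Compare two exports; return added/removed entries and flagged ones.

    'flagged' covers every entry in the AFTER export, not only new ones,
    because an implant already present in the baseline (oylbkqgg here)
    never shows up as a difference.
    """
    before = parse_autoruns(before_text)
    after = parse_autoruns(after_text)
    report = {"added": [], "removed": [], "flagged": []}
    for loc in sorted(set(before) | set(after)):
        for entry in sorted(after[loc] - before[loc]):
            report["added"].append((loc, entry))
        for entry in sorted(before[loc] - after[loc]):
            report["removed"].append((loc, entry))
        for entry in sorted(after[loc]):
            reasons = suspicious_reasons(entry)
            if reasons:
                is_new = entry not in before[loc]
                report["flagged"].append((loc, entry.split()[0], is_new, reasons))
    return report


if __name__ == "__main__":
    result = diff_autoruns(BEFORE, AFTER)
    for kind in ("added", "removed"):
        for loc, entry in result[kind]:
            print("%-7s %s :: %s" % (kind.upper(), loc, entry))
    for loc, name, is_new, reasons in result["flagged"]:
        tag = "NEW" if is_new else "OLD"
        print("FLAG %s %s :: %s (%s)" % (tag, loc, name, "; ".join(reasons)))
```

Run it as-is to see the four new entries, the one changed AppMgSvc line (it shows as removed and re-added because its image path changed to "File not found"), and four flagged names: AppMgSvc, Themes and SVKP as new, and oylbkqgg as an entry that was already in the baseline. The "no description or publisher" heuristic also fires on some legitimate third-party drivers (SASDIFSV in the full log above is one), so treat the flags as a reading order, not a verdict; the clean-up decision still rests on checking the image on disk and who signed it.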
SugoiBen
PostPosted: Thu Mar 29, 2007 8:54 pm    Post subject: still there

Hmm, well running the mrt found that trojan again.
Sitting here:
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\L4FH9K1W\723b[1].exe

I deleted it by hand, which worked fine. Dunno why nothing else seemed to be able to get rid of it.

But how come there is a cache of junk in Default User anyways? Is that what is used when that sneaky IE process was running? And would the contents of said cache give any clue as to where it was connecting to?

negster22
Security Expert
Premium Member
Joined: Mar 10, 2004
Posts: 5394
Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Security Experts SRT
PostPosted: Thu Mar 29, 2007 10:01 pm    Post subject:

RKR log - significant entries:

Quote:
C:\Program Files\Internet Explorer\Connection Wizard\zewgsfej.dll 3/28/2007 8:54 PM 36.35 KB Hidden from Windows API.
C:\Program Files\Internet Explorer\Connection Wizard\zewgsfej.sys 3/28/2007 8:54 PM 7.25 KB Hidden from Windows API.


SVKP.sys is associated with the AimVirus, a misnomer for a FU rootkit AIM worm spread by clicking embedded links contained in an AIM message which comes from someone on your buddy list - the worm steals that.

You need to run the AIMFix:
http://www.jayloden.com/update.htm

I have to look at your logs but I do have an initial impression of your AVG AS scan. When your server is not busy please repeat your AVG AS scan because I have a feeling that the rootkit files may not have been removed. I have seen this happen before.
Quote:
So now that I did my scans, and had the nasty there and active I had an excuse to take the server down, and put it into safe mode.

Got it there, and checked IceSword. No hidden svchost. Excellent.

So next up was the AVG scan, which found all sorts of fun stuff:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:42:39 PM 3/29/2007

+ Scan result:



C:\WINNT\system32\Updatar.exe -> Backdoor.Bifrost : Cleaned.
C:\WINNT\G_Server.DLL -> Backdoor.Hupigon.aqw : Cleaned. <== hidden injected DLL I was talking about
C:\WINNT\G_Server.exe -> Backdoor.Hupigon.ccy : Cleaned.
C:\WINNT\G_SERVERKEY.DLL -> Backdoor.Hupigon.eez : Cleaned.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\B5YUP2FI\gl[1].exe -> Backdoor.PcClient : Cleaned.
C:\Documents and Settings\bioinfo\Local Settings\Temporary Internet Files\Content.IE5\B5YUP2FI\gl[1].exe -> Backdoor.PcClient : Cleaned.
C:\Program Files\Internet Explorer\Connection Wizard\zewgsfej.ime -> Backdoor.PcClient.it : Cleaned.
C:\WINNT\system32\oylbkqgg.d1l -> Backdoor.PcClient.ye : Cleaned.
C:\Program Files\TrojanHunter 4.6\Quarantine\O0dUo.dat -> Backdoor.RAdmin.c : Cleaned.


I believe that the Hupigon trojan creates a default user folder, among other baddies, which is what you are seeing. Here is the Kaspersky threat database report on it:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=125203

Quote:
This backdoor will give a remote malicious user full access to the victim machine. The program is a Windows DLL file. The file size may vary significantly.
Installation

This backdoor will be installed on the victim machine by another malicious program.

When installing, the backdoor extracts a DLL file from its executable file and saves it to the Windows root directory under the following name:
%WinDir%\G_Server2006Key.DLL

This file will be detected by Kaspersky Anti-Virus as Backdoor.Win32.Hupigon.bxb.


I hate to say this - but given the se