CastleCops, Internet Crime Fighters
[DONE] icedemon and outpost/ewido?

Forum: Rootkit Revelations
vault (Cadet; joined Jul 18, 2006; 9 posts; USA)
Posted: Tue Jul 18, 2006 11:25 pm    Subject: icedemon and outpost/ewido?

Hi, I'm new here. :)

I have no symptoms at all of a rootkit, but yesterday I removed some adware and some trojans using the guide in your wiki.

I'm on XP Pro, and I just yesterday started using Outpost firewall and NOD32 antivirus.

Anyway, I was looking around this forum and I decided to download and run icedemon.

The only processes that show up as red when I click SSDT are ewido and outpost. So I took two screenshots and attached them here.

Are ewido and outpost supposed to show up in red like that and have different before and after addresses?

Btw, I dunno if this is relevant but the trojans/adware I removed yesterday are here (this is a copy/paste from outpost):

7/17/2006 8:48:14 PM Quarantine Adware Media-Motor
7/17/2006 8:48:14 PM Quarantine Adware Delfin
7/17/2006 8:48:01 PM Object Detected Adware Delfin
7/17/2006 8:48:01 PM Object Detected Adware Media-Motor
7/17/2006 5:25:09 PM Quarantine Adware IPInsight
7/17/2006 5:25:09 PM Quarantine Adware MyWay
7/17/2006 5:25:09 PM Quarantine Adware WeatherBug
7/17/2006 5:25:09 PM Quarantine Adware Aws
7/17/2006 5:25:09 PM Quarantine Trojan Lmir
7/17/2006 5:25:09 PM Quarantine Adware BHO SideFind
7/17/2006 5:25:09 PM Quarantine Adware iSearch desktop search
7/17/2006 5:25:09 PM Quarantine Adware Dollar Revenue
7/17/2006 5:25:09 PM Quarantine Adware Best Offers
7/17/2006 5:25:09 PM Quarantine System monitoring PC Tattletale
7/17/2006 5:25:09 PM Quarantine Adware WebSearch Toolbar
7/17/2006 5:24:08 PM Object Detected System monitoring PC Tattletale
7/17/2006 5:24:08 PM Object Detected Adware BHO SideFind
7/17/2006 5:24:08 PM Object Detected Adware WebSearch Toolbar
7/17/2006 5:24:08 PM Object Detected Adware WebSearch Toolbar
7/17/2006 5:24:08 PM Object Detected Adware WeatherBug
7/17/2006 5:24:08 PM Object Detected Adware IPInsight
7/17/2006 5:24:08 PM Object Detected Adware Aws
7/17/2006 5:24:08 PM Object Detected Trojan Lmir
7/17/2006 5:24:08 PM Object Detected Adware MyWay
7/17/2006 5:24:08 PM Object Detected Adware iSearch desktop search
7/17/2006 5:24:08 PM Object Detected Adware Dollar Revenue
7/17/2006 5:24:08 PM Object Detected Adware Best Offers
7/17/2006 5:24:08 PM Object Detected Adware Best Offers
7/17/2006 5:24:08 PM Object Detected Adware Best Offers
7/17/2006 5:24:08 PM Object Detected Adware Best Offers
7/17/2006 5:24:08 PM Object Detected Adware MyWay
7/17/2006 5:24:08 PM Object Detected System monitoring PC Tattletale
7/17/2006 5:24:08 PM Object Detected Adware Best Offers

Anyway, thanks for any help/advice you can give...I really appreciate the service and community you guys provide here.

[Attachment: cheebus2.JPG, 246.16 KB (screenshot)]
[Attachment: cheebus1.JPG, 246.88 KB (screenshot)]
negster22 (Security Expert, Premium Member; joined Mar 10, 2004; 5394 posts; groups: Moderators, MVP, Premium, RootKit Detection Hosts, Rootkit Experts, Security Experts, SRT)
Posted: Wed Jul 19, 2006 1:16 am

Hi vault,

It is completely normal and desirable for your Firewall and AV to hook the SSDT to protect your system.

You should worry about red entries in the Process or Win32 Services function displays of IceSword. However, security programs that innocently hook the SSDT will show up in red using IceSword's Kernel Module function, so those red entries are not diagnostic for a rootkit.

As far as the rest of your findings go, why not complete the Malware Removal and Prevention procedure; afterwards, you can post a HijackThis log to verify that all infections have been removed. The directions for doing that are in the MRP. Many of the Adware programs listed in your scan results should be removable via the Add/Remove Programs feature in the Control Panel. That step is also part of the MRP, and you can use Uninstall Malware via Add/Remove Programs by chaslang as a reference to guide you along.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008
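The point of the reply above is that a red (changed) SSDT entry is only a lead, not a verdict: what matters is which module now owns the handler. The script below is an added example, not IceSword's code and not from anyone in this thread. It takes a snapshot of "before" and "after" handler addresses plus the loaded-module list and sorts the changed slots into hooks explained by drivers the user knowingly installed, hooks by a visible module nobody vouched for, and hooks whose handler lies outside every listed module (the pattern a hidden rootkit driver produces). Every address, base and size is constructed sample data for a 32-bit XP-era kernel, and example_fw.sys, example_av.sys and example_other.sys are hypothetical placeholder names.

```python
"""Triage of SSDT hook reports of the kind IceSword shows in red.

Added example for this thread, not IceSword's code and not from the
thread's authors. Every address, module base and size below is constructed
sample data for a 32-bit XP-era kernel, and the driver names example_fw.sys,
example_av.sys and example_other.sys are hypothetical placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class KernelModule:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class SsdtEntry:
    index: int      # slot in KeServiceDescriptorTable
    name: str       # Nt* syscall served by that slot
    original: int   # handler address derived from the on-disk ntoskrnl ("before")
    current: int    # handler address read from the live table ("after")


# Constructed loaded-module list, as a scanner would read it from the kernel.
MODULES: List[KernelModule] = [
    KernelModule("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    KernelModule("example_fw.sys", 0xF7A10000, 0x20000),     # hypothetical firewall driver
    KernelModule("example_av.sys", 0xF7B40000, 0x18000),     # hypothetical anti-spyware driver
    KernelModule("example_other.sys", 0xF7C00000, 0x10000),  # hypothetical, not a known security product
]

# Drivers the user knows they installed (firewall, AV); hooks from these are expected.
TRUSTED: Set[str] = {"example_fw.sys", "example_av.sys"}

# Constructed SSDT snapshot: one clean slot, two hooks by trusted drivers, one hook
# by a visible but unvouched module, one hook pointing outside every listed module.
ENTRIES: List[SsdtEntry] = [
    SsdtEntry(0x25, "NtCreateFile", 0x8057A1C0, 0x8057A1C0),
    SsdtEntry(0x7A, "NtOpenProcess", 0x805C8F1A, 0xF7A12340),
    SsdtEntry(0x91, "NtQueryDirectoryFile", 0x805B3E60, 0xFE3C0120),
    SsdtEntry(0xAD, "NtQuerySystemInformation", 0x8060A8D0, 0xF7B41000),
    SsdtEntry(0x101, "NtTerminateProcess", 0x805D2A40, 0xF7C01234),
]


def owner_of(addr: int, modules: List[KernelModule]) -> Optional[str]:
    """Name of the loaded module whose image range covers addr, or None."""
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    return None


def classify(entry: SsdtEntry, modules: List[KernelModule], trusted: Set[str]) -> Tuple[str, Optional[str]]:
    """Verdict for one slot: a changed entry only becomes interesting once you know who owns it."""
    if entry.current == entry.original:
        return "clean", "ntoskrnl.exe"
    owner = owner_of(entry.current, modules)
    if owner is None:
        # Handler lives in memory that no listed driver accounts for: a hidden
        # module, which is what a rootkit looks like and deserves attention first.
        return "hooked-unattributed", None
    if owner in trusted:
        return "hooked-trusted", owner
    return "hooked-visible", owner


def triage(entries, modules, trusted):
    """(index, syscall, verdict, owner) for every slot, in table order."""
    return [(e.index, e.name) + classify(e, modules, trusted) for e in entries]


def needs_investigation(entries, modules, trusted):
    """Only the hooks that are not explained by software the user installed."""
    return [r for r in triage(entries, modules, trusted)
            if r[2] in ("hooked-visible", "hooked-unattributed")]


if __name__ == "__main__":
    for index, name, verdict, owner in triage(ENTRIES, MODULES, TRUSTED):
        print(f"{index:#06x}  {name:<26} {verdict:<20} {owner or '<no listed module>'}")
```

Run as-is it prints the five verdicts; in practice the TRUSTED set is the list of security products you actually installed, and the interesting output is needs_investigation(), which is empty on a machine where only the firewall and AV hook the table.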
vault (Cadet)
Posted: Wed Jul 19, 2006 2:20 am

Ok good to know that it's normal for outpost/ewido.

Yeah, I've already removed all the malware I could with Ad Aware, Microsoft's thing, Outpost's anti-spyware thing, nod32, trojanhunter and I ran TheCleaner as well. I had to manually delete sagnt.exe though...

Anyway, here is my HijackThis log, thanks:

Logfile of HijackThis v1.99.1
Scan saved at 10:19:31 PM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\StatsRemote\StatsRemote.exe
C:\WINDOWS\system32\jdbgmgr.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\CCleaner\ccleaner.exe
F:\Utilities\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {521DE235-2988-11D7-816B-00409530B8B6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.5\THGuard.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/091a30b768c8bcb1c205/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147236100196
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe (file missing)
O23 - Service: WUSB54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe (file missing)

negster22 (Security Expert, Premium Member)
Posted: Wed Jul 19, 2006 6:56 pm

Hi vault,

I thought you were going to post the HJT log in the HJT forum, but that is OK, I'll take care of it here. Smile

First, you will have to Temporarily Disable Real Time Monitoring Programs listed here, while we complete the fixes.

Click 'Scan' to perform a HijackThis scan and place a checkmark next to the following items. Close ALL other windows and browsers except HijackThis. Click "fix checked".

O3 - Toolbar: (no name) - {521DE235-2988-11D7-816B-00409530B8B6} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/091a30b768c8bcb1c205/netzip/RdxIE601.cab

Only if you have the open system32 folder problem described here, you can also check and fix the following entry in HJT:
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG

Close HijackThis


Next, you need to update your Sun Java Runtime Environment (JRE) to Version 5.0 Update 7, since older versions of the JRE which remain on your computer are known to contain vulnerabilities.
1. First, remove any older versions of the Sun Java Platform from the Add/Remove Programs screen
2. Reboot your system
3. Download a new version at the Java website by selecting the Windows (Offline Installation) option.
4. Verify that the current version is installed properly by clicking here

After installing the latest version of the JRE, you should also delete the program folders for the older versions of Java which are still present on your system but which you are no longer using in C:\program files\java\

Choose between ewido and TrojanHunter active protection components (TrojanGuard and the ewido guard), but don't use both.

Your log shows that you have the Microsoft Debugger Registrar for Java running. This is probably fine, but just to verify that it is the real Windows version of the file, please upload the following file and test it at one of these scanners:
C:\WINDOWS\system32\jdbgmgr.exe

1. Virus Total Scanner
2. Jotti malware scan page
3. Virus.Org Rogue File Scanning Service

There is more information in this link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322993

Please read this material on how to Prevent Reinfection. It will describe how to flush your system restore points, and provide other important tips on surfing safely.


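The fixes above follow a few recognisable patterns in an HJT log: an O3 toolbar whose DLL is gone, an O16 ActiveX download the user never needed, and an O4 Run value that names no executable (the cause of the system32 folder opening at logon). The script below is an added example, not HijackThis code and not the moderator's procedure; it encodes those rules together with routine O20/O23 checks and runs them over lines copied from the log posted in this thread. Treating microsoft.com and windowsupdate.com as expected O16 sources is an assumption made for illustration, and a "fix" verdict means "tick it in HJT after review", never an automatic action.

```python
"""Rule-based triage of HijackThis v1.99 log lines.

Added example for this thread; it is not HijackThis code and not the
moderator's procedure. The rules encode the kinds of entries the reply
above acts on (an O3 toolbar with "(no file)", an O16 ActiveX download, an
O4 Run value with no executable) plus routine O20/O23 checks. Treating
microsoft.com and windowsupdate.com as expected O16 sources is an assumption
made for illustration.
"""
import re
from urllib.parse import urlparse

# Sample input: lines copied from the log posted above in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {521DE235-2988-11D7-816B-00409530B8B6} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/091a30b768c8bcb1c205/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147236100196
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe (file missing)
"""

EXPECTED_O16_HOSTS = ("microsoft.com", "windowsupdate.com")  # assumption, see lead-in

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^[^:]*: \[[^\]]*\] ?(.*)$")               # "HKLM\..\Run: [Name] command"
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|com|scr|dll))"?(?:\s|,|$)', re.IGNORECASE)
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")


def _expected_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in EXPECTED_O16_HOSTS)


def triage_line(line: str):
    """Return (verdict, section, reason, line) or None when the line needs no comment."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.groups()
    if sec in ("O2", "O3") and body.endswith("(no file)"):
        return ("fix", sec, "orphaned BHO/toolbar registration; the DLL it points at is gone", line)
    if sec == "O4":
        m4 = O4_RE.match(body)
        if not m4:
            return None
        exe = EXE_RE.match(m4.group(1))
        if not exe:
            # An empty Run command is what makes Explorer open system32 at logon.
            return ("fix", sec, "Run value names no executable", line)
        if "\\" not in exe.group(1):
            return ("review", sec, "executable given without a path, so it is found by PATH search", line)
        return None
    if sec == "O16":
        m16 = O16_RE.match(body)
        if not m16:
            return None
        host = urlparse(m16.group(3)).hostname or ""
        if _expected_host(host):
            return ("info", sec, f"ActiveX control from expected update host {host}", line)
        return ("review", sec, f"ActiveX control downloaded from {host}; remove unless still needed", line)
    if sec == "O20":
        return ("review", sec, "DLL loaded into every process (AppInit_DLLs) or into winlogon (Notify); "
                               "confirm it belongs to installed software", line)
    if sec == "O23":
        if body.endswith("(file missing)"):
            return ("fix", sec, "service registered but its binary is gone", line)
        if " - Unknown owner - " in body:
            return ("review", sec, "service binary carries no vendor information", line)
        return None
    return None


def triage(log: str):
    """All findings for a whole log, in log order."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]


def counts(log: str):
    out = {"fix": 0, "review": 0, "info": 0}
    for verdict, *_ in triage(log):
        out[verdict] += 1
    return out


if __name__ == "__main__":
    for verdict, sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{verdict:>6}] {sec}: {reason}\n         {line.strip()}")
    print(counts(SAMPLE_LOG))
```

On the sample the three "fix" verdicts are exactly the entries the reply above tells the poster to check, while the firewall's own O4 and O23 lines and the NOD32 service pass without comment; the "review" verdicts (bare executables found via PATH, the AppInit hook, a non-Microsoft ActiveX cab) are the entries worth a second look before ticking anything.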
vault (Cadet)
Posted: Wed Jul 19, 2006 7:46 pm

Ok thanks negster, I've done all that, and I downloaded the Dell utility from the link you gave to fix the \system32\ issue (which has been that way for a couple years heh).

jdbgmgr.exe didn't show any viruses on the two sites I tried.

So my only question now is...which spyware/trojan thing should I leave?

I already have NOD32 and Outpost running for antivirus and firewall. Is there another lightweight program with real-time spyware protection that I should use...like a-squared or spysweeper or something? I don't mind paying for one.

thanks again

negster22 (Security Expert, Premium Member)
Posted: Wed Jul 19, 2006 8:55 pm

nod32 will protect you against most trojans and viruses.

I have used both TH and ewido active protection, and I found my AV (nod) always got to any trojan intruder before either of them did.

If you want light on resources, then use WinPatrol, but it is not true real-time protection; it cycles at a preset time interval, and so does TH.

Both CounterSpy and SpySweeper are rated very highly as on-demand scanners, but I don't know how resource heavy SS is. I personally use CS, but its active protection is not light on resource usage. However, if you have the resources to spare it is OK, and it self-adjusts according to the resource demands placed upon the system by other programs. I know that sounds impossible, but I have studied it, and it does.

You can always try trial versions of AS programs and check their usage stats using Process Explorer. If I had to augment my AV active protection and I was willing to pay for it, I would probably go with a HIPS program like ProcessGuard. I know ProcessGuard was intentionally designed to be light on resources, and it is worth the protection it affords. Also, PG uses a kernel-level driver that enables it to function seamlessly and efficiently, while effectively protecting you from threats. The Diamond developers have incorporated their vast knowledge of trojan mechanics (remember TDS-3) into the design of PG.
