I think my computer has been hijacked
vidapura
2008-09-21, 16:06
Hello, I am a newbie and this is my first post.
I have tried to follow the instructions for posting to this malware forum.
I updated hijack this to 2.0.2
I confirmed that I have windows xp SP2
I updated and scanned with spybot, in safe mode. The scan showed nothing.
I followed the instructions for copying the HJT log file here using notepad and unchecked "word wrap" but it looks like it still wrapped, sorry.
The reason I think my computer (or my browser?) may have been hijacked is that when I open the Task Manager it shows applications running which I did not choose to run, e.g. OneGamePlace, MonsterMarketPlace.com, wwwkkexecom, etc. I ended those, but when I go to Processes and end iexplore.exe it keeps coming back.
I am concerned because I do quite a bit of online shopping for my business and I have also downloaded a few different, supposedly, anti-spyware programs to scan my computer.
Any assistance in determining if I have a virus or malware, and getting my computer cleaned up and better protected would be greatly appreciated.
My anti-virus software is Norton 2002 which won't let me update. My firewall is Sygate personal firewall pro, which I have not updated for some time.
Thank you
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:31 AM, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINNT\system32\spoolsv.exe
c:\temps\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\explorer.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.aol.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.aol.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINNT\System32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINNT\System32\hkcmd.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [WorksFUD] "C:\Program Files\Microsoft Works\wkfud.exe"
O4 - HKLM\..\Run: [NAV Agent] "C:\PROGRA~1\NORTON~1\navapw32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] "C:\WINNT\system32\rundll32.exe" sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] "C:\WINNT\UpdReg.EXE"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue ProcessQuickLink 2] "C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" /autostart
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil9b.exe
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINNT\system32\inf\svchoct.exe C:\WINNT\wftadfi16_080828a.dll tanlt88
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe (file missing)
O9 - Extra button: CachePal - {5F4A4622-8370-440e-88CC-CA2256D1A08A} - C:\WINNT\system32\cachepal.exe
O9 - Extra 'Tools' menuitem: CachePal - {5F4A4622-8370-440e-88CC-CA2256D1A08A} - C:\WINNT\system32\cachepal.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.real.com
O16 - DPF: {093500E9-F79F-4C52-A9B5-D8C7E4B3023E} (ParallelGraphics Installer Class) - http://www.outline3d.com/main/installer.cab?key=6bf0
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {810B649C-CEAE-4AC9-BF26-81341B49E913} (ParallelGraphics PlanEditor Control) - http://www.outline3d.com/main/pecontrol.cab?key=d035
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab?key=49d7
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCXs/CtORWebClientNoMFC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94D067A0-E9AB-4540-85FD-094E0AE2F987}: NameServer = 205.188.146.145
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINNT\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Internet Service - Unknown owner - C:\WINNT\smss.exe (file missing)
O23 - Service: TCP IP Service (Messager) - Unknown owner - c:\temps\svchost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
--
End of file - 11682 bytes
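As an added example (not part of this thread, and not something vidapura or Blade81 posted): a small Python script that applies, to a few lines copied from the HijackThis log above, the checks a helper performs by eye when reading such a log. It flags a core Windows binary name (smss.exe, svchost.exe) running from somewhere other than %SystemRoot%\system32, a file name one character off a system binary (svchoct.exe), an O23 service with an unknown owner or a missing file, and an autostart under the Policies\Explorer\Run key. The SYSTEM_BINARIES list, the heuristics and the function names are my assumptions, not anything from HijackThis itself; SYSTEM_ROOT is taken from the log (C:\WINNT), and the sample lines are constructed from the log above. The same functions run unchanged over a complete HijackThis log.

```python
import re

# Constructed sample: suspicious lines taken from the HijackThis log above, plus
# benign lines from the same log so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
c:\temps\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
O4 - HKLM\..\Run: [IgfxTray] "C:\WINNT\System32\igfxtray.exe"
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINNT\system32\inf\svchoct.exe C:\WINNT\wftadfi16_080828a.dll tanlt88
O23 - Service: Internet Service - Unknown owner - C:\WINNT\smss.exe (file missing)
O23 - Service: TCP IP Service (Messager) - Unknown owner - c:\temps\svchost.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
"""

SYSTEM_ROOT = r"C:\WINNT"  # from the log above; most XP installs use C:\WINDOWS

# Core Windows binaries that legitimately live only in %SystemRoot%\system32
# (explorer.exe lives in %SystemRoot% itself). A copy elsewhere, or a name one
# character off, is a classic sign of malware borrowing a trusted name.
# This list is an assumption of the example, not a HijackThis feature.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
}

# A drive letter, a backslash, then anything up to the first .exe/.dll/.sys/.ocx.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|:*?\r\n]*?\.(?:exe|dll|sys|ocx)\b', re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; catches look-alike names such as svchoct.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def expected_dir(name, system_root):
    """Directory in which a core binary is expected (lower-cased for comparison)."""
    root = system_root.lower()
    return root if name == "explorer.exe" else root + r"\system32"


def triage_line(line, system_root=SYSTEM_ROOT):
    """Return the reasons one HijackThis line deserves a second look ([] if none)."""
    reasons = []
    if "Policies\\Explorer\\Run" in line:
        reasons.append("autostart via Policies\\Explorer\\Run, a key legitimate software rarely uses")
    if line.startswith("O23") and "Unknown owner" in line:
        reasons.append("service with no publisher (Unknown owner)")
    if "(file missing)" in line:
        reasons.append("entry points at a file that no longer exists")
    for path in PATH_RE.findall(line):
        directory, _, name = path.rpartition("\\")
        lname, ldir = name.lower(), directory.lower()
        if lname in SYSTEM_BINARIES:
            want = expected_dir(lname, system_root)
            if ldir != want:
                reasons.append(f"{name} running from {directory}, expected {want}")
        else:
            for known in sorted(SYSTEM_BINARIES):
                if edit_distance(lname, known) == 1:
                    reasons.append(f"{name} is one character away from {known}")
    return reasons


def triage_log(text, system_root=SYSTEM_ROOT):
    """Map every flagged line of a HijackThis log to the reasons it was flagged."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line, system_root)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Run against the sample, four of the nine lines come back flagged: the svchost.exe process in c:\temps, the mininyust autostart (two reasons: the key and the svchoct.exe look-alike), the "Internet Service" entry (unknown owner, file missing, smss.exe outside system32) and the "Messager" service; the Sygate, IgfxTray and genuine smss.exe lines are left alone. These are review prompts, not verdicts: a helper still confirms each hit against the rest of the log before recommending removal.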
Hi
Disable Spybot's TeaTimer:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (see this link: http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
vidapura
2008-09-27, 16:44
Hi Blade81,
Thanks for your assistance. I followed all the directions as per your reply and followed all the links to install the Windows Recovery Console and ComboFix.
I disabled the Antivirus, Antispyware, and Firewall programs and re-enabled them after ComboFix was completed. I uninstalled Uniblue Registry Booster prior to all this. I had downloaded and scanned using Malwarebytes anti-malware prior to your reply. It found and I let it delete 63 issues. I did not include a copy of the report here, but did save it if you want me to post that log in the future.
Here are the ComboFix log and the HJT log.
I look forward to your reply.
ComboFix 08-09-26.01 - Owner 2008-09-27 8:11:03.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\Owner\LOCALS~1\Temp\WowInitcode.dll
C:\Documents and Settings\LocalService\Cookies\system@searchportal.information[1].txt
C:\WINNT\system32\drivers\secdrv.sys
C:\WINNT\system32\KarnaDrv.dll
C:\WINNT\system32\mywfhit.ini
C:\WINNT\system32\mywfhit.ini.tmp
C:\WINNT\system32\rtl60.bpl
C:\WINNT\system32\syspilog.pil
C:\WINNT\tawisys.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_INTERNET_SERVICE
-------\Legacy_PANDRV
-------\Legacy_SEICTRL
-------\Service_6to4
-------\Service_Pandrv
-------\Service_seictrl
((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.
2008-09-26 18:39 . 2008-09-26 18:45 <DIR> d-------- C:\XPSETUP
2008-09-22 07:50 . 2008-09-22 07:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-09-22 07:49 . 2008-09-22 07:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-22 07:49 . 2008-09-22 07:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-22 07:49 . 2008-09-10 00:04 38,528 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-09-22 07:49 . 2008-09-10 00:03 17,200 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-09-22 05:46 . 2004-08-04 03:56 388,608 --a------ C:\WINNT\system32\tmpacj2.exe
2008-09-17 08:43 . 2008-09-17 08:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\System Tweaker
2008-09-17 08:41 . 2008-09-22 07:13 <DIR> d-------- C:\Program Files\Uniblue
2008-09-17 07:41 . 2008-09-17 07:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-09-17 06:57 . 2008-09-22 13:10 <DIR> d--hs---- C:\temps
2008-08-29 08:56 . 2008-08-29 08:56 <DIR> d-------- C:\VundoFix Backups
2008-08-27 07:32 . 2008-08-27 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-27 07:20 . 2008-09-09 19:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-27 07:20 . 2008-08-30 07:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 11:16 --------- d-----w C:\Program Files\America Online 8.0
2008-09-27 11:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-09-20 12:59 --------- d-----w C:\Program Files\Trend Micro
2008-09-17 10:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-17 10:59 --------- d-----w C:\Program Files\Google
2008-09-15 11:33 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-13 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-09 23:10 --------- d-----w C:\Program Files\AdSubtract
2008-09-09 23:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-29 13:02 4,224 ----a-w C:\WINNT\system32\drivers\beep.sys
2008-08-28 10:09 164 ----a-w C:\install.dat
2008-08-27 10:27 --------- d-----w C:\Program Files\BHODemon 2
2008-08-26 11:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-04-13 17:20 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-04-13 17:20 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2007-04-17 12:37 63,128 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-09-25 04:02 11,473,724 -c--a-w C:\Program Files\videoeditmagic.exe
2005-09-23 18:05 9,199,616 -c--a-w C:\Program Files\ng_dl_v3_prod.exe
2005-07-28 20:50 5,271,552 -c--a-w C:\Program Files\PStory.msi
2005-01-28 01:24 130 -c--a-w C:\Documents and Settings\Owner\AutoUpdate.dat
2000-02-02 00:01 40,960 --sh--r C:\WINNT\system32\Karna1Drv.dll
2000-02-02 00:01 40,960 --sh--r C:\WINNT\system32\Karna2Drv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2004-06-25 147456]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 15360]
"Uniblue ProcessQuickLink 2"="C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" [2008-04-02 655640]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [2002-05-14 155648]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2002-05-14 114688]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-24 684032]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 75384]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 188416]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 2532576]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-04-01 100056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]
"CTSysVol"="C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="C:\WINNT\UpdReg.EXE" [2000-05-11 90112]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 53248]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-11 180269]
"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-08 C:\WINNT\system32\sbusbdll.dll]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
America Online Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe [2006-04-12 36939]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-04-09 598150]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-01-22 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AdSubtract\\adsub.exe"=
"C:\\WINNT\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 RioPNP;RioPNP;C:\WINNT\system32\drivers\RioPNP.sys [2000-06-06 6736]
R3 sbusb;Sound Blaster USB Audio Driver;C:\WINNT\system32\DRIVERS\sbusb.sys [2004-07-27 1643648]
S2 Ias;Ias;C:\WINNT\System32\svchost.exe [2004-08-04 14336]
S3 dwusbdnt;dwusbdnt;C:\WINNT\system32\DRIVERS\dwusbdnt.sys [2002-05-24 10368]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys [ ]
*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMREDRV
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Uniblue RegistryBooster 2009 - C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.aol.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.msn.com
R1 -: HKCU-Internet Settings,ProxyOverride = localhost
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 -: DirectAnimation Java Classes - file://C:\WINNT\Java\classes\dajava.cab
C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINNT\Java\classes\xmldso.cab
C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {093500E9-F79F-4C52-A9B5-D8C7E4B3023E} - hxxp://www.outline3d.com/main/installer.cab?key=6bf0
C:\WINNT\Downloaded Program Files\installer.inf
C:\WINNT\Downloaded Program Files\cortona_installer.dll
O16 -: {0F04992B-E661-4DB9-B223-903AB628225D} - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
C:\WINNT\Downloaded Program Files\DoMoreRunExe.INF
C:\WINNT\System32\MSSTKPRP.DLL
C:\WINNT\System32\msvbvm60.dll
C:\WINNT\System32\OLEAUT32.DLL
C:\WINNT\System32\OLEPRO32.DLL
C:\WINNT\System32\ASYCFILT.DLL
C:\WINNT\System32\STDOLE2.TLB
C:\WINNT\System32\COMCAT.DLL
C:\WINNT\System32\COMDLG32.OCX
C:\Program Files\Common Files\Symantec Shared\Script Blocking\wshom.ocx
C:\WINNT\Downloaded Program Files\DoMoreRunExe.ocx
O16 -: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k42037/sb02b.cab
C:\WINNT\Downloaded Program Files\SbCIe02b.inf
C:\WINNT\Downloaded Program Files\SbCIe02b.dll
O16 -: {810B649C-CEAE-4AC9-BF26-81341B49E913} - hxxp://www.outline3d.com/main/pecontrol.cab?key=d035
C:\WINNT\Downloaded Program Files\pecontrol.inf
C:\WINNT\Downloaded Program Files\pecontrol.dll
O16 -: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} - hxxp://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
C:\WINNT\Downloaded Program Files\cdtool.inf
C:\WINNT\Downloaded Program Files\cdTool.dll
O16 -: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} - hxxp://www.creative.com/register/OCXs/CtORWebClientNoMFC.cab
C:\WINNT\Downloaded Program Files\CtORWebClient.inf
C:\WINNT\System32\CtORWebClient.ocx
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 08:18:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINNT\system32\CTSVCCDA.EXE
C:\WINNT\system32\NMSSvc.Exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.bin
C:\WINNT\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-27 8:27:50 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-09-27 12:27:44
Pre-Run: 38,902,927,360 bytes free
Post-Run: 38,823,673,856 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
216 --- E O F --- 2008-09-12 11:32:10
----------------------------------------------------------------
New HijackThis log
----------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:11 AM, on 9/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.aol.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.aol.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINNT\System32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINNT\System32\hkcmd.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [WorksFUD] "C:\Program Files\Microsoft Works\wkfud.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] "C:\WINNT\system32\rundll32.exe" sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] "C:\WINNT\UpdReg.EXE"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue ProcessQuickLink 2] "C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil9b.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe (file missing)
O9 - Extra button: CachePal - {5F4A4622-8370-440e-88CC-CA2256D1A08A} - C:\WINNT\system32\cachepal.exe
O9 - Extra 'Tools' menuitem: CachePal - {5F4A4622-8370-440e-88CC-CA2256D1A08A} - C:\WINNT\system32\cachepal.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.real.com
O16 - DPF: {093500E9-F79F-4C52-A9B5-D8C7E4B3023E} (ParallelGraphics Installer Class) - http://www.outline3d.com/main/installer.cab?key=6bf0
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {810B649C-CEAE-4AC9-BF26-81341B49E913} (ParallelGraphics PlanEditor Control) - http://www.outline3d.com/main/pecontrol.cab?key=d035
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab?key=49d7
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCXs/CtORWebClientNoMFC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94D067A0-E9AB-4540-85FD-094E0AE2F987}: NameServer = 205.188.146.145
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINNT\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
--
End of file - 11589 bytes
Best Regards
Hi again
Upload the following file to http://www.virustotal.com and post back the results:
C:\WINNT\system32\tmpacj2.exe
Are you familiar with C:\temps folder contents?
Uninstall old Adobe Reader and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm).
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report & a fresh hjt log.
vidapura
2008-09-27, 18:25
Hello,
Thanx for the quick response.
No, I am not very familiar with C:\temps folder contents.
I will uninstall the old Adobe Reader and get the latest one, download ATF Cleaner to my desktop, and run an online scan with Kaspersky, then post back its report and a fresh HJT log soon.
I uploaded the tmpacj2.exe file to virustotal using their SSL option.
They stated that this file has already been analysed on 4/2/07.
I clicked on Show Last Report; this is what came up:
They give an option to reanalyse file now. Should I do that as well and post results?
File cmd.exe received on 09.26.2008 06:36:11 (CET)
Current status: finished
Result: 0/36 (0.00%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.9.25.0 2008.09.25 -
AntiVir 7.8.1.34 2008.09.25 -
Authentium 5.1.0.4 2008.09.25 -
Avast 4.8.1195.0 2008.09.25 -
AVG 8.0.0.161 2008.09.25 -
BitDefender 7.2 2008.09.26 -
CAT-QuickHeal 9.50 2008.09.26 -
ClamAV 0.93.1 2008.09.26 -
DrWeb 4.44.0.09170 2008.09.26 -
eSafe 7.0.17.0 2008.09.25 -
eTrust-Vet 31.6.6108 2008.09.26 -
Ewido 4.0 2008.09.25 -
F-Prot 4.4.4.56 2008.09.25 -
F-Secure 8.0.14332.0 2008.09.26 -
Fortinet 3.113.0.0 2008.09.25 -
GData 19 2008.09.26 -
Ikarus T3.1.1.34.0 2008.09.26 -
K7AntiVirus 7.10.473 2008.09.25 -
Kaspersky 7.0.0.125 2008.09.26 -
McAfee 5392 2008.09.25 -
Microsoft 1.3903 2008.09.26 -
NOD32 3472 2008.09.26 -
Norman 5.80.02 2008.09.25 -
Panda 9.0.0.4 2008.09.25 -
PCTools 4.4.2.0 2008.09.25 -
Prevx1 V2 2008.09.26 -
Rising 20.63.40.00 2008.09.26 -
Sophos 4.34.0 2008.09.26 -
Sunbelt 3.1.1668.1 2008.09.24 -
Symantec 10 2008.09.26 -
TheHacker 6.3.0.9.094 2008.09.25 -
TrendMicro 8.700.0.1004 2008.09.26 -
VBA32 3.12.8.6 2008.09.26 -
ViRobot 2008.9.26.1393 2008.09.26 -
VirusBuster 4.5.11.0 2008.09.25 -
Webwasher-Gateway 6.6.2 2008.09.25 -
Additional information
File size: 388608 bytes
MD5...: eeb024f2c81f0d55936fb825d21a91d6
SHA1..: dd47ff16176412ec2e170cda441b4a220ff52f46
SHA256: c8e419248e33efa206c3f66595118d876c36b6fe27c379174d46c770d1d198ab
SHA512: 3e486fea67e4ab8f02cc03012fef6fa489f8bfba58f958fd78cf640663bcd79a
bf93bf8a3cfc5bb20591961583be4310b5f5c1e4833e7dc6cf96dced39784f35
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4ad05056
timedatestamp.....: 0x41107ebe (Wed Aug 04 06:14:22 2004)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1f5e0 0x1f600 6.59 d7c5acc9dd906d146fc6ee708b87e8e6
.data 0x21000 0x1ca24 0x1ca00 0.17 f475a5d8db410678faa8b459e2a5fdb4
.rsrc 0x3e000 0x228b0 0x22a00 3.83 65c9f70c1dd2290a8a577394f7468c81
( 3 imports )
> msvcrt.dll: __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __initenv, _cexit, _XcptFilter, _exit, _c_exit, calloc, _wcslwr, qsort, _vsnwprintf, wcsstr, _dup2, _dup, _open_osfhandle, _close, swscanf, _ultoa, _pipe, _seh_longjmp_unwind, _setmode, wcsncmp, iswxdigit, fflush, exit, _wtol, time, srand, __set_app_type, wcsrchr, malloc, free, wcstoul, _errno, iswalpha, printf, rand, swprintf, _iob, fprintf, towlower, realloc, setlocale, _snwprintf, wcscat, _wcsupr, wcsncpy, _wpopen, fgets, _pclose, memmove, wcschr, iswspace, _tell, longjmp, wcscmp, _wcsnicmp, _wcsicmp, wcstol, iswdigit, _getch, _get_osfhandle, _controlfp, _setjmp3, _except_handler3, wcscpy, wcslen, wcsspn, towupper
> KERNEL32.dll: FlushConsoleInputBuffer, LoadLibraryA, InterlockedExchange, FreeLibrary, LocalAlloc, GetVDMCurrentDirectories, CmdBatNotification, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetThreadLocale, GetDiskFreeSpaceExW, CompareFileTime, RemoveDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, TerminateProcess, WaitForSingleObject, GetExitCodeProcess, CopyFileW, SetFileAttributesW, DeleteFileW, SetFileTime, CreateDirectoryW, FillConsoleOutputAttribute, SetConsoleTextAttribute, ScrollConsoleScreenBufferW, FormatMessageW, DuplicateHandle, FlushFileBuffers, HeapReAlloc, HeapSize, GetFileAttributesExW, LocalFree, GetDriveTypeW, InitializeCriticalSection, SetConsoleCtrlHandler, GetWindowsDirectoryW, GetConsoleTitleW, GetModuleFileNameW, GetVersion, EnterCriticalSection, LeaveCriticalSection, ExpandEnvironmentStringsW, SearchPathW, WriteFile, GetVolumeInformationW, SetLastError, MoveFileW, SetConsoleTitleW, MoveFileExW, GetBinaryTypeW, GetFileAttributesW, GetCurrentThreadId, CreateProcessW, LoadLibraryW, ReadProcessMemory, SetErrorMode, GetConsoleMode, SetConsoleMode, VirtualAlloc, VirtualFree, SetEnvironmentVariableW, GetEnvironmentVariableW, GetCommandLineW, GetEnvironmentStringsW, GetLocalTime, GetTimeFormatW, FileTimeToLocalFileTime, GetDateFormatW, GetLastError, CloseHandle, SetThreadLocale, GetProcAddress, GetModuleHandleW, SetFilePointer, lstrcmpW, lstrcmpiW, HeapAlloc, GetProcessHeap, HeapFree, MultiByteToWideChar, ReadFile, WriteConsoleW, FillConsoleOutputCharacterW, SetConsoleCursorPosition, ReadConsoleW, GetConsoleScreenBufferInfo, GetStdHandle, GetFileType, VirtualQuery, RaiseException, GetCPInfo, GetConsoleOutputCP, WideCharToMultiByte, GetFileSize, CreateFileW, FindClose, FindNextFileW, FindFirstFileW, GetFullPathNameW, GetUserDefaultLCID, GetLocaleInfoW, SetLocalTime, SystemTimeToFileTime, GetSystemTime, FileTimeToSystemTime
> USER32.dll: GetUserObjectInformationW, GetThreadDesktop, MessageBeep, GetProcessWindowStation
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=eeb024f2c81f0d55936fb825d21a91d6
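As an added example (not part of this post, and not VirusTotal's or the forum's own tooling): a small parser for the compact report text pasted above. It pulls out the per-engine rows, the hashes (including the SHA512 that wraps onto a second line in the paste) and the PE section table, then checks the claimed x/y ratio against the rows actually present, compares two reports by hash, and flags sections whose entropy suggests packing. The sample inputs are trimmed copies of the two reports in this thread (the ratio lines adjusted to the rows kept) plus one constructed report with placeholder hashes and a made-up detection name. Note that the page's first report names the file cmd.exe and the later one tmpacj2.exe with identical hashes; the hash comparison is what tells you a renamed file is bytes you have already seen.

```python
"""Parser for the 'Compact / Print results' text VirusTotal produced in 2008, as pasted in
this thread.  Added example, not the forum's or VirusTotal's own code.  REPORT_A/REPORT_B are
trimmed copies of the page's reports (ratio line adjusted); REPORT_C is constructed."""
import re
from dataclasses import dataclass, field

REPORT_A = """File cmd.exe received on 09.26.2008 06:36:11 (CET)
Result: 0/2 (0.00%)
Antivirus Version Last Update Result
Kaspersky 7.0.0.125 2008.09.26 -
Prevx1 V2 2008.09.26 -
Additional information
MD5...: eeb024f2c81f0d55936fb825d21a91d6
SHA256: c8e419248e33efa206c3f66595118d876c36b6fe27c379174d46c770d1d198ab
SHA512: 3e486fea67e4ab8f02cc03012fef6fa489f8bfba58f958fd78cf640663bcd79a
bf93bf8a3cfc5bb20591961583be4310b5f5c1e4833e7dc6cf96dced39784f35
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1f5e0 0x1f600 6.59 d7c5acc9dd906d146fc6ee708b87e8e6
.data 0x21000 0x1ca24 0x1ca00 0.17 f475a5d8db410678faa8b459e2a5fdb4
( 3 imports )
"""
REPORT_B = """File tmpacj2.exe received on 09.27.2008 23:26:28 (CET)
Result: 0/2 (0%)
Antivirus Version Last Update Result
Kaspersky 7.0.0.125 2008.09.27 -
Symantec 10 2008.09.27 -
Additional information
MD5...: eeb024f2c81f0d55936fb825d21a91d6
SHA256: c8e419248e33efa206c3f66595118d876c36b6fe27c379174d46c770d1d198ab
"""
# Constructed: placeholder hashes, a made-up detection name, one high-entropy section.
REPORT_C = """File constructed_sample.exe received on 09.28.2008 00:00:00 (CET)
Result: 1/2 (50%)
Antivirus Version Last Update Result
Kaspersky 7.0.0.125 2008.09.27 Trojan.Constructed.Sample
Symantec 10 2008.09.27 -
Additional information
MD5...: 00000000000000000000000000000000
SHA1..: 1111111111111111111111111111111111111111
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x30000 0x2fe00 7.91 22222222222222222222222222222222
"""

@dataclass
class VTReport:
    filename: str = ""
    claimed: tuple = (0, 0)                       # (hits, engines) from the "Result:" line
    engines: list = field(default_factory=list)   # (engine, version, last_update, result)
    hashes: dict = field(default_factory=dict)    # {"MD5": ..., "SHA256": ...}
    sections: list = field(default_factory=list)  # (name, vaddr, vsize, rawsize, entropy, md5)

ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(\S.*?)\s*$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\.*:\s*([0-9a-fA-F]+)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
SECTION_RE = re.compile(r"^(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\d+\.\d+)\s+([0-9a-f]{32})$")

def parse_vt_report(text):
    # Walk the paste line by line; the two tables are delimited by fixed header lines.
    rep, in_engines, in_sections, last_hash = VTReport(), False, False, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"^File (\S+) received on", line):
            rep.filename = m.group(1)
        elif m := re.match(r"^Result: (\d+)/(\d+)", line):
            rep.claimed = (int(m.group(1)), int(m.group(2)))
        elif line.startswith("Antivirus Version Last Update Result"):
            in_engines = True
        elif line.startswith("Additional information"):
            in_engines = False
        elif in_engines:
            if m := ENGINE_RE.match(line):
                rep.engines.append(m.groups())
        elif m := HASH_RE.match(line):
            last_hash = m.group(1)
            rep.hashes[last_hash] = m.group(2).lower()
            continue                                   # a wrapped continuation may follow
        elif last_hash and HEX_RE.match(line):
            rep.hashes[last_hash] += line.lower()      # SHA512 wraps onto a second line
            continue
        elif line.startswith("name viradd virsiz rawdsiz ntrpy md5"):
            in_sections = True
        elif in_sections:
            if m := SECTION_RE.match(line):
                n, va, vs, rs, ent, md5 = m.groups()
                rep.sections.append((n, int(va, 16), int(vs, 16), int(rs, 16), float(ent), md5))
            else:
                in_sections = False                    # "( 3 imports )" ends the table
        last_hash = None
    return rep

def detections(rep):  # engines whose result column is anything but the "-" clean marker
    return [(eng, res) for eng, _ver, _upd, res in rep.engines if res != "-"]

def ratio_consistent(rep):  # does the "Result: x/y" header match the rows actually pasted?
    return (len(detections(rep)), len(rep.engines)) == rep.claimed

def same_bytes(a, b):  # identical file if the strongest hash both reports carry matches
    for algo in ("SHA512", "SHA256", "SHA1", "MD5"):
        if algo in a.hashes and algo in b.hashes:
            return a.hashes[algo] == b.hashes[algo]
    return False

def high_entropy_sections(rep, threshold=7.0):  # near-8-bit entropy hints at packing/encryption
    return [sec[0] for sec in rep.sections if sec[4] >= threshold]
```

Feed it the full paste rather than the trimmed samples and ratio_consistent() will also catch the case where the forum ate rows on the way in, which is the kind of mismatch this post is complaining about. A 0/36 verdict is only as good as the sample that was submitted; the hash comparison is the part worth keeping around, since it tells you whether a file under a new name is bytes you have already looked at.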
Hi
Better delete C:\temps folder then.
They give an option to reanalyse file now. Should I do that as well and post results?
Yes, please.
vidapura
2008-09-28, 01:25
Hello,
I am trying to post the scan results from virustotal.com, but I must be doing something wrong. I select, copy and paste to this post, but it does not paste what I copied! I tried it once using iexplore and once using AOL, but same problem: both were different reports from what I'm seeing on my screen. Is there another way to send a copy?
I went to take a look at c:\temps folder. I only seem to have a c:\temp not temp(s) folder. There are six similar .ini configuration settings in my temp folder.
I downloaded ATF Cleaner to my desktop and emptied those selected as directed.
I uninstalled the old "Adobe" Reader and downloaded 9.0.
I also uninstalled "Acrobat" Reader by accident...I thought it was an even older version. I did not realize they are different readers. Do I need both?
I tried to do a Kaspersky scan, but had some problems. It took 3 hrs. to do 25,000 of the 130,00 files. It said I could use another web browser to work while it scanned so I opened AOL, which promptly closed down my computer and rebooted, stopping the Kasp scan. I had made sure to disable Norton antivirus which, I think, is my only antivirus. Is there anything else that may be hindering Kaspersky from running properly? I have since changed my home page at iexplore to www.microsoft.com instead of aol.com maybe that will help. I also disabled teatimer. I will try again to use the Kaspersky Online Scanner and will post its report and a HJT log as well.
Thanks for your assistance!
virustotal From iexplore:
-------------------
File tmpacj2.exe received on 09.27.2008 23:26:28 (CET)
Result: 0/36 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.25.0 2008.09.26 -
AntiVir 7.8.1.34 2008.09.27 -
Authentium 5.1.0.4 2008.09.27 -
Avast 4.8.1195.0 2008.09.27 -
AVG 8.0.0.161 2008.09.27 -
BitDefender 7.2 2008.09.27 -
CAT-QuickHeal 9.50 2008.09.26 -
ClamAV 0.93.1 2008.09.26 -
DrWeb 4.44.0.09170 2008.09.27 -
eSafe 7.0.17.0 2008.09.25 -
eTrust-Vet 31.6.6110 2008.09.26 -
Ewido 4.0 2008.09.26 -
F-Prot 4.4.4.56 2008.09.25 -
F-Secure 8.0.14332.0 2008.09.27 -
Fortinet 3.113.0.0 2008.09.27 -
GData 19 2008.09.27 -
Ikarus T3.1.1.34.0 2008.09.26 -
K7AntiVirus 7.10.473 2008.09.25 -
Kaspersky 7.0.0.125 2008.09.27 -
McAfee 5392 2008.09.25 -
Microsoft 1.3903 2008.09.26 -
NOD32 3477 2008.09.27 -
Norman 5.80.02 2008.09.26 -
Panda 9.0.0.4 2008.09.27 -
PCTools 4.4.2.0 2008.09.26 -
Prevx1 V2 2008.09.27 -
Rising 20.63.42.00 2008.09.26 -
SecureWeb-Gateway 6.7.6 2008.09.27 -
Sophos 4.34.0 2008.09.27 -
Sunbelt 3.1.1668.1 2008.09.24 -
Symantec 10 2008.09.27 -
TheHacker 6.3.0.9.095 2008.09.27 -
TrendMicro 8.700.0.1004 2008.09.26 -
VBA32 3.12.8.6 2008.09.26 -
ViRobot 2008.9.26.1393 2008.09.26 -
VirusBuster 4.5.11.0 2008.09.25 -
Additional information
File size: 388608 bytes
MD5...: eeb024f2c81f0d55936fb825d21a91d6
SHA1..: dd47ff16176412ec2e170cda441b4a220ff52f46
SHA256: c8e419248e33efa206c3f66595118d876c36b6fe27c379174d46c770d1d198ab
SHA512: 3e486fea67e4ab8f02cc03012fef6fa489f8bfba58f958fd78cf640663bcd79a
bf93bf8a3cfc5bb20591961583be4310b5f5c1e4833e7dc6cf96dced39784f35
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4ad05056
timedatestamp.....: 0x41107ebe (Wed Aug 04 06:14:22 2004)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1f5e0 0x1f600 6.59 d7c5acc9dd906d146fc6ee708b87e8e6
.data 0x21000 0x1ca24 0x1ca00 0.17 f475a5d8db410678faa8b459e2a5fdb4
.rsrc 0x3e000 0x228b0 0x22a00 3.83 65c9f70c1dd2290a8a577394f7468c81
( 3 imports )
> msvcrt.dll: __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __initenv, _cexit, _XcptFilter, _exit, _c_exit, calloc, _wcslwr, qsort, _vsnwprintf, wcsstr, _dup2, _dup, _open_osfhandle, _close, swscanf, _ultoa, _pipe, _seh_longjmp_unwind, _setmode, wcsncmp, iswxdigit, fflush, exit, _wtol, time, srand, __set_app_type, wcsrchr, malloc, free, wcstoul, _errno, iswalpha, printf, rand, swprintf, _iob, fprintf, towlower, realloc, setlocale, _snwprintf, wcscat, _wcsupr, wcsncpy, _wpopen, fgets, _pclose, memmove, wcschr, iswspace, _tell, longjmp, wcscmp, _wcsnicmp, _wcsicmp, wcstol, iswdigit, _getch, _get_osfhandle, _controlfp, _setjmp3, _except_handler3, wcscpy, wcslen, wcsspn, towupper
> KERNEL32.dll: FlushConsoleInputBuffer, LoadLibraryA, InterlockedExchange, FreeLibrary, LocalAlloc, GetVDMCurrentDirectories, CmdBatNotification, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetThreadLocale, GetDiskFreeSpaceExW, CompareFileTime, RemoveDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, TerminateProcess, WaitForSingleObject, GetExitCodeProcess, CopyFileW, SetFileAttributesW, DeleteFileW, SetFileTime, CreateDirectoryW, FillConsoleOutputAttribute, SetConsoleTextAttribute, ScrollConsoleScreenBufferW, FormatMessageW, DuplicateHandle, FlushFileBuffers, HeapReAlloc, HeapSize, GetFileAttributesExW, LocalFree, GetDriveTypeW, InitializeCriticalSection, SetConsoleCtrlHandler, GetWindowsDirectoryW, GetConsoleTitleW, GetModuleFileNameW, GetVersion, EnterCriticalSection, LeaveCriticalSection, ExpandEnvironmentStringsW, SearchPathW, WriteFile, GetVolumeInformationW, SetLastError, MoveFileW, SetConsoleTitleW, MoveFileExW, GetBinaryTypeW, GetFileAttributesW, GetCurrentThreadId, CreateProcessW, LoadLibraryW, ReadProcessMemory, SetErrorMode, GetConsoleMode, SetConsoleMode, VirtualAlloc, VirtualFree, SetEnvironmentVariableW, GetEnvironmentVariableW, GetCommandLineW, GetEnvironmentStringsW, GetLocalTime, GetTimeFormatW, FileTimeToLocalFileTime, GetDateFormatW, GetLastError, CloseHandle, SetThreadLocale, GetProcAddress, GetModuleHandleW, SetFilePointer, lstrcmpW, lstrcmpiW, HeapAlloc, GetProcessHeap, HeapFree, MultiByteToWideChar, ReadFile, WriteConsoleW, FillConsoleOutputCharacterW, SetConsoleCursorPosition, ReadConsoleW, GetConsoleScreenBufferInfo, GetStdHandle, GetFileType, VirtualQuery, RaiseException, GetCPInfo, GetConsoleOutputCP, WideCharToMultiByte, GetFileSize, CreateFileW, FindClose, FindNextFileW, FindFirstFileW, GetFullPathNameW, GetUserDefaultLCID, GetLocaleInfoW, SetLocalTime, SystemTimeToFileTime, GetSystemTime, FileTimeToSystemTime
> USER32.dll: GetUserObjectInformationW, GetThreadDesktop, MessageBeep, GetProcessWindowStation
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=eeb024f2c81f0d55936fb825d21a91d6
----------------------------------------------------------------
I tried it again here using aol versus iexplore
_______________________________________________________
File tmpacj2.exe received on 09.27.2008 23:43:34 (CET)
Result: 0/36 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.25.0 2008.09.26 -
AntiVir 7.8.1.34 2008.09.27 -
Authentium 5.1.0.4 2008.09.27 -
Avast 4.8.1195.0 2008.09.27 -
AVG 8.0.0.161 2008.09.27 -
BitDefender 7.2 2008.09.27 -
CAT-QuickHeal 9.50 2008.09.26 -
ClamAV 0.93.1 2008.09.26 -
DrWeb 4.44.0.09170 2008.09.27 -
eSafe 7.0.17.0 2008.09.25 -
eTrust-Vet 31.6.6110 2008.09.26 -
Ewido 4.0 2008.09.26 -
F-Prot 4.4.4.56 2008.09.25 -
F-Secure 8.0.14332.0 2008.09.27 -
Fortinet 3.113.0.0 2008.09.27 -
GData 19 2008.09.27 -
Ikarus T3.1.1.34.0 2008.09.26 -
K7AntiVirus 7.10.473 2008.09.25 -
Kaspersky 7.0.0.125 2008.09.27 -
McAfee 5392 2008.09.25 -
Microsoft 1.3903 2008.09.26 -
NOD32 3477 2008.09.27 -
Norman 5.80.02 2008.09.26 -
Panda 9.0.0.4 2008.09.27 -
PCTools 4.4.2.0 2008.09.26 -
Prevx1 V2 2008.09.27 -
Rising 20.63.42.00 2008.09.26 -
SecureWeb-Gateway 6.7.6 2008.09.27 -
Sophos 4.34.0 2008.09.27 -
Sunbelt 3.1.1668.1 2008.09.24 -
Symantec 10 2008.09.27 -
TheHacker 6.3.0.9.095 2008.09.27 -
TrendMicro 8.700.0.1004 2008.09.26 -
VBA32 3.12.8.6 2008.09.26 -
ViRobot 2008.9.26.1393 2008.09.26 -
VirusBuster 4.5.11.0 2008.09.25 -
Additional information
File size: 388608 bytes
MD5...: eeb024f2c81f0d55936fb825d21a91d6
SHA1..: dd47ff16176412ec2e170cda441b4a220ff52f46
SHA256: c8e419248e33efa206c3f66595118d876c36b6fe27c379174d46c770d1d198ab
SHA512: 3e486fea67e4ab8f02cc03012fef6fa489f8bfba58f958fd78cf640663bcd79a
bf93bf8a3cfc5bb20591961583be4310b5f5c1e4833e7dc6cf96dced39784f35
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4ad05056
timedatestamp.....: 0x41107ebe (Wed Aug 04 06:14:22 2004)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1f5e0 0x1f600 6.59 d7c5acc9dd906d146fc6ee708b87e8e6
.data 0x21000 0x1ca24 0x1ca00 0.17 f475a5d8db410678faa8b459e2a5fdb4
.rsrc 0x3e000 0x228b0 0x22a00 3.83 65c9f70c1dd2290a8a577394f7468c81
( 3 imports )
> msvcrt.dll: __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __initenv, _cexit, _XcptFilter, _exit, _c_exit, calloc, _wcslwr, qsort, _vsnwprintf, wcsstr, _dup2, _dup, _open_osfhandle, _close, swscanf, _ultoa, _pipe, _seh_longjmp_unwind, _setmode, wcsncmp, iswxdigit, fflush, exit, _wtol, time, srand, __set_app_type, wcsrchr, malloc, free, wcstoul, _errno, iswalpha, printf, rand, swprintf, _iob, fprintf, towlower, realloc, setlocale, _snwprintf, wcscat, _wcsupr, wcsncpy, _wpopen, fgets, _pclose, memmove, wcschr, iswspace, _tell, longjmp, wcscmp, _wcsnicmp, _wcsicmp, wcstol, iswdigit, _getch, _get_osfhandle, _controlfp, _setjmp3, _except_handler3, wcscpy, wcslen, wcsspn, towupper
> KERNEL32.dll: FlushConsoleInputBuffer, LoadLibraryA, InterlockedExchange, FreeLibrary, LocalAlloc, GetVDMCurrentDirectories, CmdBatNotification, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetThreadLocale, GetDiskFreeSpaceExW, CompareFileTime, RemoveDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, TerminateProcess, WaitForSingleObject, GetExitCodeProcess, CopyFileW, SetFileAttributesW, DeleteFileW, SetFileTime, CreateDirectoryW, FillConsoleOutputAttribute, SetConsoleTextAttribute, ScrollConsoleScreenBufferW, FormatMessageW, DuplicateHandle, FlushFileBuffers, HeapReAlloc, HeapSize, GetFileAttributesExW, LocalFree, GetDriveTypeW, InitializeCriticalSection, SetConsoleCtrlHandler, GetWindowsDirectoryW, GetConsoleTitleW, GetModuleFileNameW, GetVersion, EnterCriticalSection, LeaveCriticalSection, ExpandEnvironmentStringsW, SearchPathW, WriteFile, GetVolumeInformationW, SetLastError, MoveFileW, SetConsoleTitleW, MoveFileExW, GetBinaryTypeW, GetFileAttributesW, GetCurrentThreadId, CreateProcessW, LoadLibraryW, ReadProcessMemory, SetErrorMode, GetConsoleMode, SetConsoleMode, VirtualAlloc, VirtualFree, SetEnvironmentVariableW, GetEnvironmentVariableW, GetCommandLineW, GetEnvironmentStringsW, GetLocalTime, GetTimeFormatW, FileTimeToLocalFileTime, GetDateFormatW, GetLastError, CloseHandle, SetThreadLocale, GetProcAddress, GetModuleHandleW, SetFilePointer, lstrcmpW, lstrcmpiW, HeapAlloc, GetProcessHeap, HeapFree, MultiByteToWideChar, ReadFile, WriteConsoleW, FillConsoleOutputCharacterW, SetConsoleCursorPosition, ReadConsoleW, GetConsoleScreenBufferInfo, GetStdHandle, GetFileType, VirtualQuery, RaiseException, GetCPInfo, GetConsoleOutputCP, WideCharToMultiByte, GetFileSize, CreateFileW, FindClose, FindNextFileW, FindFirstFileW, GetFullPathNameW, GetUserDefaultLCID, GetLocaleInfoW, SetLocalTime, SystemTimeToFileTime, GetSystemTime, FileTimeToSystemTime
> USER32.dll: GetUserObjectInformationW, GetThreadDesktop, MessageBeep, GetProcessWindowStation
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=eeb024f2c81f0d55936fb825d21a91d6
File tmpacj2.exe received on 09.27.2008 23:49:25 (CET)
Result: 0/36 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.25.0 2008.09.26 -
AntiVir 7.8.1.34 2008.09.27 -
Authentium 5.1.0.4 2008.09.27 -
Avast 4.8.1195.0 2008.09.27 -
AVG 8.0.0.161 2008.09.27 -
BitDefender 7.2 2008.09.27 -
CAT-QuickHeal 9.50 2008.09.27 -
ClamAV 0.93.1 2008.09.27 -
DrWeb 4.44.0.09170 2008.09.27 -
eSafe 7.0.17.0 2008.09.25 -
eTrust-Vet 31.6.6110 2008.09.26 -
Ewido 4.0 2008.09.27 -
F-Prot 4.4.4.56 2008.09.27 -
F-Secure 8.0.14332.0 2008.09.27 -
Fortinet 3.113.0.0 2008.09.27 -
GData 19 2008.09.27 -
Ikarus T3.1.1.34.0 2008.09.27 -
K7AntiVirus 7.10.476 2008.09.27 -
Kaspersky 7.0.0.125 2008.09.27 -
McAfee 5393 2008.09.27 -
Microsoft 1.3903 2008.09.27 -
NOD32 3477 2008.09.27 -
Norman 5.80.02 2008.09.26 -
Panda 9.0.0.4 2008.09.27 -
PCTools 4.4.2.0 2008.09.26 -
Prevx1 V2 2008.09.27 -
Rising 20.63.52.00 2008.09.27 -
SecureWeb-Gateway 6.7.6 2008.09.27 -
Sophos 4.34.0 2008.09.27 -
Sunbelt 3.1.1675.1 2008.09.27 -
Symantec 10 2008.09.27 -
TheHacker 6.3.0.9.095 2008.09.27 -
TrendMicro 8.700.0.1004 2008.09.26 -
VBA32 3.12.8.6 2008.09.27 -
ViRobot 2008.9.26.1394 2008.09.26 -
VirusBuster 4.5.11.0 2008.09.26 -
Additional information
File size: 388608 bytes
MD5...: eeb024f2c81f0d55936fb825d21a91d6
SHA1..: dd47ff16176412ec2e170cda441b4a220ff52f46
SHA256: c8e419248e33efa206c3f66595118d876c36b6fe27c379174d46c770d1d198ab
SHA512: 3e486fea67e4ab8f02cc03012fef6fa489f8bfba58f958fd78cf640663bcd79a
bf93bf8a3cfc5bb20591961583be4310b5f5c1e4833e7dc6cf96dced39784f35
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4ad05056
timedatestamp.....: 0x41107ebe (Wed Aug 04 06:14:22 2004)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1f5e0 0x1f600 6.59 d7c5acc9dd906d146fc6ee708b87e8e6
.data 0x21000 0x1ca24 0x1ca00 0.17 f475a5d8db410678faa8b459e2a5fdb4
.rsrc 0x3e000 0x228b0 0x22a00 3.83 65c9f70c1dd2290a8a577394f7468c81
( 3 imports )
> msvcrt.dll: __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __initenv, _cexit, _XcptFilter, _exit, _c_exit, calloc, _wcslwr, qsort, _vsnwprintf, wcsstr, _dup2, _dup, _open_osfhandle, _close, swscanf, _ultoa, _pipe, _seh_longjmp_unwind, _setmode, wcsncmp, iswxdigit, fflush, exit, _wtol, time, srand, __set_app_type, wcsrchr, malloc, free, wcstoul, _errno, iswalpha, printf, rand, swprintf, _iob, fprintf, towlower, realloc, setlocale, _snwprintf, wcscat, _wcsupr, wcsncpy, _wpopen, fgets, _pclose, memmove, wcschr, iswspace, _tell, longjmp, wcscmp, _wcsnicmp, _wcsicmp, wcstol, iswdigit, _getch, _get_osfhandle, _controlfp, _setjmp3, _except_handler3, wcscpy, wcslen, wcsspn, towupper
> KERNEL32.dll: FlushConsoleInputBuffer, LoadLibraryA, InterlockedExchange, FreeLibrary, LocalAlloc, GetVDMCurrentDirectories, CmdBatNotification, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetThreadLocale, GetDiskFreeSpaceExW, CompareFileTime, RemoveDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, TerminateProcess, WaitForSingleObject, GetExitCodeProcess, CopyFileW, SetFileAttributesW, DeleteFileW, SetFileTime, CreateDirectoryW, FillConsoleOutputAttribute, SetConsoleTextAttribute, ScrollConsoleScreenBufferW, FormatMessageW, DuplicateHandle, FlushFileBuffers, HeapReAlloc, HeapSize, GetFileAttributesExW, LocalFree, GetDriveTypeW, InitializeCriticalSection, SetConsoleCtrlHandler, GetWindowsDirectoryW, GetConsoleTitleW, GetModuleFileNameW, GetVersion, EnterCriticalSection, LeaveCriticalSection, ExpandEnvironmentStringsW, SearchPathW, WriteFile, GetVolumeInformationW, SetLastError, MoveFileW, SetConsoleTitleW, MoveFileExW, GetBinaryTypeW, GetFileAttributesW, GetCurrentThreadId, CreateProcessW, LoadLibraryW, ReadProcessMemory, SetErrorMode, GetConsoleMode, SetConsoleMode, VirtualAlloc, VirtualFree, SetEnvironmentVariableW, GetEnvironmentVariableW, GetCommandLineW, GetEnvironmentStringsW, GetLocalTime, GetTimeFormatW, FileTimeToLocalFileTime, GetDateFormatW, GetLastError, CloseHandle, SetThreadLocale, GetProcAddress, GetModuleHandleW, SetFilePointer, lstrcmpW, lstrcmpiW, HeapAlloc, GetProcessHeap, HeapFree, MultiByteToWideChar, ReadFile, WriteConsoleW, FillConsoleOutputCharacterW, SetConsoleCursorPosition, ReadConsoleW, GetConsoleScreenBufferInfo, GetStdHandle, GetFileType, VirtualQuery, RaiseException, GetCPInfo, GetConsoleOutputCP, WideCharToMultiByte, GetFileSize, CreateFileW, FindClose, FindNextFileW, FindFirstFileW, GetFullPathNameW, GetUserDefaultLCID, GetLocaleInfoW, SetLocalTime, SystemTimeToFileTime, GetSystemTime, FileTimeToSystemTime
> USER32.dll: GetUserObjectInformationW, GetThreadDesktop, MessageBeep, GetProcessWindowStation
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=eeb024f2c81f0d55936fb825d21a91d6
I also uninstalled "Acrobat" Reader by accident...I thought it was an even older version. I did not realize they are different readers. Do I need both?
Acrobat Reader was the earlier name for Adobe Reader. You did right by uninstalling those too :)
To speed up Kaspersky online scanner you could defrag your hard drives before doing the scan.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINNT\system32\Karna1Drv.dll
C:\WINNT\system32\Karna2Drv.dll
Folder::
C:\temps
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log. Post also Kaspersky online scanner report & a fresh hjt log when ready.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
vidapura
2008-09-28, 16:08
Hi Blade81,
Thanks for working with me on this thru the weekend. I can't imagine how I would have done this during my work week.
I'll have to do a search for C:\temps, I don't know where to find it.
When I go to My computer and double click on Local Disk (C:) the page that opens only has a folder named "Temp".
I will follow your instructions on copying the text in the quotebox to ComboFix
whether or not I locate the C:\temps folder, and will post the resultant log in my next reply. Should I also post an updated HJT log?
I finally have a Kaspersky Online Scan report to post. The last 2 items listed in the report are the same 2 which you want me to copy to ComboFix.
I did another virustotal report and copied it a different way. I will post it here.
I will post a HJT log now as well.
_________________________________________________
Kaspersky Report
_________________________________________________
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, September 28, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, September 27, 2008 21:37:01
Records in database: 1266526
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
Scan statistics:
Files scanned: 95968
Threat name: 17
Infected objects: 35
Suspicious objects: 0
Duration of the scan: 06:09:18
File name / Threat name / Threats count
C:\Documents and Settings\Owner\My Documents\AVI to MP4\Download_iPodConvSuit11.exe Infected: not-a-virus:Downloader.Win32.SpyNoMore.a 1
C:\QooBox\Quarantine\C\DOCUME~1\Owner\LOCALS~1\Temp\WowInitcode.dll.vir Infected: Trojan-GameThief.Win32.WOW.bvz 1
C:\QooBox\Quarantine\C\WINNT\system32\drivers\secdrv.sys.vir Infected: Trojan-GameThief.Win32.OnLineGames.sjsc 1
C:\QooBox\Quarantine\C\WINNT\system32\KarnaDrv.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.srvk 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP962\A0174766.dll Infected: Trojan-GameThief.Win32.OnLineGames.sovd 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP962\A0174819.sys Infected: Trojan.Win32.Dialer.aqj 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP964\A0175251.dll Infected: Trojan-Spy.Win32.Pophot.ccy 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP964\A0175252.dll Infected: Trojan-Spy.Win32.Pophot.ccy 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP964\A0175253.exe Infected: Trojan-Spy.Win32.Pophot.ccx 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP964\A0175320.scr Infected: Trojan-Spy.Win32.Pophot.cdk 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP964\A0175325.dll Infected: Trojan-Spy.Win32.Pophot.cdu 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP964\A0175326.dll Infected: Trojan-Spy.Win32.Pophot.cdu 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP964\A0175327.exe Infected: Trojan-Spy.Win32.Pophot.cdk 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP964\A0175370.exe Infected: Trojan-Downloader.Win32.Agent.adxf 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP965\A0175381.exe Infected: Trojan-Downloader.Win32.Agent.adxf 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP965\A0175414.dll Infected: Trojan-Spy.Win32.Pophot.cdu 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP965\A0175415.dll Infected: Trojan-Spy.Win32.Pophot.cdu 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP965\A0175416.scr Infected: Trojan-Spy.Win32.Pophot.cdy 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP965\A0175417.exe Infected: Trojan-Spy.Win32.Pophot.cdy 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP965\A0175447.sys Infected: Trojan.Win32.Dialer.aqj 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP966\A0175464.dll Infected: Trojan.Win32.Agent.yhk 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP966\A0175465.dll Infected: Trojan.Win32.Dialer.aqm 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP966\A0175466.dll Infected: Trojan.Win32.Dialer.aqm 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP968\A0176602.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.dw 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP973\A0177625.exe Infected: Trojan.Win32.Agent.aefo 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP977\A0177694.dll Infected: Trojan-Downloader.Win32.Agent.ahcp 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP983\A0178040.exe Infected: Trojan.Win32.Agent.aefo 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP983\A0178041.dll Infected: Trojan-Spy.Win32.Pophot.cdu 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP983\A0178042.scr Infected: Trojan-Spy.Win32.Pophot.cdy 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP983\A0178043.dll Infected: Trojan-Spy.Win32.Pophot.cdu 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP983\A0178044.exe Infected: Trojan-Spy.Win32.Pophot.cdy 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP986\A0179240.dll Infected: Trojan-GameThief.Win32.OnLineGames.srvk 1
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP986\A0179241.sys Infected: Trojan-GameThief.Win32.OnLineGames.sjsc 1
C:\WINNT\system32\Karna1Drv.dll Infected: Trojan-GameThief.Win32.OnLineGames.srvk 1
C:\WINNT\system32\Karna2Drv.dll Infected: Trojan-GameThief.Win32.OnLineGames.srvk 1
The selected area was scanned.
______________________________________________________
virustotal.com results
_______________________________________________________
File tmpacj2.exe received on 09.28.2008 14:28:18 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.25.0 2008.09.26 -
AntiVir 7.8.1.34 2008.09.27 -
Authentium 5.1.0.4 2008.09.28 -
Avast 4.8.1195.0 2008.09.27 -
AVG 8.0.0.161 2008.09.27 -
BitDefender 7.2 2008.09.28 -
CAT-QuickHeal 9.50 2008.09.26 -
ClamAV 0.93.1 2008.09.28 -
DrWeb 4.44.0.09170 2008.09.27 -
eSafe 7.0.17.0 2008.09.25 -
eTrust-Vet 31.6.6110 2008.09.26 -
Ewido 4.0 2008.09.28 -
F-Prot 4.4.4.56 2008.09.25 -
F-Secure 8.0.14332.0 2008.09.28 -
Fortinet 3.113.0.0 2008.09.28 -
GData 19 2008.09.28 -
Ikarus T3.1.1.34.0 2008.09.28 -
K7AntiVirus 7.10.473 2008.09.25 -
Kaspersky 7.0.0.125 2008.09.28 -
McAfee 5392 2008.09.25 -
Microsoft 1.3903 2008.09.28 -
NOD32 3478 2008.09.28 -
Norman 5.80.02 2008.09.26 -
Panda 9.0.0.4 2008.09.28 -
PCTools 4.4.2.0 2008.09.26 -
Prevx1 V2 2008.09.28 -
Rising 20.63.62.00 2008.09.28 -
SecureWeb-Gateway 6.7.6 2008.09.28 -
Sophos 4.34.0 2008.09.28 -
Sunbelt 3.1.1668.1 2008.09.24 -
Symantec 10 2008.09.28 -
TheHacker 6.3.0.9.095 2008.09.27 -
TrendMicro 8.700.0.1004 2008.09.26 -
VBA32 3.12.8.6 2008.09.26 -
ViRobot 2008.9.26.1393 2008.09.26 -
VirusBuster 4.5.11.0 2008.09.28 -
Additional information
File size: 388608 bytes
MD5...: eeb024f2c81f0d55936fb825d21a91d6
SHA1..: dd47ff16176412ec2e170cda441b4a220ff52f46
SHA256: c8e419248e33efa206c3f66595118d876c36b6fe27c379174d46c770d1d198ab
SHA512: 3e486fea67e4ab8f02cc03012fef6fa489f8bfba58f958fd78cf640663bcd79abf93bf8a3cfc5bb20591961583be4310b5f5c1e4833e7dc6cf96dced39784f35
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4ad05056
timedatestamp.....: 0x41107ebe (Wed Aug 04 06:14:22 2004)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1f5e0 0x1f600 6.59 d7c5acc9dd906d146fc6ee708b87e8e6
.data 0x21000 0x1ca24 0x1ca00 0.17 f475a5d8db410678faa8b459e2a5fdb4
.rsrc 0x3e000 0x228b0 0x22a00 3.83 65c9f70c1dd2290a8a577394f7468c81
( 3 imports )
> msvcrt.dll: __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __initenv, _cexit, _XcptFilter, _exit, _c_exit, calloc, _wcslwr, qsort, _vsnwprintf, wcsstr, _dup2, _dup, _open_osfhandle, _close, swscanf, _ultoa, _pipe, _seh_longjmp_unwind, _setmode, wcsncmp, iswxdigit, fflush, exit, _wtol, time, srand, __set_app_type, wcsrchr, malloc, free, wcstoul, _errno, iswalpha, printf, rand, swprintf, _iob, fprintf, towlower, realloc, setlocale, _snwprintf, wcscat, _wcsupr, wcsncpy, _wpopen, fgets, _pclose, memmove, wcschr, iswspace, _tell, longjmp, wcscmp, _wcsnicmp, _wcsicmp, wcstol, iswdigit, _getch, _get_osfhandle, _controlfp, _setjmp3, _except_handler3, wcscpy, wcslen, wcsspn, towupper
> KERNEL32.dll: FlushConsoleInputBuffer, LoadLibraryA, InterlockedExchange, FreeLibrary, LocalAlloc, GetVDMCurrentDirectories, CmdBatNotification, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetThreadLocale, GetDiskFreeSpaceExW, CompareFileTime, RemoveDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, TerminateProcess, WaitForSingleObject, GetExitCodeProcess, CopyFileW, SetFileAttributesW, DeleteFileW, SetFileTime, CreateDirectoryW, FillConsoleOutputAttribute, SetConsoleTextAttribute, ScrollConsoleScreenBufferW, FormatMessageW, DuplicateHandle, FlushFileBuffers, HeapReAlloc, HeapSize, GetFileAttributesExW, LocalFree, GetDriveTypeW, InitializeCriticalSection, SetConsoleCtrlHandler, GetWindowsDirectoryW, GetConsoleTitleW, GetModuleFileNameW, GetVersion, EnterCriticalSection, LeaveCriticalSection, ExpandEnvironmentStringsW, SearchPathW, WriteFile, GetVolumeInformationW, SetLastError, MoveFileW, SetConsoleTitleW, MoveFileExW, GetBinaryTypeW, GetFileAttributesW, GetCurrentThreadId, CreateProcessW, LoadLibraryW, ReadProcessMemory, SetErrorMode, GetConsoleMode, SetConsoleMode, VirtualAlloc, VirtualFree, SetEnvironmentVariableW, GetEnvironmentVariableW, GetCommandLineW, GetEnvironmentStringsW, GetLocalTime, GetTimeFormatW, FileTimeToLocalFileTime, GetDateFormatW, GetLastError, CloseHandle, SetThreadLocale, GetProcAddress, GetModuleHandleW, SetFilePointer, lstrcmpW, lstrcmpiW, HeapAlloc, GetProcessHeap, HeapFree, MultiByteToWideChar, ReadFile, WriteConsoleW, FillConsoleOutputCharacterW, SetConsoleCursorPosition, ReadConsoleW, GetConsoleScreenBufferInfo, GetStdHandle, GetFileType, VirtualQuery, RaiseException, GetCPInfo, GetConsoleOutputCP, WideCharToMultiByte, GetFileSize, CreateFileW, FindClose, FindNextFileW, FindFirstFileW, GetFullPathNameW, GetUserDefaultLCID, GetLocaleInfoW, SetLocalTime, SystemTimeToFileTime, GetSystemTime, FileTimeToSystemTime
> USER32.dll: GetUserObjectInformationW, GetThreadDesktop, MessageBeep, GetProcessWindowStation
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=eeb024f2c81f0d55936fb825d21a91d6
_______________________________________________
New HJT log
_______________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:59 AM, on 9/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.aol.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.aol.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINNT\System32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINNT\System32\hkcmd.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [WorksFUD] "C:\Program Files\Microsoft Works\wkfud.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] "C:\WINNT\system32\rundll32.exe" sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] "C:\WINNT\UpdReg.EXE"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue ProcessQuickLink 2] "C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" /autostart
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe (file missing)
O9 - Extra button: CachePal - {5F4A4622-8370-440e-88CC-CA2256D1A08A} - C:\WINNT\system32\cachepal.exe
O9 - Extra 'Tools' menuitem: CachePal - {5F4A4622-8370-440e-88CC-CA2256D1A08A} - C:\WINNT\system32\cachepal.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.real.com
O16 - DPF: {093500E9-F79F-4C52-A9B5-D8C7E4B3023E} (ParallelGraphics Installer Class) - http://www.outline3d.com/main/installer.cab?key=6bf0
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {810B649C-CEAE-4AC9-BF26-81341B49E913} (ParallelGraphics PlanEditor Control) - http://www.outline3d.com/main/pecontrol.cab?key=d035
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab?key=49d7
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCXs/CtORWebClientNoMFC.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINNT\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
--
End of file - 10629 bytes
Hi
I'll have to do a search for C:\temps, I don't know where to find it.
No need to do that since ComboFix will remove it if the folder is found. Just create that CFScript.txt file and feed it to ComboFix as shown in the screenshot :)
tmpacj2.exe file seems to be ok so let's leave it now.
I'll wait for that ComboFix resultant log.
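Blade81's reply singles out the two system32 copies of the driver DLL as the only entries in the Kaspersky report that still need action: the hits under QooBox are ComboFix quarantine copies and those under System Volume Information are restore-point snapshots, neither of which runs. As an added example (not code from this thread, from Kaspersky or from ComboFix), here is a small Python triage script that applies that same sorting rule to report lines of the form shown above. The sample lines are constructed from a few entries of the report, and the bucketing rules and function names are my own.

```python
"""Triage a Kaspersky Online Scanner 7 report: which hits are still live files?

Report lines look like
    <path> Infected: <threat name> <count>
Anything else (headers, statistics, the trailing summary line) is ignored.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the same shape as the report pasted above (a few of
# its entries, not the whole thing).  Double backslashes are Python escaping.
SAMPLE_REPORT = """\
Scan statistics:
Files scanned: 95968
File name / Threat name / Threats count
C:\\Documents and Settings\\Owner\\My Documents\\AVI to MP4\\Download_iPodConvSuit11.exe Infected: not-a-virus:Downloader.Win32.SpyNoMore.a 1
C:\\QooBox\\Quarantine\\C\\WINNT\\system32\\KarnaDrv.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.srvk 1
C:\\System Volume Information\\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\\RP962\\A0174819.sys Infected: Trojan.Win32.Dialer.aqj 1
C:\\WINNT\\system32\\Karna1Drv.dll Infected: Trojan-GameThief.Win32.OnLineGames.srvk 1
C:\\WINNT\\system32\\Karna2Drv.dll Infected: Trojan-GameThief.Win32.OnLineGames.srvk 1
The selected area was scanned.
"""

# Path is greedy up to the literal " Infected: " marker; threat names never
# contain spaces, and the count is the last token on the line.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def classify(path: str) -> str:
    """Bucket a hit by where it sits on disk (rule of thumb, my own)."""
    low = path.lower()
    if "\\qoobox\\quarantine\\" in low:
        return "quarantined"     # ComboFix already moved it out of the way
    if "\\system volume information\\_restore" in low:
        return "restore_point"   # inert unless System Restore reinstates it
    return "live"                # still in place, needs removal


def parse_report(text: str) -> list:
    """Return one dict per detection line: path, threat, count, status."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # header, statistics or summary line
        hits.append({
            "path": m.group("path"),
            "threat": m.group("threat"),
            "count": int(m.group("count")),
            "status": classify(m.group("path")),
        })
    return hits


def triage(text: str) -> dict:
    """Map status -> list of paths, so the live ones can be acted on."""
    buckets = defaultdict(list)
    for hit in parse_report(text):
        buckets[hit["status"]].append(hit["path"])
    return dict(buckets)


def family_counts(text: str) -> Counter:
    """Count hits per malware family (threat name minus its variant suffix)."""
    return Counter(hit["threat"].rsplit(".", 1)[0] for hit in parse_report(text))


if __name__ == "__main__":
    for status, paths in triage(SAMPLE_REPORT).items():
        print(f"{status}:")
        for p in paths:
            print(f"  {p}")
    print(family_counts(SAMPLE_REPORT))
```

Run against the full report pasted above, the "live" bucket comes out to the three entries that are not under QooBox or a restore point; the two Karna*Drv.dll files are the ones the CFScript targets, and the restore-point copies are why helpers normally ask for System Restore to be flushed once a machine is clean.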
vidapura
2008-09-28, 18:54
Hi Blade81,
As per your instructions I copied and pasted the quotebox and dropped it into ComboFix, which did a scan and also deleted those 3 items.
I then re-enabled Norton AntiVirus 2002, which I think is my only antivirus software. I don't know if it does any good because it is an older version which is not updateable.
I am posting the ComboFix log and a new HJT log here.
Thank you for your continued assistance.
___________________________________________________
ComboFix 08-09-26.01 - Owner 2008-09-28 10:26:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.64 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINNT\system32\Karna1Drv.dll
C:\WINNT\system32\Karna2Drv.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\temps
C:\WINNT\system32\Karna1Drv.dll
C:\WINNT\system32\Karna2Drv.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.
2008-09-26 18:39 . 2008-09-26 18:45 <DIR> d-------- C:\XPSETUP
2008-09-22 07:50 . 2008-09-22 07:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-09-22 07:49 . 2008-09-22 07:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-22 07:49 . 2008-09-22 07:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-22 07:49 . 2008-09-10 00:04 38,528 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-09-22 07:49 . 2008-09-10 00:03 17,200 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-09-22 05:46 . 2004-08-04 03:56 388,608 --a------ C:\WINNT\system32\tmpacj2.exe
2008-09-17 08:43 . 2008-09-17 08:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\System Tweaker
2008-09-17 08:41 . 2008-09-22 07:13 <DIR> d-------- C:\Program Files\Uniblue
2008-09-17 07:41 . 2008-09-17 07:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-08-29 08:56 . 2008-08-29 08:56 <DIR> d-------- C:\VundoFix Backups
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 21:42 --------- d-----w C:\Program Files\America Online 8.0
2008-09-27 21:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-09-27 15:46 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-20 12:59 --------- d-----w C:\Program Files\Trend Micro
2008-09-17 10:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-17 10:59 --------- d-----w C:\Program Files\Google
2008-09-15 11:33 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-13 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-09 23:25 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-09 23:10 --------- d-----w C:\Program Files\AdSubtract
2008-09-09 23:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-30 11:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-29 13:02 4,224 ----a-w C:\WINNT\system32\drivers\beep.sys
2008-08-28 10:09 164 ----a-w C:\install.dat
2008-08-27 11:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-27 10:27 --------- d-----w C:\Program Files\BHODemon 2
2008-08-26 11:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-04-13 17:20 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-04-13 17:20 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2007-04-17 12:37 63,128 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-09-25 04:02 11,473,724 -c--a-w C:\Program Files\videoeditmagic.exe
2005-09-23 18:05 9,199,616 -c--a-w C:\Program Files\ng_dl_v3_prod.exe
2005-07-28 20:50 5,271,552 -c--a-w C:\Program Files\PStory.msi
2005-01-28 01:24 130 -c--a-w C:\Documents and Settings\Owner\AutoUpdate.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2004-06-25 147456]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 15360]
"Uniblue ProcessQuickLink 2"="C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" [2008-04-02 655640]
"Uniblue RegistryBooster 2009"="C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [2002-05-14 155648]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2002-05-14 114688]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-24 684032]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 75384]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 188416]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 2532576]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-04-01 100056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]
"CTSysVol"="C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="C:\WINNT\UpdReg.EXE" [2000-05-11 90112]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 53248]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-11 180269]
"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-08 C:\WINNT\system32\sbusbdll.dll]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe [2006-04-12 36939]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-04-09 598150]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-01-22 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AdSubtract\\adsub.exe"=
"C:\\WINNT\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 RioPNP;RioPNP;C:\WINNT\system32\drivers\RioPNP.sys [2000-06-06 6736]
R3 sbusb;Sound Blaster USB Audio Driver;C:\WINNT\system32\DRIVERS\sbusb.sys [2004-07-27 1643648]
S2 Ias;Ias;C:\WINNT\System32\svchost.exe [2004-08-04 14336]
S3 dwusbdnt;dwusbdnt;C:\WINNT\system32\DRIVERS\dwusbdnt.sys [2002-05-24 10368]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys [ ]
*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMREDRV
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 10:30:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\DOCUME~1\Owner\LOCALS~1\Temp\RGI5C.tmp
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-09-28 10:38:02
ComboFix-quarantined-files.txt 2008-09-28 14:37:59
ComboFix2.txt 2008-09-27 12:27:51
Pre-Run: 38,897,340,416 bytes free
Post-Run: 38,927,171,584 bytes free
137 --- E O F --- 2008-09-12 11:32:10
______________________________________________________
New HJT log
______________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:06 AM, on 9/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINNT\System32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINNT\System32\hkcmd.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [WorksFUD] "C:\Program Files\Microsoft Works\wkfud.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] "C:\WINNT\system32\rundll32.exe" sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] "C:\WINNT\UpdReg.EXE"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue ProcessQuickLink 2] "C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" /autostart
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe (file missing)
O9 - Extra button: CachePal - {5F4A4622-8370-440e-88CC-CA2256D1A08A} - C:\WINNT\system32\cachepal.exe
O9 - Extra 'Tools' menuitem: CachePal - {5F4A4622-8370-440e-88CC-CA2256D1A08A} - C:\WINNT\system32\cachepal.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.real.com
O16 - DPF: {093500E9-F79F-4C52-A9B5-D8C7E4B3023E} (ParallelGraphics Installer Class) - http://www.outline3d.com/main/installer.cab?key=6bf0
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {810B649C-CEAE-4AC9-BF26-81341B49E913} (ParallelGraphics PlanEditor Control) - http://www.outline3d.com/main/pecontrol.cab?key=d035
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab?key=49d7
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCXs/CtORWebClientNoMFC.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINNT\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
--
End of file - 10883 bytes
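Reading a HijackThis log by hand means scanning a hundred lines for the handful that matter. The following Python script is an added example, not part of this thread and not HijackThis's own code: it parses O4 (autostart), O9 (extra button) and O23 (service) lines in the v2.0.2 layout above and flags the patterns a helper looks at first: a program autostarting from Temp or a user profile, a Windows system binary name (svchost.exe, lsass.exe, ...) living outside the Windows directory, a service with no vendor string, and an entry whose file is missing. The sample lines are constructed and modelled on this log; the `[svchost]` entry under Temp is invented to exercise the checks.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 layout, modelled on the log in this
# thread. The [svchost] entry under Temp is invented to exercise the checks.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] "C:\WINNT\System32\igfxtray.exe"
O4 - HKLM\..\Run: [SbUsb AudCtrl] "C:\WINNT\system32\rundll32.exe" sbusbdll.dll,RCMonitor
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [svchost] C:\DOCUME~1\Owner\LOCALS~1\Temp\svchost.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
"""

# Line shapes used by HijackThis for the sections we care about.
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run[^:]*: \[([^\]]+)\] (.*)$')
STARTUP_RE = re.compile(r'^O4 - (Startup|Global Startup): (.+?) = (.+)$')
O9_MISSING_RE = re.compile(r'^O9 - .+?: (.+?) - \{[^}]+\} - (.+?) \(file missing\)$')
SERVICE_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')

# Locations an ordinary user (and therefore malware running as that user) can write to.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\")
# Where real copies of the core Windows binaries live on this XP box (WINNT) or a default install.
SYSTEM_DIRS = ("c:\\winnt\\", "c:\\windows\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "csrss.exe", "smss.exe", "explorer.exe"}


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list


def command_path(command: str) -> str:
    """Pull the executable path out of a Run-key command string.
    Quoted paths end at the closing quote; unquoted ones are cut at the first
    switch-looking argument such as ' /S' or ' -Run' (a ' - ' inside a folder
    name is left alone)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return re.split(r' (?=[/-]\w)', command, maxsplit=1)[0]


def reasons_for(path: str) -> list:
    """Checks applied to any autostart or service path."""
    low = path.lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from a temp or user-profile location")
    base = os.path.basename(low.replace("\\", "/"))
    if base in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"{base} is a Windows system binary name but lives outside the Windows directory")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per log line that trips at least one check."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            hive, name, command = m.groups()
            path = command_path(command)
            section, reasons = f"O4 {hive} Run", reasons_for(path)
        elif m := STARTUP_RE.match(line):
            folder, name, path = m.groups()
            section, reasons = f"O4 {folder}", reasons_for(path)
        elif m := O9_MISSING_RE.match(line):
            name, path = m.groups()
            section, reasons = "O9", ["button/menu item points at a file that is missing (orphaned entry)"]
        elif m := SERVICE_RE.match(line):
            name, owner, path = m.groups()
            section, reasons = "O23", reasons_for(path)
            if owner.lower() == "unknown owner":
                reasons.append("service has no vendor string")
        else:
            continue
        if reasons:
            findings.append(Finding(section, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:18} [{f.name}] {f.path}")
        for r in f.reasons:
            print("    -", r)
```

The checks are deliberately coarse: a hit is a reason to look at the entry, not a verdict, and a clean pass says nothing about a file that simply sits in Program Files with a plausible name. Pipe a saved HijackThis log into `triage()` to get the short list.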
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\DOCUME~1\Owner\LOCALS~1\Temp\RGI5C.tmp
Return to OTMoveIt2, right click in the
Paste Standard List of Files/Folders to Move
window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. How's the system running?
vidapura
2008-09-28, 19:33
Hi,
Did as instructed here's what I pasted from OTMoveIt2.
System seems to be working better. I still saw a lot of junk when I did a Spybot scan today (I watched files as it scanned). I still see stuff like virtumonde, cydoor, FakeAlert.mhg, etc. Why doesn't Spybot detect this stuff and get rid of it?
Was my computer hijacked? Why does msworks shareware(?) want to access my computer? I don't use it.
Thanks for your continued support
______________________________________________________________
File/Folder C:\DOCUME~1\Owner\LOCALS~1\Temp\RGI5C.tmp not found.
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09282008_122122
I still saw a lot of junk when I did a Spybot scan today (I watched files as it scanned). I still see stuff like virtumonde, cydoor, FakeAlert.mhg, etc. Why doesn't Spybot detect this stuff and get rid of it?
If you mean those shown during the scan then don't worry. Those shown during the scan are Spybot definitions that it compares to your system contents. If it finds some of those then it flags it. If Spybot's final scan results are clean, then there's nothing to detect or get rid of.
Was my computer hijacked?
Your infection was this (http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99). It steals online game accounts, such as Lineage, Ragnarok online, Rohan, and Rexue Jianghu.
Why does msworks shareware? want to access my computer I don't use it.
It probably tried to check for updates.
vidapura
2008-09-28, 20:48
Hi Blade81,
Thanks again for your continued support.
Thanks for getting rid of the infection.
Did the OTMoveIt2 do what it was supposed to? file not found?
Are we done then?
Would you be so kind as to suggest which antivirus, antispyware, antimalware, and firewall softwares you advise using to help me keep my system secure.
Should I use some of them prior to doing a backup of my system?
Which of the tools/software that you had me download to my desktop should I keep? ATF Cleaner? OTMoveIt2.exe? ComboFix.exe? WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe?
Should I re-enable TeaTimer?
Which web browser do you think is most secure?
Should I update Windows with SP3? I have heard that it is nearly impossible to remove malware, viruses etc. which have infected the system if one has SP3.
Would you suggest that I change any of my passwords for miscellaneous online services I use?
Lastly, I can't thank you enough for all the assistance you've provided. I have donated to Spybot in the past and will continue to do so. Keep up the good work. You're awesome!
Best Regards
Which of the tools/software that you had me download to my desktop should I keep? ATF Cleaner? OTMoveIt2.exe? ComboFix.exe? WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe?
I recommend keeping ATF Cleaner and running it occasionally to get rid of temporary items. We'll remove OTMoveIt2 and ComboFix a bit later (instructions below). You may delete the WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe file now.
Should I re-enable TeaTimer?
You may do so if you like. However, do the following before that to reset TeaTimer:
* Right-click >here (http://downloads.subratam.org/ResetTeaTimer.bat)< and select "Save as" and save it without changing the name to your desktop
* Double click ResetTeaTimer.bat
* Open Spybot S&D
o Click Mode > check Advanced Mode
o Go to the left Panel and click Tools then, also in left panel, click Resident (OK any firewall prompts)
o Check the box labeled Resident Tea-Timer and OK any prompts
o Use File > Exit to terminate Spybot
* Reboot your machine for the changes to take effect
* You can now delete ResetTeaTimer.bat
Which web browser do you think is most secure?
At the moment I personally think Firefox (http://www.getfirefox.net/) is the most secure one.
Should I update Windows with SP3? I have heard that it is nearly impossible to remove malware, viruses etc. which have infected the system if one has SP3.
It's recommended to update. Some systems have had problems with it though. That's why I recommend backing up your important files before updating.
Would you suggest that I change any of my passwords for miscellaneous online services I use?
Doing so won't harm. Better safe than sorry as they say :)
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis
Now let's uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Next we remove all used tools.
Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen), then click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client. Highlight it, then double-click it. On the dropdown box, change the setting from Automatic to Manual. Click OK.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update site frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
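The hosts file advice above rests on two properties of the format that are worth seeing in code: a line maps an address to one or more exact hostnames (no wildcards, so listing ads.example.net does nothing for sub.ads.example.net), and a "block" is just a mapping to an address that goes nowhere, usually 0.0.0.0 or 127.0.0.1. The following Python is an added example, not part of this thread and not the MVPS project's code; it parses a hosts file in the MVPS layout and answers "would this name be sinkholed?". The sample content is constructed and uses reserved example/.invalid names. The entry count it reports is the number the DNS Client service would cache, which is why a large hosts file slows some machines down.

```python
import ipaddress

# Constructed sample in the layout the MVPS hosts file uses (this is not the
# MVPS file; hostnames are reserved example / .invalid names).
SAMPLE_HOSTS = """\
# hosts file: one IP, then one or more hostnames, then an optional comment
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org      # tracking pixel host
0.0.0.0 a.example.com b.example.com
0.0.0.0   WWW.Malware-Sample.invalid
192.0.2.10 intranet.example.com  # ordinary static mapping, not a block
"""

# Addresses hosts-file blocklists point names at so the connection goes nowhere.
SINKHOLES = {"0.0.0.0", "127.0.0.1"}
# Names that legitimately map to loopback and must not be reported as blocked.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> dict:
    """Return {hostname: address}. Hostnames are lower-cased because the
    resolver treats them case-insensitively; the first mapping for a name
    wins, matching resolver behaviour. Malformed lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])   # first field must be an address
        except ValueError:
            continue
        for host in fields[1:]:
            table.setdefault(host.lower().rstrip("."), fields[0])
    return table


def is_blocked(table: dict, hostname: str) -> bool:
    """True when the hosts file sinkholes this exact name. There is no
    wildcard matching: a subdomain is only blocked if it is listed itself."""
    host = hostname.lower().rstrip(".")
    if host in LOOPBACK_NAMES:
        return False
    return table.get(host) in SINKHOLES


def blocked_hosts(table: dict) -> list:
    """Every name the file sinkholes, sorted; len() of this is the cache size
    the DNS Client service would carry."""
    return sorted(h for h in table if is_blocked(table, h))


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(table)} mappings, {len(blocked_hosts(table))} blocked names")
    for name in ("ads.example.net", "sub.ads.example.net", "localhost"):
        print(f"{name:24} blocked={is_blocked(table, name)}")
```

Point `parse_hosts()` at the contents of C:\WINNT\system32\drivers\etc\hosts (or C:\Windows\... on a default install) to check what a downloaded blocklist actually covers before relying on it.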
vidapura
2008-09-29, 00:31
Hi
I wish I knew how to use "the reply with a quote" option, sorry.
as per your replies :
You may delete WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe file now.
(?)It is on my desktop, just right click and delete? or uninstall?
Quote:
Should I re-enable TeaTimer?
You may do so if you like. However, do the following before that to reset TeaTimer:
(?) Do I need it?
At the moment I personally think Firefox is the most secure one.
(?) I use AOL most often, does AOL need iexplore to function?
(?) can I use AOL and Firefox independently until I become familiar with Firefox?
It's recommended to update. Some systems have had problems with it though. That's why I recommend backing up your important files before updating.
(?) I don't know how to backup my important files. I have an external hard drive which I have yet to install. I suppose I'll set that up after following your most recent directions but before updating WindowsXP. Are there any files I should backup before we continue?
Doing so won't harm. Better safe than sorry as they say
(!) I'll reset my passwords when we're done then, thanks
Let's reset system restore
Please note you need Administrator Access to do clean the restore points.
(?) how do I go about getting Administrator Access?
That's it for my questions to your responses.
_______________________________________
Your opinion is appreciated
Since my version of Norton antivirus 2002 is unupdateable and is, as far as I know, my only antivirus software, should I get the newest version or can you suggest a good antivirus software and at what point in this system cleansing and restoring process should I install it?
thanks for your continued assistance
You may delete WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe file now.
(?)It is on my desktop, just right click and delete? or uninstall?
Yes, just delete (remember to empty recycle bin afterwards).
Should I re-enable TeaTimer?
You may do so if you like. However, do the following before that to reset TeaTimer:
(?) Do I need it?
Not necessarily. I've left that for every user to decide.
At the moment I personally think Firefox is the most secure one.
(?) I use AOL most often, does AOL need iexplore to function?
(?) can I use AOL and Firefox independently until I become familiar with Firefox?
I'm not familiar with AOL browser so can't say for sure. Anyway, AOL and Firefox can be used independently.
It's recommended to update. Some systems have had problems with it though. That's why I recommend backing up your important files before updating.
(?) I don't know how to backup my important files. I have an external hard drive which I have yet to install. I suppose I'll set that up after following your most recent directions but before updating WindowsXP. Are there any files I should backup before we continue?
Taking copies of important video, picture and music files is usually enough.
Let's reset system restore
Please note you need Administrator Access to do clean the restore points.
(?) how do I go about getting Administrator Access?
Administrator access is needed for example to install things. Since you've been able to do that you've got the access already.
Since my version of Norton antivirus 2002 is unupdateable and is, as far as I know, my only antivirus software, should I get the newest version or can you suggest a good antivirus software and at what point in this system cleansing and restoring process should I install it?
I don't personally recommend Norton. Anyway, if you decide to use Norton you should get a newer version.
Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html) and
AVG Free Antivirus (http://free.grisoft.com/ww.download-avg-anti-virus-free-edition)
vidapura
2008-10-01, 14:40
Hi,
Thanks for the last response.
I'm still working on my system.
I've deleted the windows bootdisk file.
I've left TeaTimer turned off.
I have not switched to Firefox yet.
I still need to hook up my external backup harddrive so I can backup my important personal files, before updating to Windows SP3.
I did install some other Windows updates though and Windows required that I allow them to install an Activex Control. Is this OK?
I have followed your instructions on resetting system restore.
I have uninstalled ComboFix.
I removed OTMoveIt2.exe
I followed your instructions on making Internet Explorer more secure.
I have not yet done the work on Hosts File.
Should I do this prior to? or after? I download some? or all? of the antivirus software you referred to in your most recent response? Should I uninstall my Norton antivirus 2002 prior to? or after? downloading the other Antivirus software(s)? Defrag now or later? I'd like to get the antivirus portion done prior to installing my external backup hdd.
Which firewall do you like? I am using Sygate Personal Firewall Pro.
Thank you so much for walking me through all of this I greatly appreciate your help.
Best regards
I did install some other Windows updates though and Windows required that I allow them to install an Activex Control. Is this OK?
Yes, that's ok.
I have not yet done the work on Hosts File.
Should I do this prior to? or after?
Doesn't matter. You can do either way :)
I download some? or all? of the antivirus software you referred to in your most recent response? Should I uninstall my Norton antivirus 2002 prior to? or after? downloading the other Antivirus software(s)? Defrag now or later? I'd like to get the antivirus portion done prior to installing my external backup hdd.
Just one of those three antivirus programs I suggested. It's recommended to uninstall Norton before installing another antivirus program. You can defrag before or after, but I recommend defragging after all the other install operations are done.
Which firewall do you like? I am using Sygate Personal Firewall Pro.
There are different good ones. Sygate is one of those.
vidapura
2008-10-04, 15:40
Hi Blade81,
I'm back to working on my system. Thanks for your previous post.
I think I have uninstalled "most of" Norton AntiVirus 2002.
I have downloaded, installed and scanned with Avast! to use as my antivirus software instead of Norton.
The only item which still remains is SNDMon.exe in C:\Program Files\Sym Net Drv\ SNDMon.exe, should I delete it as well? In researching this file I have seen it stated that this file may be added in the autorun registry.
Now that I have an up to date antivirus program I wanted to continue to cleanup my system prior to installing my external HDD this weekend. Then I will backup my files so that I can download WindowsXP SP3. Should I do the hosts file procedure as per your instructions prior to SP3?
I feel guilty for asking your advice, I'm sure there are more important tasks you are assisting with. I am grateful for all your help and advice. I have learned many things about my system and its security features. I can't wait to get back to life as I knew it prior to the "infection".
Best regards
The only item which still remains is SNDMon.exe in C:\Program Files\Sym Net Drv\ SNDMon.exe, should I delete it as well? In researching this file I have seen it stated that this file may be added in the autorun registry.
Guess you mean C:\Program Files\SymNetDrv folder. Yes, it can be deleted.
Now that I have an up to date antivirus program I wanted to continue to cleanup my system prior to installing my external HDD this weekend. Then I will backup my files so that I can download WindowsXP SP3. Should I do the hosts file procedure as per your instructions prior to SP3?
Install the hosts file after getting SP3.
I feel guilty for asking your advice, I'm sure there are more important tasks you are assisting with. I am grateful for all your help and advice.
No problem. It's been my pleasure to help :)
Due to inactivity, this thread will now be closed.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.