Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Help - win32 Trojan
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
Page 1 of 2 1 2
 
LinkBack Thread Tools
Old 04-25-2007, 10:14 AM   #1 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Exclamation Help - win32 Trojan
Hi Bob . . . . .
Here's another opportunity for you to excell at your chosen "Profession".
I think this machine has been infected with the Win32ask virus. Here's the HJT log. Please help if you can.
J. Ross

Logfile of HijackThis v1.99.1
Scan saved at 12:05:20 PM, on 4/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\vwsrv.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\v7.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Internet Security\isadd.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Uninstall.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/...uicksilver.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SP Software Installer - Unknown owner - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe (file missing)
O23 - Service: vwservice - Unknown owner - C:\WINDOWS\System32\vwsrv.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
jross1943 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 04-25-2007, 10:29 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Hi again -

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\System32\vwsrv.exe

  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply..

---------------------------------------------------------------------------------------------


Create an uninstall list:
  • Open HiJackThis
  • Click on the button " Open the Misc Tools section"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and past the List from the notepad file into your post

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-25-2007, 12:05 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan
Can't get SmitFraudFix. When I try to download it gets to 99% and quits. When I try to copy from my thumb drive, it deletes the program from the drive. But here is the HJT Uninstall list and the results from VirusTotal.

Thanks for all you do

---------------
HJT Uninstall List

2003 United Guaranty's Tax Analysis
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0.1
Adobe SVG Viewer 3.0
Advanced Networking Pack for Windows XP
Agere Systems AC'97 Modem
ATI Control Panel
ATI Display Driver
BlackBerry Desktop Software 4.0
BlackBerry Desktop Software 4.0
Broadcom Gigabit Integrated Controller
CBA DirectLynk
Citrix ICA Web Client
Diagnostics for Windows
DirectX 9 Hotfix - KB839643
D-Link AirPlus G Wireless Adapter
Easy CD & DVD Creator 6
eCombiner
FileNET Panagon Viewer 3.2
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HP Integrated Wireless LAN W400-W500 Driver
HP Mobile Printing
hp psc 1200 series
Insight Management Agent
InterActual Player
Internet Explorer Security Plugin 2006
Internet Security Add-On
InterVideo WinDVD
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.1_05
Java Web Start
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
LockPoint Web Client 2.1
Macromedia Shockwave Player
MarketerPro 15.6.0 Release
MarketerPro 15.7.0 Release
MarketerPro 15.8.0 Release
MarketerPro Backup
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Access 2000 Runtime
Microsoft Data Access Components KB870669
Microsoft Office Live Meeting
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
O2Micro MemoryCardBus Windows Driver
OnDemand5
pdfFactory
PhotoParade Player
Pro Client
Public Messenger ver 2.03
Remote Diagnostics Enabling Agent
Remote Services Driver
SBA 2.2 Remote System
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
SoundMAX
Spybot - Search & Destroy 1.3
Symantec pcAnywhere
Synaptics Pointing Device Driver
TCNLink For Windows 7.0 SP2 Custom
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See KB837272 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows Safety Alert
Windows XP Hotfix - KB820291
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB826942
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883357
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB897715
Windows XP Hotfix (SP2) Q322011
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q815485

----------------------------------

STATUS: FINISHEDComplete scanning result of "vwsrv.exe", received in VirusTotal at 04.25.2007, 19:28:18 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.26.0 04.25.2007 no virus found
AntiVir 7.4.0.15 04.25.2007 TR/Dldr.Sisdot
Authentium 4.93.8 04.24.2007 no virus found
Avast 4.7.981.0 04.25.2007 no virus found
AVG 7.5.0.464 04.25.2007 Downloader.Agent.KJC
BitDefender 7.2 04.25.2007 no virus found
CAT-QuickHeal 9.00 04.25.2007 TrojanDownloader.Agent.bnc
ClamAV devel-20070416 04.25.2007 Trojan.Downloader-5648
DrWeb 4.33 04.25.2007 BACKDOOR.Trojan
eSafe 7.0.15.0 04.25.2007 Win32.Agent.bnc
eTrust-Vet 30.7.3594 04.25.2007 no virus found
Ewido 4.0 04.25.2007 Downloader.Agent.bnc
FileAdvisor 1 04.25.2007 No threat detected
Fortinet 2.85.0.0 04.25.2007 W32/Agent.BNC!tr.dldr
F-Prot 4.3.2.48 04.24.2007 no virus found
F-Secure 6.70.13030.0 04.25.2007 Trojan-Downloader.Win32.Agent.bnc
Ikarus T3.1.1.5 04.25.2007 Trojan-Downloader.Win32.Agent.bnc
Kaspersky 4.0.2.24 04.25.2007 Trojan-Downloader.Win32.Agent.bnc
McAfee 5017 04.25.2007 no virus found
Microsoft 1.2405 04.25.2007 no virus found
NOD32v2 2218 04.25.2007 no virus found
Norman 5.80.02 04.25.2007 W32/Malware.PLI
Panda 9.0.0.4 04.25.2007 Adware/DriveCleaner
Prevx1 V2 04.25.2007 Polynomial.Code.Exploit
Sophos 4.16.0 04.23.2007 no virus found
Sunbelt 2.2.907.0 04.19.2007 VIPRE.Suspicious
Symantec 10 04.25.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.4 04.25.2007 no virus found
VirusBuster 4.3.7:9 04.25.2007 no virus found
Webwasher-Gateway 6.0.1 04.25.2007 Trojan.Dldr.Sisdot


Aditional Information
File size: 7168 bytes
MD5: d763131fd9b2d02faeab6d39e5232bf4
SHA1: afc6ef942132e1df1314260a819e0ea3d9e655f0
packers: PECOMPACT
Bit9 info: http://fileadvisor.bit9.com/services...ab6d39e5232bf4
packers: PecBundle, PECompact
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=c4e389519880
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
> Go to: Home Contactar En Español
--------------------------------------------------------------------------------
www.virustotal.com :: ©Hispasec Sistemas 2004-07:: e-mail info@virustotal.com
jross1943 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-25-2007, 01:01 PM   #4 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan
I restarted in safe mode and was able to run SmitFraudFix scan. Here is the log.
------------
SmitFraudFix v2.171

Scan done at 14:55:34.02, Wed 04/25/2007
Run from C:\Documents and Settings\David\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\Uninstall.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\David\FAVORI~1

C:\DOCUME~1\David\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpyLocked\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}"="chitosan"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{32160FDB-D72F-49BC-A042-336B927E3B01}: DhcpNameServer=68.213.22.2 205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{32160FDB-D72F-49BC-A042-336B927E3B01}: DhcpNameServer=68.213.22.2 205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{32160FDB-D72F-49BC-A042-336B927E3B01}: DhcpNameServer=68.213.22.2 205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7CF1C02A-27C6-427F-A2C2-8370A924ED6D}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
jross1943 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-25-2007, 07:00 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan
OK, John, here we go....

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

--------------------------------------------------------------------------------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • We'll use this later.

    ---------------------------------------------------------------------------------------------

    Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

    Quote:
    @echo off
    sc stop vwservice
    sc delete vwservice
    exit
    Double click FixServices.bat. A window will open and close. This is normal.

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.

    ---------------------------------------------------------------------------------------------

    Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

    O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Internet Security\isadd.dll (file missing)
    O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
    O4 - HKLM\..\Run: [VaCtrls] v7
    O4 - Global Startup: Uninstall.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


    Close HijackThis now.

    ---------------------------------------------------------------------------------------------

    Go to My Computer->Tools->Folder Options->View tab:
    * Under the Hidden files and folders heading, select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Also make sure there is no checkmark beside Hide file extensions for known file types
    * Click Yes to confirm and then click OK.


    Delete the following if they exist:

    C:\WINDOWS\System32\v7.exe
    C:\WINDOWS\System32\vwsrv.exe
    C:\Program Files\Common Files\WinAntiVirus Pro 2007

    ---------------------------------------------------------------------------------------------

    Double-click smitfraudfix.exe to start the tool.
    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot back into in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    ---------------------------------------------------------------------------------------------

    Clean out your Temporary Internet files.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------


Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall" or something similar
Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down)
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. In your case, it is Java 2 Runtime Environment Standard Edition v1.3.1_02, and Java 2 Runtime Environment, SE v1.4.1_05
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windowsi586-p.exe to install the newest version.
  • After the install is complete, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------------------------------------------------------------------------------------

Spybot Search and Destroy is outdated. Uninstall version 1.3, then do this:

Download and install Spybot S&D http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.

Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Do NOT enable Spybot TeaTimer Resident protection at this time. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings. It may also hinder our fix at this point. You may enable it after the fix is complete.

Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot.

---------------------------------------------------------------------------------------------

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Then post the following logs in your next reply...

C:\rapport.txt (log from the tool)
AVG Anti-Spyware log
Panda log
DSS logs (main.txt and extra.txt0
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-26-2007, 09:57 AM   #6 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan
Okay! I'm up to the point where I have just run AVG Antivirus and saved the log. I rebooted into normal mode and tried to run Smitfraudfix. It was instantly deleted. Can I run option 3 of Smitfraudfix in safe mode or do you want to skip this step?

I'm posting the Rapport.txt from the earlier scan that was done in safe mode, as well as the AVG log and a current HJT log for you.

John
-----------------

_SmitFraudFix v2.171

Scan done at 10:03:33.09, Thu 04/26/2007
Run from C:\Documents and Settings\David\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}"="chitosan"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\David\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\SpyLocked\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{32160FDB-D72F-49BC-A042-336B927E3B01}: DhcpNameServer=68.213.22.2 205.152.37.23 205.152.144.23
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7CF1C02A-27C6-427F-A2C2-8370A924ED6D}: DhcpNameServer=205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{32160FDB-D72F-49BC-A042-336B927E3B01}: DhcpNameServer=68.213.22.2 205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7CF1C02A-27C6-427F-A2C2-8370A924ED6D}: DhcpNameServer=205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{32160FDB-D72F-49BC-A042-336B927E3B01}: DhcpNameServer=68.213.22.2 205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7CF1C02A-27C6-427F-A2C2-8370A924ED6D}: DhcpNameServer=205.152.37.23 205.152.144.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.144.23


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

_____________

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:38:09 AM 4/26/2007

+ Scan result:



C:\Program Files\Common Files\Companion Wizard\WapCHK.dll -> Adware.Companion : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP453\A0061747.exe -> Adware.SpyLocked : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP452\A0061665.sys -> Backdoor.Bulknet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP453\A0061695.sys -> Backdoor.Bulknet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP453\A0061729.sys -> Backdoor.Bulknet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\ip6fw.sys -> Backdoor.Bulknet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP453\A0061754.exe -> Downloader.Agent.bnc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP428\A0060003.dll -> Downloader.Zlob.ato : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP428\A0060007.exe -> Downloader.Zlob.atx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP428\A0060010.exe -> Downloader.Zlob.atx : Cleaned with backup (quarantined).
C:\QUARANTINE\winupd_KB21542167.exe.Vir -> Logger.Bancos.aam : Cleaned with backup (quarantined).
C:\Documents and Settings\David\Application Data\winantiviruspro2007freeinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP427\A0059963.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Cleaned with backup (quarantined).
C:\QUARANTINE\winupd_KB00016252.exe.Vir -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\WINDOWS\system32\svehost.exe -> Trojan.Agent.kq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\888111253.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winupd_KB68791722.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\QUARANTINE\botm[1].exe.Vir -> Worm.Limar : Cleaned with backup (quarantined).
C:\QUARANTINE\module.exe.Vir -> Worm.Limar : Cleaned with backup (quarantined).


::Report end

-------------------------

Note: Internet Explorer was open when I ran this HJT scan.

Logfile of HijackThis v1.99.1
Scan saved at 11:53:49 AM, on 4/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\ie_updater.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\clcl6.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\System32\clcl6.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/...uicksilver.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SP Software Installer - Unknown owner - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe (file missing)
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
jross1943 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-26-2007, 10:09 AM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan
Hold off on the online scan for now....these instructions supercede any previous....

We'll take another route. Some other nasties have reared their head. Might be best to keep the machine disconnected from the network and internet, and transport tools from a clean machine.

Right click on this link http://www.mvps.org/winhelp2002/DelDomains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Download this file:

http://downloads.malwareremoval.com/Nel/FixP.zip

extract and double click Fix_Protocol_zones_ranges.reg and allow it to merge with the registry.

---------------------------------------------------------------------------------------------


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\System32\clcl6.exe

Close HijackThis now.

---------------------------------------------------------------------------------------------


Delete the following if they exist:

C:\WINDOWS\System32\clcl6.exe

---------------------------------------------------------------------------------------------
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum in your next reply.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:
  2. Double click on ComboFix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Also post a new HJT log.

So, I need logs from:

SDFix
ComboFix
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Last edited by tetonbob; 04-26-2007 at 10:11 AM.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-26-2007, 01:34 PM   #8 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan
Okay! So far so good . . .

Per your instructions:
I've disconnected the infected machine from the Internet.
Here are the logs you requested. I noticed that combofix also created a quarantine log so I attached it also.

John
------------

SDFix: Version 1.79

Run by David - Thu 04/26/2007 - 14:42:13.08

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
NDnet1
Runtime

ImagePath:
\??\C:\WINDOWS\System32\ksys.sys
\??\C:\WINDOWS\System32\drivers\runtime.sys

NDnet1 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\7_exception.nls - Deleted
C:\WINDOWS\system32\ksys.sys - Deleted
C:\WINDOWS\system32\rpcc.exe - Deleted
C:\WINDOWS\system32\RunOnce2.t__ - Deleted
C:\WINDOWS\system32\RunOnce2.tm_ - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


Remaining Files:
---------------
C:\WINDOWS\system32\ksys.sys Found
C:\WINDOWS\system32\rpcc.exe Found
C:\WINDOWS\system32\RunOnce2.t__ Found
C:\WINDOWS\system32\RunOnce2.tm_ Found

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\InterActual\InterActual Player\iti8.tmp
C:\WINDOWS\LastGood.Tmp\INF\dxbda.inf
C:\WINDOWS\LastGood.Tmp\INF\dxbda.PNF
C:\WINDOWS\LastGood.Tmp\INF\dxdllreg.inf
C:\WINDOWS\LastGood.Tmp\INF\dxdllreg.PNF
C:\WINDOWS\LastGood.Tmp\INF\dxxp.inf
C:\WINDOWS\LastGood.Tmp\INF\dxxp.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem0.inf
C:\WINDOWS\LastGood.Tmp\INF\oem0.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem1.inf
C:\WINDOWS\LastGood.Tmp\INF\oem1.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem10.inf
C:\WINDOWS\LastGood.Tmp\INF\oem10.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem11.inf
C:\WINDOWS\LastGood.Tmp\INF\oem11.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem12.inf
C:\WINDOWS\LastGood.Tmp\INF\oem12.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem13.inf
C:\WINDOWS\LastGood.Tmp\INF\oem13.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem14.inf
C:\WINDOWS\LastGood.Tmp\INF\oem14.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem15.inf
C:\WINDOWS\LastGood.Tmp\INF\oem15.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem16.inf
C:\WINDOWS\LastGood.Tmp\INF\oem16.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem17.inf
C:\WINDOWS\LastGood.Tmp\INF\oem17.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem18.inf
C:\WINDOWS\LastGood.Tmp\INF\oem18.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem19.inf
C:\WINDOWS\LastGood.Tmp\INF\oem19.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem2.inf
C:\WINDOWS\LastGood.Tmp\INF\oem2.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem3.inf
C:\WINDOWS\LastGood.Tmp\INF\oem3.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem4.inf
C:\WINDOWS\LastGood.Tmp\INF\oem4.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem5.inf
C:\WINDOWS\LastGood.Tmp\INF\oem5.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem6.inf
C:\WINDOWS\LastGood.Tmp\INF\oem6.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem7.inf
C:\WINDOWS\LastGood.Tmp\INF\oem7.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem8.inf
C:\WINDOWS\LastGood.Tmp\INF\oem8.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem9.inf
C:\WINDOWS\LastGood.Tmp\INF\oem9.PNF

Finished
--------------------
Combofix log

"David" - 07-04-26 14:54:47 Service Pack 1
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\David\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\6_exception.nls
C:\WINDOWS\system32\888111253.exe
C:\WINDOWS\system32\winupd_KB12931930.exe
C:\WINDOWS\system32\winupd_KB89914297.exe
C:\WINDOWS\system32\ksys.sys
C:\WINDOWS\system32\rpcc.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\NDnet1
-------\Runtime
-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME


((((((((((((((((((((((((((((((( Files Created from 2007-03-26 to 2007-04-26 ))))))))))))))))))))))))))))))))))


2007-04-26 14:52 24,064 --a------ C:\WINDOWS\system32\winupd_KB65919063.exe
2007-04-26 14:47 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-26 14:46 7,296 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2007-04-26 14:46 11,776 --a------ C:\WINDOWS\system32\winupd_KB58620628.exe
2007-04-26 14:33 20,061 --a------ C:\WINDOWS\system32\winupd_KB69412836.exe
2007-04-26 14:27 20,061 --a------ C:\WINDOWS\system32\winupd_KB08494134.exe
2007-04-26 14:22 20,061 --a------ C:\WINDOWS\system32\winupd_KB26431806.exe
2007-04-26 14:10 20,061 --a------ C:\WINDOWS\system32\winupd_KB56829756.exe
2007-04-26 14:05 20,061 --a------ C:\WINDOWS\system32\winupd_KB59303473.exe
2007-04-26 13:59 20,061 --a------ C:\WINDOWS\system32\winupd_KB70645686.exe
2007-04-26 13:53 20,061 --a------ C:\WINDOWS\system32\winupd_KB08471726.exe
2007-04-26 13:36 20,061 --a------ C:\WINDOWS\system32\winupd_KB90069443.exe
2007-04-26 13:31 20,061 --a------ C:\WINDOWS\system32\winupd_KB90004561.exe
2007-04-26 13:19 20,061 --a------ C:\WINDOWS\system32\winupd_KB44318973.exe
2007-04-26 13:14 20,061 --a------ C:\WINDOWS\system32\winupd_KB78434668.exe
2007-04-26 13:08 20,061 --a------ C:\WINDOWS\system32\winupd_KB85131081.exe
2007-04-26 13:02 20,061 --a------ C:\WINDOWS\system32\winupd_KB17264537.exe
2007-04-26 12:57 20,061 --a------ C:\WINDOWS\system32\winupd_KB89378022.exe
2007-04-26 12:51 20,061 --a------ C:\WINDOWS\system32\winupd_KB77786317.exe
2007-04-26 12:39 20,061 --a------ C:\WINDOWS\system32\winupd_KB98221393.exe
2007-04-26 12:34 20,061 --a------ C:\WINDOWS\system32\winupd_KB81204801.exe
2007-04-26 12:28 20,061 --a------ C:\WINDOWS\system32\winupd_KB72117528.exe
2007-04-26 12:22 20,061 --a------ C:\WINDOWS\system32\winupd_KB18003240.exe
2007-04-26 12:16 20,061 --a------ C:\WINDOWS\system32\winupd_KB11901888.exe
2007-04-26 12:11 20,061 --a------ C:\WINDOWS\system32\winupd_KB92021998.exe
2007-04-26 12:05 20,061 --a------ C:\WINDOWS\system32\winupd_KB40754700.exe
2007-04-26 11:53 20,061 --a------ C:\WINDOWS\system32\winupd_KB56869449.exe
2007-04-26 11:47 20,061 --a------ C:\WINDOWS\system32\winupd_KB94184285.exe
2007-04-26 09:49 2,637 --a------ C:\WINDOWS\system32\winupd_KB04080293.exe
2007-04-26 09:40 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-26 09:17 974,914 --a------ C:\WINDOWS\system32\RC48E140.DLL
2007-04-26 09:17 77,824 --a------ C:\WINDOWS\system32\RCPRINT.dll
2007-04-26 09:17 69,632 --a------ C:\WINDOWS\system32\TIFmtA.dll
2007-04-26 09:17 61,440 --a------ C:\WINDOWS\system32\TrackID.dll
2007-04-26 09:17 61,440 --a------ C:\WINDOWS\system32\rdrvlog.dll
2007-04-26 09:17 57,344 --a------ C:\WINDOWS\system32\rdrvinf.dll
2007-04-26 09:17 53,248 --a------ C:\WINDOWS\system32\RICDB32.dll
2007-04-26 09:17 49,152 --a------ C:\WINDOWS\system32\TIBase64.dll
2007-04-26 09:17 37,376 --a------ C:\WINDOWS\system32\MFRICRES.dll
2007-04-26 09:17 32,768 --a------ C:\WINDOWS\system32\rc4mon.dll
2007-04-26 09:17 32,768 --a------ C:\WINDOWS\system32\RC00C140.dll
2007-04-26 09:17 27,136 --a------ C:\WINDOWS\system32\RCINST.dll
2007-04-26 09:17 262,364 --a------ C:\WINDOWS\system32\rpcsecl.dll
2007-04-26 09:17 221,184 --a------ C:\WINDOWS\system32\RICJC32.dll
2007-04-26 09:17 167,936 --a------ C:\WINDOWS\system32\JCUI.exe
2007-04-26 09:17 126,976 --a------ C:\WINDOWS\system32\Rc4manNT.dll
2007-04-26 09:17 1,236,992 --a------ C:\WINDOWS\system32\MP450dat.dll
2007-04-26 09:17 <DIR> d--h----- C:\_rpcs
2007-04-25 14:55 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-25 14:55 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-25 14:55 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-25 14:55 2,552 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-25 12:00 <DIR> d-------- C:\Program Files\Hijack This
2007-04-08 20:58 <DIR> d-------- C:\DOCUME~1\David\APPLIC~1\MSN6


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-26 14:47 -------- d--h----- C:\Program Files\windowsupdate
2007-03-23 09:59 -------- d-------- C:\DOCUME~1\David\APPLIC~1\winantivirus pro 2007


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"888111253.exe"="C:\\WINDOWS\\System32\\888111253.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"="C:\\WINDOWS\\Cpqdiag\\CpqDfwAg.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link REG Utility.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\D-Link REG Utility.lnk"
"backup"="C:\\WINDOWS\\pss\\D-Link REG Utility.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\D-Link\\AIRPLU~1\\Reg.exe "
"item"="D-Link REG Utility"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkAdmin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CHKADMIN"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb07"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdaterUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Dispatcher v2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fppdis2a"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fppdis2a.exe\" /source=HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EngUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SHSTAT"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ip6FwHlp"=dword:00000003
"cpqWebDmi"=dword:00000002
"CPQALERT"=dword:00000002
"awhost32"=dword:00000003
"Ati HotKey Poller"=dword:00000002
"ACS"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-26 15:03:16
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????I??p?????????? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-26 15:03:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-26 15:03

------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:04:16 PM, on 4/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [888111253.exe] C:\WINDOWS\System32\888111253.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/...uicksilver.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SP Software Installer - Unknown owner - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe (file missing)
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
Attached Files
File Type: txt ComboFix-quarantined-files.txt (1.6 KB, 2 views)
jross1943 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-27-2007, 12:35 AM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan
Well, you've caught a pile of nasty there, John....

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Assuming the infected machine is still offline (and off network, if there is one)...

We'll download some tools using a clean machine, and carry them to the infected machine.

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
We'll use this shortly.

Please download FileFind from Atribune.
Unzip the file and save it to your desktop. We'll use this later.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges. We'll use this later.

Download GMER Rootkit Scanner from here or here.

Unzip it to your Desktop. We'll use this later.

---------------------------------------------------------------------------------------------

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

Quote:
@echo off
sc stop "Microsoft IE Updater_2"
sc delete "Microsoft IE Updater_2"
exit
Double click FixServices.bat. A window will open and close. This is normal.

---------------------------------------------------------------------------------------------

Run OTMoveIt
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\winupd_KB65919063.exe
    C:\WINDOWS\system32\winupd_KB58620628.exe
    C:\WINDOWS\system32\winupd_KB69412836.exe
    C:\WINDOWS\system32\winupd_KB08494134.exe
    C:\WINDOWS\system32\winupd_KB26431806.exe
    C:\WINDOWS\system32\winupd_KB56829756.exe
    C:\WINDOWS\system32\winupd_KB59303473.exe
    C:\WINDOWS\system32\winupd_KB70645686.exe
    C:\WINDOWS\system32\winupd_KB08471726.exe
    C:\WINDOWS\system32\winupd_KB90069443.exe
    C:\WINDOWS\system32\winupd_KB90004561.exe
    C:\WINDOWS\system32\winupd_KB44318973.exe
    C:\WINDOWS\system32\winupd_KB78434668.exe
    C:\WINDOWS\system32\winupd_KB85131081.exe
    C:\WINDOWS\system32\winupd_KB17264537.exe
    C:\WINDOWS\system32\winupd_KB89378022.exe
    C:\WINDOWS\system32\winupd_KB77786317.exe
    C:\WINDOWS\system32\winupd_KB98221393.exe
    C:\WINDOWS\system32\winupd_KB81204801.exe
    C:\WINDOWS\system32\winupd_KB72117528.exe
    C:\WINDOWS\system32\winupd_KB18003240.exe
    C:\WINDOWS\system32\winupd_KB11901888.exe
    C:\WINDOWS\system32\winupd_KB92021998.exe
    C:\WINDOWS\system32\winupd_KB40754700.exe
    C:\WINDOWS\system32\winupd_KB56869449.exe
    C:\WINDOWS\system32\winupd_KB94184285.exe
    C:\WINDOWS\system32\winupd_KB04080293.exe
    C:\WINDOWS\System32\888111253.exe
    C:\Documents and Settings\ie_updater.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the log from OTMoveIt, located here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [888111253.exe] C:\WINDOWS\System32\888111253.exe

Close HijackThis now.

---------------------------------------------------------------------------------------------


To run FileFind, please do the following:
  • Click on FileFind.exe
  • Leave the Directory set to C:
  • In the box labeled "File"
    • Enter ip6fw.sys
  • Now click on the "Search" button
  • Once the utility has found the files click on "Export"
  • A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.
  • NOTE: The notepad is saved on your C:\ drive as "Export.txt"

---------------------------------------------------------------------------------------------

Now, let's run DSS:
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Double-click gmer.exe

Run the program and select the Rootkit tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. It will produce a log. Copy the log using the Copy button , Open Notepad and paste the log into a new text file (Using Ctrl + V), save it somewhere you can find it, and post the log in this thread.

---------------------------------------------------------------------------------------------

Please do this next:

Zip up c:\_OTMoveIt\MovedFiles (right click, send to>compressed file) and submit it here:

Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4
and include a link to this topic in the message.

---------------------------------------------------------------------------------------------

So, logs from:

OTMoveIt
FileFind
DSS (main.txt and extra.txt)
gmer
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-27-2007, 08:04 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan
Hi John -

In addition to my previous instructions, please do this:

Download the Suspicious File Packer http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.
Paste the following list of bad files into the Suspicious File Packer window:
C:\WINDOWS\system32\drivers\ip6fw.sys
Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.

Once it's been submitted, you can delete the .cab file
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-27-2007, 08:54 AM   #11 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan
I was in the process of responding with the requested logs when I got your last post. I'm not sure if you wanted the link before or after the upload. Anyway, here they are: http://www.bleepingcomputer.com/pf.php
http://www.bleepingcomputer.com/subm....php?channel=4.
I'll post the other file as soon as I finish this post.

Oops! Looks like I used the second link to bleepingcomputer to post the first compressed file of moved files.

So, I went to the first link and posted the same file. Please forgive me . . . I'm old, confused and confounded by you guys.

Here are the logs:

Extra.txt is attached

--------------
OTMoveit

C:\WINDOWS\system32\winupd_KB65919063.exe moved successfully.
C:\WINDOWS\system32\winupd_KB58620628.exe moved successfully.
C:\WINDOWS\system32\winupd_KB69412836.exe moved successfully.
C:\WINDOWS\system32\winupd_KB08494134.exe moved successfully.
C:\WINDOWS\system32\winupd_KB26431806.exe moved successfully.
C:\WINDOWS\system32\winupd_KB56829756.exe moved successfully.
C:\WINDOWS\system32\winupd_KB59303473.exe moved successfully.
C:\WINDOWS\system32\winupd_KB70645686.exe moved successfully.
C:\WINDOWS\system32\winupd_KB08471726.exe moved successfully.
C:\WINDOWS\system32\winupd_KB90069443.exe moved successfully.
C:\WINDOWS\system32\winupd_KB90004561.exe moved successfully.
C:\WINDOWS\system32\winupd_KB44318973.exe moved successfully.
C:\WINDOWS\system32\winupd_KB78434668.exe moved successfully.
C:\WINDOWS\system32\winupd_KB85131081.exe moved successfully.
C:\WINDOWS\system32\winupd_KB17264537.exe moved successfully.
C:\WINDOWS\system32\winupd_KB89378022.exe moved successfully.
C:\WINDOWS\system32\winupd_KB77786317.exe moved successfully.
C:\WINDOWS\system32\winupd_KB98221393.exe moved successfully.
C:\WINDOWS\system32\winupd_KB81204801.exe moved successfully.
C:\WINDOWS\system32\winupd_KB72117528.exe moved successfully.
C:\WINDOWS\system32\winupd_KB18003240.exe moved successfully.
C:\WINDOWS\system32\winupd_KB11901888.exe moved successfully.
C:\WINDOWS\system32\winupd_KB92021998.exe moved successfully.
C:\WINDOWS\system32\winupd_KB40754700.exe moved successfully.
C:\WINDOWS\system32\winupd_KB56869449.exe moved successfully.
C:\WINDOWS\system32\winupd_KB94184285.exe moved successfully.
C:\WINDOWS\system32\winupd_KB04080293.exe moved successfully.
File/Folder C:\WINDOWS\System32\888111253.exe not found.
C:\Documents and Settings\ie_updater.exe moved successfully.
File/Folder not found.

Created on 04/27/2007 09:59:41

end
------------

Filefind

C:\WINDOWS\system32\drivers\ip6fw.sys - 7296 Bytes

end
---------

DSS Main

Deckard's System Scanner v20070423.42
Run by David on 2007-04-27 at 10:07:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
53: 2007-04-27 14:07:55 UTC - RP457 - Deckard's System Scanner Restore Point
52: 2007-04-27 07:00:53 UTC - RP456 - Installed Windows XP KB898461.
51: 2007-04-27 07:00:29 UTC - RP455 - Software Distribution Service 2.0
50: 2007-04-26 19:25:50 UTC - RP454 - System Checkpoint
49: 2007-04-25 18:30:32 UTC - RP453 - System Checkpoint


-- First Restore Point --
1: 2007-01-27 14:04:31 UTC - RP405 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as David.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:08:51 AM, on 4/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Documents and Settings\David\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\David.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/...uicksilver.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SP Software Installer - Unknown owner - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe (file missing)
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070426-095717-187 O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
backup-20070426-095717-270 O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Internet Security\isadd.dll (file missing)
backup-20070426-095717-362 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20070426-095717-734 O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20070426-095717-967 O4 - HKLM\..\Run: [VaCtrls] v7
backup-20070426-143921-850 O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\System32\clcl6.exe
backup-20070427-100311-496 O4 - HKLM\..\Run: [888111253.exe] C:\WINDOWS\System32\888111253.exe

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser %1,%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys <Verified; Mylex Corporation; Mylex Disk Array Controller Driver; 6.00-21; 6.00-21 (XPClient.010817-1148)>
R0 Gernuwa - c:\windows\system32\drivers\gernuwa.sys <Not Verified; Symantec Corporation; pcAnywhere; 10.5.0; 10.5.0>
R1 awlegacy - c:\windows\system32\drivers\awlegacy.sys <Not Verified; Symantec Corporation; pcAnywhere; 9.2.1; 9.2.1>
R1 Cdr4_xp - c:\windows\system32\drivers\cdr4_xp.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8>
R1 Cdralw2k - c:\windows\system32\drivers\cdralw2k.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8>
R1 cdudf_xp - c:\windows\system32\drivers\cdudf_xp.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8 built by: WinDDK>
R1 ClntMgmt (HP Client Management Driver) - c:\windows\system32\drivers\clntmgmt.sys <Not Verified; Hewlett-Packard; Client Management Driver; 2.00.H1; 2,0,8,1>
R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan; 8.0.0; 8.0.0.266>
R1 pwd_2k - c:\windows\system32\drivers\pwd_2k.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8>
R1 UdfReadr_xp - c:\windows\system32\drivers\udfreadr_xp.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8 built by: WinDDK>
R2 cpqdfw (Diagnostics Driver) - c:\windows\system32\drivers\cpqdfw.sys
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9; 2.3.1.9; 2.3.1.9>
R3 ac97intc (Intel(r) 82801 Audio Driver Install Service (WDM)) - c:\windows\system32\drivers\ac97intc.sys <Verified; Intel Corporation; Intel(r) Integrated Controller Hub Audio Driver; 5.10.3523; 5.10.3523 built by: WinDDK>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept; 8.0.0; 8.0.0.277>
R3 ltmodem5 (LT Modem Driver) - c:\windows\system32\drivers\ltmdmnt.sys <Verified; LT; LT V.92 Data+Fax Modem Version 8.23; 8.23; 8.23>
R3 mmc_2K - c:\windows\system32\drivers\mmc_2k.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan; 8.0.0; 8.0.0.276>
R3 NSCIRDA (NSC Infrared Device Driver) - c:\windows\system32\drivers\nscirda.sys <Verified; National Semiconductor Corporation; NSC Fast Infrared Driver.; 1,0,0,0; 5,01,00,006 (xpclient.010817-1148)>
R3 RimSerPort (RIM Virtual Serial Port) - c:\windows\system32\drivers\rimserial.sys <Verified; Research in Motion Ltd; RIM Modem; 1.1.0.2; 1.1.0.2>

S3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Verified; Andrea Electronics Corporation; Andrea Audio Driver; 3.0.2.36; 3.0.2.36>
S3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys <Verified; Agere Systems; Agere SoftModem Driver; 2.1.36 2.1.36 11/19/2003 15:41:15; 2.1.36 2.1.36 11/19/2003 15:41:15>
S3 AR5211 (D-Link Adapter) - c:\windows\system32\drivers\ar5211.sys <Not Verified; D-Link; D-Link Wireless Network Adapter; 2.2.4.32; 2.2.4.32>
S3 CONAN - c:\windows\system32\drivers\o2mmb.sys <Verified; O2 Micro; o2mmb; 1, 0, 0, 0; 1, 0, 4, 701>
S3 dvd_2K - c:\windows\system32\drivers\dvd_2k.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8>
S3 MbxStby - c:\windows\system32\drivers\mbxstby.sys <Verified; O2 Micro; o2mmb; 1, 0, 0, 0; 1, 0, 0, 4>
S3 RimUsb (RIM Handheld) - c:\windows\system32\drivers\rimusb.sys <Verified; Research In Motion Limited; RIM handheld driver; 1.1.0.2; 1.1.0.2>
S3 SMCIRDA (SMC IrCC Miniport Device Driver) - c:\windows\system32\drivers\smcirda.sys <Verified; SMC; Fast Infrared Miniport Driver; 5.1.2462.0; 5.1.2462.0>
S3 smwdm - c:\windows\system32\drivers\smwdm.sys <Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver; 5.12.01.3890; 5.12.01.3890>
S3 WLAN_400_500_SERVICE (HP WLAN W400/W500 Wireless Network Adapter Service) - c:\windows\system32\drivers\ar5211.sys <Not Verified; D-Link; D-Link Wireless Network Adapter; 2.2.4.32; 2.2.4.32>
S4 AW_HOST - c:\windows\system32\drivers\aw_host5.sys <Not Verified; Symantec Corporation; pcAnywhere; 10.5; 10.5.1.497>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 cpqdmi - c:\progra~1\compaq\compaq~1\cpqdmi.exe <Not Verified; Compaq Computer Corporation; Compaq Management Agents; 5.00 K1; 5.0.9.1>
R2 DfwWebAgent (Remote Diagnostics Enabling Agent) - c:\windows\cpqdiag\cpqdfwag.exe <Not Verified; Hewlett-Packard; Remote Diagnostics Enabling Agent; 3.02; 3.02.2005>
R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework; ; 3.5.0.412>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise; 8.0.0; 8.0.0.912>
R2 SoundMAX Agent Service (default) (SoundMAX Agent Service) - c:\program files\analog devices\soundmax\smagent.exe <Not Verified; Analog Devices, Inc.; SoundMAX service agent; 3, 2, 6, 0; 3, 2, 6, 0>
R2 WIN32SL - c:\program files\compaq\compaq management agents\dmi\win32\bin\win32sl.exe <Not Verified; Intel; DMI 2.0 SDK; 2, 0, 0, 54; 2, 0, 0, 54>

S2 SP Software Installer - c:\program files\accessmanager\pmac\sp_swins.exe (file missing)
S4 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe (file missing)
S4 awhost32 (pcAnywhere Host Service) - c:\program files\symantec\pcanywhere\awhost32.exe <Not Verified; Symantec Corporation; pcAnywhere; 10.5; 10.5.1.505>
S4 CPQALERT (Insight Local Alerter) - c:\program files\compaq\compaq management agents\cpqalert.exe <Not Verified; Hewlett-Packard Company; Insight Management Agent; 5.00 K1; 5.0.9.1>
S4 cpqWebDmi (Insight Web Agent) - c:\progra~1\compaq\compaq~1\cpqweb~1\webdmi.exe <Not Verified; Hewlett-Packard Company; Insight Management Agent; 5.00 K1; 5.0.9.1>


-- Files created between 2007-03-27 and 2007-04-27 -----------------------------

2007-04-27 03:00:55 0 d-------- C:\WINDOWS\System32\PreInstall
2007-04-26 15:03:43 49152 --a------ C:\WINDOWS\nircmd.exe <Not Verified; NirSoft; NirCmd; 1.85; 1.85>
2007-04-26 14:47:50 0 d-------- C:\WINDOWS\System32\SoftwareDistribution
2007-04-26 14:47:12 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-04-26 14:46:56 7296 --a------ C:\WINDOWS\System32\drivers\ip6fw.sys
2007-04-26 09:40:30 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys <Not Verified; GRISOFT, s.r.o.; AVG7 Clean Driver; 1.0.0.14; 1.0.0.14>
2007-04-26 09:17:58 974914 --a------ C:\WINDOWS\System32\RC48E140.DLL <Not Verified; RICOH CO., LTD.; RICOH RPCS Printer Driver; 1.00; 7.3.0>
2007-04-26 09:17:58 32768 --a------ C:\WINDOWS\System32\RC00C140.dll <Not Verified; RICOH CO., LTD.; RC00C140; 7.3.0; 7.3.0>
2007-04-26 09:17:57 61440 --a------ C:\WINDOWS\System32\TrackID.dll <Not Verified; RICOH COMPANY,LTD.; Track ID; 1, 0, 4, 1; 1, 0, 4, 1>
2007-04-26 09:17:57 69632 --a------ C:\WINDOWS\System32\TIFmtA.dll <Not Verified; RICOH COMPANY,LTD.; Track ID; 1, 0, 4, 0; 1, 0, 4, 0>
2007-04-26 09:17:57 49152 --a------ C:\WINDOWS\System32\TIBase64.dll <Not Verified; RICOH COMPANY,LTD.; Track ID; 1, 0, 1, 0; 1, 0, 1, 0>
2007-04-26 09:17:57 262364 --a------ C:\WINDOWS\System32\rpcsecl.dll <Not Verified; RICOH; RICOH RPCS Printer Driver Module rpcsecl; 3, 3, 3, 0; 3, 3, 3, 0>
2007-04-26 09:17:57 221184 --a------ C:\WINDOWS\System32\RICJC32.dll <Not Verified; RICOH CO.,Ltd.; RICJC32; 1, 3, 4, 0; 1, 3, 4, 0>
2007-04-26 09:17:57 61440 --a------ C:\WINDOWS\System32\rdrvlog.dll <Not Verified; RICOH; RICOH rdrvlog; 0, 3, 7, 0; 0, 3, 7, 0>
2007-04-26 09:17:57 57344 --a------ C:\WINDOWS\System32\rdrvinf.dll <Not Verified; RICOH Co.,Ltd.; RICOH RPDL Driver; 6, 3, 1, 0; 6, 3, 1, 0>
2007-04-26 09:17:57 77824 --a------ C:\WINDOWS\System32\RCPRINT.dll <Not Verified; RICOH CO., LTD.; RICOH RPCS Printer Driver; 1.3.1.0; 1.3.1.0>
2007-04-26 09:17:57 126976 --a------ C:\WINDOWS\System32\Rc4manNT.dll <Not Verified; RICOH CO., LTD.; RC4MAN; 4, 0, 5, 0; 4, 0, 5, 0>
2007-04-26 09:17:57 167936 --a------ C:\WINDOWS\System32\JCUI.exe <Not Verified; Ricoh Co.,Ltd.; JCUI; 1, 3, 3, 0; 1, 3, 3, 0>
2007-04-26 09:17:56 53248 --a------ C:\WINDOWS\System32\RICDB32.dll <Not Verified; RICOH CO.,Ltd.; RICDB; 1, 1, 3, 0; 1, 1, 3, 0>
2007-04-26 09:17:56 27136 --a------ C:\WINDOWS\System32\RCINST.dll <Not Verified; RICOH CO., LTD.; RICOH RPCS Printer Driver; 0, 2, 0, 2; 2.0.2>
2007-04-26 09:17:56 32768 --a------ C:\WINDOWS\System32\rc4mon.dll <Not Verified; RICOH CO.,Ltd.; RC4MON; 3, 3, 1, 0; 3, 3, 1, 0>
2007-04-26 09:17:56 1236992 --a------ C:\WINDOWS\System32\MP450dat.dll <Not Verified; RICOH CO., LTD.; MP450dat.dll; 1, 0, 0, 0; 1, 0, 0, 0>
2007-04-26 09:17:56 37376 --a------ C:\WINDOWS\System32\MFRICRES.dll <Not Verified; RICOH CO.,Ltd.; MFRICRES; 1, 0, 3, 0; 1, 0, 3, 0>
2007-04-26 09:17:56 0 d--h----- C:\_rpcs
2007-04-25 14:55:37 2552 --a------ C:\WINDOWS\System32\tmp.reg
2007-04-25 14:55:09 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS; ; >
2007-04-25 14:55:09 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility; 2, 0, 0, 0; 2, 0, 0, 0>
2007-04-25 14:55:09 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2007-04-25 12:00:08 0 d-------- C:\Program Files\Hijack This
2007-04-08 20:58:22 0 d-------- C:\Documents and Settings\David\Application Data\MSN6


-- Find3M Report ---------------------------------------------------------------

2007-04-26 14:47:52 0 d--h----- C:\Program Files\WindowsUpdate
2007-04-26 11:37:58 0 d-------- C:\Program Files\Common Files\Companion Wizard
2007-04-08 20:03:07 0 d-------- C:\Documents and Settings\David\Application Data\PhotoParade
2007-03-23 10:02:42 0 d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-03-23 09:59:54 0 d-------- C:\Documents and Settings\David\Application Data\WinAntiVirus Pro 2007


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"="C:\\WINDOWS\\Cpqdiag\\CpqDfwAg.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link REG Utility.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\D-Link REG Utility.lnk"
"backup"="C:\\WINDOWS\\pss\\D-Link REG Utility.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\D-Link\\AIRPLU~1\\Reg.exe "
"item"="D-Link REG Utility"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkAdmin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CHKADMIN"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb07"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdaterUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Dispatcher v2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fppdis2a"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fppdis2a.exe\" /source=HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EngUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SHSTAT"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ip6FwHlp"=dword:00000003
"cpqWebDmi"=dword:00000002
"CPQALERT"=dword:00000002
"awhost32"=dword:00000003
"Ati HotKey Poller"=dword:00000002
"ACS"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-04-27 at 10:09:48 ---------

GMER

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-04-27 10:23:07
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT 82335109 ZwCreateThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll

---- EOF - GMER 1.0.12 ----
Attached Files
File Type: txt dss extra.txt (10.0 KB, 2 views)
jross1943 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-27-2007, 09:15 AM   #12 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan
Here is the link to the .cab file you requested.
http://www.bleepingcomputer.com/pf.php

In addition, I have a HJT log from a computer on the same network as the infected one. Should I post it here or as a new thread?

Thanks again,

John
jross1943 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-27-2007, 09:25 AM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan
Thanks for the uploads, John. You're doing great. Let's keep this machine offline still, if possible.

Can you tell me what ctxuser account is used for on this machine? I should view a HJT log from it as well. Post one in your next reply, but please label it as ctxuser, so I don't forget...


We should start a new thread for the next machine, to help keep things orderly.

If you suspect that one's infected, take it offline now if you've not already done so.



Run OTMoveIt
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\drivers\ip6fw.sys
    C:\Program Files\Common Files\WinAntiVirus Pro 2007
    C:\Documents and Settings\David\Application Data\WinAntiVirus Pro 2007

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the log from OTMoveIt, located here, at the end of this round.

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

---------------------------------------------------------------------------------------

Once that's done, delete c:\_OTMoveIt\MovedFiles

---------------------------------------------------------------------------------------

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.1_05

These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall previous version when you update, nor tell you that you should.

Use your clean machine to download the Java installer I linked you to above, and carry it to the infected (but looking much better) machine, then install it. It would be good to have that installed before going back online.

---------------------------------------------------------------------------------------------


Using your clean machine, download this next tool, and carry it to the infected machine.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-27-2007, 09:28 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan
John -

Change of order....

Run DrWeb before installing new Java.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-27-2007, 09:59 AM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan
One more question....do you know what created this folder?

C:\QUARANTINE

Take a peek inside, and let me know what's there, if anything.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-27-2007, 10:16 AM   #16 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan
Re: CTX User - The CTX User account is an old one and no longer in use. It can be deleted. The only user is "David".

Re: Quarantine folder The "Quarantine" folder was created on April 11, 2007 by a program unknown. It contains over a hundred files. Most of them have the same filename as the windows update files we deleted only with the extension added ".vir. There is a log in the folder that contains all the filenames. Do you want the log?

DrWeb is scanning now and looks like it will take awhile. I need to run out to the bank. I'll be back in 30 - 45 minutes.

Thanks again,

John
jross1943 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-27-2007, 10:20 AM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan
AV progs usually claim their own Quarantine folders, but it may be related to NetworkAssociates/McAfee

Yes, let's see the log.

It's quite possible DrWeb will run happily through that folder and remove .vir files.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-27-2007, 10:28 AM   #18 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan
Here's the log from the "Quarantine" file:
________________________________
C:\WINDOWS\system32\winupd_KB21542167.exe => winupd_KB21542167.exe.Vir
C:\WINDOWS\system32\winupd_KB00016252.exe => winupd_KB00016252.exe.Vir
C:\WINDOWS\system32\winupd_KB19301856.exe => winupd_KB19301856.exe.Vir
C:\WINDOWS\system32\winupd_KB94184285.exe => winupd_KB94184285.exe.Vir
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C7ETAN63\botm[1].exe => botm[1].exe.Vir
C:\WINDOWS\system32\module.exe => module.exe.Vir
C:\Documents and Settings\David\Desktop\SmitfraudFix.exe => SmitfraudFix.exe.Vir
C:\WINDOWS\system32\winupd_KB62074855.exe => winupd_KB62074855.exe.Vir
C:\WINDOWS\system32\winupd_KB06281259.exe => winupd_KB06281259.exe.Vir
C:\WINDOWS\system32\winupd_KB83647438.exe => winupd_KB83647438.exe.Vir
C:\WINDOWS\system32\winupd_KB93427757.exe => winupd_KB93427757.exe.Vir
C:\WINDOWS\system32\winupd_KB26583367.exe => winupd_KB26583367.exe.Vir
C:\WINDOWS\system32\winupd_KB83879238.exe => winupd_KB83879238.exe.Vir
C:\WINDOWS\system32\winupd_KB36285409.exe => winupd_KB36285409.exe.Vir
C:\WINDOWS\system32\winupd_KB69778977.exe => winupd_KB69778977.exe.Vir
C:\WINDOWS\system32\winupd_KB02580498.exe => winupd_KB02580498.exe.Vir
C:\WINDOWS\system32\winupd_KB05724457.exe => winupd_KB05724457.exe.Vir
C:\WINDOWS\system32\winupd_KB40820388.exe => winupd_KB40820388.exe.Vir
C:\WINDOWS\system32\winupd_KB61903845.exe => winupd_KB61903845.exe.Vir
C:\WINDOWS\system32\winupd_KB53379655.exe => winupd_KB53379655.exe.Vir
C:\WINDOWS\system32\winupd_KB92784527.exe => winupd_KB92784527.exe.Vir
C:\WINDOWS\system32\winupd_KB95488542.exe => winupd_KB95488542.exe.Vir
C:\WINDOWS\system32\winupd_KB92438604.exe => winupd_KB92438604.exe.Vir
C:\WINDOWS\system32\winupd_KB57856840.exe => winupd_KB57856840.exe.Vir
C:\WINDOWS\system32\winupd_KB85806683.exe => winupd_KB85806683.exe.Vir
C:\WINDOWS\system32\winupd_KB49411633.exe => winupd_KB49411633.exe.Vir
C:\WINDOWS\system32\winupd_KB80152655.exe => winupd_KB80152655.exe.Vir
C:\WINDOWS\system32\winupd_KB78485085.exe => winupd_KB78485085.exe.Vir
C:\WINDOWS\system32\winupd_KB70682198.exe => winupd_KB70682198.exe.Vir
C:\WINDOWS\system32\winupd_KB69765365.exe => winupd_KB69765365.exe.Vir
C:\WINDOWS\system32\winupd_KB94625724.exe => winupd_KB94625724.exe.Vir
C:\WINDOWS\system32\winupd_KB00023738.exe => winupd_KB00023738.exe.Vir
C:\WINDOWS\system32\winupd_KB95329594.exe => winupd_KB95329594.exe.Vir
C:\WINDOWS\system32\winupd_KB39369057.exe => winupd_KB39369057.exe.Vir
C:\WINDOWS\system32\winupd_KB19066508.exe => winupd_KB19066508.exe.Vir
C:\WINDOWS\system32\winupd_KB63394477.exe => winupd_KB63394477.exe.Vir
C:\WINDOWS\system32\winupd_KB80858368.exe => winupd_KB80858368.exe.Vir
C:\WINDOWS\system32\winupd_KB50542013.exe => winupd_KB50542013.exe.Vir
C:\WINDOWS\system32\winupd_KB87246020.exe => winupd_KB87246020.exe.Vir
C:\WINDOWS\system32\winupd_KB08344358.exe => winupd_KB08344358.exe.Vir
C:\WINDOWS\system32\winupd_KB51645150.exe => winupd_KB51645150.exe.Vir
C:\WINDOWS\system32\winupd_KB06704740.exe => winupd_KB06704740.exe.Vir
C:\WINDOWS\system32\winupd_KB32836621.exe => winupd_KB32836621.exe.Vir
C:\WINDOWS\system32\winupd_KB65319118.exe => winupd_KB65319118.exe.Vir
C:\WINDOWS\system32\winupd_KB83385594.exe => winupd_KB83385594.exe.Vir
C:\WINDOWS\system32\winupd_KB39286483.exe => winupd_KB39286483.exe.Vir
C:\WINDOWS\system32\winupd_KB63691602.exe => winupd_KB63691602.exe.Vir
C:\WINDOWS\system32\winupd_KB61121512.exe => winupd_KB61121512.exe.Vir
C:\WINDOWS\system32\winupd_KB39371595.exe => winupd_KB39371595.exe.Vir
C:\WINDOWS\system32\winupd_KB58482257.exe => winupd_KB58482257.exe.Vir
C:\WINDOWS\system32\winupd_KB73927933.exe => winupd_KB73927933.exe.Vir
C:\WINDOWS\system32\winupd_KB17787168.exe => winupd_KB17787168.exe.Vir
C:\WINDOWS\system32\winupd_KB34342738.exe => winupd_KB34342738.exe.Vir
C:\WINDOWS\system32\winupd_KB31204061.exe => winupd_KB31204061.exe.Vir
C:\WINDOWS\system32\winupd_KB38415189.exe => winupd_KB38415189.exe.Vir
C:\WINDOWS\system32\winupd_KB58719816.exe => winupd_KB58719816.exe.Vir
C:\WINDOWS\system32\winupd_KB78257402.exe => winupd_KB78257402.exe.Vir
C:\WINDOWS\system32\winupd_KB34134510.exe => winupd_KB34134510.exe.Vir
C:\WINDOWS\system32\winupd_KB10942151.exe => winupd_KB10942151.exe.Vir
C:\WINDOWS\system32\winupd_KB10946889.exe => winupd_KB10946889.exe.Vir
C:\WINDOWS\system32\winupd_KB85136502.exe => winupd_KB85136502.exe.Vir
C:\WINDOWS\system32\winupd_KB55997963.exe => winupd_KB55997963.exe.Vir
C:\WINDOWS\system32\winupd_KB58644168.exe => winupd_KB58644168.exe.Vir
C:\WINDOWS\system32\winupd_KB56796748.exe => winupd_KB56796748.exe.Vir
C:\WINDOWS\system32\winupd_KB07462877.exe => winupd_KB07462877.exe.Vir
C:\WINDOWS\system32\winupd_KB85967489.exe => winupd_KB85967489.exe.Vir
C:\WINDOWS\system32\winupd_KB00206001.exe => winupd_KB00206001.exe.Vir
C:\WINDOWS\system32\winupd_KB55589433.exe => winupd_KB55589433.exe.Vir
C:\WINDOWS\system32\winupd_KB25170239.exe => winupd_KB25170239.exe.Vir
C:\WINDOWS\system32\winupd_KB58407150.exe => winupd_KB58407150.exe.Vir
C:\WINDOWS\system32\winupd_KB92810471.exe => winupd_KB92810471.exe.Vir
C:\WINDOWS\system32\winupd_KB07955160.exe => winupd_KB07955160.exe.Vir
C:\WINDOWS\system32\winupd_KB98996755.exe => winupd_KB98996755.exe.Vir
C:\WINDOWS\system32\winupd_KB64108303.exe => winupd_KB64108303.exe.Vir
C:\WINDOWS\system32\winupd_KB88124763.exe => winupd_KB88124763.exe.Vir
C:\WINDOWS\system32\winupd_KB80952726.exe => winupd_KB80952726.exe.Vir
C:\WINDOWS\system32\winupd_KB03699964.exe => winupd_KB03699964.exe.Vir
C:\WINDOWS\system32\winupd_KB97803482.exe => winupd_KB97803482.exe.Vir
C:\WINDOWS\system32\winupd_KB76608188.exe => winupd_KB76608188.exe.Vir
C:\WINDOWS\system32\winupd_KB50418131.exe => winupd_KB50418131.exe.Vir
C:\WINDOWS\system32\winupd_KB61911992.exe => winupd_KB61911992.exe.Vir
C:\WINDOWS\system32\winupd_KB66857360.exe => winupd_KB66857360.exe.Vir
C:\WINDOWS\system32\winupd_KB67844862.exe => winupd_KB67844862.exe.Vir
C:\WINDOWS\system32\winupd_KB62931535.exe => winupd_KB62931535.exe.Vir
C:\WINDOWS\system32\winupd_KB18586743.exe => winupd_KB18586743.exe.Vir
C:\WINDOWS\system32\winupd_KB50258544.exe => winupd_KB50258544.exe.Vir
C:\WINDOWS\system32\winupd_KB64693993.exe => winupd_KB64693993.exe.Vir
C:\WINDOWS\system32\winupd_KB75855185.exe => winupd_KB75855185.exe.Vir
C:\WINDOWS\system32\winupd_KB88027774.exe => winupd_KB88027774.exe.Vir
C:\WINDOWS\system32\winupd_KB46176142.exe => winupd_KB46176142.exe.Vir
C:\WINDOWS\system32\winupd_KB75374936.exe => winupd_KB75374936.exe.Vir
C:\WINDOWS\system32\winupd_KB57204231.exe => winupd_KB57204231.exe.Vir
C:\WINDOWS\system32\winupd_KB37088003.exe => winupd_KB37088003.exe.Vir
C:\WINDOWS\system32\winupd_KB60550488.exe => winupd_KB60550488.exe.Vir
C:\WINDOWS\system32\winupd_KB15245041.exe => winupd_KB15245041.exe.Vir
C:\WINDOWS\system32\winupd_KB91454359.exe => winupd_KB91454359.exe.Vir
C:\WINDOWS\system32\winupd_KB39346850.exe => winupd_KB39346850.exe.Vir
C:\WINDOWS\system32\winupd_KB37543312.exe => winupd_KB37543312.exe.Vir
C:\WINDOWS\system32\winupd_KB59215993.exe => winupd_KB59215993.exe.Vir
C:\WINDOWS\system32\winupd_KB21034596.exe => winupd_KB21034596.exe.Vir
C:\WINDOWS\system32\winupd_KB22850466.exe => winupd_KB22850466.exe.Vir
C:\WINDOWS\system32\winupd_KB94937474.exe => winupd_KB94937474.exe.Vir
C:\WINDOWS\system32\winupd_KB42507638.exe => winupd_KB42507638.exe.Vir
C:\WINDOWS\system32\winupd_KB68190125.exe => winupd_KB68190125.exe.Vir
C:\WINDOWS\system32\winupd_KB21246055.exe => winupd_KB21246055.exe.Vir
C:\WINDOWS\system32\winupd_KB00595362.exe => winupd_KB00595362.exe.Vir
C:\WINDOWS\system32\winupd_KB93949556.exe => winupd_KB93949556.exe.Vir
C:\WINDOWS\system32\winupd_KB23828724.exe => winupd_KB23828724.exe.Vir
C:\WINDOWS\system32\winupd_KB40009515.exe => winupd_KB40009515.exe.Vir
C:\WINDOWS\system32\winupd_KB50309663.exe => winupd_KB50309663.exe.Vir
C:\WINDOWS\system32\winupd_KB40003426.exe => winupd_KB40003426.exe.Vir
C:\WINDOWS\system32\winupd_KB64141295.exe => winupd_KB64141295.exe.Vir
C:\WINDOWS\system32\winupd_KB29215830.exe => winupd_KB29215830.exe.Vir
C:\WINDOWS\system32\winupd_KB22900692.exe => winupd_KB22900692.exe.Vir
C:\WINDOWS\system32\winupd_KB96798831.exe => winupd_KB96798831.exe.Vir
C:\WINDOWS\system32\winupd_KB10329381.exe => winupd_KB10329381.exe.Vir
C:\WINDOWS\system32\winupd_KB91065197.exe => winupd_KB91065197.exe.Vir
C:\WINDOWS\system32\winupd_KB55890919.exe => winupd_KB55890919.exe.Vir
C:\WINDOWS\system32\winupd_KB80974405.exe => winupd_KB80974405.exe.Vir
C:\WINDOWS\system32\winupd_KB66599943.exe => winupd_KB66599943.exe.Vir
C:\WINDOWS\system32\winupd_KB76901843.exe => winupd_KB76901843.exe.Vir
C:\WINDOWS\system32\winupd_KB13215285.exe => winupd_KB13215285.exe.Vir
C:\WINDOWS\system32\winupd_KB71072833.exe => winupd_KB71072833.exe.Vir
C:\WINDOWS\system32\winupd_KB16506898.exe => winupd_KB16506898.exe.Vir
C:\WINDOWS\system32\winupd_KB46012135.exe => winupd_KB46012135.exe.Vir
C:\WINDOWS\system32\winupd_KB69574958.exe => winupd_KB69574958.exe.Vir
C:\WINDOWS\system32\winupd_KB31678801.exe => winupd_KB31678801.exe.Vir
C:\WINDOWS\system32\winupd_KB03449245.exe => winupd_KB03449245.exe.Vir
C:\WINDOWS\system32\winupd_KB29728510.exe => winupd_KB29728510.exe.Vir
C:\WINDOWS\system32\winupd_KB84200959.exe => winupd_KB84200959.exe.Vir
C:\WINDOWS\system32\winupd_KB63434888.exe => winupd_KB63434888.exe.Vir
C:\WINDOWS\system32\winupd_KB37915256.exe => winupd_KB37915256.exe.Vir
C:\WINDOWS\system32\winupd_KB80440450.exe => winupd_KB80440450.exe.Vir
C:\WINDOWS\system32\winupd_KB44211985.exe => winupd_KB44211985.exe.Vir
C:\WINDOWS\system32\winupd_KB34910030.exe => winupd_KB34910030.exe.Vir
C:\WINDOWS\system32\winupd_KB60537712.exe => winupd_KB60537712.exe.Vir
C:\WINDOWS\system32\winupd_KB44778745.exe => winupd_KB44778745.exe.Vir
C:\WINDOWS\system32\winupd_KB68731342.exe => winupd_KB68731342.exe.Vir
C:\WINDOWS\system32\winupd_KB38810001.exe => winupd_KB38810001.exe.Vir
C:\WINDOWS\system32\winupd_KB57455861.exe => winupd_KB57455861.exe.Vir
C:\WINDOWS\system32\winupd_KB22749102.exe => winupd_KB22749102.exe.Vir
C:\WINDOWS\system32\winupd_KB33521207.exe => winupd_KB33521207.exe.Vir
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8RANCJ8R\botm[1].exe => botm[1].exe.Vir
C:\WINDOWS\system32\module.exe => module.exe.Vir
C:\WINDOWS\system32\winupd_KB28540910.exe => winupd_KB28540910.exe.Vir
C:\WINDOWS\system32\winupd_KB77897703.exe => winupd_KB77897703.exe.Vir
C:\WINDOWS\system32\winupd_KB58049887.exe => winupd_KB58049887.exe.Vir
C:\WINDOWS\system32\winupd_KB72445773.exe => winupd_KB72445773.exe.Vir
C:\WINDOWS\system32\winupd_KB82038842.exe => winupd_KB82038842.exe.Vir
C:\Documents and Settings\David\Desktop\SmitfraudFix\Reboot.exe => Reboot.exe.Vir
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP453\A0061703.exe => A0061703.exe.Vir
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP453\A0061704.exe => A0061704.exe.Vir
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP453\A0061796.exe => A0061796.exe.Vir
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP453\A0061944.exe => A0061944.exe.Vir
jross1943 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-27-2007, 10:29 AM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan
Ok, you can delete the contents of that folder.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-27-2007, 11:57 AM   #20 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan
Hmmmm . . . I think I missed a step with DrWeb. You said to move the incureable files and I blew right past that one. Anyway, here is the DrWeb report. Let me know if I need to re-run it.



John
jross1943 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 09:11 AM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85