Resolved HJT Threads: Resolved spyware and popup issues.

#1, 06-05-2008, 07:39 AM, posted by arkoenig (Registered User)
Join Date: Jun 2008
Posts: 40
OS: Windows XP SP3

Found and removed WORM_AGENT.DFFZ and xyzdyn.exe infections; are there others?

I believe I have found and removed two infections from my machine: WORM_AGENT.DFFZ (which drops files named D:\mplay.com) and xydzyh.exe. In both cases I hunted through the registry, found references to the infected files in what were clearly bogus registry keys, and removed them.

Before the removal, I was getting occasional odd popups and had lots of copies of iexplore.exe running; now I don't and there are no overt symptoms.

Nevertheless, I tried going through your preliminary steps and found something disturbing: Panda ActiveScan runs for about an hour, claiming to find something like 72 infected files in the process, and then abruptly terminates before I can get it to write a log. Not surprisingly, Norton AntiVirus finds nothing wrong.

So I can't run Panda ActiveScan. I can, however, run DSS, and I did so. The log is attached. I also installed SpywareBlaster.

Looking at the DSS log, I see (around line 488) that there was a timeout "waiting for the Indexing helps service to connect". This suggests to me that some part of the xydzyh virus is still there, because I believe that "Indexing helps" is the malware service that xydzyh installed (and that I removed from the registry as part of getting rid of it).

However, I did check and that service is not still running, nor has xyzdyh.exe (or d:\mplay.com) returned to my machine.

So for starters, I would like to know how I can get Panda ActiveScan to complete, and what else I might do to verify the absence of infection.
Attached file: dss-extra.txt (41.5 KB)
#2, 06-05-2008, 08:21 AM, posted by arkoenig (Registered User)
Join Date: Jun 2008
Posts: 40
OS: Windows XP SP3

Re: Found and removed WORM_AGENT.DFFZ and xyzdyn.exe infections; are there others?

Supplementary information:

1) Although Panda ActiveScan terminated before letting me save a log file, when I ran it a second time it told me about the status of the previous scan. It appears that all of the "infected files" it detected were cookies. I still do not know why it did not run to completion.

2) I tried to install the Windows Recovery Console, but could not do so because my Windows install CD is SP2 and I have installed SP3 on my machine. I am hunting for the Microsoft page that explains how to work around this problem, but wouldn't mind if someone can point me in the right direction.
#3, 06-05-2008, 10:18 AM, posted by arkoenig (Registered User)
Join Date: Jun 2008
Posts: 40
OS: Windows XP SP3

Re: Found and removed WORM_AGENT.DFFZ and xyzdyn.exe infections; are there others?

More supplementary information:

3) When I ask Panda ActiveScan to run a "Smart Scan," it completes. All the infections it detected were cookies. When I ask Panda ActiveScan to scan my email and nothing else, it crashes. When I run Microsoft's "inbox repair tool" (c:\Program Files\Microsoft Office\Office12\Scanpst.exe) it finds no errors.

So apparently there's something weird about my Outlook.pst file that gets past both Outlook and the scanpst program, but crashes ActiveScan. Fortunately there doesn't seem to be anything that ActiveScan finds during its "smart scan."
#4, 06-05-2008, 08:38 PM, posted by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista

Re: Found and removed WORM_AGENT.DFFZ and xyzdyn.exe infections; are there others?

Hello arkoenig,

Judging by your thread in Windows XP, you've been reading around HijackThis forums.

Do not run ComboFix until/unless directed to do so.

No worries about Panda scan right now.

Before I can prepare any sort of reply, the extra.txt you've posted is not enough to go by. I need to see the main.txt produced by dss.exe.

Please run a new scan with dss.exe and post that main.txt directly into the reply box.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#5, 06-05-2008, 08:48 PM, posted by arkoenig (Registered User)
Join Date: Jun 2008
Posts: 40
OS: Windows XP SP3

Re: Found and removed WORM_AGENT.DFFZ and xyzdyn.exe infections; are there others?

OK, here's the output. Since my last messages, I have done the following (that I can recall):

Downloaded and run Kaspersky, which found some very old viruses in email inside my Outlook.pst files that to my knowledge I never opened. I deleted those messages anyway to be on the safe side.

Ran Kaspersky again to verify that there are no viruses.

Ran ad-aware, which found only tracking cookies.

Here's the resulting main.txt:

------------------------------------------------------------------------------------
Deckard's System Scanner v20071014.68
Run by ark on 2008-06-05 23:43:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as ark.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:37 PM, on 6/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPMixDSP.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\ark\My Documents\security\dss\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ark.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=1071107
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=1071107
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - S-1-5-18 Startup: Emacs.lnk = C:\gnu\emacs-22.2\bin\runemacs.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\iexplore.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Microsoft Office Outlook 2007.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Emacs.lnk = C:\gnu\emacs-22.2\bin\runemacs.exe (User 'Default user')
O4 - .DEFAULT Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\iexplore.exe (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office Outlook 2007.lnk = ? (User 'Default user')
O4 - Startup: Emacs.lnk = C:\gnu\emacs-22.2\bin\runemacs.exe
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Startup: Microsoft Office Outlook 2007.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c8...23/qboax10.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 13641 bytes

-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-05 19:22:45 2147483647 --ahs---- D:\pagefile.sys
2008-06-05 19:18:27 0 d-------- C:\WINDOWS\setup.pss
2008-06-05 19:18:14 0 d-------- C:\WINDOWS\setupupd
2008-06-05 1624 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-05 1622 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-05 09:57:18 0 d-------- D:\Deckard
2008-06-05 09:48:48 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-05 09:48:43 0 d-------- C:\Program Files\SpywareBlaster
2008-06-05 02:03:49 0 d-------- C:\Program Files\Panda Security
2008-06-05 01:07:36 0 d-------- C:\Program Files\Trend Micro
2008-06-05 00:48:46 0 d-------- C:\Program Files\Lavasoft
2008-06-05 00:48:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-05 00:48:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 17:25:37 163840 --a------ C:\WINDOWS\system32\ArtFfct.dll <Not Verified; ; Bibliothèque de liaison dynamique FDlg>
2008-06-03 17:25:37 0 d-------- C:\Program Files\Arturia
2008-06-03 15:56:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\.emacs.d
2008-06-03 15:51:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\WTablet
2008-05-25 15:52:28 0 d-------- C:\Documents and Settings\ark\Application Data\EmuPatchMixDSP
2008-05-11 16:54:22 0 d-------- C:\Documents and Settings\ark\Application Data\Canon
2008-05-07 18:26:21 0 d-------- C:\WINDOWS\Prefetch
2008-05-07 18:19:52 0 d-------- C:\WINDOWS\system32\scripting
2008-05-07 18:19:52 0 d-------- C:\WINDOWS\l2schemas
2008-05-07 18:19:51 0 d-------- C:\WINDOWS\system32\en
2008-05-07 18:19:51 0 d-------- C:\WINDOWS\system32\bits
2008-05-07 18:16:23 0 d-------- C:\WINDOWS\ServicePackFiles


-- Find3M Report ---------------------------------------------------------------

2008-06-05 23:30:57 0 d-------- C:\Documents and Settings\ark\Application Data\nView_Wallpaper
2008-06-05 23:30:48 0 d-------- C:\Documents and Settings\ark\Application Data\WTablet
2008-06-05 23:07:01 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-05 00:48:01 0 d-------- C:\Program Files\Common Files
2008-06-04 21:45:08 0 d-------- C:\Documents and Settings\ark\Application Data\Adobe
2008-06-04 21:18:31 0 d-------- C:\Program Files\VstPlugins
2008-06-03 09:02:23 0 d-------- C:\Program Files\Symantec
2008-06-03 08:22:46 0 d-------- C:\Documents and Settings\ark\Application Data\ZoomBrowser EX
2008-06-01 23:25:44 0 d-------- C:\Program Files\MIDI Maestro MM4
2008-05-25 15:52:58 0 d-------- C:\Program Files\Creative Professional
2008-05-25 15:41:29 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-05-25 15:41:29 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-05-15 09:49:36 0 d-------- C:\Program Files\Novation
2008-05-14 15:24:18 0 d-------- C:\Program Files\Ableton
2008-05-14 15:19:38 0 d-------- C:\Documents and Settings\ark\Application Data\Ableton
2008-05-07 18:20:22 0 d-------- C:\Program Files\Messenger
2008-05-07 18:19:51 0 d-------- C:\Program Files\Movie Maker
2008-05-07 18:15:51 0 d-------- C:\Program Files\Windows NT
2008-05-06 08:51:03 0 d-------- C:\Program Files\Chess Assistant 9.1
2008-04-25 19:04:00 0 d-------- C:\Program Files\BIAS
2008-04-24 15:13:05 0 d-------- C:\Program Files\Picasa2
2008-04-19 14:59:03 0 d-------- C:\Program Files\Safari
2008-04-19 14:57:57 0 d-------- C:\Program Files\Apple Software Update
2008-04-16 13:28:56 0 d-------- C:\Program Files\RdDrv001
2008-04-15 21:10:45 0 d-------- C:\Program Files\YAMAHA
2008-04-15 21:10:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-09 15:50:09 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-05 14:21:03 0 d-------- C:\Documents and Settings\ark\Application Data\Apple Computer
2008-04-05 14:19:13 0 d-------- C:\Program Files\QuickTime
2008-03-27 11:01:38 7680 -----n--- C:\WINDOWS\system32\nvnusbaudio_coinst.dll <Not Verified; Novation DMS Ltd.; Novation USB Audio Driver>
2008-03-24 11:35:00 1626112 -----n--- C:\WINDOWS\system32\nwiz.exe
2008-03-24 11:35:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-03-24 11:35:00 1703936 -----n--- C:\WINDOWS\system32\nvwdmcpl.dll
2008-03-24 11:35:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-03-24 11:35:00 286720 -----n--- C:\WINDOWS\system32\nvnt4cpl.dll
2008-03-24 11:35:00 1482752 --a------ C:\WINDOWS\system32\nview.dll
2008-03-24 11:35:00 1339392 -----n--- C:\WINDOWS\system32\nvdspsch.exe
2008-03-24 11:35:00 442368 -----n--- C:\WINDOWS\system32\nvappbar.exe
2008-03-24 11:35:00 425984 -----n--- C:\WINDOWS\system32\keystone.exe
2008-03-20 15:36:48 43520 --a------ C:\WINDOWS\system32\CTBurst.dll <Not Verified; ; CTBurst Module>
2008-03-20 15:35:52 34816 --a------ C:\WINDOWS\system32\a3d.dll <Not Verified; ; a3dx5>
2008-03-20 15:35:38 27648 --a------ C:\WINDOWS\system32\ac3api.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:35:14 41472 --a------ C:\WINDOWS\system32\CTxfiBtn.dll <Not Verified; Creative Technology Ltd; CTXFIBTN Dynamic Link Library>
2008-03-20 15:35:14 2560 --a------ C:\WINDOWS\CTXFIRES.DLL <Not Verified; ; CTxfiRes Dynamic Link Library>
2008-03-20 15:35:10 40960 --a------ C:\WINDOWS\system32\CTxfiSpk.dll <Not Verified; Creative Technology Ltd; Ctxfispk Dynamic Link Library>
2008-03-20 15:35:10 23552 --a------ C:\WINDOWS\system32\Ctxfihlp.exe <Not Verified; Creative Technology Ltd; CTXfiHlp Application>
2008-03-20 15:35:06 41472 --a------ C:\WINDOWS\system32\psconv.exe
2008-03-20 15:35:04 23040 --a------ C:\WINDOWS\system32\CTHELPER.EXE <Not Verified; Creative Technology Ltd; CtHelper Application>
2008-03-20 15:35:02 12800 --a------ C:\WINDOWS\system32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>
2008-03-20 15:35:00 38912 --a------ C:\WINDOWS\system32\CTSPKHLP.DLL <Not Verified; Creative Technology Ltd; CtSpkHlp Dynamic Link Library>
2008-03-20 15:34:58 51200 --a------ C:\WINDOWS\system32\CTPCMCIA.DLL <Not Verified; Creative Technology Ltd; CTPCMCIA Dynamic Link Library>
2008-03-20 15:34:58 17920 --a------ C:\WINDOWS\system32\ctmmep.dll <Not Verified; Creative Technology Ltd; Ctmmep Dynamic Link Library>
2008-03-20 15:34:50 36864 --a------ C:\WINDOWS\system32\ctthxcal.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:34:50 8704 --a------ C:\WINDOWS\system32\ctpres.dll <Not Verified; Creative Technology Ltd; CtPanel Resource>
2008-03-20 15:34:48 46592 --a------ C:\WINDOWS\system32\ctscal.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:34:46 145408 --a------ C:\WINDOWS\system32\CTDCIFCE.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:34:46 343040 --a------ C:\WINDOWS\system32\ctdc0001.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:34:44 10240 --a------ C:\WINDOWS\system32\ctdcres.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:34:44 230400 --a------ C:\WINDOWS\system32\ctdc0000.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:34:44 10240 --a------ C:\WINDOWS\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:31:22 46592 --a------ C:\WINDOWS\system32\Ctxfireg.exe <Not Verified; Creative Technology Ltd; CTXFIREG>
2008-03-20 15:31:20 15360 --a------ C:\WINDOWS\system32\Ct20xspi.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:31:14 1119744 --a------ C:\WINDOWS\system32\CTxfispi.exe <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:25:22 46273 --a------ C:\WINDOWS\system32\ctdnlstr.dat
2008-03-20 15:25:22 325821 --a------ C:\WINDOWS\system32\ctdlang.dat
2008-03-20 15:24:54 114688 --a------ C:\WINDOWS\system32\ctemupia.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:22:50 22016 --a------ C:\WINDOWS\system32\ctedasio.dll <Not Verified; Creative Technology, Ltd; Creative Audio Product>
2008-03-20 15:22:48 50688 --a------ C:\WINDOWS\system32\ctasio.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:22:48 151040 --a------ C:\WINDOWS\system32\ct_oal.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:22:44 53248 --a------ C:\WINDOWS\system32\ctdproxy.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:22:30 74240 --a------ C:\WINDOWS\system32\ctosuser.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:22:28 10240 --a------ C:\WINDOWS\system32\SFMAN32.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:22:26 108544 --a------ C:\WINDOWS\system32\SFMS32.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:22:24 16384 --a------ C:\WINDOWS\system32\regplib.exe
2008-03-20 15:22:22 68608 --a------ C:\WINDOWS\system32\piaproxy.dll <Not Verified; Creative Technology Ltd; E-mu PIA>
2008-03-20 15:21:58 149838 --a------ C:\WINDOWS\system32\ctbas2w.dat
2008-03-20 15:20:12 274587 --a------ C:\WINDOWS\system32\ctsbas2w.dat
2008-03-20 15:20:02 115166 --a------ C:\WINDOWS\system32\CTBASICW.DAT
2008-03-20 15:20:00 241084 --a------ C:\WINDOWS\system32\CTSBASW.DAT
2008-03-20 15:19:44 313207 --a------ C:\WINDOWS\system32\ctstatic.dat
2008-03-20 15:19:44 53932 --a------ C:\WINDOWS\system32\ctdaught.dat
2008-03-20 15:19:42 7680 --a------ C:\WINDOWS\system32\enlocstr.exe
2008-03-20 15:19:40 12800 --a------ C:\WINDOWS\system32\killapps.exe <Not Verified; ; killapps>
2008-03-20 15:19:26 31232 --a------ C:\WINDOWS\system32\MIDIDEF.EXE <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-20 15:19:26 36864 --a------ C:\WINDOWS\system32\devreg.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-12 13:10:18 633344 -----n--- C:\WINDOWS\system32\gpprefcl.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-05 20:16:23 356352 -----n--- C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
01/31/2008 10:19 AM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [07/26/2007 09:03 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 06:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 06:50 PM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [08/17/2006 11:00 AM]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [10/20/2006 07:23 PM]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [05/24/2007 09:03 AM]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 08:54 PM]
"@"="" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [02/29/2008 03:12 AM C:\WINDOWS\KHALMNPR.Exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/31/2008 02:15 PM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [08/25/2007 12:53 AM]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [03/19/2002 06:30 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/24/2008 11:35 AM]
"nwiz"="nwiz.exe" [03/24/2008 11:35 AM C:\WINDOWS\system32\nwiz.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [08/01/2007 03:52 PM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [03/24/2008 11:35 AM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [02/29/2008 03:12 AM C:\WINDOWS\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [03/20/2008 03:35 PM C:\WINDOWS\system32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [03/20/2008 03:35 PM C:\WINDOWS\system32\Ctxfihlp.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"SetDefaultMIDI"="MIDIDef.exe" [03/20/2008 03:19 PM C:\WINDOWS\system32\MIDIDEF.EXE]

C:\Documents and Settings\ark\Start Menu\Programs\Startup\
Emacs.lnk - C:\gnu\emacs-22.2\bin\runemacs.exe [3/26/2008 2:57:58 PM]
Launch Internet Explorer Browser.lnk - C:\Program Files\Internet Explorer\iexplore.exe [8/11/2004 7:12:49 PM]
Microsoft Office Outlook 2007.lnk - C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe [11/12/2007 6:24:49 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2/25/2008 12:27:28 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [5/31/2008 5:43:28 PM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2/5/2007 4:40:46 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 04:39 PM 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 05/02/2008 02:42 AM 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-06-05 23:45:25 ------------
Old 06-05-2008, 08:52 PM   #6 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 40
OS: Windows XP SP3


Re: Found and removed WORM_AGENT.DFFZ and xyzdyn.exe infections; are there others?

By the way, I understand that I had not been instructed to do anything that requires the Recovery Console. Nevertheless I thought it would be a good idea to have it available anyway, in case I happened to need it in the future.
Old 06-05-2008, 09:00 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Found and removed WORM_AGENT.DFFZ and xyzdyn.exe infections; are there others?

Absolutely--it's a great idea.

While it may not be needed at this time, infections these days tend to patch a lot of critical system files, which often results in multiple problems, one of which can be an unbootable machine. Having the Windows Recovery Console installed on your machine in advance can save a lot of heartache in the future.

Apparently you've effectively eradicated the infection, as your logs are clean.

What you'll want to do now is create a clean restore point (if you haven't already).

Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will flush out previous restore points (which contain the infections) and create a new restore point.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 06-05-2008, 09:03 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Found and removed WORM_AGENT.DFFZ and xyzdyn.exe infections; are there others?

Oops..forgot to tell you....

The Recovery Console on your SP2 disc will work for SP3 as well.
Old 06-05-2008, 09:11 PM   #9 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 40
OS: Windows XP SP3


Re: Found and removed WORM_AGENT.DFFZ and xyzdyn.exe infections; are there others?

Quote:
Originally Posted by Ried
Absolutely--it's a great idea.

While it may not be needed at this time, infections these days tend to patch a lot of critical system files, which often results in multiple problems, one of which can be an unbootable machine. Having the Windows Recovery Console installed on your machine in advance can save a lot of heartache in the future.
I have, on occasion, resorted to removing the disk from a crashed machine and connecting it to a USB adapter on another machine so that I can get at its files.

Quote:
Apparently you've effectively eradicated the infection, as your logs are clean.
Thanks -- I am gratified to hear the news. I've actually had a fair amount of system administration experience, just not on Windows.

Quote:
What you'll want to do now is create a clean restore point (if you haven't already).

Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will flush out previous restore points (which contain the infections) and create a new restore point.
Done--though I find it easier to right-click "My Computer" and select "Properties" than to type SYSDM.CPL into the Run dialog :-)

By the way, one thing I found interesting was that Norton Antivirus 2008 did not detect either of these infections, and when I contacted them for advice about how to deal with the first one I had found, they said they wanted me to install a remote access ActiveX control to give them control over my machine and pay them $100. I suggested to them that if their software was unable to detect the problem, I had little confidence that their people would be able to do so either, and I would rather hunt around for solutions by myself first.

That hunt is what led me to this forum. It's been an interesting education -- thanks! I might say something about it on my blog.
Old 06-05-2008, 09:25 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Found and removed WORM_AGENT.DFFZ and xyzdyn.exe infections; are there others?

Quote:
Done--though I find it easier to right-click "My Computer" and select "Properties" than to type SYSDM.CPL into the Run dialog :-)
More than one way to skin a cat.

I am a bit surprised Norton didn't pick it up--Avira has it in its database, as does TrendMicro.

For tidiness' sake, run a scan with HijackThis.exe and 'check' the following orphaned entries:

O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)


Click 'Fix Checked' and close HijackThis.

-----------------------------------------------

Best of luck to you, arkoenig.
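As an added example (not part of this thread, and not code from DSS or HijackThis), here is a small Python parser for the DSS "Registry Dump" format posted above. It flags the same kind of orphaned BHO CLSID that HijackThis reports as an O2 "(no file)" entry, and goes one step further than the thread by also listing Run values whose trailing [] is empty, meaning DSS could not resolve the command to a file on disk. The embedded excerpt is copied from the log in this thread; the function names are my own.

```python
import re

# Constructed excerpt of the DSS "Registry Dump" section posted earlier in this thread.
DSS_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
01/31/2008 10:19 AM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"nwiz"="nwiz.exe" [03/24/2008 11:35 AM C:\WINDOWS\system32\nwiz.exe]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"\s*\[(.*)\]$')  # "name"="data" [file info]
GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}$", re.I)           # trailing {CLSID}

def parse_registry_dump(text):
    """Map each dumped key to the non-empty lines DSS printed beneath it."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def orphaned_bhos(sections):
    """BHO CLSIDs with no file line beneath them (HijackThis O2 '(no file)' entries)."""
    return [GUID_RE.search(key).group(0) for key, lines in sections.items()
            if "Browser Helper Objects" in key and GUID_RE.search(key) and not lines]

def unverified_run_entries(sections):
    """Run values whose trailing [] is empty: DSS could not resolve the command to a file."""
    found = []
    for key, lines in sections.items():
        if key.endswith(r"\CurrentVersion\Run"):
            for m in filter(None, map(VALUE_RE.match, lines)):
                if not m.group(3).strip():
                    found.append((m.group(1), m.group(2)))
    return found

if __name__ == "__main__":
    s = parse_registry_dump(DSS_DUMP)
    print("orphaned BHOs:", orphaned_bhos(s), "unverified Run:", unverified_run_entries(s))
```

An empty [] is not proof of malware (here it is a built-in regsvr32 command), only a prompt to verify the entry by hand, which is exactly what the analyst did with the orphaned O2/O3 lines.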
Old 06-06-2008, 08:01 AM   #11 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 40
OS: Windows XP SP3


Re: Found and removed WORM_AGENT.DFFZ and xyzdyn.exe infections; are there others?

Quote:
Originally Posted by Ried
More than one way to skin a cat.

I am a bit surprised Norton didn't pick it up--Avira has it in its database, as does TrendMicro.

For tidiness' sake, run a scan with HijackThis.exe and 'check' the following orphaned entries:

O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)


Click 'Fix Checked' and close HijackThis.
I just did so and checked that they went away. Thanks again for the help!
Old 06-06-2008, 07:32 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Found and removed WORM_AGENT.DFFZ and xyzdyn.exe infections; are there others?

You're welcome, take care.