Persistent Hacktool.rootkit Infection


8 replies to this topic

#1 maganar

Posted 07 November 2007 - 12:16 PM

Two weekends ago, we seem to have picked up a trojan/rootkit infection on one of our home computers. Within a few minutes after startup, we get a notice from Norton Anti-Virus about Hacktool.Rootkit. Although NAV tries to zap it when it crops up after startup, it doesn't seem to be able to remove it completely on its own, and it sometimes pops back up later on during a session, and always comes back after every startup.

I had seen something like this thing once before, and went about trying to manually remove its different components throughout the system:

I deleted all instances of autorun.inf
I removed avpo.exe, avpo0.dll and avpo1.dll in the windows\system32 folder
I removed the avpa registry entry under windows/run
I removed all instances of ntde1ect throughout the registry

This did the trick in my earlier encounter, but this time, after having done these things several times over, after doing a system scan with NAV and a system scan with SpyBot Search & Destroy, I still get the notice of Hacktool.Rootkit from NAV within a few minutes after boot up.

I have an HP Pavilion with a C: hard drive and a D: read-only hard drive that's reserved as a system restore resource. I understand that this trojan can re-infect from other drives, but the C: drive seems to be the only one on my system that it would have access to.

I tried installing Ad-Aware as you recommended, but a cmd prompt always pops up to interrupt and abort the installation right at the end (I bet this is an action of this or some other malware). So I haven't been able to run Ad-Aware yet. I started an online scan from the Panda site, but it appeared that they weren't going to actually disinfect the files unless I subscribed, so I aborted it before it finished (I have a log file of the partial scan, however).

So I'm still stuck. I'd greatly appreciate any help you could give me. I ran HijackThis and ComboFix, and have log files to post. Thank you for your time.

Here are my log files:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:06 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WMP54GX.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GXSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe

--
End of file - 12545 bytes

-----------------------------------------------------------------------------------
ComboFix log file

ComboFix 07-11-05.2 - HP_Administrator 2007-11-07 7:38:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.462 [GMT -8:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-06 21:40 73 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2007-11-06 21:19 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-06 20:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-06 20:09 31,120 --------- C:\WINDOWS\system32\avpo0.dll
2007-11-04 15:50 <DIR> d-------- C:\KAV
2007-11-04 13:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-04 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-04 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 21:41 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-11-02 11:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-02 09:58 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 09:16 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-29 18:35 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\MSNInstaller
2007-10-28 08:32 151,040 --a------ C:\WINDOWS\system\IR32.DLL
2007-10-28 08:32 77,664 --a------ C:\WINDOWS\system\IR21_R.DLL
2007-10-28 08:32 49,616 --a------ C:\WINDOWS\system\MSACM.DLL
2007-10-28 08:32 14,208 --a------ C:\WINDOWS\system\CTL3D.DLL
2007-10-28 08:32 12,800 --a------ C:\WINDOWS\system\ACMCMPRS.DLL
2007-10-28 08:32 7,168 --a------ C:\WINDOWS\system\DISPDIB.DLL
2007-10-28 08:31 188,960 --a------ C:\WINDOWS\system\WINGDE.DLL
2007-10-28 08:31 92,208 --a------ C:\WINDOWS\system\WING.DLL
2007-10-28 08:31 12,800 --a------ C:\WINDOWS\system\WING32.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 15:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-07 06:59 --------- d-----w C:\Program Files\Lavasoft
2007-11-07 06:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-07 06:38 --------- d-----w C:\Program Files\Symantec
2007-11-07 06:36 --------- d-----w C:\Program Files\QuickTime
2007-11-07 06:28 --------- d-----w C:\Program Files\Linksys Wireless-G PCI Adapter with SRX
2007-11-07 06:27 --------- d-----w C:\Program Files\iTunes
2007-11-07 06:23 --------- d-----w C:\Program Files\HP DigitalMedia Archive
2007-11-07 06:21 --------- d-----w C:\Program Files\Google
2007-11-07 06:20 --------- d-----w C:\Program Files\DISC
2007-11-07 06:16 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-11-07 05:45 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2007-11-07 05:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-02 19:22 --------- d-----w C:\Program Files\Norton Internet Security
2007-10-31 05:08 127,488 ------w C:\WINDOWS\Help\2ACE4CFBAF2C.dll
2007-10-20 02:03 --------- d-----w C:\Program Files\Picasa2
2007-10-05 23:41 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Nexon
2007-09-29 21:45 62,568 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-09-26 22:50 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-26 22:50 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-26 22:50 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-26 22:50 10,676 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-21 23:24 --------- d--h--w C:\Documents and Settings\HP_Administrator\Application Data\ijjigame
2007-09-21 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\IJJIGame
2007-09-16 07:44 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
2007-09-14 00:41 --------- d-----w C:\Program Files\Common Files\xing shared
2007-09-14 00:41 --------- d-----w C:\Program Files\Common Files\Real
2007-08-28 00:13 537,992 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-28 00:13 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-22 12:55 96,256 ---h--w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ---h--w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ---h--w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ---h--w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ---h--w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ---h--w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ---h--w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ---h--w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ---h--w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ---h--w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ---h--w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ---h--w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ---h--w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ---h--w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ---h--w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ---h--w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ---h--w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ---h--w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ---h--w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ---h--w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ---h--w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-02-20 01:38 3,508,224 --sha-w C:\Program Files\ehthumbs.db
2006-02-19 17:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-05_22.54.26.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 16:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2007-03-29 17:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-06 00:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 22:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 19:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 21:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2006-02-17 02:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-26 02:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2004-05-04 23:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 21:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 18:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 21:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-17 02:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-06 00:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2006-06-30 22:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 22:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2006-08-01 21:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2006-08-23 21:06:08 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2006-08-17 19:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 19:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 16:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 22:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 18:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 18:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-21 00:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 17:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 18:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 22:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 22:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 21:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 16:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 16:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-04-19 01:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 22:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 1997-09-18 14:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-03-01 01:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2006-08-02 20:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
+ 2003-03-26 02:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 20:01]
"ftutil2"="ftutil2.dll" [2004-06-07 13:05 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 19:05 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 22:19 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 14:50]
"nwiz"="nwiz.exe" [2006-05-09 14:50 C:\WINDOWS\system32\nwiz.exe]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 08:05]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 21:14]
"PCDrProfiler"="" []
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 21:19]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 21:34]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 19:03]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-03-25 13:27]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 16:41]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 15:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 07:19]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"avpa"=C:\WINDOWS\system32\avpo.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-03-25 13:27:00]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-09-07 01:48:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{79FC744E-75CA-49B0-8F02-AEAE4CAACBE0}"= C:\WINDOWS\HELP\2ACE4CFBAF2C.dll [2007-10-30 21:08 127488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

R1 ISODrive;ISO CD-ROM Device Driver;\??\C:\Program Files\UltraISO\drivers\ISODrive.sys
R2 WMP54GXSVC;WMP54GXSVC;"C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe" "WMP54GX.exe"
R3 Airgo;Wireless-G PCI Adapter with SRX Driver;C:\WINDOWS\system32\DRIVERS\WniHdd51.sys
S3 iCheat1;iCheat1;\??\C:\Documents and Settings\HP_Administrator\Desktop\EmertPackv2\EmertPackv2\ICHEAT\nvid999.sys
S3 npkycryp;npkycryp;\??\C:\Program Files\Gravity\RO\npkycryp.sys
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;\??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms
S3 W8335XP;NETGEAR WG311v3 802.11g Wireless PCI Adapter for Windows XP (8335);C:\WINDOWS\system32\DRIVERS\WG311v3XP.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C\Shell\AutoRun\command - [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C\Shell\explore\Command - [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C\Shell\open\Command - [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\Shell\AutoRun\command - [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\Shell\explore\Command - [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\Shell\open\Command - [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb1d68aa-bf9b-11db-852e-0018f3d2153e}]
\Shell\AutoRun\command - J:\setupSNK.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 03:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job"
"2007-01-29 05:48:46 C:\WINDOWS\Tasks\Warranty Reminder 11 month.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 07:44:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 7:44:58
C:\ComboFix2.txt ... 2007-11-05 22:55
.
--- E O F ---


-------------------------------------------------------------------------------------------
Partial results from Panda ActiveScan


Incident Status Location

Virus:Trj/Lineage.GDH Disinfected Operating system
Virus:Trj/Lineage.GDH Disinfected Operating system
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[.com.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\00bab2n8.default\cookies.txt[ad.yieldmanager.com/]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-10b9b7ed-691a5cfe.zip[Dvnny.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-10b9b7ed-691a5cfe.zip[Dex.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-10b9b7ed-691a5cfe.zip[Dix.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-10b9b7ed-691a5cfe.zip[Dux.class]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@2o7[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.pointroll[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adserver.easyad[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adultfriendfinder[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@azjmp[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@bravenet[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@bs.serving-sys[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@cgi-bin[4].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@com[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@enhance[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@go[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@i.screensavers[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@searchportal.information[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@serving-sys[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@target[2].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@tickle[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@tribalfusion[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@web.tickle[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.burstbeacon[1].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.web-stat[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@xiti[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Spyware:Spyware/PeoplePC Not disinfected C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL


 


#2 AndyManchesta

AndyManchesta

  • Members
  • 58 posts
  • Gender:Male
  • Location:Manchester, UK

Posted 24 November 2007 - 04:24 AM

Hi maganar, Welcome to the forum,

We are sorry for the delay in responding. The volunteers here are swamped and unfortunately not all logs get answered as quickly as we'd like. If you still require help please post a new HijackThis log into this topic and I'd be happy to assist.

Thanks

Andy

#3 maganar

maganar
  • Topic Starter

  • Members
  • 5 posts

Posted 25 November 2007 - 02:01 AM

Hi Andy,
Thanks for the reply. But after having installed and run SpyBot, AdAware, Hijack This and a few other utilities, over several cycles of identifying the "avpo" entries and having it fixed, it seems to have finally disappeared. I tried everything, and unfortunately, I can't say for sure what it was that finally did the trick. I've done a few more Hijack This scans and have seen no remaining traces. I'm no longer getting the Hacktool.Rootkit warnings from Norton Anti-Virus, and the scans with SpyBot and AdAware are also coming up clean. So I think that's it, unless you recommend any further actions.

Thank you for getting back to me . . . I know you've been busy. Take care!

--maganar

#4 AndyManchesta

AndyManchesta

  • Members
  • 58 posts
  • Gender:Male
  • Location:Manchester, UK

Posted 01 December 2007 - 10:50 AM

Hi maganar, Thanks for your patience,

It's nice to hear the alerts have stopped, but with it detecting a rootkit file it's really best to run some extra scans to make sure there is no remaining malware or hidden files on the PC.

Download Blacklight HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the fsbl.exe file.


Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save and post back the Kaspersky report.

Please then post back the Blacklight log if it detects any hidden files on the system, the Kaspersky log and a new HijackThis log.

Thanks

Andy

Edited by AndyManchesta, 01 December 2007 - 10:51 AM.


#5 maganar

maganar
  • Topic Starter

  • Members
  • 5 posts

Posted 02 December 2007 - 01:08 AM

Hi Andy,
OK, I followed your instructions and scanned with Black Light and Kaspersky. The Black Light scan was clean; nothing was detected. Kaspersky picked up quite a few infected items (most of them seem to be located in the Norton Anti-Virus Quarantine folder, which I guess is a good thing), and I saved the log file which I'm uploading to you. I'll be interested to see what you find. Thanks for your help!

Best Regards,
maganar


#6 maganar

maganar
  • Topic Starter

  • Members
  • 5 posts

Posted 02 December 2007 - 01:12 AM

HERE'S THE HIJACKTHIS LOG . . . almost forgot!


#7 AndyManchesta

AndyManchesta

  • Members
  • 58 posts
  • Gender:Male
  • Location:Manchester, UK

Posted 03 December 2007 - 08:58 AM

Thanks Maganar

The HijackThis log looks good, just one leftover entry to fix. The Kaspersky log shows there have been a lot of trojans on the system though, and some of them will steal information, so you will have to change passwords for any confidential sites you use, and if you might have paid for any goods online or done any banking while it was active you should contact the banks and notify them so they can issue new cards if applicable and monitor the account.

Run HijackThis and choose Do A System Scan then place a check next to this entry

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Close all open browser windows and any other windows except for HijackThis and press the Fix Checked button.

If it still shows next time you scan, then please disable Spybot's TeaTimer protection and have HijackThis fix it again.

Remove the items in Norton's Quarantine as described Here

Next, update Java, as some older versions can be vulnerable to infections. Go to the Add/Remove screen (Start > Control Panel > Add or Remove Programs) and remove any versions of Java Runtime Environment (J2SE), such as the version 1.5.0_06 that's showing in the log. Once they are removed, download the latest version from Sun's website here

http://www.java.com/en/download/index.jsp

Download Ccleaner from Here. Run the setup file and press Next, click I Agree on the Licence Agreement then Next again, click Install and then finally click Finish. Run Ccleaner and press the Run Cleaner button to remove temp files from the system, then exit Ccleaner.

Finally download the Flash_Disinfector.exe from here

http://www.techsupportforum.com/sectools/s...Disinfector.exe

Run the file and follow the on-screen prompts; it will only take a minute or two to complete.

Can you then run Combofix again and post back the log?

Cheers

#8 maganar

maganar
  • Topic Starter

  • Members
  • 5 posts

Posted 05 December 2007 - 01:10 AM

Hi Again, Andy,
I was tied up for a couple of days, but managed to follow your latest set of instructions this evening. I did all that you recommended and am posting the ComboFix log here. I did catch a glimpse of the old "ntde1ect" file somewhere in there, which I'm afraid might mean that I've still got something. One thing to consider (and I'll have to ask them to find out) is that the other members of my family who mostly use this computer may have flash drives that could potentially reinfect it. In any case, I'll leave you to your verdict. Thanks a million for the help.


#9 AndyManchesta

AndyManchesta

  • Members
  • 58 posts
  • Gender:Male
  • Location:Manchester, UK

Posted 05 December 2007 - 05:15 PM

Thanks Maganar

Open notepad (Start Menu > Run > type notepad and press ok) then copy and paste the contents of the code box into Notepad making REGEDIT4 the top line.
REGEDIT4

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{79FC744E-75CA-49B0-8F02-AEAE4CAACBE0}"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8407452f-c05b-11db-852f-0018f3d2153e}]

Go to File on the top bar of Notepad and choose Save As. In the Save As Type area change it to All Files, then name it fix.reg and save it to your desktop. Double-click fix.reg (or right-click and choose Merge) and allow it to be merged into the registry, which will remove the entries.

Can you then set Windows to show hidden files and folders.

Click Start. Go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have checked for the file by opening the same page and pressing the Restore Defaults button then click Apply and OK.

Please then check if this file exists,

C:\WINDOWS\HELP\2ACE4CFBAF2C.dll

It's likely that it isn't still there, but please delete it if you do find it.

Regarding reinfection, the flash disinfector you used earlier should prompt for removable drives to be inserted when it runs; please follow those prompts, as it will then create a hidden folder named autorun.inf on each partition and on any USB drive you plug in. These dummy autorun.inf folders will help protect your PC from reinfection: if the infected flash drive is then inserted, autorun looks for autorun.inf, which would normally run the worm, but that is prevented by the dummy autorun.inf created by Flash Disinfector, as long as the flash drive is inserted when running the tool.

Also consider disabling the Autorun feature on USB drives as another method of prevention.

The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.
After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
Uncheck the drives you want to disable AutoPlay on and click on Apply.
Next, click on the Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
Uncheck the box to disable Autoplay for a particular type of drive.
Click Apply.

See Disable Autorun/AutoPlay for instructions with screenshots.
When Autorun is disabled, double-clicking a drive which has a malicious autorun.inf in its root directory may still activate Autorun so be careful. Always scan Flash Drives after they have been used in other systems to help reduce the chances of problems. An easy way to do this is to download ClamWin Portable as it can be installed on the USB Flash Drive then all you need to do is update its definition files and perform a scan.


Apart from that the logs are looking good, but let us know how it's running and if there are any remaining problems on the PC.

Thanks

Andy
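The two preventive measures Andy describes above (the dummy autorun.inf folder that Flash Disinfector creates, and switching Autorun off), plus a check of the MountPoints2 cache that the fix.reg above deletes one entry from, written as a PowerShell script. This is an added example, not code from the thread, from Flash Disinfector or from Tweak UI; it assumes an elevated prompt and that the removable drive to protect is the letter passed in (E: by default, a constructed choice).

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
param([string]$DriveLetter = 'E')   # assumed removable drive to protect

function New-DummyAutorunInf {
    param([Parameter(Mandatory)][string]$Root)   # e.g. 'E:\'
    $path = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # A FILE named autorun.inf on a removable drive is what an autorun
        # worm drops: report it for inspection rather than silently replacing it.
        Write-Warning "$path is a file - inspect the drive before continuing"
        return $false
    }
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    # Hidden + System + ReadOnly. A worm that simply creates a file called
    # autorun.inf now fails, because a directory already occupies that name.
    (Get-Item -LiteralPath $path -Force).Attributes = 'Hidden, System, ReadOnly'
    return $true
}

function Disable-AutorunAllDrives {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
    # suppressed; 0xFF covers every type (removable, fixed, network, CD-ROM).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    return (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun).NoDriveTypeAutoRun
}

function Get-CachedAutorunCommands {
    # Explorer caches each drive's autorun.inf under MountPoints2\{GUID};
    # list any cached AutoRun command so leftovers can be reviewed.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $cmd = Join-Path $_.PSPath 'Shell\AutoRun\command'
        if (Test-Path $cmd) {
            [pscustomobject]@{
                Key     = $_.PSChildName
                Command = (Get-ItemProperty -Path $cmd).'(default)'
            }
        }
    }
}

New-DummyAutorunInf -Root "${DriveLetter}:\"
Disable-AutorunAllDrives
Get-CachedAutorunCommands | Format-Table -AutoSize
```

As Andy notes, double-clicking a drive in Explorer can still execute a cached AutoRun command even when Autorun is disabled, so the MountPoints2 listing is worth reviewing after cleaning a drive.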



