Infected With Trojan-downloader.win32.delf.gas


5 replies to this topic

#1 arthasmenethil

Posted 09 April 2008 - 09:34 AM

Hey

I consider myself a very experienced user, and hence can usually get rid of most stuff on my own, but this time I seem to have come across a particularly elusive virus/trojan on my system. Yes, I got it from P2P file sharing, and I understand the risks involved.

Anyway, I noticed this first start when I opened a keygen -- Kaspersky noticed the virus and tried to stop it -- and then a mysterious process tried to start sending data, and I used Kaspersky to disallow that and to terminate the process. However, it's unable to keep the process terminated permanently; the process just restarts itself and tries to get through again. So what I get is a fight between my anti-virus and this trojan for a period of a few minutes, and then the trojan goes inactive for an unknown interval before it tries to fight Kaspersky again. The reason Kaspersky and the virus "fight" is that I told it to perform the same action (terminate and deny internet access) every time it detected the trojan.

Also of note: I've seen Mozilla Firefox open a window on its own a few times (not often), but that's all that happens.

I am going to post my kaspersky log as well as the logs in the "pre-post" instructions because I think the kaspersky notes will be helpful.

KASPERSKY LOGS

deleted: Trojan program Trojan-Downloader.Win32.Zlob.knt File: C:\Users\Brian\AppData\Local\Mozilla\Firefox\Profiles\93x9ahv1.default\Cache\EC46F395d01
deleted: Trojan program Trojan-Downloader.Win32.Delf.gas File: C:\Program Files\Internet Explorer\svchost.exe
detected: riskware Hidden data sending Running process: C:\Windows\system32\Indt2.sys

4/9/2008 1:05:26 AM Running process C:\Windows\system32\Indt2.sys: detected modification of riskware 'Hidden data sending'.
4/9/2008 1:05:26 AM Process C:\Windows\system32\Indt2.sys (PID 5936) successfully completed.
4/9/2008 1:05:26 AM C:\Windows\system32\Indt2.sys quarantined.
4/9/2008 1:05:32 AM Running process C:\Windows\system32\Indt2.sys: detected modification of riskware 'Hidden data sending'.
4/9/2008 1:05:32 AM Process C:\Windows\system32\Indt2.sys (PID 4200) successfully completed.
4/9/2008 1:05:32 AM C:\Windows\system32\Indt2.sys quarantined.
4/9/2008 1:05:35 AM Running process C:\Windows\system32\Indt2.sys: detected modification of riskware 'Hidden data sending'.
4/9/2008 1:05:35 AM Process C:\Windows\system32\Indt2.sys (PID 4476) successfully completed.
4/9/2008 1:05:35 AM C:\Windows\system32\Indt2.sys quarantined.
4/9/2008 1:05:38 AM Running process C:\Windows\system32\Indt2.sys: detected modification of riskware 'Hidden data sending'.
4/9/2008 1:05:38 AM Process C:\Windows\system32\Indt2.sys (PID 3168) successfully completed.
4/9/2008 1:05:38 AM C:\Windows\system32\Indt2.sys quarantined.
4/9/2008 1:05:41 AM Running process C:\Windows\system32\Indt2.sys: detected modification of riskware 'Hidden data sending'.
4/9/2008 1:05:41 AM Process C:\Windows\system32\Indt2.sys (PID 3792) successfully completed.
4/9/2008 1:05:41 AM C:\Windows\system32\Indt2.sys quarantined.
4/9/2008 1:05:44 AM Running process C:\Windows\system32\Indt2.sys: detected modification of riskware 'Hidden data sending'.
4/9/2008 1:05:44 AM Process C:\Windows\system32\Indt2.sys (PID 5352) successfully completed.
4/9/2008 1:05:44 AM C:\Windows\system32\Indt2.sys quarantined.

etc. (omitted most of this part of the log since it just repeats for a few minutes at a 3-second interval)

DSS - Main.txt log

Deckard's System Scanner v20071014.68
Run by Brian on 2008-04-09 01:44:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
16: 2008-04-09 05:05:54 UTC - RP423 - Language Pack Removal
15: 2008-04-09 01:52:47 UTC - RP422 - Windows Update
14: 2008-04-09 01:42:08 UTC - RP421 - Language Pack Removal
13: 2008-04-08 23:02:32 UTC - RP419 - Language Pack Removal
12: 2008-04-08 21:58:29 UTC - RP418 - Configured PartitionMagic


-- First Restore Point --
1: 2008-04-02 04:38:50 UTC - RP403 - Scheduled Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-09 01:52:23
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Users\Brian\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: hpzsetup.LNK = D:\HPZstub.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/5/b...heckControl.cab
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - https://www.lojackforlaptops.com/ctmweb/testoc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\System32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\System32\perfs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\System32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\System32\routing.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\Windows\System32\rpcnet.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe


--
End of file - 8938 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>

S3 WDC_SAM (WD SCSI Pass Thru driver) - c:\windows\system32\drivers\wdcsam.sys <Not Verified; Western Digital Technologies; WD External Storage>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 perfmons (perfmons Service) - c:\windows\system32\perfs.exe
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
R2 Routing (Routing Service) - c:\windows\system32\routing.exe

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0004
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0004
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4363&SUBSYS_2054161F&REV_12\4&285A031C&0&00E0
Manufacturer: Marvell
Name: Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4363&SUBSYS_2054161F&REV_12\4&285A031C&0&00E0
Service: yukonwlh


-- Scheduled Tasks -------------------------------------------------------------

2008-04-08 01:22:27 418 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{2E2D60B3-78D3-4D61-91AE-D8BD3B537EC7}.job


-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-08 18:00:42 40 --a------ C:\Windows\system32\drmgs.sys
2008-04-08 18:00:40 262144 --a------ C:\Windows\system32\andt.sys
2008-04-07 20:43:28 0 d-------- C:\Program Files\PowerQuest
2008-04-07 20:40:26 0 d-------- C:\tempPM
2008-04-07 17:34:51 0 d-------- C:\Users\All Users\Memeo
2008-04-06 15:45:34 0 d-------- C:\tempusbdrive
2008-04-05 22:52:02 0 d-------- C:\Program Files\iPod
2008-04-05 22:52:00 0 d-------- C:\Program Files\iTunes
2008-04-01 17:32:48 0 d-------- C:\ajs music
2008-04-01 17:17:35 0 d-------- C:\Temp
2008-03-29 21:40:08 0 d-------- C:\Program Files\ISO Recorder
2008-03-29 20:56:53 0 d-------- C:\external hd wd stuff
2008-03-29 19:22:46 0 d-------- C:\network driver
2008-03-22 22:23:26 0 d-------- C:\Program Files\Java
2008-03-22 22:22:58 0 d-------- C:\Program Files\Common Files\Java


-- Find3M Report ---------------------------------------------------------------

2008-04-09 01:04:59 87355 --a------ C:\Users\Brian\AppData\Roaming\nvModes.001
2008-04-09 00:58:20 17408 --a------ C:\Windows\system32\rpcnetp.exe
2008-04-09 00:58:18 17408 --a------ C:\Windows\system32\rpcnetp.dll
2008-04-09 00:58:18 41584 --a------ C:\Windows\system32\rpcnet.dll <Not Verified; Absolute Software Corp.; Installation/Management Application>
2008-04-08 23:00:35 12 --a------ C:\Windows\bthservsdp.dat
2008-04-08 00:42:23 0 d-------- C:\Users\Brian\AppData\Roaming\uTorrent
2008-04-08 00:11:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-08 00:11:01 0 d-------- C:\Program Files\Common Files
2008-04-07 19:40:25 541452 --a------ C:\Windows\system32\prfh0816.dat
2008-04-07 19:40:25 91946 --a------ C:\Windows\system32\prfc0816.dat
2008-04-07 19:40:25 475122 --a------ C:\Windows\system32\perfh01F.dat
2008-04-07 19:40:25 547682 --a------ C:\Windows\system32\perfh015.dat
2008-04-07 19:40:25 488772 --a------ C:\Windows\system32\perfh00E.dat
2008-04-07 19:40:25 387646 --a------ C:\Windows\system32\perfh00D.dat
2008-04-07 19:40:25 593334 --a------ C:\Windows\system32\perfh008.dat
2008-04-07 19:40:25 86818 --a------ C:\Windows\system32\perfc01F.dat
2008-04-07 19:40:25 92400 --a------ C:\Windows\system32\perfc015.dat
2008-04-07 19:40:25 102330 --a------ C:\Windows\system32\perfc00E.dat
2008-04-07 19:40:25 75902 --a------ C:\Windows\system32\perfc00D.dat
2008-04-07 19:40:24 484836 --a------ C:\Windows\system32\perfh005.dat
2008-04-07 19:40:24 471758 --a------ C:\Windows\system32\perfh001.dat
2008-04-07 19:40:24 97698 --a------ C:\Windows\system32\perfc008.dat
2008-04-07 19:40:24 86846 --a------ C:\Windows\system32\perfc005.dat
2008-04-07 19:40:24 85722 --a------ C:\Windows\system32\perfc001.dat
2008-04-07 17:30:43 364544 --a------ C:\Windows\system32\WDBtnMgr.exe <Not Verified; Western Digital Technologies, Inc.; WD Button Manager>
2008-04-06 23:35:54 0 d-------- C:\Users\Brian\AppData\Roaming\.purple
2008-04-05 23:03:13 0 d-------- C:\Program Files\Foxit Software
2008-04-05 22:50:15 0 d-------- C:\Program Files\QuickTime
2008-04-05 22:46:22 0 d-------- C:\Program Files\World of Warcraft
2008-04-05 20:23:09 87355 --a------ C:\Users\Brian\AppData\Roaming\nvModes.dat
2008-04-01 17:16:12 0 d-------- C:\Program Files\Xilisoft
2008-04-01 17:11:41 0 d-------- C:\Users\Brian\AppData\Roaming\tunebite
2008-03-30 23:07:00 0 d-------- C:\Users\Brian\AppData\Roaming\SURA
2008-03-30 17:31:23 0 d-------- C:\Program Files\Western Digital Technologies
2008-03-28 20:03:20 0 d-------- C:\Users\Brian\AppData\Roaming\U3
2008-03-28 18:44:42 0 d-------- C:\Users\Brian\AppData\Roaming\Image Zone Express
2008-03-22 14:08:29 0 d-------- C:\Users\Brian\AppData\Roaming\Vso
2008-03-14 17:43:18 0 d-------- C:\Program Files\Windows Mail
2008-02-26 23:17:11 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-02-14 23:08:01 0 d-------- C:\Users\Brian\AppData\Roaming\Ruckus Network
2008-02-13 20:15:10 0 d-------- C:\Program Files\PDFCreator
2008-02-13 18:35:16 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-09 14:52:28 0 d-------- C:\Program Files\Cheat Engine
2008-01-24 10:36:20 1310 --a------ C:\Windows\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [09/08/2007 11:23 PM]
"RtHDVCpl"="RtHDVCpl.exe" [02/06/2007 05:50 PM C:\Windows\RtHDVCpl.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/17/2006 01:58 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/23/2006 03:10 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [12/05/2006 10:55 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [06/28/2007 12:51 PM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [04/11/2007 03:32 PM C:\Windows\KHALMNPR.Exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/10/2006 09:52 PM]
"WD Button Manager"="WDBtnMgr.exe" [04/07/2008 05:30 PM C:\Windows\System32\WDBtnMgr.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [08/23/2007 09:15 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/23/2007 09:15 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/23/2007 09:15 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"MSConfig"="C:\Windows\system32\msconfig.exe" [11/02/2006 05:45 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [06/22/2007 08:45 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 08:34 AM]
"CurseClient"="C:\Program Files\Curse\CurseClient.exe" [01/30/2008 04:33 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 08:33 AM]

C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 8:24:54 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [1/19/2007 7:51:16 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PDFCreator.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PDFCreator.lnk
backup=C:\Windows\pss\PDFCreator.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
GPSvcGroup GPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19c9c1d0-6231-11dc-a7fd-001641de4fff}]
AutoRun\command- E:\Setup.exe -auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c714ebe-fd0d-11dc-9aac-001641de4fff}]
AutoRun\command- H:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c0ef83-0411-11dd-9a9f-001641de4fff}]
AutoRun\command- G:\LaunchU3.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

7902 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-09 01:55:01 ------------



Also attached is an EXTRA.TXT that came from the DSS -- it says to attach it to my post, so I will.



Thank you for your help, all.
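The logs in the post above carry several indicators that are easier to pull out mechanically than by eye: a file with a driver extension (Indt2.sys) in System32 being restarted as a process with a fresh PID every three seconds, a svchost.exe under C:\Program Files\Internet Explorer, two services with "Unknown owner" whose binaries sit in System32 (perfs.exe, routing.exe), and a 40-byte .sys file created the day before. The script below is an added example, not part of the original post and not the code of any tool named in the thread; it runs a handful of such rules over lines copied from the logs above. The rule names, the 64-byte minimum PE size and the shortlist of core system binaries are assumptions made for the example.

```python
"""Triage rules for a HijackThis/DSS-style log (added example; see the lead-in)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: str


# Assumption: a PE image needs at least the 64-byte IMAGE_DOS_HEADER, so a file
# smaller than that cannot be a loadable driver or executable whatever its name.
MIN_PE_BYTES = 64

# Assumption: a short list of binaries Windows only runs from System32/SysWOW64.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM32 = r"c:\windows\system32"

# A Windows path ending in a PE extension; path components may contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\:\n]+\\)*[^\\:\n]+?\.(?:exe|dll|sys)\b", re.IGNORECASE)
# DSS "Files created" line: date, time, size in bytes, attributes, path.
DSS_SIZE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\d+) ")

# Lines copied verbatim from the logs posted above.
SAMPLE_LOG = r"""
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\rundll32.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\System32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\System32\routing.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\Windows\System32\rpcnet.exe
4/9/2008 1:05:26 AM Running process C:\Windows\system32\Indt2.sys: detected modification of riskware 'Hidden data sending'.
deleted: Trojan program Trojan-Downloader.Win32.Delf.gas File: C:\Program Files\Internet Explorer\svchost.exe
2008-04-08 18:00:42 40 --a------ C:\Windows\system32\drmgs.sys
2008-04-08 18:00:40 262144 --a------ C:\Windows\system32\andt.sys
"""


def triage(log_text):
    """Apply each rule to every PE path found on every line; return all findings."""
    findings = []
    for line in log_text.splitlines():
        low = line.lower()
        size_match = DSS_SIZE_RE.match(line)
        for m in PATH_RE.finditer(line):
            path = m.group(0)
            directory, _, name = path.lower().rpartition("\\")
            ext = name.rsplit(".", 1)[-1]
            # 1. A core system binary living anywhere but the system directories.
            if name in CORE_BINARIES and directory not in SYSTEM_DIRS:
                findings.append(Finding("core-binary-outside-system32", path, line))
            # 2. A .sys file reported as a running process: real drivers are loaded
            #    by the kernel and never get a PID of their own.
            if ext == "sys" and "running process" in low:
                findings.append(Finding("driver-extension-running-as-process", path, line))
            # 3. A service with no identifiable vendor whose binary sits in System32.
            if low.startswith("o23") and "- unknown owner -" in low and directory == SYSTEM32:
                findings.append(Finding("unknown-owner-service-in-system32", path, line))
            # 4. Drivers normally live in System32\drivers, not directly in System32.
            if ext == "sys" and directory == SYSTEM32:
                findings.append(Finding("sys-file-outside-drivers-dir", path, line))
            # 5. A file too small to hold even a DOS header cannot be a PE image.
            if size_match and int(size_match.group(1)) < MIN_PE_BYTES:
                findings.append(Finding("too-small-to-be-a-pe", path, line))
    return findings


def by_file(findings):
    """Map lower-cased file name -> set of rule names that fired for it."""
    out = {}
    for f in findings:
        out.setdefault(f.path.rsplit("\\", 1)[-1].lower(), set()).add(f.rule)
    return out


if __name__ == "__main__":
    for name, rules in sorted(by_file(triage(SAMPLE_LOG)).items()):
        print(f"{name:12} {', '.join(sorted(rules))}")
```

Run as-is it lists each flagged file with the rules that fired; firefox.exe, rundll32.exe, avp.exe and rpcnet.exe (which has a named vendor) produce nothing. The rules are deliberately narrow: a hit means "look at this", not "this is malicious", and a miss means nothing, since plenty of malware runs from paths these rules do not cover.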

#2 rookie147

Posted 09 April 2008 - 01:13 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 arthasmenethil

Posted 09 April 2008 - 05:02 PM

Hey Charles, thanks for helping me with my issue.
However, after running ComboFix I can no longer boot into Vista.
This started happening right after ComboFix completed, and I noticed that it found several problems and deleted files.
Trying to boot with Last Known Good Configuration doesn't work either;
it basically just stalls after the BIOS for a minute and then reboots, with the Windows error options presented after the BIOS.

#4 rookie147

Posted 10 April 2008 - 03:26 PM

If you hit F8 when booting up, do you get the option of Safe Mode?



#5 arthasmenethil

Posted 11 April 2008 - 09:16 PM

Sorry for the delayed response.

As I mentioned, I'm a power user, and despite numerous attempts to manually restore my registry with Windows recovery mode's System Restore (all restore attempts failed with "access denied" as the reason), I ended up just dumping the entire partition and reformatting/reinstalling.

I popped in an Ubuntu LiveCD, mounted my hard drive and USB external storage drive, and transferred the files I needed off, so I didn't really lose much.

I appreciate your attempt to help me with this virus; it was probably for the better that I had to format, as I was already noticing sluggish/bleepty performance (fragmented pagefile, eh?).
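The post above describes the last step of the recovery: boot a live Linux, mount the Windows volume and an external USB drive, and copy the needed files across. Two things a practitioner would add to that step: mount the infected volume read-only so nothing is written to it, and do not carry executables, shortcuts or autorun.inf across with the data, since the DSS log earlier in the thread shows AutoRun\command entries being kept for removable drives and the svchost.exe that Kaspersky deleted was sitting under Program Files. The script below is an added example, not the poster's procedure and not any tool's code; it copies a tree while skipping code-carrying extensions and writes a SHA-256 manifest that can be re-checked after the copy. The extension list, the manifest file name and the sample files are assumptions constructed for the example; mounting itself is left to the live CD (mount -o ro).

```python
"""Salvage data files off a mounted infected volume with a verifiable manifest (added example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Assumption (not from the thread): extensions Windows will execute directly or that
# launch something when opened. Leaving these behind keeps the salvage from carrying the
# infection onto the rebuilt machine; .inf covers autorun.inf, which the DSS log above
# shows being honoured for removable drives (AutoRun\command entries).
CODE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".lnk", ".inf"}


def sha256_of(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def salvage(src, dst):
    """Copy everything under src except code-carrying files into dst, keeping relative
    paths, and write dst/MANIFEST.sha256. Returns (copied, skipped) as sorted relative
    POSIX paths. src is expected to be a read-only mount (mount -o ro on the live CD),
    so nothing here can write to the infected disk."""
    src, dst = Path(src), Path(dst)
    dst.mkdir(parents=True, exist_ok=True)
    copied, skipped, manifest = [], [], []
    for root, _, files in os.walk(src):
        for fn in files:
            p = Path(root) / fn
            rel = p.relative_to(src).as_posix()
            if p.suffix.lower() in CODE_EXTENSIONS:
                skipped.append(rel)
                continue
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)  # keeps timestamps; NTFS ACLs and ADS are not carried
            manifest.append(f"{sha256_of(target)}  {rel}")
            copied.append(rel)
    (dst / "MANIFEST.sha256").write_text("\n".join(sorted(manifest)) + "\n")
    return sorted(copied), sorted(skipped)


def verify(dst):
    """Re-hash every manifest entry; return the relative paths that are missing or changed."""
    dst = Path(dst)
    bad = []
    for line in (dst / "MANIFEST.sha256").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        f = dst / rel
        if not f.is_file() or sha256_of(f) != digest:
            bad.append(rel)
    return bad


def demo():
    """Exercise salvage/verify on a constructed sample tree in a temp dir (no real disk).
    Returns (copied, skipped, problems_before_tampering, problems_after_tampering)."""
    samples = {  # constructed; the autorun.inf mirrors the E:\Setup.exe -auto entry in the DSS log
        "Users/Brian/Documents/thesis.docx": b"word document bytes",
        "Users/Brian/Pictures/cat.jpg": b"\xff\xd8\xff jpeg bytes",
        "Users/Brian/Downloads/keygen.exe": b"MZ this is not a real executable",
        "Users/Brian/Desktop/game.lnk": b"shortcut bytes",
        "autorun.inf": b"[autorun]\r\nopen=Setup.exe -auto\r\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "win", Path(tmp) / "salvage"
        for rel, data in samples.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        copied, skipped = salvage(src, dst)
        before = verify(dst)
        (dst / "Users/Brian/Pictures/cat.jpg").write_bytes(b"tampered")
        after = verify(dst)
    return copied, skipped, before, after


if __name__ == "__main__":
    copied, skipped, before, after = demo()
    print("copied :", copied)
    print("skipped:", skipped)
    print("verify before/after tampering:", before, after)
```

On the live CD the call would be salvage("/mnt/win/Users/Brian", "/mnt/usb/salvage") after mounting the NTFS volume with -o ro; the manifest travels with the data, so the copy on the USB drive can be re-verified on the rebuilt machine before anything is opened.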

#6 rookie147

Posted 13 April 2008 - 03:02 PM

I'm sorry you had to resort to that drastic measure, but perhaps it was the best thing to do. :thumbsup:





