
KARNA.DAT?


  • This topic is locked
22 replies to this topic

#1 alleymad

alleymad

  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 26 October 2008 - 10:03 PM

So, I have my brother's computer at my house. I have run Spybot and A-Squared from a USB stick as I cannot run any anti-virus or similar programs from the computer itself - they are blocked immediately, if I am even able to get them to install. For example, installing AVG Free took 14 re-boots by itself. Neither IE nor Firefox are able to connect to the internet properly. For example, any search for terms like "SPYBOT", "ADAWARE", "AVG", are re-directed. Even attempting to open this web page on that computer is not possible. I always get re-directed. The integrated update features of the various programs (spybot, adaware, windows update, spywareblaster, etc.) are all blocked from accessing the internet. I have booted into safe mode where I ran spybot as well as A-squared (multiple times). I installed an ancient copy of sygate firewall onto the computer simply to stop the incessant internet traffic that was going on. I am at the point where the programs I have been able to install and run are no longer finding anything, even with the most recent updates. I manually downloaded the Spybot update and installed it. The A-Squared updater seems to work fine, but it finds nothing. The only thing I see that is immediately odd is the KARNA.DAT entry at O20. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:09 PM, on 10/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\AOL\1170571136\ee\AOLSoftware.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\DOCUMENTS AND SETTINGS\JOSHUA STEPHENS\DESKTOP\ASQUARED\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\Joshua Stephens\Desktop\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1170571136\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: ExpressPLNRnote.lnk = C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\DOCUMENTS AND SETTINGS\JOSHUA STEPHENS\DESKTOP\ASQUARED\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9286 bytes
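A small triage script for this kind of HijackThis log, added here as an example (it is not part of the thread and not HijackThis code). It parses the O4/O20/O23 line formats shown above and flags the entries a responder looks at first: anything under O20 AppInit_DLLs (Windows loads every file listed there into each process that loads user32.dll, so a file like karna.dat that is not even a .dll is a strong indicator), services whose binary is reported missing, and autoruns that name a bare executable instead of a full path. The sample lines are constructed in the shape of the log above; the `Finding` class and function names are this example's own.

```python
"""HijackThis log triage.

Added example (not part of the thread and not HijackThis code): parse the
'Oxx - ...' line format and flag the persistence entries that deserve a
second look.  SAMPLE_LOG is constructed from the shape of the entries in
the post above.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample in the HijackThis line format.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Full path: drive letter or an %ENV% variable, optionally inside quotes.
FULL_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z]+%)')


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why a responder should look at this line
    line: str      # the original log line


def parse(log: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, raw_line) for each 'Oxx - body' line."""
    for raw in log.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m.group(1), m.group(2), raw


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for section, body, raw in parse(log):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every entry here is injected into each process that loads user32.dll.
            value = body[len("AppInit_DLLs:"):].strip()
            for entry in re.split(r"[ ,]+", value):
                if not entry:
                    continue
                reason = "AppInit_DLLs entry is loaded into every user-mode process"
                if not entry.lower().endswith(".dll"):
                    reason += "; a non-.dll name here is atypical for legitimate software"
                findings.append(Finding(section, reason, raw))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(section, "service is registered but its binary is missing", raw))
        elif section == "O4":
            m = O4_RE.match(body)
            if m and not FULL_PATH_RE.match(m.group("cmd")):
                # A bare name is resolved through the search path, so the file
                # actually launched is worth verifying (often benign, as here).
                findings.append(Finding(section, "autorun names a bare executable, not a full path", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it reports three lines: the bare `stsystra.exe` autorun (low priority, but the kind of thing to confirm), the `karna.dat` AppInit_DLLs entry, and the Ares service whose file is missing. The O20 check is the one that matters on this machine: a DLL injected into every process is exactly how a browser redirector and an anti-malware blocker can sit underneath every tool the user tries to run.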



#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:10 PM

Posted 01 November 2008 - 08:28 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run OTScanIt
Download OTScanIt2 by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box.
  • Under the Additional Scans bar, click "Extras". Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.


Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 alleymad

alleymad
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 01 November 2008 - 09:54 AM

OK. I have not touched the computer since the night I created the HJT logfile. That being said, the computer has done several interesting things while it has been sitting there. It shut off and restarted twice. Mind you, it did this by itself. On the last restart, I got the blue screen of death: SESSION3_INITIALIZATION_FAILED followed by this: STOP 0x0000006f (0xc0000020, 0x00000000, 0x00000000, 0x00000000).

That being said, I cannot start windows normally on the computer. I am able to start in safe mode however. Please advise on what you want me to do.

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:10 PM

Posted 01 November 2008 - 10:00 AM

Hello.

Please try to start it in Safe Mode and run OTScanIt.

Transfer the file over with a portable drive, or use Safe Mode with Networking.

With Regards,
The Panda

Edited by PropagandaPanda, 01 November 2008 - 10:01 AM.


#5 alleymad

alleymad
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 01 November 2008 - 10:13 AM

OTScanIT Log is attached. I changed the settings that you indicated in your original response.

Attached Files



#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:10 PM

Posted 01 November 2008 - 10:37 AM

Hello alleymad.

You've got a nasty infection there.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise changing any passwords for any accounts that you have accessed with the infected computer, using a clean computer, ASAP. If you have used this computer for banking, I would strongly suggest that you report the possibly stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding the prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for this Posted Image sign.
  • Right click it-> select Quit Control Center.
  • A warning will pop up, click Yes
Run Fix with OTScanIt
We will run OTScanIt again, but the directions are slightly different. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Registry - Safe List]
    < Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
    < Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1313246623-4226745934-2617176999-1006\] > -> HKEY_USERS\S-1-5-21-1313246623-4226745934-2617176999-1006\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> "brastk" -> %SystemRoot%\system32\brastk.exe [brastk.exeles%]
    < RunOnceEx [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    YN -> "" -> []
    < Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> "brastk" -> %SystemRoot%\system32\brastk.exe [C:\WINDOWS\system32\brastk.exe]
    < Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> "brastk" -> %SystemRoot%\system32\brastk.exe [C:\WINDOWS\system32\brastk.exe]
    < CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    YN -> \\"InstallVisualStyle" -> %SystemRoot%\Resources\Themes\Royale\Royale.mss [C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles]
    YN -> \\"InstallTheme" -> %SystemRoot%\Resources\Themes\Royale.the [C:\WINDOWS\Resources\Themes\Royale.theme]
    < Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
    YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
    YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
    YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1313246623-4226745934-2617176999-1006\] > -> HKEY_USERS\S-1-5-21-1313246623-4226745934-2617176999-1006\Software\Microsoft\Internet Explorer\Extensions\
    YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
    YN -> karna.datS\system3 -> 
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    < Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    YN -> "C:\Program Files\Pando Networks\Pando\pando.exe" -> C:\Program Files\Pando Networks\Pando\pando.exe [C:\Program Files\Pando Networks\Pando\pando.exe:*:Enabled:Pando Application]
    YN -> "C:\Program Files\Yahoo!\Messenger\YPager.exe" -> C:\Program Files\Yahoo!\Messenger\YPager.exe [C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger]
    [Files/Folders - Created Within 30 Days]
    NY -> 6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY -> karna.dat -> %SystemRoot%\karna.dat
    NY -> delself.bat -> %SystemRoot%\System32\delself.bat
    NY -> zts2.exe -> %SystemRoot%\zts2.exe
    NY -> vcmgcd32.dll -> %SystemRoot%\System32\vcmgcd32.dll
    NY -> systems.txt -> %SystemRoot%\System32\systems.txt
    NY -> rundll16.exe -> %SystemRoot%\rundll16.exe
    NY -> rundl132.dll -> %SystemRoot%\rundl132.dll
    NY -> logo1_.exe -> %SystemRoot%\logo1_.exe
    NY -> iifgfgf.dll -> %SystemRoot%\System32\iifgfgf.dll
    NY -> Lic.xxx -> %SystemRoot%\Lic.xxxb
    NY -> saje.dl -> %SystemRoot%\saje.dl
    NY -> iexplore.iss -> %AppData%\iexplore.iss
    NY -> difufeb.db -> %SystemRoot%\System32\difufeb.db
    NY -> pylaperuj.pif -> %UserProfile%\Local Settings\Application Data\pylaperuj.pif
    NY -> ixocex.vbs -> %AllUsersProfile%\Documents\ixocex.vbs
    NY -> fotarexive._sy -> %CommonProgramFiles%\fotarexive._sy
    NY -> fode.dl -> %SystemRoot%\fode.dl
    NY -> wajedi._sy -> %SystemRoot%\wajedi._sy
    NY -> osynunito.bin -> %SystemRoot%\System32\osynunito.bin
    NY -> epimetuva.pif -> %SystemRoot%\epimetuva.pif
    NY -> uheta._dl -> %SystemRoot%\System32\uheta._dl
    NY -> piwyt.ban -> %SystemRoot%\piwyt.ban
    NY -> vymewot.bat -> %SystemRoot%\vymewot.bat
    NY -> ovipofo.bat -> %CommonProgramFiles%\ovipofo.bat
    NY -> kotiry.bat -> %AllUsersProfile%\Application Data\kotiry.bat
    NY -> otyzufykew.reg -> %UserProfile%\Local Settings\Application Data\otyzufykew.reg
    NY -> exupe.vbs -> %AppData%\exupe.vbs
    NY -> oden.scr -> %SystemRoot%\oden.scr
    NY -> gamyc.bat -> %SystemRoot%\gamyc.bat
    NY -> wini10803.exe -> %SystemRoot%\System32\wini10803.exe
    NY -> karna.dat -> %SystemRoot%\System32\karna.dat
    NY -> av.dat -> %SystemRoot%\System32\av.dat
    NY -> smwin32.dll -> %SystemRoot%\System32\smwin32.dll
    NY -> uesiuqcr.exe -> %SystemRoot%\System32\uesiuqcr.exe
    NY -> GetModule -> %AppData%\GetModule
    NY -> GetModule -> %ProgramFiles%\GetModule
    NY -> wpv967.cpx -> %SystemRoot%\System32\wpv967.cpx
    NY -> wpv994.cpx -> %SystemRoot%\System32\wpv994.cpx
    NY -> msansspc.dll -> %SystemRoot%\System32\msansspc.dll
    NY -> afd.sys -> %SystemRoot%\System32\dllcache\afd.sys
    [Files/Folders - Modified Within 30 Days]
    NY -> karna.dat -> %SystemRoot%\System32\karna.dat
    NY -> brastk.exe -> %SystemRoot%\System32\brastk.exe
    NY -> brastk.exe -> %SystemRoot%\brastk.exe
    NY -> karna.dat -> %SystemRoot%\karna.dat
    [Empty Temp Folders]
    [Reboot]
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will pop up either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.


Also take a new scan with OTScanIt, leaving the settings at default. Please attach the new OTscanIt log.

EDIT: Are you able to boot into Normal Mode now?

With Regards,
The Panda

Edited by PropagandaPanda, 01 November 2008 - 10:42 AM.


#7 alleymad

alleymad
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 01 November 2008 - 11:08 AM

OK. I copied and pasted the fix you posted into OTScanIt. When I clicked "FIX" it ran for a bit and then generated a .txt file. No reboot was requested. I then ran OTScanIt again as requested. I am attaching the results of that scan as per your request.

Thank you.

p.s. - I still cannot boot into normal mode

[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1313246623-4226745934-2617176999-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\brastk deleted successfully.
C:\WINDOWS\system32\brastk.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\\ deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\brastk deleted successfully.
File C:\WINDOWS\system32\brastk.exe not found.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\brastk not found.
File C:\WINDOWS\system32\brastk.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\InstallVisualStyle deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\InstallTheme deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\ not found.
Registry value HKEY_USERS\S-1-5-21-1313246623-4226745934-2617176999-1006\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\ not found.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:karna.datS\system3 .
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Pando Networks\Pando\pando.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YPager.exe deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\karna.dat moved successfully.
C:\WINDOWS\System32\delself.bat moved successfully.
C:\WINDOWS\zts2.exe folder moved successfully.
C:\WINDOWS\System32\vcmgcd32.dll folder moved successfully.
C:\WINDOWS\System32\systems.txt folder moved successfully.
C:\WINDOWS\rundll16.exe folder moved successfully.
C:\WINDOWS\rundl132.dll folder moved successfully.
C:\WINDOWS\logo1_.exe folder moved successfully.
C:\WINDOWS\System32\iifgfgf.dll folder moved successfully.
File C:\WINDOWS\Lic.xxxb not found!
C:\WINDOWS\saje.dl moved successfully.
C:\Documents and Settings\Joshua Stephens\Application Data\iexplore.iss moved successfully.
C:\WINDOWS\System32\difufeb.db moved successfully.
C:\Documents and Settings\Joshua Stephens\Local Settings\Application Data\pylaperuj.pif moved successfully.
C:\Documents and Settings\All Users\Documents\ixocex.vbs moved successfully.
C:\Program Files\Common Files\fotarexive._sy moved successfully.
C:\WINDOWS\fode.dl moved successfully.
C:\WINDOWS\wajedi._sy moved successfully.
C:\WINDOWS\System32\osynunito.bin moved successfully.
C:\WINDOWS\epimetuva.pif moved successfully.
C:\WINDOWS\System32\uheta._dl moved successfully.
C:\WINDOWS\piwyt.ban moved successfully.
C:\WINDOWS\vymewot.bat moved successfully.
C:\Program Files\Common Files\ovipofo.bat moved successfully.
C:\Documents and Settings\All Users\Application Data\kotiry.bat moved successfully.
C:\Documents and Settings\Joshua Stephens\Local Settings\Application Data\otyzufykew.reg moved successfully.
C:\Documents and Settings\Joshua Stephens\Application Data\exupe.vbs moved successfully.
C:\WINDOWS\oden.scr moved successfully.
C:\WINDOWS\gamyc.bat moved successfully.
C:\WINDOWS\System32\wini10803.exe moved successfully.
C:\WINDOWS\System32\karna.dat moved successfully.
C:\WINDOWS\System32\av.dat moved successfully.
C:\WINDOWS\System32\smwin32.dll moved successfully.
C:\WINDOWS\System32\uesiuqcr.exe moved successfully.
C:\Documents and Settings\Joshua Stephens\Application Data\GetModule folder moved successfully.
C:\Program Files\GetModule folder moved successfully.
C:\WINDOWS\System32\wpv967.cpx moved successfully.
C:\WINDOWS\System32\wpv994.cpx moved successfully.
C:\WINDOWS\System32\msansspc.dll moved successfully.
C:\WINDOWS\System32\dllcache\afd.sys moved successfully.
[Files/Folders - Modified Within 30 Days]
File C:\WINDOWS\System32\karna.dat not found!
File C:\WINDOWS\System32\brastk.exe not found!
C:\WINDOWS\brastk.exe moved successfully.
File C:\WINDOWS\karna.dat not found!
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.0.28b fix logfile created on 11012008_120256

Attached Files


Edited by PropagandaPanda, 01 November 2008 - 11:44 AM.
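The fix log above is easier to read once each line is classified by outcome. The line that matters most is "Unable to delete registry value ... AppInit_Dlls ...": the load point that HijackThis reported as O20 survived the fix even though the karna.dat files themselves were moved, which is consistent with the machine still not booting normally. The parser below, added here as an example and not OTScanIt's own code, does that classification over lines constructed in the shape of the log above and lists what still needs attention; the status names and function names are this example's own.

```python
"""OTScanIt fix-log outcome parser.

Added example (not part of the thread and not OTScanIt code): classify each
line of a fix log as done / absent / failed so the entries the tool could
not remove stand out.  SAMPLE_FIX_LOG is constructed from the shape of the
log posted above.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_FIX_LOG = r"""
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\brastk deleted successfully.
C:\WINDOWS\system32\brastk.exe moved successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\brastk not found.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:karna.datS\system3 .
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\karna.dat moved successfully.
File C:\WINDOWS\Lic.xxxb not found!
C:\Program Files\GetModule folder moved successfully.
[Files/Folders - Modified Within 30 Days]
File C:\WINDOWS\System32\karna.dat not found!
< End of fix log >
"""

# Order matters: the "failed" pattern is tried first so an "Unable to ..."
# line is never mistaken for a success.
PATTERNS = [
    ("failed", re.compile(r"^Unable to (?:delete|move) (?:registry (?:value|key) |file )?(?P<target>.+?)\s*\.?$")),
    ("done",   re.compile(r"^(?:Registry (?:value|key) )?(?P<target>.+?)(?: folder)? (?:deleted|moved) successfully\.$")),
    ("absent", re.compile(r"^(?:Registry (?:value|key) |File )?(?P<target>.+?) not found[.!]$")),
]

Outcome = Tuple[str, str, str]   # (section, status, target)


def parse_fix_log(text: str) -> List[Outcome]:
    """Classify every action line of the log under the [section] it appears in."""
    outcomes: List[Outcome] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # e.g. "Registry - Safe List"
            continue
        if line.startswith("<"):          # "< End of fix log >" trailer
            continue
        for status, pat in PATTERNS:
            m = pat.match(line)
            if m:
                outcomes.append((section, status, m.group("target")))
                break
        else:
            # Anything the patterns do not know is surfaced rather than dropped.
            outcomes.append((section, "unparsed", line))
    return outcomes


def summarize(outcomes: List[Outcome]) -> Tuple[Dict[str, int], List[Outcome]]:
    """Return per-status counts and the outcomes that still need attention."""
    counts = Counter(status for _, status, _ in outcomes)
    pending = [o for o in outcomes if o[1] in ("failed", "unparsed")]
    return dict(counts), pending


if __name__ == "__main__":
    counts, pending = summarize(parse_fix_log(SAMPLE_FIX_LOG))
    print(counts)
    for section, status, target in pending:
        print(f"{status.upper()} [{section}] {target}")
```

On the sample this yields four successful removals, three "not found" entries (normal when an earlier line in the same fix already moved the file) and one failure, the AppInit_Dlls value. A responder reading the full log the same way would treat that single failed line as the reason to escalate to a tool that can operate before the DLL is loaded, which is what the next reply in the thread does.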


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:10 PM

Posted 01 November 2008 - 11:47 AM

Hello.

This one's tough. Let's bring out the big(ger) guns.

Install Recovery Console and Run ComboFix
Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Download the file and save it as it's originally named onto your desktop.
Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click Yes to run the full ComboFix scan.
  • Please post back the C:\ComboFix.txt that will open on reboot.

Please post back with:
-the ComboFix log
-a new OTScanIt log (default settings)

With Regards,
The Panda

#9 alleymad

alleymad
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 01 November 2008 - 12:35 PM

Just out of curiosity, where do I get combofix.exe?

EDIT: I found the file on bleepingcomputers.com. Doing the procedure now.

Edited by alleymad, 01 November 2008 - 12:37 PM.


#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:10 PM

Posted 01 November 2008 - 12:46 PM

Hello.

Sorry.

Any of the links below.
Link 1, Link 2, Link 3

With Regards,
The Panda

#11 alleymad

alleymad
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 01 November 2008 - 04:35 PM

OK. I am unable to get ComboFix to do anything by dragging the file that I downloaded from Microsoft onto the icon. It literally does nothing. I do not get an error message or any other indication that would let me provide you any additional feedback.

I am in safe mode on the administrator account, as this is still the only way I can boot the machine up.

EDIT: I re-named the file combofix.exe to CFX.exe and it allowed me to run it. I will post the logs when complete.

Edited by alleymad, 01 November 2008 - 11:22 PM.


#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:10 PM

Posted 01 November 2008 - 06:36 PM

Hello.

In that case, simply double click ComboFix to run it.

If ComboFix asks to download the Recovery Console answer Yes. Answer Yes again when asked to continue the scan for malware.

I am unsure if ComboFix's downloading works in Safe Mode.

If ComboFix reboots your machine, allow it to boot into Normal Mode, even if your computer blue screens. It may not be able to complete its routine if you boot into Safe Mode. Wait for the blue screen, if it still occurs, then shutdown and reboot into Safe Mode again.

With Regards,
The Panda

#13 alleymad

alleymad
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 01 November 2008 - 09:18 PM

combofix.exe will not run. It will not run by dragging the .enu file onto the icon. It will not run by double clicking the icon. It will not run by right clicking the icon and selecting open. It will not run off of the usb stick.

I have downloaded from all three of the links you provided in the post and tried each method with all three of the downloads. None will work. I am at a loss.

EDIT: I re-named the file combofix.exe to CFX.exe and it allowed me to run it. I will post the logs when complete.

Edited by alleymad, 01 November 2008 - 11:23 PM.


#14 alleymad

alleymad
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 01 November 2008 - 11:47 PM

OK - I was able to run combofix by dragging the Microsoft download onto the re-named icon. It asked me to install the recovery console, which I could not do from safe mode. I continued with the scan. The computer was re-started by the program in normal mode. No blue screen of death appeared. The program did its thing and generated a log, which I am attaching. I then did another scan using the default settings on OTScanIt. That log is attached as well. The computer is currently booted into normal without an active internet connection (I did not plug the cable in - if this needs to be done at any point, just let me know).

Anyhow, I will be awaiting your response. Thank you very much.

ComboFix 08-11-01.01 - Joshua Stephens 2008-11-02 0:29:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.591 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Joshua Stephens\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\brastk.exe
C:\WINDOWS\karna.dat
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\_scui.cpl
C:\WINDOWS\system32\brastk.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\TDSSmhlt.sys
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\karna.dat
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\TDSSarxx.dll
C:\WINDOWS\system32\TDSScfmm.dll
C:\WINDOWS\system32\TDSScfum.dll
C:\WINDOWS\system32\TDSScuhh.log
C:\WINDOWS\system32\TDSSkkai.log
C:\WINDOWS\system32\TDSSlxcp.dll
C:\WINDOWS\system32\TDSSlxwp.dll
C:\WINDOWS\system32\TDSSmtve.dat
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSnmxq.log
C:\WINDOWS\system32\TDSSnrsr.dll
C:\WINDOWS\system32\TDSSoiqh.dll
C:\WINDOWS\system32\TDSSoiqt.dll
C:\WINDOWS\system32\TDSSosvd.dat
C:\WINDOWS\system32\TDSSrhym.log
C:\WINDOWS\system32\TDSSriqp.dll
C:\WINDOWS\system32\TDSSsahc.dll
C:\WINDOWS\system32\TDSSsihl.dll
C:\WINDOWS\system32\TDSSvkql.dll
C:\WINDOWS\system32\TDSSxhyf.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv
-------\Legacy_TDSSserv
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.

2008-11-01 12:02 . 2008-11-01 12:02 <DIR> d-------- C:\_OTScanIt
2008-10-27 17:20 . 2008-10-27 18:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-26 22:10 . 2008-10-26 22:30 <DIR> d-------- C:\HJT
2008-10-26 22:01 . 2008-10-26 22:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-26 12:34 . 2008-10-26 12:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-26 12:34 . 2008-10-26 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-26 12:20 . 2008-10-26 12:20 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-26 12:20 . 2008-10-26 12:20 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-26 12:20 . 2008-10-26 12:20 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-26 12:08 . 2008-10-26 12:08 <DIR> d-------- C:\Program Files\Sygate
2008-10-26 12:08 . 2008-10-26 12:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-26 12:08 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-10-26 12:08 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-10-26 12:08 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-10-26 12:08 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-10-26 12:08 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-10-26 12:08 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-10-26 12:08 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-10-26 11:49 . 2008-10-26 11:49 <DIR> d-------- C:\Program Files\AVG
2008-10-26 11:49 . 2008-10-27 05:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-26 11:47 . 2008-10-26 12:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-26 04:36 . 2008-06-13 07:05 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-26 04:35 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-10-26 04:35 . 2008-05-08 10:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-10-26 02:57 . 2008-10-26 02:57 0 --a------ C:\23990098.$$$
2008-10-26 01:43 . 2008-10-26 01:43 27 --a------ C:\WINDOWS\Lic.xxx
2008-10-26 01:42 . 2008-10-26 01:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MicroWorld
2008-10-26 01:42 . 2008-04-13 20:12 146,432 --a------ C:\WINDOWS\R.COM
2008-10-26 01:42 . 2008-04-13 20:12 135,680 --a------ C:\WINDOWS\system32\T.COM
2008-10-26 00:41 . 2008-10-26 00:41 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-10-26 00:41 . 2008-10-26 00:41 <DIR> d-------- C:\WINDOWS\system32\en
2008-10-26 00:41 . 2008-10-26 00:41 <DIR> d-------- C:\WINDOWS\system32\bits
2008-10-26 00:41 . 2008-10-26 00:41 <DIR> d-------- C:\WINDOWS\l2schemas
2008-10-26 00:40 . 2008-10-26 00:40 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-10-26 00:37 . 2008-10-26 00:37 <DIR> d-------- C:\Documents and Settings\Joshua Stephens\Application Data\Motive
2008-10-26 00:17 . 2008-10-26 00:17 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-10-25 23:53 . 2008-10-25 23:53 <DIR> d-------- C:\New Folder
2008-10-25 23:31 . 2008-10-26 03:30 <DIR> d-------- C:\Program Files\mwav
2008-10-25 23:31 . 2008-10-26 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-25 23:12 . 2008-10-15 12:34 337,408 --------- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-19 10:53 . 2008-10-19 10:53 22,528 --a------ C:\Documents and Settings\~.exe
2008-10-18 22:38 . 2008-09-08 06:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-18 22:37 . 2008-08-14 06:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-18 22:37 . 2008-08-14 06:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-18 22:37 . 2008-08-14 05:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-18 22:37 . 2008-08-14 05:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-18 22:37 . 2008-09-15 08:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-09 07:10 . 2008-10-09 07:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-26 21:18 --------- d-----w C:\Program Files\QuickTime
2008-10-26 21:18 --------- d-----w C:\Program Files\Common Files\Real
2008-10-26 21:16 --------- d-----w C:\Program Files\uTorrent
2008-10-26 21:16 --------- d-----w C:\Program Files\Dell
2008-10-26 21:16 --------- d-----w C:\Program Files\BroadJump
2008-10-26 21:07 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-10-26 17:32 --------- d-----w C:\Documents and Settings\Joshua Stephens\Application Data\LimeWire
2008-10-12 00:42 --------- d-----w C:\Documents and Settings\Joshua Stephens\Application Data\U3
2008-10-09 12:24 --------- d-----w C:\Program Files\Dl_cats
2008-10-09 11:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-28 20:22 --------- d-----w C:\Documents and Settings\Joshua Stephens\Application Data\AdobeUM
2008-09-19 22:40 --------- d-----w C:\Documents and Settings\Joshua Stephens\Application Data\Yahoo!
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2006-03-11 20:56 56 --sh--r C:\WINDOWS\system32\304275D46F.sys
2006-03-11 20:56 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2006-09-06 323216]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"HostManager"="C:\Program Files\Common Files\AOL\1170571136\ee\AOLSoftware.exe" [2006-09-25 50736]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-26 1234712]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 34880]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-11-30 156784]
ExpressPLNRnote.lnk - C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe [2006-01-16 28200]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 151552]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-12-24 169472]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-03-27 217088]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Common Files\\AOL\\1170571136\\ee\\aolsoftware.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57290:TCP"= 57290:TCP:Pando P2P TCP Listening Port
"57290:UDP"= 57290:UDP:Pando P2P UDP Listening Port

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-26 97928]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-26 231704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79762788-9a8d-11dc-a750-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7f84b52-639f-11dc-a745-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-TDSSmhlt.sys


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Joshua Stephens\Application Data\Mozilla\Firefox\Profiles\u1fodra5.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 00:35:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Documents and Settings\Joshua Stephens\Desktop\ASquared\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
.
**************************************************************************
.
Completion time: 2008-11-02 0:39:25 - machine was rebooted [Joshua Stephens]
ComboFix-quarantined-files.txt 2008-11-02 04:39:18

Pre-Run: 73,460,228,096 bytes free
Post-Run: 73,474,330,624 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

247 --- E O F --- 2008-10-27 07:00:20

Edited by PropagandaPanda, 02 November 2008 - 08:53 AM.
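An added example, not part of the thread and not ComboFix's own code: a small Python triage script that pulls out of a ComboFix log the indicators the helper is reading here: TDSS-prefixed files under Other Deletions, the companion files named in this thread, .com files shadowing regedit/taskmgr, and the Security Center and firewall values shown in the off state under Reg Loading Points. The section-banner format and value syntax are assumed from the log as posted; the sample is an abridged copy of that log.

```python
import re
# Constructed sample: an abridged copy of the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((( Other Deletions )))))))))))))))
.
C:\WINDOWS\karna.dat
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\drivers\TDSSmhlt.sys
C:\WINDOWS\system32\TDSSarxx.dll
((((((((((((((( Reg Loading Points )))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")  # "((((( Title )))))" banners
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(dword:)?([0-9a-fA-F]+)')  # "N"=dword:1 / "N"= 0 (0x0)
# Companion files named in this thread, and .com files sitting beside a Windows
# tool of the same base name (cmd.exe's PATHEXT tries .COM before .EXE).
KNOWN_COMPANIONS = {"karna.dat", "brastk.exe"}
SHADOWED_TOOL_RE = re.compile(r"\\(regedit|taskmgr)\.com$", re.IGNORECASE)
# (key fragment, value name) -> the value that means the protection is off
WEAKENED_SETTINGS = {
    ("security center", "antivirusdisablenotify"): 1,
    ("security center", "updatesdisablenotify"): 1,
    ("firewallpolicy\\standardprofile", "enablefirewall"): 0,
}

def split_sections(log_text):
    """Map each ComboFix section title to its content lines ('.' and blanks dropped)."""
    sections, current = {}, None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections

def flag_deleted_files(paths):
    """Return (path, reason) for deletions that match this infection's traits."""
    findings = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lower()
        if name.startswith("tdss"):
            findings.append((path, "TDSS-prefixed component"))
        elif name in KNOWN_COMPANIONS:
            findings.append((path, "companion file named in this thread"))
        elif SHADOWED_TOOL_RE.search(path):
            findings.append((path, ".com shadowing a Windows tool"))
    return findings

def flag_registry(lines):
    """Return (value name, value) for security settings left in the off state."""
    findings, key = [], ""
    for line in lines:
        if line.startswith("["):
            key = line.strip("[]").lower()
        elif (m := VALUE_RE.match(line)):
            name, is_dword, raw = m.groups()
            value = int(raw, 16 if is_dword else 10)  # dword values are hex
            for (key_frag, want), off in WEAKENED_SETTINGS.items():
                if key_frag in key and name.lower() == want and value == off:
                    findings.append((name, value))
    return findings

def triage(log_text):
    """Run both checks over one ComboFix log and return the hits by kind."""
    s = split_sections(log_text)
    return {"files": flag_deleted_files(s.get("Other Deletions", [])),
            "registry": flag_registry(s.get("Reg Loading Points", []))}
```

Run as `triage(open("ComboFix.txt").read())` on a real log; a clean machine should return no registry hits, since those three values in the off state are what the infection left behind.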


#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:10 PM

Posted 02 November 2008 - 08:54 AM

Hello.

Before we run any fixes, I want to check for any remaining parts of that rootkit ComboFix removed.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important!: Please do not select the Show all checkbox during the scan.


Please paste this log directly into your reply.

With Regards,
The Panda



