Persistent RS32.Net Registry Key


  • This topic is locked
27 replies to this topic

#1 Merasya


  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 21 February 2009 - 10:01 AM

History:

I inadvertently picked up MS Anti Spyware on my desktop. All the google searches recommended SpyZooka and SpyHunter for removing it. SpyZooka did not remove it, and SpyHunter would not even run. SpyZooka Tech Support response was to run SmitFraudFix. Prior to running SmitFraudFix I could surf the net in a limited fashion. After running it though, just opening IE6 resulted in at one point 25 instances of IE running, all opening the same Spyware, Malware, Virus page. It took me ten minutes to get IE6 closed. However, the damage was done. Infection counts according to SpyZooka went from 6 to thirty something. SpyZooka also deleted Run32.DLL. I am guessing by what I saw in DSS I only patched Run32.DLL (I expanded the file out from SP2) instead of fixing it. More on this later.

I downloaded the trial version of Nod32. On its first run it found 93 or 96 infections. I opened a ticket because the trial version shuts down my laptop during scans. A rep replied with downloading Sys Inspector, Avenger, and Mabm. I was so impressed with the response I called Eset, hijacking the ticket for my desktop instead, since the laptop is clean (the laptop was running an older version of Nod32).

After NUMEROUS runs of Avenger, Mabm, ComboFix, and Nod32 all report a clean bill of health. After the removal of Run32.DLL I still had networking and internet capabilities. I assume handled by all the spyware, malware, and viruses on the system. Now that almost all trace of the bad stuff is gone my Network Connection is marked with a red X, and WinXP says the hardware is removed. Yes, I deleted the network card and WinXP replaced it without doing anything, so no network or internet connection.

At a couple points I lost the active desktop for the user and admin accounts. The User account was denied privileges of running Task Manager. I was able to run mabm from the Task Manager for the first time on the Admin account. This revived the active desktop on both accounts. Originally Eset Tech Support thought the Policies were altered or something, and then later thought they were fixed. However, it is most likely only some were fixed, but it is not known if this is totally true, for reasons I will get to shortly.

Remaining Problems (which includes no working network or internet connections)

Attempting to reinstall WinXP - SP2 fails as soon as it accesses the registry with an Access Denied error message. Opening two folders, moving a file from one to the other leaves the moved file in the original folder until a refresh is done (I view this as an active desktop issue, so included it to help you identify the problem - I assume this is covered in the DSS log as well). When I attempted to replace Run32.DLL without expanding XP did not like it and requested the XP-SP2 CD. Windows Update has loaded all the patches since SP1a. The window did not give me a browse option either. So I had to cancel the window.

The last remaining problem is kind of worrisome, and one Eset HAS to investigate, for it may be a new mutation. The following key is in the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | rs32.net

Avenger has deleted this key, the logs say so. I run Ad-Aware 6, with Ad-Watch 3. Ad-Watch 3 is a godsend. Anyway, I ran RegSupreme, deleting the key. Upon closing RegSupreme Ad-Watch flags the registry write attempt to restore the key. I select block, of course, but the write is done anyway. The ComboFix log shows no active rootkits.

I know I can just reinstall, but I really do not want to spend my vacation (which started today, Saturday, for a week) doing so unless I have absolutely no choice. Besides, reinstalling would take me weeks (I moved, and already can't find the Audigy 2 setup CD - who knows what other CDs might be hiding in only God knows where locations), not to mention I would never get it just like it was.

We already tried to fix the winsock, but that failed as well. XP-SP2 reinstall and removing the network card and drivers, forcing XP to reload may fix the network and internet connection, but since XP-SP2 is denied registry access I would guess so is the desktop as it is already running XP-SP2.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Timothy L. Palmer at 9:19:32.89 on Sat 02/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.604 [GMT -5:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VSdotNET\Binn\sqlservr.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\kmw_run.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\STRATE~1\daemon14.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Ad-aware 6\Ad-watch.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Timothy L. Palmer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uInternet Connection Wizard,ShellNext = hxxp://www.viewsonic.com/forms/warrantyreg.cfm
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RcMan.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTStartup] "c:\program files\creative\splash screen\CTEaxSpl.EXE" /run
mRun: [kmw_run.exe] kmw_run.exe
mRun: [Daemon14] c:\progra~1\micros~2\gameco~1\strate~1\daemon14.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [Ad-watch] "c:\program files\ad-aware 6\Ad-watch.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [MSWheel]
mRun: [rs32net] c:\windows\system32\rs32net.exe
StartupFolder: c:\docume~1\timoth~1.pal\startm~1\programs\startup\restar~1.lnk - e:\viewsonic.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\colori~1.lnk - c:\program files\e-color\colorific\hgcctl95.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\sonnreg.lnk - c:\program files\e-color\registration\SonnReg.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\truein~1.lnk - c:\program files\e-color\true internet color\TICIcon.exe
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} - hxxp://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2002-10-19 9458]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2009-2-9 8576]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
R2 MSSQL$VSdotNET;MSSQL$VSdotNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -svsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -sVSdotNET [?]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2004-12-31 18840]
S0 ati7xdxx;ati7xdxx;c:\windows\system32\drivers\ati7xdxx.sys --> c:\windows\system32\drivers\ati7xdxx.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 SQLAgent$VSdotNET;SQLAgent$VSdotNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.exe -i vsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.EXE -i VSdotNET [?]
S4 Vssstucdecpr;Vssstucdecpr; [x]

=============== Created Last 30 ================

2009-02-20 03:51 0 a------- c:\windows\system32\SndDrv32x.ini
2009-02-20 02:35 <DIR> --d----- c:\program files\RegSupreme
2009-02-20 00:26 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-19 23:40 <DIR> --d----- c:\program files\Windows Resource Kits
2009-02-18 14:28 33,280 ac------ c:\windows\system32\dllcache\rundll32.exe
2009-02-18 14:28 33,280 a------- c:\windows\system32\rundll32.exe
2009-02-18 00:04 161,792 a------- c:\windows\SWREG.exe
2009-02-18 00:04 98,816 a------- c:\windows\sed.exe
2009-02-17 21:43 <DIR> --d----- c:\docume~1\timoth~1.pal\applic~1\Malwarebytes
2009-02-17 21:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-17 21:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 21:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-17 21:28 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-02-17 14:57 2 a------- C:\209414804
2009-02-17 14:57 26,624 a------- C:\pfkik.exe
2009-02-15 23:47 0 a------- c:\windows\system32\UACmurdhdat.Vdll
2009-02-15 23:37 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-15 23:37 1,409 a------- c:\windows\QTFont.for
2009-02-15 02:21 302,592 a------- c:\windows\system32\nnnliHYo.dll.vir
2009-02-15 00:12 302,592 a------- c:\windows\system32\nnnmmmKe1.dll
2009-02-13 02:28 <DIR> --d----- c:\program files\ESET
2009-02-11 01:22 <DIR> --d----- c:\program files\IsoBuster
2009-02-09 16:18 <DIR> --d----- c:\program files\Bin File Viewer
2009-02-09 16:17 <DIR> --d----- c:\program files\Bin Converter
2009-02-09 15:59 8,576 a------- c:\windows\system32\drivers\VCdRom.sys
2009-02-09 15:38 31,812 a------- c:\windows\system32\BMXCtrlState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 15:38 31,812 a------- c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 15:38 31,440 a------- c:\windows\system32\BMXStateBkp-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 15:38 31,440 a------- c:\windows\system32\BMXState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 15:38 4,958,588 a------- c:\windows\{00000000-00000000-00000009-00001102-00000004-10021102}.BAK
2009-02-09 15:38 4,958,588 a------- c:\windows\{00000000-00000000-00000009-00001102-00000004-10021102}.CDF
2009-02-09 14:49 54 a------- c:\windows\system32\ctzapxx.ini
2009-02-09 14:11 65,536 a------- c:\windows\system32\ctdvda32.dll
2009-02-09 14:05 11,564 a------- c:\windows\system32\DVCState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 14:00 <DIR> --d-h--- c:\program files\Creative Installation Information
2009-02-09 14:00 <DIR> --d----- c:\program files\common files\Creative
2009-02-09 03:22 <DIR> --d----- c:\program files\MSXML 6.0
2009-02-07 21:21 <DIR> --d----- c:\program files\AskTBar
2009-02-07 21:20 4,757 a------- c:\windows\Irremote.ini
2009-02-07 20:53 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-07 20:51 14,048 a------- c:\windows\system32\spmsg2.dll
2009-02-05 20:52 <DIR> --d----- C:\divx
2009-02-03 18:49 <DIR> --d----- c:\program files\common files\3DO Shared
2009-02-03 18:49 <DIR> --d----- c:\program files\3DO
2009-01-30 19:29 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\HipSoft

==================== Find3M ====================

2009-02-20 14:31 7,304 a------- c:\windows\TMP0001.TMP
2009-02-17 20:41 14,336 a------- c:\windows\system32\svchost.exe
2009-01-12 11:22 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-10 19:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 19:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 21:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 21:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 21:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 21:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-12-01 15:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-01 15:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 15:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-01 15:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-01 15:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-01 15:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-01 15:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-01 15:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-01 15:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-01 15:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-01 15:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-01 15:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-01 15:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 15:11 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-12-01 15:11 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-12-01 15:11 887,724 a------- c:\windows\system32\ativva6x.dat
2008-12-01 14:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 14:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 14:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 14:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 14:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 14:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-01 14:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-12-01 14:35 593,920 a------- c:\windows\system32\ati2sgag.exe
2006-12-07 13:55 19,560 a------- c:\docume~1\timoth~1.pal\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 9:20:10.00 ===============
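The Run entry that keeps coming back in the post above (`mRun: [rs32net] c:\windows\system32\rs32net.exe`) is a textbook orphaned autostart: the value survives while the binary it launches has already been deleted. The following is an added example, not code from the original post, from BleepingComputer or from the DDS tool. It parses the `uRun:`/`mRun:` lines of a DDS "Pseudo HJT Report" (mapping the u/m prefixes to the HKCU and HKLM Run keys, following DDS's prefix convention), extracts the launch image from quoted and unquoted command lines, and flags entries that are empty, point at a file that is not present, or use a bare filename that Windows would resolve through PATH. The sample log lines are a constructed subset of the log above and `PRESENT_FILES` is a constructed stand-in for a real filesystem check.

```python
"""Audit DDS 'Pseudo HJT Report' Run entries for orphaned autostarts.

Added example; not part of the original thread or of DDS itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# DDS prefix -> registry key it summarises (u = current user, m = machine).
RUN_PREFIXES = {
    "uRun": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "mRun": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Shape of a DDS Run line:   mRun: [ValueName] <command line or nothing>
RUN_LINE = re.compile(r"^(uRun|mRun):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class RunEntry:
    key: str      # registry key the value lives under
    name: str     # value name (the bracketed part)
    image: str    # executable path extracted from the command line
    command: str  # full command line as logged


def split_image(command: str) -> str:
    """Return the executable path from a Run command line.

    A quoted path ends at the closing quote. An unquoted path ends at the
    first token ending in .exe, which also handles unquoted paths containing
    spaces followed by arguments (e.g. 'c:\\program files\\...\\x.exe /logon').
    """
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(?i)(.*?\.exe)(?:\s|$)", command)
    return m.group(1) if m else command.split()[0]


def parse_run_entries(log_text: str) -> list[RunEntry]:
    """Extract every uRun/mRun line from a DDS log into RunEntry records."""
    entries: list[RunEntry] = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        prefix, name, cmd = m.group(1), m.group("name"), m.group("cmd")
        entries.append(RunEntry(RUN_PREFIXES[prefix], name, split_image(cmd), cmd))
    return entries


def audit_run_entries(entries: list[RunEntry], present_files: set[str]) -> list[tuple[str, str]]:
    """Return (value name, reason) for every entry worth a second look.

    present_files stands in for a filesystem lookup; comparison is
    case-insensitive, as on Windows. Bare filenames (no backslash) are
    resolved through PATH by Windows, so they are reported for manual review
    rather than checked against the set.
    """
    present = {p.lower() for p in present_files}
    findings: list[tuple[str, str]] = []
    for e in entries:
        if not e.image:
            findings.append((e.name, "empty command line"))
        elif "\\" not in e.image:
            findings.append((e.name, "bare filename resolved via PATH, verify manually"))
        elif e.image.lower() not in present:
            findings.append((e.name, "launch image not present: " + e.image))
    return findings


# Constructed sample: a subset of the Pseudo HJT Report lines in the log above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CTHelper] CTHELPER.EXE
mRun: [MSWheel]
mRun: [rs32net] c:\windows\system32\rs32net.exe
"""

# Constructed stand-in for "which of these files actually exist on disk";
# rs32net.exe is deliberately absent, matching the situation in the thread.
PRESENT_FILES = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\program files\eset\eset nod32 antivirus\egui.exe",
    r"c:\program files\canon\myprinter\BJMyPrt.exe",
}

if __name__ == "__main__":
    for name, reason in audit_run_entries(parse_run_entries(SAMPLE_LOG), PRESENT_FILES):
        print(f"[{name}] {reason}")
```

On the sample the audit reports `CTHelper` (bare filename), `MSWheel` (empty value) and `rs32net` (image missing). The last finding is the one the thread is about; the value being recreated after deletion is the signal that something still running, not the deleted exe, owns that key. The same parser can be run over two DDS logs taken before and after a cleanup, and any Run value that reappears with a missing image is the entry to chase.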



#2 KoanYorel


    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:07:33 AM

Posted 04 March 2009 - 02:41 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Merasya

  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 04 March 2009 - 07:22 PM

Run32.DLL has been fixed, which has fixed the network and internet connections as well as folder refreshes. Mbam still finds no malicious threats. Combofix still reports no active rootkits. The persistent RS32.Net registry entry still exists (which is the only thing left).

BleepingComputer considers RS32Net.Exe a malicious file. It stands to reason a persistent registry key associated with the file would also be a threat, even though the exe file has been removed. It also stands to reason that some file, dll perhaps, is forcing the persistence. As such I would consider such a file as a threat, as a possible backdoor in the future. Since Mbam does not find the file as a threat, and ComboFix does not find the file as an active rootkit I would have to think it is somehow a mutation. Consequently, I consider it a threat.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Timothy L. Palmer at 18:53:29.21 on Wed 03/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.568 [GMT -5:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\kmw_run.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\STRATE~1\daemon14.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Ad-aware 6\Ad-watch.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VSdotNET\Binn\sqlservr.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Timothy L. Palmer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.viewsonic.com/forms/warrantyreg.cfm
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RcMan.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTStartup] "c:\program files\creative\splash screen\CTEaxSpl.EXE" /run
mRun: [kmw_run.exe] kmw_run.exe
mRun: [Daemon14] c:\progra~1\micros~2\gameco~1\strate~1\daemon14.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [Ad-watch] "c:\program files\ad-aware 6\Ad-watch.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [MSWheel]
mRun: [rs32net] c:\windows\system32\rs32net.exe
StartupFolder: c:\docume~1\timoth~1.pal\startm~1\programs\startup\restar~1.lnk - e:\viewsonic.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\colori~1.lnk - c:\program files\e-color\colorific\hgcctl95.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\sonnreg.lnk - c:\program files\e-color\registration\SonnReg.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\truein~1.lnk - c:\program files\e-color\true internet color\TICIcon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} - hxxp://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2002-10-19 9458]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2009-2-9 8576]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
R2 MSSQL$VSdotNET;MSSQL$VSdotNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -svsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -sVSdotNET [?]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2004-12-31 18840]
S0 ati7xdxx;ati7xdxx;c:\windows\system32\drivers\ati7xdxx.sys --> c:\windows\system32\drivers\ati7xdxx.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 SQLAgent$VSdotNET;SQLAgent$VSdotNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.exe -i vsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.EXE -i VSdotNET [?]
S4 Vssstucdecpr;Vssstucdecpr; [x]

=============== Created Last 30 ================

2009-02-28 23:35 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-28 23:35 1,409 a------- c:\windows\QTFont.for
2009-02-27 13:41 7,680 a--sh--- c:\windows\system32\Thumbs.db
2009-02-27 13:41 9,216 a--sh--- c:\windows\Thumbs.db
2009-02-21 16:00 <DIR> --d----- C:\XPSP2
2009-02-20 03:51 0 a------- c:\windows\system32\SndDrv32x.ini
2009-02-20 02:35 <DIR> --d----- c:\program files\RegSupreme
2009-02-20 00:26 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-19 23:40 <DIR> --d----- c:\program files\Windows Resource Kits
2009-02-18 14:28 33,280 ac------ c:\windows\system32\dllcache\rundll32.exe
2009-02-18 14:28 33,280 a------- c:\windows\system32\rundll32.exe
2009-02-18 00:04 161,792 a------- c:\windows\SWREG.exe
2009-02-18 00:04 98,816 a------- c:\windows\sed.exe
2009-02-17 21:43 <DIR> --d----- c:\docume~1\timoth~1.pal\applic~1\Malwarebytes
2009-02-17 21:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-17 21:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 21:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-17 21:28 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-02-17 14:57 2 a------- C:\209414804
2009-02-17 14:57 26,624 a------- C:\pfkik.exe
2009-02-15 23:47 0 a------- c:\windows\system32\UACmurdhdat.Vdll
2009-02-13 02:28 <DIR> --d----- c:\program files\ESET
2009-02-11 01:22 <DIR> --d----- c:\program files\IsoBuster
2009-02-09 16:18 <DIR> --d----- c:\program files\Bin File Viewer
2009-02-09 16:17 <DIR> --d----- c:\program files\Bin Converter
2009-02-09 15:59 8,576 a------- c:\windows\system32\drivers\VCdRom.sys
2009-02-09 15:38 31,812 a------- c:\windows\system32\BMXCtrlState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 15:38 31,812 a------- c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 15:38 31,440 a------- c:\windows\system32\BMXStateBkp-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 15:38 31,440 a------- c:\windows\system32\BMXState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 15:38 4,958,588 -------- c:\windows\{00000000-00000000-00000009-00001102-00000004-10021102}.BAK
2009-02-09 15:38 4,958,588 a------- c:\windows\{00000000-00000000-00000009-00001102-00000004-10021102}.CDF
2009-02-09 14:49 54 a------- c:\windows\system32\ctzapxx.ini
2009-02-09 14:11 65,536 a------- c:\windows\system32\ctdvda32.dll
2009-02-09 14:05 11,564 a------- c:\windows\system32\DVCState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 14:00 <DIR> --d-h--- c:\program files\Creative Installation Information
2009-02-09 14:00 <DIR> --d----- c:\program files\common files\Creative
2009-02-09 03:22 <DIR> --d----- c:\program files\MSXML 6.0
2009-02-07 21:21 <DIR> --d----- c:\program files\AskTBar
2009-02-07 21:20 4,757 a------- c:\windows\Irremote.ini
2009-02-07 20:53 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-07 20:51 14,048 a------- c:\windows\system32\spmsg2.dll
2009-02-05 20:52 <DIR> --d----- C:\divx
2009-02-03 18:49 <DIR> --d----- c:\program files\common files\3DO Shared
2009-02-03 18:49 <DIR> --d----- c:\program files\3DO

==================== Find3M ====================

2009-02-25 07:57 7,304 a------- c:\windows\TMP0001.TMP
2009-02-17 20:41 14,336 a------- c:\windows\system32\svchost.exe
2009-01-12 11:22 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-10 19:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 19:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 21:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 21:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 21:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 21:28 57,344 a------- c:\windows\system32\dpv11.dll
2006-12-07 13:55 19,560 a------- c:\docume~1\timoth~1.pal\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 18:54:10.15 ===============

Attached Files



#4 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 05 March 2009 - 04:08 PM

Hi

You shouldn't run ComboFix by yourself. It's not a general removal tool like MBAM, for example. Anyway, since you've now run it, please post the contents of the ComboFix.txt file back here too.

Is your Nod32 license still valid?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 Merasya
  • Topic Starter
  • Members
  • 26 posts

Posted 06 March 2009 - 12:55 PM

ComboFix alters the system clock, which hosed the trial version time period for Nod32. However, Nod32 no longer detected any viruses. Additionally, the trial version will be removed and a valid upgrade installed (already purchased) once the persistent registry entry is handled.

ComboFix was requested by Eset a number of times. I am attaching the logs instead of pasting for simplicity. It is important to note, originally as mentioned in the initial post, the system was virtually hosed due to viruses, malware, and trojans. The first run of Avenger fixed the desktop. The first run of ComboFix fixed SpyHunter3 (SpyHunter 3 would not even run - as a result SpyHunter3 was removed, as was SpyZooka). Multiple runs were required to clean up the sheer volume of the assorted infection types. Additionally, some files were successfully removed, yet the .ini files for the removed files were left intact. Most have been manually cleaned, but I can't say all though.

Eset helped clear everything else. Then, all of a sudden they refused to continue because I was using the trial version. Some did not understand that I was going to renew/upgrade after the final problem was fixed. I did upgrade but I seem to be on ignore for the moment - go figure...

Attached Files



#6 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 06 March 2009 - 05:31 PM

Hi again,

ComboFix changes time display format but doesn't turn the date back or forward.


Delete your old copy of ComboFix.exe and then follow these instructions:

Seeing that you have P2P programs installed, I recommend uninstalling them. Whatever you decide to do, those programs must not be run during the process, at least.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#7 Merasya
  • Topic Starter
  • Members
  • 26 posts

Posted 08 March 2009 - 08:58 AM

ComboFix stops - it now runs in limited functional mode - with an error of not being able to find the batch file Check_Hal. I had forgotten about the recovery console. It wouldn't install before because Run32.DLL was missing - thanks to SpyZooka.

#8 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 08 March 2009 - 09:23 AM

ComboFix stops - it now runs in limited functional mode - with an error of not being able to find the batch file Check_Hal.


Hi

Sounds like you didn't delete old ComboFix.exe file and get a fresh copy as instructed. Please do so. Also, make sure protection programs are disabled before you run ComboFix.



#9 Merasya
  • Topic Starter
  • Members
  • 26 posts

Posted 08 March 2009 - 07:46 PM

Hey Blade,

I think that did it. I would guess ComboFix couldn't fix the problem before because of the missing Run32.DLL, so there was no network or internet connection, causing the Recovery Console to fail as well. Now the RC installed without any major hitches, and I do not see RS32 in the report or the registry.

Please feel free to peruse the new logs to see if there is anything else untoward that I might not be familiar with listed. The sad thing is Eset still hasn't replied. Oh well, I guess it is just as well. :thumbup2:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Timothy L. Palmer at 20:35:59.03 on Sun 03/08/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.574 [GMT -4:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VSdotNET\Binn\sqlservr.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\kmw_run.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\STRATE~1\daemon14.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Timothy L. Palmer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.viewsonic.com/forms/warrantyreg.cfm
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RcMan.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTStartup] "c:\program files\creative\splash screen\CTEaxSpl.EXE" /run
mRun: [kmw_run.exe] kmw_run.exe
mRun: [Daemon14] c:\progra~1\micros~2\gameco~1\strate~1\daemon14.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [Ad-watch] "c:\program files\ad-aware 6\Ad-watch.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [MSWheel]
StartupFolder: c:\docume~1\timoth~1.pal\startm~1\programs\startup\restar~1.lnk - e:\viewsonic.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\colori~1.lnk - c:\program files\e-color\colorific\hgcctl95.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\sonnreg.lnk - c:\program files\e-color\registration\SonnReg.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\truein~1.lnk - c:\program files\e-color\true internet color\TICIcon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} - hxxp://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2002-10-19 9458]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2009-2-9 8576]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
R2 MSSQL$VSdotNET;MSSQL$VSdotNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -svsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -sVSdotNET [?]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2004-12-31 18840]
S0 ati7xdxx;ati7xdxx;c:\windows\system32\drivers\ati7xdxx.sys --> c:\windows\system32\drivers\ati7xdxx.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 SQLAgent$VSdotNET;SQLAgent$VSdotNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.exe -i vsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.EXE -i VSdotNET [?]
S4 Vssstucdecpr;Vssstucdecpr; [x]

=============== Created Last 30 ================

2009-03-08 20:12 <DIR> a-dshr-- C:\cmdcons
2009-03-08 20:10 <DIR> --d----- C:\ComboFix
2009-03-01 00:35 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-01 00:35 1,409 a------- c:\windows\QTFont.for
2009-02-27 14:41 7,680 a--sh--- c:\windows\system32\Thumbs.db
2009-02-27 14:41 9,216 a--sh--- c:\windows\Thumbs.db
2009-02-21 17:00 <DIR> --d----- C:\XPSP2
2009-02-20 04:51 0 a------- c:\windows\system32\SndDrv32x.ini
2009-02-20 03:35 <DIR> --d----- c:\program files\RegSupreme
2009-02-20 01:26 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-20 00:40 <DIR> --d----- c:\program files\Windows Resource Kits
2009-02-18 15:28 33,280 ac------ c:\windows\system32\dllcache\rundll32.exe
2009-02-18 15:28 33,280 a------- c:\windows\system32\rundll32.exe
2009-02-18 01:04 161,792 a------- c:\windows\SWREG.exe
2009-02-18 01:04 98,816 a------- c:\windows\sed.exe
2009-02-17 22:43 <DIR> --d----- c:\docume~1\timoth~1.pal\applic~1\Malwarebytes
2009-02-17 22:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-17 22:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 22:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-17 22:28 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-02-17 15:57 2 a------- C:\209414804
2009-02-17 15:57 26,624 a------- C:\pfkik.exe
2009-02-16 00:47 0 a------- c:\windows\system32\UACmurdhdat.Vdll
2009-02-13 03:28 <DIR> --d----- c:\program files\ESET
2009-02-11 02:22 <DIR> --d----- c:\program files\IsoBuster
2009-02-09 17:18 <DIR> --d----- c:\program files\Bin File Viewer
2009-02-09 17:17 <DIR> --d----- c:\program files\Bin Converter
2009-02-09 16:59 8,576 a------- c:\windows\system32\drivers\VCdRom.sys
2009-02-09 16:38 31,812 a------- c:\windows\system32\BMXCtrlState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 16:38 31,812 a------- c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 16:38 31,440 a------- c:\windows\system32\BMXStateBkp-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 16:38 31,440 a------- c:\windows\system32\BMXState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 16:38 4,958,588 a------- c:\windows\{00000000-00000000-00000009-00001102-00000004-10021102}.BAK
2009-02-09 16:38 4,958,588 a------- c:\windows\{00000000-00000000-00000009-00001102-00000004-10021102}.CDF
2009-02-09 15:49 54 a------- c:\windows\system32\ctzapxx.ini
2009-02-09 15:11 65,536 a------- c:\windows\system32\ctdvda32.dll
2009-02-09 15:05 11,564 a------- c:\windows\system32\DVCState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 15:00 <DIR> --d-h--- c:\program files\Creative Installation Information
2009-02-09 15:00 <DIR> --d----- c:\program files\common files\Creative
2009-02-09 04:22 <DIR> --d----- c:\program files\MSXML 6.0
2009-02-07 22:21 <DIR> --d----- c:\program files\AskTBar
2009-02-07 22:20 4,757 a------- c:\windows\Irremote.ini
2009-02-07 21:53 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-07 21:51 14,048 a------- c:\windows\system32\spmsg2.dll

==================== Find3M ====================

2009-03-08 10:01 7,304 a------- c:\windows\TMP0001.TMP
2009-02-17 21:41 14,336 a------- c:\windows\system32\svchost.exe
2009-01-12 12:22 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-10 20:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 20:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 22:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 22:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 22:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 22:28 57,344 a------- c:\windows\system32\dpv11.dll
2006-12-07 14:55 19,560 a------- c:\docume~1\timoth~1.pal\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 20:36:08.78 ===============

Attached Files



#10 Merasya
  • Topic Starter
  • Members
  • 26 posts

Posted 08 March 2009 - 08:28 PM

I stand corrected. Folder refreshes weren't happening after running ComboFix so I rebooted. Of course, RS32.Net reappeared according to Ad-Watch, which doesn't block the registry write. Oh well, I was happy for a minute...

#11 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 09 March 2009 - 11:00 AM

Hi again,

I recommend you get rid of your P2P programs. A major part of infections spreads via P2P networks nowadays. By getting rid of the clients you reduce the risk of getting infected.


Uninstall these vulnerable Javas:
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_01
Java 2 Runtime Environment, SE v1.4.2_03



Also, Ad-Aware 6 is not supported anymore. I recommend uninstalling it and getting Ad-Aware AE which is the latest version.


Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader!


Open notepad and copy/paste the text in the quotebox below into it:

Driver::
ati7xdxx
Vssstucdecpr

File::
C:\pfkik.exe
C:\209414804
c:\windows\system32\UACmurdhdat.Vdll
c:\windows\system32\Drivers\ati7xdxx.sys

DDS::
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} -
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7xdxx.sys]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that the latest Java must be installed, "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

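The CFScript in the post above pulls a handful of entries out of Merasya's DDS log: a boot-start driver (ati7xdxx) whose file DDS could not stat, a service (Vssstucdecpr) registered with no image path at all, an executable (C:\pfkik.exe) and a two-byte extensionless file (C:\209414804) sitting in the drive root, and a zero-byte .Vdll in system32. The Python below is an added example, not part of this thread, of DDS or of ComboFix, that writes those same triage heuristics down as code and runs them over lines copied from the logs posted above (with a few benign entries left in so the rules have something to pass over). The system32 extension allow-list, the severity labels and my reading of DDS's [x] and [?] markers are assumptions; the output is a starting point for the kind of manual review Blade81 did, not a verdict.

```python
"""Heuristic triage of DDS 'SERVICES / DRIVERS' and 'Created Last 30' lines."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: a short allow-list of extensions normally created directly under
# system32; anything else there is flagged for review.
EXPECTED_SYSTEM32_EXT = {".dll", ".exe", ".sys", ".ocx", ".cpl", ".drv", ".scr",
                         ".ax", ".tlb", ".nls", ".ini", ".dat", ".db", ".log", ".rfx"}

@dataclass(frozen=True)
class Finding:
    severity: str  # "high": candidate for a fix script; "low": verify by hand
    item: str      # service name or file path exactly as DDS printed it
    reason: str

_BINARY_RE = re.compile(r"(?i)(.+?\.(?:exe|sys|dll))(?=\s|$)")
_CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size><DIR>|[\d,]+) "
                         r"\S{8} (?P<path>.+)$")

def triage_service_line(line: str) -> Optional[Finding]:
    """One 'SERVICES / DRIVERS' line -> Finding, or None if nothing stands out."""
    start, _, rest = line.strip().partition(" ")
    parts = rest.split(";", 2)
    if len(parts) < 3:
        return None
    name, _display, image = parts
    image = image.strip()
    if image.endswith("[x]"):
        # DDS prints [x] when the service key carries no image path at all.
        return Finding("high", name, "service registered with no image path ([x])")
    if image.endswith("[?]"):
        # DDS prints [?] instead of a [date size] stamp when it could not stat the file.
        resolved = image[:-3].split("-->")[-1].strip()
        m = _BINARY_RE.match(resolved)
        binary = (m.group(1) if m else resolved).lower()  # drop command-line arguments
        if binary.endswith(".sys"):
            return Finding("high", name, f"{start} driver whose file DDS could not stat: {binary}")
        return Finding("low", name, f"DDS could not stat {binary}; verify against the vendor install")
    return None

def triage_created_line(line: str) -> Optional[Finding]:
    """One 'Created Last 30' line -> Finding, or None if nothing stands out."""
    m = _CREATED_RE.match(line.strip())
    if not m or m["size"] == "<DIR>":
        return None
    size = int(m["size"].replace(",", ""))
    path = m["path"]
    directory, _, filename = path.lower().rpartition("\\")
    _stem, dot, ext = filename.rpartition(".")
    ext = "." + ext if dot else ""
    in_root = re.fullmatch(r"[a-z]:", directory) is not None
    if in_root and ext == ".exe":
        return Finding("high", path, "executable created directly in the drive root")
    if in_root and not dot:
        return Finding("high", path, f"extensionless {size}-byte file in the drive root (dropper marker)")
    if directory.endswith("\\system32") and ext not in EXPECTED_SYSTEM32_EXT:
        return Finding("high", path, f"unusual extension {ext!r} in system32 ({size} bytes)")
    return None

def triage_dds(text: str) -> List[Finding]:
    """Walk a DDS log, switching parsers on the '====' banners DDS prints."""
    findings: List[Finding] = []
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("="):  # section banner: pick a parser, or none (Find3M, FINISH)
            section = ("services" if "SERVICES / DRIVERS" in line
                       else "created" if "Created Last 30" in line else None)
            continue
        parse = {"services": triage_service_line, "created": triage_created_line}.get(section)
        finding = parse(line) if parse else None
        if finding:
            findings.append(finding)
    return findings

# Sample input: lines copied from the DDS logs posted in this thread, with a few
# benign entries left in so the heuristics have something to pass over.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
R0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2002-10-19 9458]
R2 MSSQL$VSdotNET;MSSQL$VSdotNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -svsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -sVSdotNET [?]
S0 ati7xdxx;ati7xdxx;c:\windows\system32\drivers\ati7xdxx.sys --> c:\windows\system32\drivers\ati7xdxx.sys [?]
S4 Vssstucdecpr;Vssstucdecpr; [x]
=============== Created Last 30 ================
2009-02-27 14:41 7,680 a--sh--- c:\windows\system32\Thumbs.db
2009-02-18 15:28 33,280 a------- c:\windows\system32\rundll32.exe
2009-02-17 22:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-17 15:57 2 a------- C:\209414804
2009-02-17 15:57 26,624 a------- C:\pfkik.exe
2009-02-16 00:47 0 a------- c:\windows\system32\UACmurdhdat.Vdll
2009-02-13 03:28 <DIR> --d----- c:\program files\ESET
==================== Find3M ====================
"""

if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity}] {f.item}: {f.reason}")
```

Run against the sample, the five items Blade81 put into the CFScript come out as "high", while the MSSQL$VSdotNET entry, which DDS also marks [?] only because its command line carries an argument, comes out as "low" for manual confirmation; rundll32.exe, Thumbs.db and mbam.sys produce nothing. The point is the distinction between the two DDS markers: [x] means the service key has no image path to check, [?] means there was a path but DDS could not stat the file, and only the second needs a vendor-path sanity check before it goes into a removal script.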


#12 Merasya
  • Topic Starter
  • Members
  • 26 posts

Posted 09 March 2009 - 05:12 PM

Blade,

All suggested program removals were done, with one exception. Almost all of the Adobe 6 reader updates are also Adobe Acrobat updates as well. As a result I left them alone as I do not want to break Acrobat. I have downloaded the newest Reader, as well as Ad-Aware SE, but I haven't installed them just yet. Additionally, I have the Eset Security Suite as well, also not installed yet. The trial version of Eset Nod32 expires shortly, and will be removed prior to installing the suite.

On a side note I am glad to see you had this listed: C:\pfkik.exe. I kept looking at it as it bothered me, but I couldn't say for certain either way so I left it alone.

There is no report from KasperSky, no malware detected.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Timothy L. Palmer at 17:42:50.93 on Mon 03/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.537 [GMT -4:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VSdotNET\Binn\sqlservr.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\kmw_run.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\STRATE~1\daemon14.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Timothy L. Palmer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.viewsonic.com/forms/warrantyreg.cfm
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RcMan.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTStartup] "c:\program files\creative\splash screen\CTEaxSpl.EXE" /run
mRun: [kmw_run.exe] kmw_run.exe
mRun: [Daemon14] c:\progra~1\micros~2\gameco~1\strate~1\daemon14.exe
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [MSWheel]
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
StartupFolder: c:\docume~1\timoth~1.pal\startm~1\programs\startup\restar~1.lnk - e:\viewsonic.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\colori~1.lnk - c:\program files\e-color\colorific\hgcctl95.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\sonnreg.lnk - c:\program files\e-color\registration\SonnReg.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\truein~1.lnk - c:\program files\e-color\true internet color\TICIcon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} - hxxp://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2002-10-19 9458]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2009-2-9 8576]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
R2 MSSQL$VSdotNET;MSSQL$VSdotNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -svsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -sVSdotNET [?]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2004-12-31 18840]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 SQLAgent$VSdotNET;SQLAgent$VSdotNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.exe -i vsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.EXE -i VSdotNET [?]

=============== Created Last 30 ================

2009-03-09 15:24 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-09 15:24 1,409 a------- c:\windows\QTFont.for
2009-03-08 20:12 <DIR> a-dshr-- C:\cmdcons
2009-02-27 14:41 7,680 a--sh--- c:\windows\system32\Thumbs.db
2009-02-27 14:41 9,216 a--sh--- c:\windows\Thumbs.db
2009-02-21 17:00 <DIR> --d----- C:\XPSP2
2009-02-20 04:51 0 a------- c:\windows\system32\SndDrv32x.ini
2009-02-20 03:35 <DIR> --d----- c:\program files\RegSupreme
2009-02-20 01:26 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-20 00:40 <DIR> --d----- c:\program files\Windows Resource Kits
2009-02-18 15:28 33,280 ac------ c:\windows\system32\dllcache\rundll32.exe
2009-02-18 15:28 33,280 a------- c:\windows\system32\rundll32.exe
2009-02-18 01:04 161,792 a------- c:\windows\SWREG.exe
2009-02-18 01:04 98,816 a------- c:\windows\sed.exe
2009-02-17 22:43 <DIR> --d----- c:\docume~1\timoth~1.pal\applic~1\Malwarebytes
2009-02-17 22:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-17 22:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 22:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-17 22:28 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-02-13 03:28 <DIR> --d----- c:\program files\ESET
2009-02-11 02:22 <DIR> --d----- c:\program files\IsoBuster
2009-02-09 17:18 <DIR> --d----- c:\program files\Bin File Viewer
2009-02-09 17:17 <DIR> --d----- c:\program files\Bin Converter
2009-02-09 16:59 8,576 a------- c:\windows\system32\drivers\VCdRom.sys
2009-02-09 16:38 31,812 a------- c:\windows\system32\BMXCtrlState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 16:38 31,812 a------- c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 16:38 31,440 a------- c:\windows\system32\BMXStateBkp-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 16:38 31,440 a------- c:\windows\system32\BMXState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 16:38 4,958,588 a------- c:\windows\{00000000-00000000-00000009-00001102-00000004-10021102}.BAK
2009-02-09 16:38 4,958,588 a------- c:\windows\{00000000-00000000-00000009-00001102-00000004-10021102}.CDF
2009-02-09 15:49 54 a------- c:\windows\system32\ctzapxx.ini
2009-02-09 15:11 65,536 a------- c:\windows\system32\ctdvda32.dll
2009-02-09 15:05 11,564 a------- c:\windows\system32\DVCState-{00000000-00000000-00000009-00001102-00000004-10021102}.rfx
2009-02-09 15:00 <DIR> --d-h--- c:\program files\Creative Installation Information
2009-02-09 15:00 <DIR> --d----- c:\program files\common files\Creative
2009-02-09 04:22 <DIR> --d----- c:\program files\MSXML 6.0
2009-02-07 22:21 <DIR> --d----- c:\program files\AskTBar
2009-02-07 22:20 4,757 a------- c:\windows\Irremote.ini
2009-02-07 21:53 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-07 21:51 14,048 a------- c:\windows\system32\spmsg2.dll

==================== Find3M ====================

2009-03-09 15:23 7,304 a------- c:\windows\TMP0001.TMP
2009-02-17 21:41 14,336 a------- c:\windows\system32\svchost.exe
2009-01-12 12:22 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-10 20:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 20:33 86,016 a------- c:\windows\system32\dpl100.dll
2006-12-07 14:55 19,560 a------- c:\docume~1\timoth~1.pal\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 17:43:16.07 ===============
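A small triage helper for DDS logs like the one above, added here as an example; it is not part of this thread or of the DDS tool. It parses the SERVICES / DRIVERS, Created Last 30 and Find3M sections into records and flags executables written into the core Windows directories within the last 30 days (rundll32.exe and svchost.exe in this log), which are the files worth hash-checking against a known-good copy such as the SP2 source the poster expanded. The sample lines are copied from the log in this thread; the section titles and line layout the regexes assume are the ones this log shows, and the helper names are mine.

```python
"""Triage helper for DDS-style logs (added example, not DDS's own code)."""
import ntpath
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2002-10-19 9458]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]

=============== Created Last 30 ================

2009-03-08 20:12 <DIR> a-dshr-- C:\cmdcons
2009-02-18 15:28 33,280 ac------ c:\windows\system32\dllcache\rundll32.exe
2009-02-18 15:28 33,280 a------- c:\windows\system32\rundll32.exe
2009-02-17 22:28 15,504 a------- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

2009-02-17 21:41 14,336 a------- c:\windows\system32\svchost.exe
"""

# "============= SERVICES / DRIVERS ===============" -> section title
SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")
# "R2 name;display name;path [yyyy-m-d size]" (the trailing bracket is optional,
# DDS prints "[?]" when it could not stat the file)
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\])?$")
# "yyyy-mm-dd hh:mm size-or-<DIR> attrs path"
FILE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>[a-z-]{8}) (?P<path>.+)$")


def parse_dds(text):
    """Return {'services': [...], 'files': [...]} parsed from a DDS log."""
    services, files, section = [], [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title").strip()
            continue
        if section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if m:
                services.append({
                    "start": m.group("start"),      # R = running, S = stopped
                    "name": m.group("name"),
                    "display": m.group("display"),
                    "path": m.group("path"),
                    "date": m.group("date"),
                    "size": int(m.group("size")) if m.group("size") else None,
                })
        elif section in ("Created Last 30", "Find3M"):
            m = FILE_RE.match(line)
            if m:
                size = m.group("size")
                files.append({
                    "section": section,
                    "when": datetime.strptime(m.group("stamp"), "%Y-%m-%d %H:%M"),
                    "is_dir": size == "<DIR>",
                    "size": None if size == "<DIR>" else int(size.replace(",", "")),
                    "attrs": m.group("attrs"),
                    "path": m.group("path"),
                })
    return {"services": services, "files": files}


# Directories where a freshly written exe/dll/sys deserves a hash check.
CORE_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\dllcache"}
CORE_EXTS = {".exe", ".dll", ".sys"}


def flag_recent_system_binaries(files, as_of, days=30):
    """Files under CORE_DIRS with a core extension written in the last `days`
    days before `as_of` (ISO date string, e.g. the log's scan date)."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=days)
    flagged = []
    for f in files:
        if f["is_dir"] or f["when"] < cutoff:
            continue
        low = f["path"].lower()
        if ntpath.dirname(low) in CORE_DIRS and ntpath.splitext(low)[1] in CORE_EXTS:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    parsed = parse_dds(SAMPLE_LOG)
    for f in flag_recent_system_binaries(parsed["files"], "2009-03-09"):
        print(f["when"], f["size"], f["path"])
```

Run against the full log, the function lists every recently replaced system binary with its size, so each can be compared against the copy in the SP2 expansion or the dllcache before deciding whether the repair in this thread left a good file behind.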


#13 Blade81

  • Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:33 PM

Posted 10 March 2009 - 10:57 AM

Hi

That looks better. How's the system running now?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#14 Merasya

  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 10 March 2009 - 07:03 PM

Hey Blade,

That seems to have removed the persistent registry entry. Before I start installing the other things I do have a couple of queries:

1. IE6 no longer displays any icons on a web page. I hated IE7 (which is on my laptop) but found something which makes it tolerable, so if it is just better to install IE7, then that's fine - assuming the installation fixes the icons.

2. With all the runs of ComboFix, installing some software, and uninstalling other software there is a fairly large amount of restore points. Any way to safely clean up some of them? After all this time and energy I would hate for the system to go wacky and require booting up from a restore point only to pick one that isn't worth restoring.

3. At one point Eset wanted me to run XP-SP2 in order to replace the missing Run32.DLL, but the patch bombed as soon as it started to access the registry. Since then I fixed the DLL and Eset fixed the registry (we think - I never tried running the patch afterwards since the dll was fixed). Additionally, the system was originally installed back in 2002. Only the XP-SP1 and XP-SP1A patches were run; all the XP-SP2 patches were done piecemeal. As a result there are a ton of $NTUninstall folders (I think that's right, too lazy to double check). Anyway, is there any way of cleaning up some of these safely, and is it worth even trying to run the XP-SP2 patch?

Other than this I do not know of any other problems or glitches, but I do wish to thank you very much for your help. I SOOO did not want to have to reinstall everything from scratch!

Timothy

#15 Blade81

  • Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:33 PM

Posted 11 March 2009 - 09:34 AM

Hi Timothy

Some answers to your questions :)

1. Installing IE7 is recommended, though the picture problem could possibly be sorted out in another way too. It's safer than IE6.

2. Those restore points will be flushed and replaced with a healthy one :step4:

3. I don't think it would be a wise move to remove those $NTUninstall folders. Anyway, if you don't have SP2 installed then I strongly recommend doing so.



Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.


Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
  • hosts file:
    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, it is used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here.
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok
  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (if you choose Comodo: uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and install the firewall ONLY!).

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
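The Internet zone settings Blade81 lists in the post above are stored as per-zone DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, one value per URL action ID. As an added example (not from the post or from Microsoft), the script below audits an exported copy of that key against the recommended values and writes a .reg fragment for the ones that differ, so the change can be verified rather than clicked through by hand. The action IDs (1001, 1004, 1201, 1607, 1800, 1804) and the 0 = Enable / 1 = Prompt / 3 = Disable codes are Microsoft's documented zone-policy values; the sample export is constructed, and the function names are mine.

```python
"""Audit Internet Explorer's Internet zone against the settings recommended in
this thread (added example, not the poster's or Microsoft's code)."""
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3

# URL action ID -> (Internet Options label, value recommended in the post)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Constructed sample export: two actions still on the default (Enable) and
# one action missing entirely, which IE then treats as its built-in default.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000001
"""

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_zone_values(reg_text, key=ZONE3_KEY):
    """Return {value name: int} for the DWORD values under `key` in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = DWORD_RE.match(line)
        if m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit_internet_zone(reg_text):
    """List every recommended action whose current value differs or is absent."""
    current = parse_zone_values(reg_text)
    findings = []
    for action, (label, wanted) in RECOMMENDED.items():
        have = current.get(action)          # None when the value is not set
        if have != wanted:
            findings.append({"action": action, "label": label,
                             "current": have, "wanted": wanted})
    return findings


def to_reg_fragment(findings, key=ZONE3_KEY):
    """Build a .reg file that sets only the values the audit flagged."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    for f in findings:
        lines.append(f'"{f["action"]}"=dword:{f["wanted"]:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in audit_internet_zone(SAMPLE_REG):
        print(f'{f["action"]} {f["label"]}: current={f["current"]} wanted={f["wanted"]}')
    print(to_reg_fragment(audit_internet_zone(SAMPLE_REG)))
```

Produce the input on the affected machine with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and pass the file's text to audit_internet_zone (exported .reg files are commonly UTF-16, so open them with that encoding). Two caveats: when the Security_HKLM_only policy is set, the effective zone values come from the HKLM copy of the same path instead of HKCU, and a missing value means IE falls back to its built-in default for that action rather than to the recommended one, which is why the audit reports absent values as findings.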