
Packed.Win32.Krap.aq


This topic is locked
1 reply to this topic

#1 DropKickMyPC (Members, 1 posts)

Posted 15 October 2009 - 01:16 AM

Seems I have a virus... Packed.Win32.Krap.aq. Can someone help me remove this? Thanks! :thumbsup:



Here's the combofix log:

ComboFix 09-10-14.08 - Candice 10/14/2009 22:24.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.189 [GMT -7:00]
Running from: c:\documents and settings\Candice\Desktop\ComboFixA.exe
AV: Shaw Secure 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\msa.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.

2009-10-15 04:41 . 2009-10-15 05:18 -------- d-----w- C:\ComboFix
2009-10-03 06:30 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-24 04:25 . 2009-09-24 04:25 -------- d-----w- C:\MGS
2009-09-18 17:48 . 2009-10-15 03:51 -------- d-----w- c:\documents and settings\Candice\Tracing
2009-09-18 05:44 . 2009-09-18 10:09 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-18 05:43 . 2009-09-18 05:43 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-09-18 05:41 . 2009-08-06 05:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-09-18 05:40 . 2009-09-18 05:40 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-09-18 05:39 . 2006-11-29 20:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-09-18 05:38 . 2009-09-18 05:38 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-09-18 05:35 . 2009-09-18 05:43 -------- d-----w- c:\program files\Microsoft
2009-09-18 05:34 . 2009-09-18 05:34 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-18 05:24 . 2009-09-18 05:24 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 04:07 . 2006-12-10 03:22 -------- d-----w- c:\program files\Shaw Secure
2009-10-13 06:28 . 2006-12-18 18:14 -------- d-----w- c:\program files\Citrix
2009-10-09 06:37 . 2004-09-27 00:16 37728 -c--a-w- c:\documents and settings\Candice\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-02 04:26 . 2007-03-26 18:59 -------- d-----w- c:\program files\WinAce
2009-09-30 22:43 . 2004-09-02 04:49 -------- d-----w- c:\program files\Java
2009-09-20 17:03 . 2008-05-07 04:23 -------- d-----w- c:\program files\Oberon Media
2009-09-18 05:41 . 2008-03-08 06:37 -------- d-----w- c:\program files\Windows Live
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 02:24 . 2004-09-02 04:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-09-02 04:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-06-29 02:45 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-09-02 04:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-09-01 02:14 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2003-07-16 20:25 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-09-02 04:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2006-03-18 17:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2006-03-18 17:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2004-09-01 02:14 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 02:52 . 2009-08-05 02:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 2003-07-16 20:39 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-26 23:44 . 2009-07-26 23:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-25 12:23 . 2008-12-10 18:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2003-07-16 20:24 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:22 . 2003-07-16 20:42 1435648 ----a-w- c:\windows\system32\query.dll
2004-10-14 02:10 . 2004-10-13 03:42 56 -csh--r- c:\windows\system32\C4CBBF2019.sys
2004-10-14 02:10 . 2004-10-13 03:42 5852 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-02 68856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-11-27 234856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2008-09-23 182936]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2008-09-23 957024]
"News Service"="c:\program files\Shaw Secure\FSGUI\ispnews.exe" [2005-05-31 356352]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-17 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"LexBceS"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire 4.0.8\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire 4.2.5\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [12/18/2008 10:49 AM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [1/8/2007 9:40 AM 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [12/11/2008 10:30 PM 66720]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [9/17/2009 10:41 PM 54752]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [1/8/2007 9:39 AM 100984]
S3 kazoo;Kazoo.sys Kazoo Device driver;c:\windows\system32\drivers\kazoo.sys [7/28/2005 9:47 PM 9600]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [1/8/2007 9:39 AM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\win2k\fsrec.sys [1/8/2007 9:39 AM 25184]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 00:57]

2009-10-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mSearch Bar = hxxp://start.shaw.ca/start/enca/addons/search/
mWindow Title = Internet Explorer Provided by SHAW Internet
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunApp.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 22:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(684)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'csrss.exe'(604)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
Completion time: 2009-10-15 22:44
ComboFix-quarantined-files.txt 2009-10-15 05:43
ComboFix2.txt 2009-07-03 14:04

Pre-Run: 34,966,216,704 bytes free
Post-Run: 35,387,691,008 bytes free

167 --- E O F --- 2009-10-14 16:31
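The log above is what a helper actually reads, so here is a small triage script for it. This is an added example, not ComboFix's own code and not something from the original post: it parses the ComboFix log format into its `((( Section )))` blocks and `[registry key]` blocks and pulls out the items a helper would look at first, namely the AV status line (on-access scanning disabled), the files ComboFix deleted (including c:\windows\msa.exe), Run entries ComboFix marked `[X]`, `EnableFirewall=0` in the standard profile, and the globally open 3389/TCP rule. The excerpt embedded as `SAMPLE_LOG` is constructed from lines of the posted log; the section and value patterns are assumptions about ComboFix's output derived from this one log, not a published specification.

```python
"""Triage helper for a ComboFix log (added example; not ComboFix's own code).

Splits the log into '((( Section )))' blocks and '[registry key]' blocks,
parses the "name"=value [meta] lines, and reports the findings a helper
would look at first. The format patterns are assumptions based on the log
posted above, not a published ComboFix specification.
"""
import re
from typing import Dict, List

# Constructed excerpt assembled from lines of the log posted above; the real
# log is longer, but these are the lines the triage logic looks at.
SAMPLE_LOG = r"""
AV: Shaw Secure 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\msa.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # ((( Section name )))
KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\Run]
VALUE_RE = re.compile(                             # "name"=value [meta]
    r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?\s*$'
)


def parse_combofix(text: str) -> Dict[str, dict]:
    """Return {'header': {AV, FW}, 'sections': {name: [lines]}, 'keys': {key: {name: (value, meta)}}}."""
    parsed: Dict[str, dict] = {"header": {}, "sections": {}, "keys": {}}
    section, key = "header", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":              # ComboFix pads blocks with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None       # a new section ends any registry block
            parsed["sections"].setdefault(section, [])
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            parsed["keys"].setdefault(key, {})
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            # meta is the "[date size]" ComboFix appends, or "X" when it recorded none
            parsed["keys"][key][m.group("name")] = (m.group("value").strip('"'), m.group("meta"))
            continue
        if section == "header":
            if line.startswith(("AV:", "FW:")):
                parsed["header"][line[:2]] = line[3:].strip()
            continue
        parsed["sections"][section].append(line)
    return parsed


def triage(parsed: Dict[str, dict]) -> List[str]:
    """Findings a helper would want to see first, as plain strings."""
    findings: List[str] = []
    av = parsed["header"].get("AV", "")
    if "scanning disabled" in av.lower():
        findings.append("AV on-access scanning disabled: " + av)
    for path in parsed["sections"].get("Other Deletions", []):
        findings.append("ComboFix deleted: " + path)
    for key, values in parsed["keys"].items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            for name, (cmd, meta) in values.items():
                if meta == "X":                   # no file date/size recorded by ComboFix
                    findings.append(f"Run entry '{name}' marked [X] by ComboFix: {cmd}")
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall", ("", None))[0].startswith("0"):
                findings.append("Windows Firewall disabled in the standard profile (EnableFirewall=0)")
        elif k.endswith("\\globallyopenports\\list"):
            for name, (rule, _) in values.items():
                if name.upper().startswith("3389:"):
                    findings.append("Remote Desktop port globally open in firewall policy: " + rule)
    return findings


if __name__ == "__main__":
    for finding in triage(parse_combofix(SAMPLE_LOG)):
        print(finding)
```

Run it against a full log by replacing `SAMPLE_LOG` with the file contents; the parser keeps every section and registry block, so further checks (the `Find3M` file list, the driver lines, the `DPF:` entries in the supplementary scan) can be added to `triage` without touching the parsing.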

#2 tg1911 (Lord Spam Magnet; Members, 19,274 posts; SW Louisiana)

Posted 15 October 2009 - 01:50 AM

ComboFix logs should not be posted outside the HijackThis forums, and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed. If you have any questions, please PM me or another Moderator.