Virus/Trojan problem...
Hi,
I have a problem here with a Virus/Trojan that I can't seem to get rid of...
The Virus/Trojan does the following things...
1. disables my Antivirus program - CA Anti Virus 8.4.0.24
2. deletes the exe files of my Anti Trojan program - Trojan Hunter 5
3. disables booting into Safe Mode by deleting the SafeMode entry in the registry
4. if you try to re-install those affected programs it will automatically delete the exe files again
I figured out how to add those deleted entries to the registry again, and I was able to boot in Safe Mode.
Finally in Safe Mode I did the following things:
a. ran CA Antivirus Software Scan - no viruses found
b. ran Trojan Hunter - trojans found - deleted them all
--> because the exe of Trojan Hunter was deleted I copied the exe from another PC to the infected one (in Safe Mode) and ran the program
c. I could NOT run Ad-Aware 2007 or install any programs in SafeMode, so...
Back in Windows (Normal Mode) I got a popup from Windows:
"Windows file protection
Files that are required for windows to run properly have been replaced by unrecognized versions. To maintain system stability, windows must restore the original versions of these files."
I inserted the Windows CD and the popup went away.
The Virus/Trojan problem still persists; I ran Ad-Aware 2007 and deleted all of the infections - the problem still persists...
Back in Safe Mode - the Virus/Trojan deleted the SafeMode registry entry again - I added it again, booted into Safe Mode again and ran Trend Micro HijackThis.
Here's the report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:59 AM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\zabkat\xplorer2\xplorer2_UC.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Files\Applications\System-Tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
O4 - HKCU\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: RATT.lnk = C:\Program Files\Microsoft\RATTV3\RATT.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188282304859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188282262734
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD4CE7F-9A77-4CD6-A93E-10AC170C7CDC}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FD4CE7F-9A77-4CD6-A93E-10AC170C7CDC}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1FD4CE7F-9A77-4CD6-A93E-10AC170C7CDC}: NameServer = 192.168.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{1FD4CE7F-9A77-4CD6-A93E-10AC170C7CDC}: NameServer = 192.168.2.1
O20 - Winlogon Notify: adsnw32 - C:\WINDOWS\SYSTEM32\adsnw32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nexus Server (Carbon Coder) (Nexus Server) - Unknown owner - C:\Program Files\Common Files\Rhozet\Carbon Coder\Kernel\PNXSERVR.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 8206 bytes
Thanx for your help in advance !!!
Mike
P.S.: Would you recommend using different programs than CA Anti Virus & Trojan Hunter for my protection ?
This discussion has been closed.
Comments
ComboFix 08-01-05.1 - Mike 2008-01-04 19:02:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1533 [GMT -8:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\exefld
C:\WINDOWS\system32\drivers\srosa.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\LEGACY_NWSAPAGENT
\LEGACY_SROSA
\NwSapAgent
\srosa
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.
2008-01-04 19:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 07:49 . 2008-01-04 07:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-01-04 06:16 . 2004-08-04 04:00 11,776 --a--c--- C:\WINDOWS\system32\dllcache\chkdsk.exe
2008-01-04 06:16 . 2004-08-04 04:00 11,776 --a------ C:\WINDOWS\system32\chkdsk.exe
2008-01-03 21:41 . 2008-01-03 21:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-01-03 19:09 . 2008-01-03 19:09 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\PC Suite
2008-01-03 19:08 . 2004-08-04 04:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-03 09:24 . 2008-01-04 10:06 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-01-03 09:01 . 2007-02-28 03:55 2,182,144 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-01-03 09:01 . 2007-02-28 03:55 2,182,144 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-03 08:37 . 2006-08-19 04:07 634,794 --------- C:\WINDOWS\system32\drivers\hldrrr.exe
2008-01-03 08:36 . 2008-01-04 00:36 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-03 07:54 . 2007-10-12 09:51 5,206,016 --a------ C:\WINDOWS\system32\mkl_genarts.dll
2008-01-03 07:54 . 2006-09-20 15:49 200,704 --a------ C:\WINDOWS\system32\libguide40.dll
2008-01-03 07:54 . 2008-01-03 08:06 202 --a------ C:\WINDOWS\MSUTIL.INI
2008-01-03 07:18 . 2007-02-18 23:41 2,867,200 --a------ C:\WINDOWS\system32\sapphire_ae.dll
2008-01-03 07:17 . 2008-01-03 07:17 <DIR> d-------- C:\Program Files\GenArts
2008-01-02 22:30 . 2008-01-02 22:30 <DIR> d-------- C:\Program Files\DVDInfoPro
2008-01-01 22:25 . 2008-01-01 22:25 <DIR> d-------- C:\Program Files\Magic Bullet MisFire
2008-01-01 22:25 . 2008-01-01 22:25 <DIR> d-------- C:\Program Files\Magic Bullet Looks
2008-01-01 22:14 . 2008-01-01 22:14 <DIR> d-------- C:\Program Files\Synthetic Aperture
2008-01-01 01:30 . 2008-01-01 01:30 <DIR> d-------- C:\Temp
2008-01-01 01:22 . 2008-01-01 01:22 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\dvdcss
2008-01-01 01:19 . 2008-01-01 01:19 <DIR> d-------- C:\Program Files\Xilisoft
2008-01-01 01:19 . 2005-11-20 21:48 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-01-01 01:19 . 2005-11-20 21:48 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-01-01 01:16 . 2008-01-01 01:16 0 --a------ C:\WINDOWS\system32\video.avs
2008-01-01 01:14 . 2008-01-01 01:14 <DIR> d-------- C:\Program Files\Plato DVD Ripper
2007-12-30 15:58 . 2007-12-30 15:58 0 --a------ C:\ADM_Pandora
2007-12-29 20:52 . 2007-12-30 15:58 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\gtk-2.0
2007-12-29 20:51 . 2007-12-29 20:51 <DIR> d-------- C:\Program Files\Avidemux 2.4
2007-12-29 20:51 . 2007-12-29 20:53 <DIR> d-------- C:\Documents and Settings\Mike\avidemux
2007-12-29 18:13 . 2007-12-29 18:13 <DIR> d-------- C:\Program Files\Plato DVD Copy
2007-12-29 17:58 . 2007-12-29 17:58 <DIR> d-------- C:\Program Files\Plato DVD to AVI Converter
2007-12-29 01:13 . 2007-12-29 01:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-12-28 21:12 . 2007-12-28 21:12 <DIR> d-------- C:\Program Files\MediaInfo
2007-12-28 16:46 . 2007-12-28 16:46 <DIR> d-------- C:\Program Files\VideoReDoTVSuite
2007-12-28 16:46 . 2007-12-29 03:14 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\VideoReDo-TVSuite
2007-12-27 22:33 . 2007-12-27 22:36 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\DVD Shrink
2007-12-26 16:51 . 2007-12-26 16:51 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\MPEG Streamclip
2007-12-26 06:46 . 2007-12-26 06:46 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Media Player Classic
2007-12-25 05:07 . 2007-12-25 05:07 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-25 05:07 . 2006-09-24 16:11 389,120 --a------ C:\WINDOWS\system32\lameACM.acm
2007-12-25 05:07 . 2004-01-25 17:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-12-25 05:07 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-12-25 05:07 . 2007-09-21 01:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2007-12-25 05:07 . 2007-12-07 18:28 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-25 05:07 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-12-25 05:07 . 2007-10-03 16:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2007-12-25 04:02 . 2003-12-20 01:38 45,568 --a------ C:\WINDOWS\system32\HUFFYUV.DLL
2007-12-24 02:27 . 2007-12-24 02:27 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2007-12-24 02:27 . 2007-12-24 02:27 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2007-12-24 02:27 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-12-23 01:30 . 2007-12-23 01:30 <DIR> d-------- C:\Program Files\Exact Audio Copy 0.95 pebeta 4
2007-12-22 23:02 . 2007-12-22 23:02 <DIR> d-------- C:\Program Files\CUE Splitter
2007-12-20 01:35 . 2007-12-22 00:19 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\BSplayer PRO
2007-12-14 02:23 . 2008-01-03 08:30 <DIR> d-------- C:\Program Files\eMule
2007-12-11 16:01 . 2007-12-11 16:01 <DIR> d-------- C:\Program Files\ZqWare
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 14:19 --------- d-----w C:\Documents and Settings\Mike\Application Data\uTorrent
2008-01-03 16:36 --------- d-----w C:\Program Files\PeerGuardian2
2008-01-02 14:18 --------- d-----w C:\Program Files\QuickTime
2008-01-02 14:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-02 06:25 7,473 ----a-w C:\Program Files\mbsuite21.log
2007-12-31 05:12 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-31 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-29 11:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-29 05:09 --------- d-----w C:\Program Files\Flash Fluid Effect 1.0
2007-12-26 04:19 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-26 04:12 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-26 04:12 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-26 04:12 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-26 04:12 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-26 04:12 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-12-26 04:12 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-24 10:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-23 03:03 --------- d-----w C:\Program Files\Mp3-Tag Studio 3.05
2007-12-20 09:35 --------- d-----w C:\Program Files\Webteh
2007-12-05 22:17 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-12-04 11:03 --------- d-----w C:\Program Files\Vertus Fluid Mask 3
2007-12-02 00:58 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2007-12-02 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2007-11-19 02:17 --------- d-----w C:\Program Files\Better File Rename
2007-11-19 01:59 --------- d-----w C:\Program Files\Better File Series
2007-11-15 00:24 --------- d-----w C:\Documents and Settings\Mike\Application Data\Mr Retro
2007-11-15 00:19 --------- d-----w C:\Program Files\DCETools
2007-11-15 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Digital Anarchy
2007-11-15 00:11 145,717 ----a-w C:\WINDOWS\Curves 3 Uninstaller.exe
2007-11-15 00:11 --------- d-----w C:\Program Files\Curvemeister.com
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-15 09:49 645,670 ----a-w C:\Utorrent-1.6-Install.exe
2007-10-15 07:07 99,904 ----a-w C:\WINDOWS\system32\isafeif.dll
2007-10-15 07:07 79,424 ----a-w C:\WINDOWS\system32\vetredir.dll
2007-10-15 07:07 75,280 ----a-w C:\WINDOWS\system32\isafprod.dll
2007-10-14 19:51 716,496 ----a-w C:\RATTV3Setup.exe
2007-09-01 08:37 129 --sha-w C:\Program Files\desktop.ini
2003-11-04 01:07 499,712 ----a-w C:\Program Files\msvcp71.dll
2003-11-04 01:07 348,160 ----a-w C:\Program Files\msvcr71.dll
2003-05-30 17:22 344,064 ----a-r C:\Program Files\msvcr70.dll
2002-01-05 11:40 487,424 ----a-w C:\Program Files\msvcp70.dll
2006-02-26 05:08 108 --sha-r C:\WINDOWS\neoqaz2.dll
2007-06-20 13:56 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2007-06-20 13:56 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-06-20 13:56 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007062020070621\index.dat
2007-06-20 13:56 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2004-06-17 01:06 631363]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 02:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 15:40 1884160]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-10-14 23:07 177416]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-10-14 23:07 230928]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-11-01 00:04 321088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2007-05-29 18:29 169984]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 14:58 1744896]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RATT.lnk - C:\Program Files\Microsoft\RATTV3\RATT.exe [2007-10-14 11:53:10]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\adsnw32]
adsnw32.dll 2004-03-05 20:47 7680 C:\WINDOWS\system32\adsnw32.dll
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
@="Volume"
R1 nltdi;nltdi;C:\WINDOWS\system32\drivers\nltdi.sys [2007-04-23 03:03]
R2 Nexus Server;Nexus Server (Carbon Coder);C:\Program Files\Common Files\Rhozet\Carbon Coder\Kernel\PNXSERVR.exe [2007-04-10 11:14]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:00]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2007-12-24 02:27]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{074ff0af-1eef-11dc-82b9-806d6172696f}]
\Shell\AutoRun\command - F:\ASUSACPI.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 14:30:03 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2007-12-29 15:05:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 19:18:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-04 19:28:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-05 03:28:12
.
2007-12-17 00:21:09 --- E O F ---
Thanx for your help !
Mike
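The SafeBoot damage ComboFix flags above ("SafeBoot registry key needs repairs") is the same key Mike kept restoring by hand each time the malware removed it. As an added example that is not part of this thread, the PowerShell below audits HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal against a baseline and reports what is missing or changed without writing anything; the baseline is only the subset of entries ComboFix listed on this machine, and a real one should be exported from a known-good machine running the same Windows version.

```powershell
# Added example (not from the thread): read-only audit of the SafeBoot\Minimal key
# that the malware described above kept deleting. Nothing is written to the registry.
# Run from an elevated PowerShell prompt; point $SafeBootKey at ...\SafeBoot\Network
# to audit the "Safe Mode with Networking" variant the same way.

$SafeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'

# Baseline: subkey name -> expected (default) value. This is only the subset that
# ComboFix listed on Mike's machine; build a real baseline by exporting the key on
# a known-good machine running the same Windows version.
$Baseline = @{
    'File system'                            = 'Driver Group'
    'vgasave.sys'                            = 'Driver'
    '{4D36E967-E325-11CE-BFC1-08002BE10318}' = 'DiskDrive'
    '{4D36E96A-E325-11CE-BFC1-08002BE10318}' = 'Hdc'
    '{4D36E96B-E325-11CE-BFC1-08002BE10318}' = 'Keyboard'
    '{4D36E96F-E325-11CE-BFC1-08002BE10318}' = 'Mouse'
    '{4D36E97D-E325-11CE-BFC1-08002BE10318}' = 'System'
    '{71A27CDD-812A-11D0-BEC7-08002BE2092F}' = 'Volume'
}

function Test-SafeBootKey {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Expected
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # Case 1: the whole key is gone. This is the state Mike described: Windows
    # cannot enter Safe Mode at all until the key is restored.
    if (-not (Test-Path -LiteralPath $Path)) {
        $findings.Add([pscustomobject]@{
            Entry = $Path; Status = 'KEY MISSING'; Expected = '(entire key)'; Actual = $null
        })
        return $findings
    }

    # Case 2: the key exists but individual subkeys were removed or retargeted.
    $present = @{}
    Get-ChildItem -LiteralPath $Path | ForEach-Object { $present[$_.PSChildName] = $true }

    foreach ($name in $Expected.Keys) {
        if (-not $present.ContainsKey($name)) {
            $findings.Add([pscustomobject]@{
                Entry = $name; Status = 'MISSING'; Expected = $Expected[$name]; Actual = $null
            })
            continue
        }
        # The '(default)' value holds the driver group or device class name,
        # e.g. @="DiskDrive" in the ComboFix output above.
        $subkey = Join-Path -Path $Path -ChildPath $name
        $actual = (Get-ItemProperty -LiteralPath $subkey -ErrorAction SilentlyContinue).'(default)'
        if ($actual -ne $Expected[$name]) {
            $findings.Add([pscustomobject]@{
                Entry = $name; Status = 'CHANGED'; Expected = $Expected[$name]; Actual = $actual
            })
        }
    }
    return $findings
}

# @() forces an array even when the function returns nothing, so .Count is safe.
$result = @(Test-SafeBootKey -Path $SafeBootKey -Expected $Baseline)
if ($result.Count -eq 0) {
    Write-Output "OK: all $($Baseline.Count) baseline entries present under $SafeBootKey."
    exit 0
}
Write-Output "$SafeBootKey does not match the baseline:"
$result | Format-Table -AutoSize
exit 1
```

A live registry read can be lied to by a kernel-mode rootkit, so when this disagrees with an offline copy of the SYSTEM hive, trust the offline copy.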
Can you please post a new HijackThis log from after you ran ComboFix? ComboFix may or may not have fixed this problem.
Infections can change and fresh instructions will now need to be given. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.
If you are not the user who started this thread, you must start your own Thread instead (grin)