Weird things happen !

Discussion in 'Virus Information' started by pg, Dec 14, 2009.

  1. pg

    pg Guest

    Last night everything was fine.

    This morning all my browsers except Google Chrome are dead.

    The dead browsers are Microsoft IE, Firefox 3.5.5 and Opera 10.10

    After clicking them, nothing

    Checked under Task Manager: they are there and taking a lot of CPU
    resources, but they stay behind.

    Killed those browsers and re-installed; still the same.

    So I downloaded MBAM (Malwarebytes' Anti-Malware) and scanned.

    After a scan, MBAM reported that there were 5 trojans, and I deleted
    all 5 of them.

    Rebooted the computer, and still the browsers (except Google Chrome)
    refused to work.

    Ran MBAM again; 3 more data entries in the Registry were found. Deleted
    them again (report at the end of the message).

    Reboot.

    Still the browsers can't run.

    Downloaded Avast and Norton.

    Norton won't run without downloading their virus definition, but
    something is blocking Norton from downloading their virus
    definition !!

    Now Avast is downloading its virus definition, VERY SLOW !

    My 2mbps line is downloading at less than 2kbps speed !!

    I will run Avast after it finishes with the update.

    BTW, is there any other package that I should run to check what
    actually has happened to my computer?

    Please help !

    Attached: Report from MBAM

    = = ==================================================

    Malwarebytes' Anti-Malware 1.42
    Database version: 3357
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/7/2009 12:58:27 PM
    mbam-log-2009-12-07 (12-58-27).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 145847
    Time elapsed: 8 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    = = ===========================================================
     
    pg, Dec 14, 2009
    #1

  2. From: "pg" <>

    | Last night everything was fine.

    | This morning all my browsers except Google Chrome are dead.

    | The dead browsers are Microsoft IE, Firefox 3.5.5 and Opera 10.10

    Kill all software on PC and perform a scan using Gmer.

    http://www.gmer.net/#files
     
    David H. Lipman, Dec 14, 2009
    #2

  3. From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

    ADDENDUM:

    In addition, don't install BOTH Avast and Norton. It is one or the other, and Avast is
    preferred, as it is contraindicated to install more than one fully installed AV application
    performing both "On Demand" and "On Access" scanning on any singular PC.
     
    David H. Lipman, Dec 14, 2009
    #3
  4. pg

    pg Guest


    Opera 10.10, Firefox 3.5.5, IE 8.0.6001 and Google Chrome are the 4
    browsers on my computer.

    Now only Google Chrome works, barely --- very slow !

    The other three start, but stay hidden and consume CPU resources
    like crazy.

    I re-downloaded new copies of Firefox 3.5.5 and Opera 10.10 and
    re-installed them.

    Still none of them works.

    I downloaded Norton's Online utility, clicked on the setup file, and
    after it installed, it wanted to download the virus definition, and
    that virus / trojan / malware BLOCKS norton's attempt to dl _any_
    virus definition.

    Avast's download was successful, and I used it to run the "boot up" routine,
    scanned the entire system, and asked it to delete EVERYTHING that it
    finds suspicious.

    After Avast's scan, I rebooted the machine, and STILL, IE, FF and Opera
    refuse to work !

    Same as before.

    I have run DDS, RootRepeal and Hijackthis, and will post the result at
    the end of this message.

    MBAM did delete some suspicious trojan, but this system is still very
    much in deep shit (please pardon my French).

    Here are the reports:

    = = =============================

    Root Repeal

    = = =============================

    ROOTREPEAL © AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/12/07 13:26
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: BIOS.sys
    Image Path: C:\WINDOWS\system32\drivers\BIOS.sys
    Address: 0xF557B000 Size: 13696 File Visible: - Signed: No
    Status: -

    Name: cpuz132_x32.sys
    Image Path: C:\WINDOWS\system32\drivers\cpuz132_x32.sys
    Address: 0xF0205000 Size: 12672 File Visible: - Signed: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xEFAD5000 Size: 49152 File Visible: No Signed: No
    Status: -

    Name: rtqj.sys
    Image Path: rtqj.sys
    Address: 0xF5DD8000 Size: 54016 File Visible: No Signed: No
    Status: -

    Name: tap0901.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\tap0901.sys
    Address: 0xF6138000 Size: 25216 File Visible: - Signed: No
    Status: -

    Name: uyowfi.sys
    Image Path: uyowfi.sys
    Address: 0xF5DC8000 Size: 54016 File Visible: No Signed: No
    Status: -

    ==EOF==


    = = =============================

    DDS

    = = =============================


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Administrator at 12:53:18.71 on Mon 12/07/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2772 [GMT -12:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Free Extended Task Manager\Extensions\TaskManager\ExtensionsTaskManager32.exe
    C:\Program Files\Norton Security Scan\Engine\2.3.0.44\NSS.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Desktop\HousecallLauncher.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zS22.tmp\setup.exe
    C:\Documents and Settings\Administrator\Desktop\avast_home_setup.exe
    C:\Documents and Settings\Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [VTTrayp] VTtrayp.exe
    mRun: [OODefragTray] c:\windows\system32\oodtray.exe
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [openvpn-gui] c:\program files\ultravpn\bin\openvpn-gui.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    TCP: {D3D6DBB7-7AE8-47E2-A68D-004688814060} = 202.188.0.133 202.188.1.5
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    IFEO: taskmgr.exe - c:\program files\free extended task manager\extensions\taskmanager\ExtensionsTaskManager32.exe

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\4x3ekcqo.default\
    FF - prefs.js: browser.startup.homepage - google.com.au
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\4x3ekcqo.default\extensions\{4d144bc3-23fb-47de-90c5-63ccb0139ccf}\plugins\npww.dll
    FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-9-9 13696]
    R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-10-31 12672]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-7 38224]
    R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-10-28 30880]
    S0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2007-3-26 16896]
    S0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [2007-3-26 52224]
    S3 FXDrv32;FXDrv32;\??\g:\fxdrv32.sys --> g:\FXDrv32.sys [?]
    S3 GPUTool;GPUTool;\??\c:\docume~1\admini~1\locals~1\temp\gputool.sys --> c:\docume~1\admini~1\locals~1\temp\GPUTool.sys [?]
    S3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2009-10-31 4608]

    =============== Created Last 30 ================

    2009-12-08 00:41:38 0 d-----w- c:\windows\system32\drivers\NSS
    2009-12-08 00:41:38 0 d-----w- c:\program files\Norton Security Scan
    2009-12-08 00:37:32 0 d-----w- c:\program files\NortonInstaller
    2009-12-08 00:32:24 0 d-----w- c:\program files\CCleaner
    2009-12-08 00:30:23 0 d-----w- c:\program files\Trend Micro
    2009-12-08 00:28:15 0 d--h--w- c:\windows\PIF
    2009-12-08 00:13:06 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
    2009-12-08 00:13:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-08 00:13:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-12-08 00:13:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-08 00:13:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-07 18:15:03 0 d--h--w- c:\windows\system32\GroupPolicy
    2009-12-06 18:54:58 63957 ----a-w- C:\xyz.png
    2009-12-05 04:37:29 53784 ----a-w- C:\DNS.png
    2009-11-26 09:14:22 0 d-----w- c:\program files\Free Download Manager
    2009-11-23 21:24:59 0 d-----w- c:\windows\system32\Adobe
    2009-11-22 22:20:59 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
    2009-11-22 19:04:01 0 d-----w- c:\windows\system32\oodag
    2009-11-14 15:39:50 0 d-----w- c:\program files\LopeSoft
    2009-11-11 11:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2009-11-11 11:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2009-11-10 19:29:47 0 d-----w- c:\program files\UltraVPN
    2009-11-08 16:14:48 0 d-----w- c:\windows\pss

    ==================== Find3M ====================

    2009-10-29 04:48:52 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2009-10-29 04:48:52 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2009-10-21 07:08:02 69632 ----a-w- c:\windows\system32\XXPBAR.EXE
    2009-10-21 07:08:02 450560 ----a-w- c:\windows\system32\XXCOPYSU.EXE
    2009-10-21 07:08:02 450560 ----a-w- c:\windows\system32\XXCOPY.EXE
    2009-10-21 07:08:02 2321 ----a-w- c:\windows\system32\UIXXCOPY.BAT
    2009-10-21 07:08:02 230377 ----a-w- c:\windows\system32\XXCOPY16.EXE
    2009-10-21 07:08:02 146936 ----a-w- c:\windows\system32\XXCONSOLE.EXE
    2009-10-11 16:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-09-28 06:20:04 2173544 ----a-w- c:\windows\system32\nvcplui.exe
    2009-09-28 06:20:00 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2009-09-28 06:19:52 3166208 ----a-w- c:\windows\system32\nvwss.dll
    2009-09-28 06:19:50 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
    2009-09-28 06:19:48 3547136 ----a-w- c:\windows\system32\nvgames.dll
    2009-09-28 06:19:48 188416 ----a-w- c:\windows\system32\nvmccss.dll
    2009-09-28 06:19:48 1286144 ----a-w- c:\windows\system32\nvmobls.dll
    2009-09-28 06:19:46 86016 ----a-w- c:\windows\system32\nvmctray.dll
    2009-09-28 06:19:46 4935680 ----a-w- c:\windows\system32\nvdisps.dll
    2009-09-28 06:19:46 172100 ----a-w- c:\windows\system32\nvsvc32.exe
    2009-09-28 06:19:46 143360 ----a-w- c:\windows\system32\nvcolor.exe
    2009-09-28 06:19:46 13918208 ----a-w- c:\windows\system32\nvcpl.dll
    2009-09-28 06:19:40 229376 ----a-w- c:\windows\system32\nvmccs.dll
    2009-09-28 04:12:22 888832 ----a-w- c:\windows\system32\nvapi.dll
    2009-09-28 04:12:22 5900416 ----a-w- c:\windows\system32\nv4_disp.dll
    2009-09-28 04:12:22 490088 ----a-w- c:\windows\system32\nvudisp.exe
    2009-09-28 04:12:22 2194024 ----a-w- c:\windows\system32\nvcuvid.dll
    2009-09-28 04:12:22 2007040 ----a-w- c:\windows\system32\nvcuda.dll
    2009-09-28 04:12:22 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
    2009-09-28 04:12:22 170600 ----a-w- c:\windows\system32\nvcodins.dll
    2009-09-28 04:12:22 170600 ----a-w- c:\windows\system32\nvcod.dll
    2009-09-28 04:12:22 1604482 ----a-w- c:\windows\system32\nvdata.bin
    2009-09-28 04:12:22 10756096 ----a-w- c:\windows\system32\nvoglnt.dll
    2009-09-26 04:35:00 593920 ------w- c:\windows\system32\ati2sgag.exe
    2009-09-24 21:24:18 490088 ----a-w- c:\windows\system32\NVUNINST.EXE
    2009-09-23 22:39:28 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2009-09-23 22:38:26 299520 ----a-w- c:\windows\system32\ati2dvag.dll
    2009-09-23 22:21:32 204800 ----a-w- c:\windows\system32\atipdlxx.dll
    2009-09-23 22:21:14 155648 ----a-w- c:\windows\system32\Oemdspif.dll
    2009-09-23 22:21:00 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
    2009-09-23 22:20:50 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2009-09-23 22:20:36 155648 ----a-w- c:\windows\system32\ati2evxx.dll
    2009-09-23 22:19:14 602112 ----a-w- c:\windows\system32\ati2evxx.exe
    2009-09-23 22:17:44 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
    2009-09-23 22:11:02 311296 ----a-w- c:\windows\system32\atiiiexx.dll
    2009-09-23 22:09:18 3506080 ----a-w- c:\windows\system32\ati3duag.dll
    2009-09-23 21:58:16 12644352 ----a-w- c:\windows\system32\atioglxx.dll
    2009-09-23 21:53:48 2096384 ----a-w- c:\windows\system32\ativvaxx.dll
    2009-09-23 21:53:26 887724 ----a-w- c:\windows\system32\ativva6x.dat
    2009-09-23 21:36:50 65024 ----a-w- c:\windows\system32\atimpc32.dll
    2009-09-23 21:36:50 65024 ----a-w- c:\windows\system32\amdpcom32.dll
    2009-09-23 21:32:20 561152 ----a-w- c:\windows\system32\atikvmag.dll
    2009-09-23 21:31:32 45056 ----a-w- c:\windows\system32\aticalrt.dll
    2009-09-23 21:31:18 45056 ----a-w- c:\windows\system32\aticalcl.dll
    2009-09-23 21:30:08 167936 ----a-w- c:\windows\system32\atiadlxx.dll
    2009-09-23 21:29:42 17408 ----a-w- c:\windows\system32\atitvo32.dll
    2009-09-23 21:29:36 3489792 ----a-w- c:\windows\system32\aticaldd.dll
    2009-09-23 21:27:50 401408 ----a-w- c:\windows\system32\atiok3x2.dll
    2009-09-23 21:23:08 638976 ----a-w- c:\windows\system32\ati2cqag.dll
    2009-09-11 12:01:57 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2009-09-11 11:56:39 5334 ----a-w- c:\windows\system32\unins000.dat
    2009-09-11 11:56:31 716153 ----a-w- c:\windows\system32\unins000.exe
    2009-09-11 11:12:54 249856 ------w- c:\windows\Setup1.exe
    2009-09-11 11:12:53 73216 ----a-w- c:\windows\ST6UNST.EXE
    2009-09-10 13:29:21 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-09-10 04:24:52 315392 ----a-w- c:\windows\HideWin.exe
    2008-03-09 19:25:10 236 ----a-w- c:\program files\common files\dx.reg

    ============= FINISH: 12:53:33.01 ===============


    = = =============================

    Hijackthis

    = = =============================

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:45:22 PM, on 12/7/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Free Extended Task Manager\Extensions\TaskManager\ExtensionsTaskManager32.exe
    C:\Program Files\Norton Security Scan\Engine\2.3.0.44\NSS.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\UltraVPN\bin\openvpn-gui.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3D6DBB7-7AE8-47E2-A68D-004688814060}: NameServer = 202.188.0.133 202.188.1.5
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

    --
    End of file - 5032 bytes

    = = =============================


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/10/2009 1:34:41 AM
    System Uptime: 12/7/2009 12:36:39 PM (0 hours ago)

    Motherboard: FOXCONN | | MCP73M05
    Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Socket
    775 | 3000/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 31 GiB total, 2.198 GiB free.
    D: is FIXED (NTFS) - 33 GiB total, 0.087 GiB free.
    E: is FIXED (NTFS) - 900 GiB total, 835.932 GiB free.
    F: is FIXED (NTFS) - 564 GiB total, 0.664 GiB free.
    G: is CDROM ()
    H: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description:
    Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&1C86A133&0&0001
    Manufacturer:
    Name:
    PNP Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&1C86A133&0&0001
    Service:

    ==== System Restore Points ===================

    RP67: 12/6/2009 10:48:44 AM - System Checkpoint
    RP68: 12/7/2009 11:05:02 AM - Removed Opera 10.10.
    RP69: 12/7/2009 11:05:13 AM - Installed Opera 10.10.

    ==== Installed Programs ======================

    7-Zip 4.65
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    Bonjour
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center HydraVision Full
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help English
    CCleaner
    Chinese (Simplified) Language Support
    Chinese (Traditional) Language Support
    CPUID CPU-Z 1.52.2
    DirectX10 RC2 Pre Fix 3
    FileMenu Tools
    Free Download Manager 3.0
    Free Extended Task Manager
    Google Chrome
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB954550-v5)
    Intel(R) Processor ID Utility
    Java(TM) 6 Update 17
    K-Meleon 1.5.3 en-US (remove only)
    Malwarebytes' Anti-Malware
    MFC RunTime files
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.5.5)
    MSXML 6.0 Parser (KB925673)
    Norton Security Scan
    NVIDIA Drivers
    NVIDIA ForceWare Network Access Manager
    NVIDIA nView Desktop Manager
    O&O Defrag Professional
    Opera 10.10
    QuickTime
    Realtek High Definition Audio Driver
    Revo Uninstaller 1.83
    RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
    Safari
    UltraVPN
    WebFldrs XP
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0
    XXConsole: Super Console Generator ver 0.96

    ==== Event Viewer Messages From Past Week ========

    12/7/2009 12:37:11 PM, error: sr [1] - The System Restore filter
    encountered the unexpected error '0xC0000001' while processing the
    file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
    the volume.
    12/7/2009 12:37:02 PM, error: Service Control Manager [7026] - The
    following boot-start or system-start driver(s) failed to load: uagp35
    ViaIde ViBus videX32 ViPrt
    12/4/2009 10:25:01 AM, error: W32Time [34] - The time service has
    detected that the system time needs to be changed by +401699 seconds.
    The time service will not change the system time by more than +54000
    seconds. Verify that your time and time zone are correct, and that
    the time source time.windows.com (ntp.m|0x1|115.133.48.23:123-
    11/30/2009 5:51:40 PM, error: Service Control Manager [7000] - The
    Parallel port driver service failed to start due to the following
    error: The service cannot be started, either because it is disabled
    or because it has no enabled devices associated with it.
    11/30/2009 5:43:47 AM, error: Service Control Manager [7034] - The
    Java Quick Starter service terminated unexpectedly. It has done this
    1 time(s).
    11/30/2009 5:15:56 AM, error: Service Control Manager [7034] - The
    O&O Defrag service terminated unexpectedly. It has done this 1 time
    (s).

    ==== End Of File ===========================
     
    pg, Dec 14, 2009
    #4
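Two entries in the RootRepeal driver listing above (rtqj.sys and uyowfi.sys) stand out from the rest: the file is reported as not visible, the image path is a bare filename rather than a location on disk, and both report exactly the same size. The following Python script is an added example, not code from the thread or from RootRepeal; it parses the "Drivers" section of a RootRepeal report and pulls out those two indicators so a helper can triage a log mechanically instead of by eye. The sample report embedded in it is a constructed, trimmed copy of the one posted above, and the scanner's own driver (rootrepeal.sys) is skipped because it hides itself by design.

```python
import re

# Constructed sample: the "Drivers" section of the RootRepeal report posted
# above, trimmed to five entries so the script runs offline.
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/07 13:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: BIOS.sys
Image Path: C:\WINDOWS\system32\drivers\BIOS.sys
Address: 0xF557B000 Size: 13696 File Visible: - Signed: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFAD5000 Size: 49152 File Visible: No Signed: No
Status: -

Name: rtqj.sys
Image Path: rtqj.sys
Address: 0xF5DD8000 Size: 54016 File Visible: No Signed: No
Status: -

Name: tap0901.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tap0901.sys
Address: 0xF6138000 Size: 25216 File Visible: - Signed: No
Status: -

Name: uyowfi.sys
Image Path: uyowfi.sys
Address: 0xF5DC8000 Size: 54016 File Visible: No Signed: No
Status: -

==EOF==
"""

# One "Address:" line carries the load address, size, visibility and signing state.
ADDR_LINE = re.compile(
    r"Address:\s*(?P<address>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)\s+"
    r"File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)"
)


def parse_drivers(report):
    """Return one dict per 'Name:' block found in the Drivers section."""
    drivers, current, in_drivers = [], None, False
    for raw in report.splitlines():
        line = raw.strip()
        if line == "Drivers":
            in_drivers = True
            continue
        if not in_drivers:
            continue
        if line == "==EOF==":
            break
        if line.startswith("Name:"):
            current = {"name": line[len("Name:"):].strip()}
            drivers.append(current)
        elif current is not None and line.startswith("Image Path:"):
            current["image_path"] = line[len("Image Path:"):].strip()
        elif current is not None and line.startswith("Address:"):
            m = ADDR_LINE.match(line)
            if m:
                current["address"] = int(m.group("address"), 16)
                current["size"] = int(m.group("size"))
                current["file_visible"] = m.group("visible")
                current["signed"] = m.group("signed")
    return drivers


def is_rooted_path(path):
    """True for a drive-letter path or an NT-style \\SystemRoot, \\??\\ or \\Device prefix."""
    return bool(re.match(r"^(?:[A-Za-z]:\\|\\SystemRoot\\|\\\?\?\\|\\Device\\)", path, re.I))


def flag_hidden_drivers(drivers, own_scanner="rootrepeal.sys"):
    """Names of drivers whose file is hidden AND whose image path is a bare filename."""
    flagged = []
    for d in drivers:
        if d["name"].lower() == own_scanner:
            continue  # the scanner's own driver hides itself by design
        hidden = d.get("file_visible", "").lower() == "no"
        bare = not is_rooted_path(d.get("image_path", ""))
        if hidden and bare:
            flagged.append(d["name"])
    return flagged


def shared_sizes(drivers):
    """Map each size reported by more than one driver to the driver names sharing it."""
    by_size = {}
    for d in drivers:
        if "size" in d:
            by_size.setdefault(d["size"], []).append(d["name"])
    return {size: names for size, names in by_size.items() if len(names) > 1}


if __name__ == "__main__":
    found = parse_drivers(SAMPLE_REPORT)
    print("hidden drivers with bare image paths:", flag_hidden_drivers(found))
    print("drivers sharing a file size:", shared_sizes(found))
```

The two checks are deliberately independent: a hidden file with a bare image path is a strong signal on its own, while two unrelated-looking drivers of identical size is a weaker one that mostly helps confirm the first. Neither identifies a specific family; they only tell the reader which entries in a long log deserve a closer look before anything is deleted.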
  5. pg

    pg Guest

    Okay, thanks !!
     
    pg, Dec 14, 2009
    #5
  6. pg

    pg Guest

    Report from GMER:

    GMER 1.0.15.15279 - http://www.gmer.net
    Rootkit scan 2009-12-07 18:53:38
    Windows 5.1.2600 Service Pack 3
    Running: hgnokzt1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awtdapow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF1B6F6B8]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF1B6F574]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF1B6FA52]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF1B6F14C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF1B6F64E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF1B6F08C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF1B6F0F0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF1B6F76E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF1B6F72E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF1B6F8AE]

    INT 0x62 ? FCC112AC
    INT 0x63 ? FC8B2634
    INT 0x73 ? FC8B19B4
    INT 0x83 ? FCC61E54
    INT 0x93 ? FC89F754
    INT 0xA3 ? FC89AE54
    INT 0xA4 ? FCA1A6EC
    INT 0xB1 ? FCCAD2AC
    INT 0xB4 ? FCA4F6DC

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF55E4000, 0x21F557, 0xE8000020]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
    IAT C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MinEncryptionLevel 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Callback 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@CallbackNumber
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Comment System Console
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Domain
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@InitialProgram
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@InputBufferLength 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@KeyboardLayout 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@KeyboardName \REGISTRY\Machine\System\CurrentControlSet\Services\Kbdclass
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MaxConnectionTime 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MaxDisconnectionTime 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MaxIdleTime 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MouseName \REGISTRY\Machine\System\CurrentControlSet\Services\Mouclass
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@OutBufCount 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@OutBufDelay 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@OutBufLength 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Password
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@PdClass 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@PdDll
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@PdFlag 30
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@PdName console
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@UserName
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@WdDll wdcon
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@WdFlag 36
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@WdName Console
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@WorkDirectory
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritAutoLogon 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritCallback 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritCallbackNumber 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritInitialProgram 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritMaxDisconnectionTime 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritMaxIdleTime 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritMaxSessionTime 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritReconnectSame 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritResetBroken 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritShadow 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fLogonDisabled 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fPromptForPassword 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fReconnectSame 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fResetBroken 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fUseDefaultGina 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Shadow 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@TraceClass 268435465
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@TraceDebugger 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@TraceEnable 12
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fEnableWinStation 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CdClass 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CdDLL
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CdFlag 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CdName
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CfgDll RDPCFGEX.DLL
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@InteractiveDelay 50
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@OutBufDelay 100
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@PdClass 2
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@PdDLL tdtcp
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@PdFlag 78
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@PdName tcp
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WdDLL rdpwd
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WdFlag 52
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WdName Microsoft RDP 5.1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WdPrefix RDP
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WsxDLL rdpwsx
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CfgDll RDPCFGEX.DLL
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fEnableWinStation 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxInstanceCount -1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PdName tcp
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PdClass 2
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PdDLL tdtcp
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PdFlag 78
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@OutBufLength 530
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@OutBufCount 6
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@OutBufDelay 100
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@InteractiveDelay 50
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PortNumber 3389
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@KeepAliveTimeout 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@LanAdapter 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdName Microsoft RDP 5.1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdDLL rdpwd
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WsxDLL rdpwsx
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdFlag 54
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@InputBufferLength 2048
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CdClass 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CdName
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CdDLL
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CdFlag 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Comment
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritAutoLogon 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritResetBroken 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritReconnectSame 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritInitialProgram 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritCallback 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritCallbackNumber 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritShadow 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritMaxSessionTime 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritMaxDisconnectionTime 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritMaxIdleTime 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritAutoClient 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritSecurity 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritColorDepth 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fPromptForPassword 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fResetBroken 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fReconnectSame 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fLogonDisabled 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fAutoClientDrives 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fAutoClientLpts 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fForceClientLptDef 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableEncryption 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fHomeDirectoryMapRoot 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fUseDefaultGina 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCpm 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCdm 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCcm 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableLPT 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableClip 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableExe 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCam 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Username
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Domain
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Password
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WorkDirectory
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@InitialProgram
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CallbackNumber
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Callback 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Shadow 1
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxConnectionTime 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxDisconnectionTime 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxIdleTime 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@KeyboardLayout 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MinEncryptionLevel 2
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@NWLogonServer
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WFProfilePath
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdPrefix RDP
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@TraceEnable 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@TraceDebugger 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@TraceClass 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@ColorDepth 3
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION

    ---- EOF - GMER 1.0.15 ----
     
    pg, Dec 14, 2009
    #6
  7. From: "pg" <>


    | Report from GMER:

    | GMER 1.0.15.15279 - http://www.gmer.net
    | Rootkit scan 2009-12-07 18:53:38
    | Windows 5.1.2600 Service Pack 3
    | Running: hgnokzt1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awtdapow.sys


    I have seen some logs but I haven't seen ...
    HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

    Shown so much in a Gmer log.

    Remove ~nospam~ from my posting address and send me the full Gmer log file.

    I will Ping Gmer and see what he says about it.
     
    David H. Lipman, Dec 14, 2009
    #7
  8. pg

    pg Guest

    Dear Mr. Lipman,

    Email sent, with attachments of the full GMER log (zipped), along with
    OTL files (extra.zip, otl.zip), from my hotmail account.

    Thank you very much !!
     
    pg, Dec 14, 2009
    #8
  9. pg

    pg Guest


    I ran a search on terminal server and found "Backdoor.Botnachala"

    http://www.offensivecomputing.net/?q=node/110


    Could my system already be hacked from the outside?
     
    pg, Dec 14, 2009
    #9
  10. pg

    pg Guest

    What is weird now is even when I want to run Kaspersky's online virus
    scan, I can't !

    Kaspersky told me to deactivate my resident virus scan, I did, and
    still the online scan won't run.

    Subsequently I removed the avast! virus scanner from my computer, and
    still something is blocking Kaspersky's online virus scan !
     
    pg, Dec 15, 2009
    #10
  11. pg

    Virus Guy Guest

    Now that you've wasted a lot of time, maybe you'll do what anyone should
    really do when they have a Windoze system infected with malware:

    Remove the hard drive and slave it to a second trusted system and run a
    scan on it.

    I don't know why anyone bothers to scan an infected PC while Windoze is
    running on it. It's like trying to repair your car while it's moving
    with the engine running.
     
    Virus Guy, Dec 15, 2009
    #11
  12. pg

    pg Guest


    That is one thing you do not understand ...

    Doing the above won't get rid of many types of malware / virus /
    spyware

    2 reasons:

    Reason # 1, NTFS has some protection in place (or encryption, I dunno)
    that prevents 3rd parties from looking into users' directories.

    Which means, putting the infected drive as a slave drive and scanning it,
    the virus / malware scanner can NOT reach places like " \Documents and
    Settings\Administrator\* " or even " \Documents and Settings\UserA\* "

    If the virus hides itself in those directories (such as \Documents and
    Settings\UserA\Local Settings\Temp\* ) then the virus scanner will
    NEVER detect that virus


    Reason #2, Some malware / virus / spyware have inserted some rogue
    registries inside the registry file; putting that infected drive as a
    slave drive and scanning it will NEVER get rid of those rogue registries

    As soon as the infected drive boots up, the virus will be activated by
    the rogue registries again
     
    pg, Dec 15, 2009
    #12
  13. pg

    Dave Baker Guest

    One thing I do when I'm trying to eliminate malware that antivirus scans
    don't find is to look for files that have had their permissions locked. An
    easy way to do this is try to change a file attribute such as the archive
    bit or read only bit for all the files in a directory, usually system32 is
    where I start as most malware hangs out in there.

    Any file that won't let its attributes be changed is suspicious and worth
    Googling to see what it does. If it's a nasty then I search the registry for
    any references to that filename, delete those entries then delete the file
    itself from within the Recovery Console if it can't be deleted normally.

    However if the corruption has already spread so far that things like System
    Restore and other key components no longer work it's probably quicker and
    more thorough to just do a complete reinstall.
     
    Dave Baker, Dec 15, 2009
    #13
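    A script form of the attribute-toggle check described above, added here as an example; it is not Dave Baker's or the thread's code. It assumes system32 as the starting directory (as the post suggests) and an elevated prompt; the output columns are my choice.

```powershell
# Added example: find files whose attributes refuse to change, following the
# check described in the post. Run from an elevated PowerShell prompt.
param(
    # Assumption: start in system32, as the post suggests.
    [string]$Path = "$env:SystemRoot\System32"
)

$suspects = @()

Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $original = $file.Attributes
    try {
        # Flip the Archive bit and put it straight back. A file that refuses
        # has had its permissions locked or is pinned by a driver.
        $file.Attributes = $original -bxor [System.IO.FileAttributes]::Archive
        $file.Attributes = $original
    }
    catch {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName `
               -ErrorAction SilentlyContinue
        $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
        $suspects += [pscustomobject]@{
            Name      = $file.Name
            SizeBytes = $file.Length
            Modified  = $file.LastWriteTime
            Owner     = if ($acl) { $acl.Owner } else { '(unreadable)' }
            Signature = if ($sig) { $sig.Status } else { 'Unknown' }
            Error     = $_.Exception.Message
        }
    }
}

# Unsigned refusals are the ones worth looking up by name, as the post says.
$suspects | Sort-Object Signature, Name | Format-Table -AutoSize
```

    On Vista and later, OS-owned files (TrustedInstaller) also refuse attribute changes from an administrator, so on those systems the Signature column is what separates expected refusals from ones worth investigating.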
  14. From: "pg" <>



    | That is one thing you do not understand ...

    | Doing the above won't get rid of many types of malware / virus /
    | spyware

    | 2 reasons:

    | Reason # 1, NTFS has some protection in place (or encryption, I dunno)
    | that prevents 3rd parties from looking into users' directories.

    | Which means, putting the infected drive as a slave drive and scanning it,
    | the virus / malware scanner can NOT reach places like " \Documents and
    | Settings\Administrator\* " or even " \Documents and Settings\UserA\* "

    | If the virus hides itself in those directories (such as \Documents and
    | Settings\UserA\Local Settings\Temp\* ) then the virus scanner will
    | NEVER detect that virus


    If the file is encrypted under NTFS it would be green.

    One can easily "take ownership" of the areas blocked by insufficient permissions and scan
    using a surrogate with an account with administrative rights.


    | Reason #2, Some malware / virus / spyware have inserted some rogue
    | registries inside the registry file; putting that infected drive as a
    | slave drive and scanning it will NEVER get rid of those rogue registries

    | As soon as the infected drive boots up, the virus
    | will be activated by the rogue registries again


    Not true. If there is NO executable on the hard disk (that is, it was already removed)
    the Registry entries can NOT resurrect the removed DLL or EXE.
     
    David H. Lipman, Dec 15, 2009
    #14
  15. pg

    Dave Cohen Guest

    When oh when will people wise up and get an imaging program. I use
    www.terabyteunlimited.com Image for Windows in addition to their regular
    bootit product. These things go for around $35. Some people speak well
    of Acronis and I've no doubt there is even free stuff on the web. The
    advantage of IFW is it will run while you continue to use the system. I
    still use Avira and take reasonable precautions of course. These days an
    investment in one of the simple plug in usb external drives also makes
    sense and I keep a number of backups.
     
    Dave Cohen, Dec 15, 2009
    #15
  16. From: "FredW" <>


    | I use Macrium Reflect Free (4.2) on my Windows 7 64-bit.
    | http://www.macrium.com/reflectfree.asp
    | (just as good as Acronis.)
    | The only "disadvantage" of this program is,
    | that one needs to make a "recovery CD" to be able to restore.

    | Backup (= image) and restore work fine, as I have found out.
    | ;-)

    | --
    | Fred W. (NL)

    I use Ghost.

    It is the ONLY Symantec product I swear by and not swear at. :)
     
    David H. Lipman, Dec 15, 2009
    #16