Weird things happen !


pg

Last night everything was fine.

This morning all my browsers except Google Chrome are dead.

The dead browsers are Microsoft IE, Firefox 3.5.5 and Opera 10.10

After clicking them, nothing

Checking under Task Manager, they are there and taking a lot of CPU
resources, but stay in the background.

Killed those browsers and re-installed them, still the same.

So I downloaded MBAM (Malwarebytes' Anti-Malware) and scanned.

After a scan, MBAM reported that there were 5 trojans, and I deleted
all 5 of them.

Reboot the computer, and still the browsers (except Google Chrome)
refused to work.

Ran MBAM again; 3 more data entries in the Registry were found. Deleted
them again (report at the end of the message).

Reboot.

Still the browsers can't run.

Downloaded Avast and Norton.

Norton won't run without downloading its virus definitions, but
something is blocking Norton from downloading them!

Now Avast is downloading its virus definitions, VERY SLOW!

My 2mbps line is downloading at less than 2kbps speed !!

I will run Avast after it finishes with the update.

BTW, is there any other package that I should run to check what
actually has happened to my computer?

Please help !

Attached: Report from MBAM

= = ==================================================

Malwarebytes' Anti-Malware 1.42
Database version: 3357
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/7/2009 12:58:27 PM
mbam-log-2009-12-07 (12-58-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 145847
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good:
(0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0)
-> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) ->
Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

= = ===========================================================
 

ASCII

pg said:
Last nite everything was fine.

This morning all my browsers except Google Chrome are dead.

The dead browsers are Microsoft IE, Firefox 3.5.5 and Opera 10.10

You found something that killed Opera V10.10 from within,
or ran something you downloaded that targeted its executable?
 

ASCII

pg said:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good:
(0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0)
-> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -

Those are simply the effect of not having the security center keep flashing
that tray balloon when you don't have an external FW, AV, or auto-update.
MBAM started including those some three or four months ago. Last time I tried
it I was able to get it to ignore those in a subsequent scan.
 

David H. Lipman

From: "David H. Lipman" <[email protected]>

ADDENDUM:

In addition, don't install BOTH Avast and Norton. It is one or the other, and Avast is
preferred, as it is contraindicated to install more than one fully installed AV application
performing both "On Demand" and "On Access" scanning on any singular PC.
 

pg

You found something that killed Opera V10.10 from within,
or ran something you downloaded that targeted its executable?


Opera 10.10, Firefox 3.5.5, IE 8.0.6001 and Google Chrome are the 4
browsers on my computer.

Now only Google Chrome works, barely --- very slow !

The other three start, but stay hidden, and consume CPU resources
like crazy.

I re-downloaded new copies of Firefox 3.5.5 and Opera 10.10 and
re-installed them.

Still none of them works.

I downloaded Norton's online utility, clicked on the setup file, and
after it installed, it wanted to download the virus definitions, and
that virus / trojan / malware BLOCKS Norton's attempt to download _any_
virus definitions.

Avast's download was successful, and I used it to run the "boot up"
routine, scanned the entire system, and asked it to delete EVERYTHING
that it finds suspicious.

After Avast's scan, I rebooted the machine, and STILL IE, FF and Opera
refuse to work!

Same as before.

I have run DDS, RootRepeal and HijackThis, and will post the results at
the end of this message.

MBAM did delete some suspicious trojans, but this system is still very
much in deep shit (please pardon my French).

Here are the reports:

= = =============================

Root Repeal

= = =============================

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/07 13:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: BIOS.sys
Image Path: C:\WINDOWS\system32\drivers\BIOS.sys
Address: 0xF557B000 Size: 13696 File Visible: - Signed: No
Status: -

Name: cpuz132_x32.sys
Image Path: C:\WINDOWS\system32\drivers\cpuz132_x32.sys
Address: 0xF0205000 Size: 12672 File Visible: - Signed: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFAD5000 Size: 49152 File Visible: No Signed: No
Status: -

Name: rtqj.sys
Image Path: rtqj.sys
Address: 0xF5DD8000 Size: 54016 File Visible: No Signed: No
Status: -

Name: tap0901.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tap0901.sys
Address: 0xF6138000 Size: 25216 File Visible: - Signed: No
Status: -

Name: uyowfi.sys
Image Path: uyowfi.sys
Address: 0xF5DC8000 Size: 54016 File Visible: No Signed: No
Status: -

==EOF==


= = =============================

DDS

= = =============================


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 12:53:18.71 on Mon 12/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2772
[GMT -12:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager
\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager
\bin32\nSvcIp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Free Extended Task Manager\Extensions\TaskManager
\ExtensionsTaskManager32.exe
C:\Program Files\Norton Security Scan\Engine\2.3.0.44\NSS.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Desktop\HousecallLauncher.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zS22.tmp\setup.exe
C:\Documents and Settings\Administrator\Desktop\avast_home_setup.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:
\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:
\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-
bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-
eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie
\jqs_plugin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Google Update] "c:\documents and settings\administrator\local
settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /
install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows
\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows
\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static
\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [openvpn-gui] c:\program files\ultravpn\bin\openvpn-gui.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader
9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm
\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -
atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin
\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network
Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger
\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} -
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {D3D6DBB7-7AE8-47E2-A68D-004688814060} = 202.188.0.133
202.188.1.5
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:
\windows\system32\WPDShServiceObj.dll
IFEO: taskmgr.exe - c:\program files\free extended task manager
\extensions\taskmanager\ExtensionsTaskManager32.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox
\profiles\4x3ekcqo.default\
FF - prefs.js: browser.startup.homepage - google.com.au
FF - plugin: c:\documents and settings\administrator\application data
\mozilla\firefox\profiles\4x3ekcqo.default\extensions
\{4d144bc3-23fb-47de-90c5-63ccb0139ccf}\plugins\npww.dll
FF - plugin: c:\documents and settings\administrator\local settings
\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program
files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-
ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program
files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-
ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-9-9 13696]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys
[2009-10-31 12672]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers
\mbamswissarmy.sys [2009-12-7 38224]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows
\system32\drivers\nvhda32.sys [2009-10-28 30880]
S0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2007-3-26 16896]
S0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers
\ViPrt.sys [2007-3-26 52224]
S3 FXDrv32;FXDrv32;\??\g:\fxdrv32.sys --> g:\FXDrv32.sys [?]
S3 GPUTool;GPUTool;\??\c:\docume~1\admini~1\locals~1\temp\gputool.sys
--> c:\docume~1\admini~1\locals~1\temp\GPUTool.sys [?]
S3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2009-10-31
4608]

=============== Created Last 30 ================

2009-12-08 00:41:38 0 d-----w- c:\windows\system32\drivers\NSS
2009-12-08 00:41:38 0 d-----w- c:\program files\Norton Security Scan
2009-12-08 00:37:32 0 d-----w- c:\program files\NortonInstaller
2009-12-08 00:32:24 0 d-----w- c:\program files\CCleaner
2009-12-08 00:30:23 0 d-----w- c:\program files\Trend Micro
2009-12-08 00:28:15 0 d--h--w- c:\windows\PIF
2009-12-08 00:13:06 0 d-----w- c:
\docume~1\admini~1\applic~1\Malwarebytes
2009-12-08 00:13:03 38224 ----a-w- c:\windows\system32\drivers
\mbamswissarmy.sys
2009-12-08 00:13:02 0 d-----w- c:
\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-08 00:13:01 19160 ----a-w- c:\windows\system32\drivers
\mbam.sys
2009-12-08 00:13:01 0 d-----w- c:\program files\Malwarebytes' Anti-
Malware
2009-12-07 18:15:03 0 d--h--w- c:\windows\system32\GroupPolicy
2009-12-06 18:54:58 63957 ----a-w- C:\xyz.png
2009-12-05 04:37:29 53784 ----a-w- C:\DNS.png
2009-11-26 09:14:22 0 d-----w- c:\program files\Free Download Manager
2009-11-23 21:24:59 0 d-----w- c:\windows\system32\Adobe
2009-11-22 22:20:59 0 d-sh--w- c:\documents and settings\administrator
\PrivacIE
2009-11-22 19:04:01 0 d-----w- c:\windows\system32\oodag
2009-11-14 15:39:50 0 d-----w- c:\program files\LopeSoft
2009-11-11 11:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-11 11:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-11-10 19:29:47 0 d-----w- c:\program files\UltraVPN
2009-11-08 16:14:48 0 d-----w- c:\windows\pss

==================== Find3M ====================

2009-10-29 04:48:52 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-29 04:48:52 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-21 07:08:02 69632 ----a-w- c:\windows\system32\XXPBAR.EXE
2009-10-21 07:08:02 450560 ----a-w- c:\windows\system32\XXCOPYSU.EXE
2009-10-21 07:08:02 450560 ----a-w- c:\windows\system32\XXCOPY.EXE
2009-10-21 07:08:02 2321 ----a-w- c:\windows\system32\UIXXCOPY.BAT
2009-10-21 07:08:02 230377 ----a-w- c:\windows\system32\XXCOPY16.EXE
2009-10-21 07:08:02 146936 ----a-w- c:\windows\system32\XXCONSOLE.EXE
2009-10-11 16:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 06:20:04 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-28 06:20:00 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-09-28 06:19:52 3166208 ----a-w- c:\windows\system32\nvwss.dll
2009-09-28 06:19:50 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-28 06:19:48 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-09-28 06:19:48 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-28 06:19:48 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-28 06:19:46 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-28 06:19:46 4935680 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-28 06:19:46 172100 ----a-w- c:\windows\system32\nvsvc32.exe
2009-09-28 06:19:46 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-09-28 06:19:46 13918208 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-28 06:19:40 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-09-28 04:12:22 888832 ----a-w- c:\windows\system32\nvapi.dll
2009-09-28 04:12:22 5900416 ----a-w- c:\windows\system32\nv4_disp.dll
2009-09-28 04:12:22 490088 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-28 04:12:22 2194024 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-28 04:12:22 2007040 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-28 04:12:22 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-28 04:12:22 170600 ----a-w- c:\windows\system32\nvcodins.dll
2009-09-28 04:12:22 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-28 04:12:22 1604482 ----a-w- c:\windows\system32\nvdata.bin
2009-09-28 04:12:22 10756096 ----a-w- c:\windows\system32\nvoglnt.dll
2009-09-26 04:35:00 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-09-24 21:24:18 490088 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-23 22:39:28 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-09-23 22:38:26 299520 ----a-w- c:\windows\system32\ati2dvag.dll
2009-09-23 22:21:32 204800 ----a-w- c:\windows\system32\atipdlxx.dll
2009-09-23 22:21:14 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-09-23 22:21:00 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-09-23 22:20:50 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-09-23 22:20:36 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-09-23 22:19:14 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-09-23 22:17:44 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-09-23 22:11:02 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-09-23 22:09:18 3506080 ----a-w- c:\windows\system32\ati3duag.dll
2009-09-23 21:58:16 12644352 ----a-w- c:\windows\system32\atioglxx.dll
2009-09-23 21:53:48 2096384 ----a-w- c:\windows\system32\ativvaxx.dll
2009-09-23 21:53:26 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-09-23 21:36:50 65024 ----a-w- c:\windows\system32\atimpc32.dll
2009-09-23 21:36:50 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2009-09-23 21:32:20 561152 ----a-w- c:\windows\system32\atikvmag.dll
2009-09-23 21:31:32 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-09-23 21:31:18 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-09-23 21:30:08 167936 ----a-w- c:\windows\system32\atiadlxx.dll
2009-09-23 21:29:42 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-09-23 21:29:36 3489792 ----a-w- c:\windows\system32\aticaldd.dll
2009-09-23 21:27:50 401408 ----a-w- c:\windows\system32\atiok3x2.dll
2009-09-23 21:23:08 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2009-09-11 12:01:57 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-09-11 11:56:39 5334 ----a-w- c:\windows\system32\unins000.dat
2009-09-11 11:56:31 716153 ----a-w- c:\windows\system32\unins000.exe
2009-09-11 11:12:54 249856 ------w- c:\windows\Setup1.exe
2009-09-11 11:12:53 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-09-10 13:29:21 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-10 04:24:52 315392 ----a-w- c:\windows\HideWin.exe
2008-03-09 19:25:10 236 ----a-w- c:\program files\common files\dx.reg

============= FINISH: 12:53:33.01 ===============


= = =============================

Hijackthis

= = =============================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:22 PM, on 12/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager
\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager
\bin32\nSvcIp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Free Extended Task Manager\Extensions\TaskManager
\ExtensionsTaskManager32.exe
C:\Program Files\Norton Security Scan\Engine\2.3.0.44\NSS.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX
\AcroIEHelperShim.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -
(no file)
O2 - BHO: FDMIECookiesBHO Class -
{CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free
Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-
BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-
EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie
\jqs_plugin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no
file)
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView
\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS
\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS
\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE
\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\UltraVPN\bin\openvpn-
gui.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe
\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM
\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin
\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings
\Administrator\Local Settings\Application Data\Google\Update
\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583}
- C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-
d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic
\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-
BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3D6DBB7-7AE8-47E2-
A68D-004688814060}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS
\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS
\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) -
Unknown owner - C:\Program Files\NVIDIA Corporation
\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun
Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:
\Program Files\NVIDIA Corporation\NetworkAccessManager
\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS
\system32\oodag.exe

--
End of file - 5032 bytes

= = =============================


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/10/2009 1:34:41 AM
System Uptime: 12/7/2009 12:36:39 PM (0 hours ago)

Motherboard: FOXCONN | | MCP73M05
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Socket
775 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 31 GiB total, 2.198 GiB free.
D: is FIXED (NTFS) - 33 GiB total, 0.087 GiB free.
E: is FIXED (NTFS) - 900 GiB total, 835.932 GiB free.
F: is FIXED (NTFS) - 564 GiB total, 0.664 GiB free.
G: is CDROM ()
H: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description:
Device ID: HDAUDIO
\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&1C86A133&0&0001
Manufacturer:
Name:
PNP Device ID: HDAUDIO
\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&1C86A133&0&0001
Service:

==== System Restore Points ===================

RP67: 12/6/2009 10:48:44 AM - System Checkpoint
RP68: 12/7/2009 11:05:02 AM - Removed Opera 10.10.
RP69: 12/7/2009 11:05:13 AM - Installed Opera 10.10.

==== Installed Programs ======================

7-Zip 4.65
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner
Chinese (Simplified) Language Support
Chinese (Traditional) Language Support
CPUID CPU-Z 1.52.2
DirectX10 RC2 Pre Fix 3
FileMenu Tools
Free Download Manager 3.0
Free Extended Task Manager
Google Chrome
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB954550-v5)
Intel(R) Processor ID Utility
Java(TM) 6 Update 17
K-Meleon 1.5.3 en-US (remove only)
Malwarebytes' Anti-Malware
MFC RunTime files
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.5)
MSXML 6.0 Parser (KB925673)
Norton Security Scan
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
NVIDIA nView Desktop Manager
O&O Defrag Professional
Opera 10.10
QuickTime
Realtek High Definition Audio Driver
Revo Uninstaller 1.83
RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
Safari
UltraVPN
WebFldrs XP
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
XXConsole: Super Console Generator ver 0.96

==== Event Viewer Messages From Past Week ========

12/7/2009 12:37:11 PM, error: sr [1] - The System Restore filter
encountered the unexpected error '0xC0000001' while processing the
file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.
12/7/2009 12:37:02 PM, error: Service Control Manager [7026] - The
following boot-start or system-start driver(s) failed to load: uagp35
ViaIde ViBus videX32 ViPrt
12/4/2009 10:25:01 AM, error: W32Time [34] - The time service has
detected that the system time needs to be changed by +401699 seconds.
The time service will not change the system time by more than +54000
seconds. Verify that your time and time zone are correct, and that
the time source time.windows.com (ntp.m|0x1|115.133.48.23:123-
207.46.197.32:123) is working properly.
11/30/2009 5:51:40 PM, error: Service Control Manager [7000] - The
Parallel port driver service failed to start due to the following
error: The service cannot be started, either because it is disabled
or because it has no enabled devices associated with it.
11/30/2009 5:43:47 AM, error: Service Control Manager [7034] - The
Java Quick Starter service terminated unexpectedly. It has done this
1 time(s).
11/30/2009 5:15:56 AM, error: Service Control Manager [7034] - The
O&O Defrag service terminated unexpectedly. It has done this 1 time
(s).

==== End Of File ===========================
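One thing worth pulling out of the RootRepeal report above: rtqj.sys and uyowfi.sys are listed with a bare file name as Image Path (no directory at all), File Visible: No and Signed: No, and neither name appears in the DDS SERVICES / DRIVERS section or in the HijackThis output. Unsigned on its own means little on XP, which does not enforce kernel-mode code signing (BIOS.sys and cpuz132_x32.sys are unsigned too), and rootrepeal.sys is hidden simply because it is the scanner's own driver. The combination of hidden plus no on-disk path is the one to act on. The script below is an added example for this thread, not code from the thread or from RootRepeal: it parses the Drivers section of a RootRepeal report and scores each entry on those indicators. The sample log is an excerpt copied from the report above; the scoring rules, the indicator names and the allowlist of scanner drivers are this example's own assumptions.

```python
"""Triage the Drivers section of a RootRepeal report for rootkit indicators.

Added example for this thread; not RootRepeal's own code. The sample log is
an excerpt of the RootRepeal report posted in the thread; the scoring rules
and the scanner-driver allowlist are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Sample input: excerpt constructed from the RootRepeal report in the thread.
SAMPLE_LOG = r"""
Drivers
-------------------
Name: BIOS.sys
Image Path: C:\WINDOWS\system32\drivers\BIOS.sys
Address: 0xF557B000 Size: 13696 File Visible: - Signed: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFAD5000 Size: 49152 File Visible: No Signed: No
Status: -

Name: rtqj.sys
Image Path: rtqj.sys
Address: 0xF5DD8000 Size: 54016 File Visible: No Signed: No
Status: -

Name: uyowfi.sys
Image Path: uyowfi.sys
Address: 0xF5DC8000 Size: 54016 File Visible: No Signed: No
Status: -
"""

# Assumption: the scanner's own driver is hidden and unsigned by design and
# must not be scored as a finding.
KNOWN_SCANNER_DRIVERS = {"rootrepeal.sys"}

# One RootRepeal driver record: Name line, Image Path line, Address line.
RECORD_RE = re.compile(
    r"Name:[ \t]*(?P<name>.+?)[ \t]*\n"
    r"Image Path:[ \t]*(?P<path>.*?)[ \t]*\n"
    r"Address:[ \t]*(?P<addr>0x[0-9A-Fa-f]+)[ \t]+Size:[ \t]*(?P<size>\d+)[ \t]+"
    r"File Visible:[ \t]*(?P<vis>\S+)[ \t]+Signed:[ \t]*(?P<signed>\S+)"
)


@dataclass
class Driver:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: str  # RootRepeal prints '-', 'Yes' or 'No'
    signed: str


def parse_drivers(log: str) -> list[Driver]:
    """Parse every driver record found in a RootRepeal report."""
    return [
        Driver(m["name"], m["path"], int(m["addr"], 16), int(m["size"]),
               m["vis"], m["signed"])
        for m in RECORD_RE.finditer(log)
    ]


def indicators(d: Driver) -> list[str]:
    """Return the rootkit indicators present on one driver entry."""
    hits = []
    if d.file_visible == "No":
        hits.append("hidden-from-filesystem")
    # A bare file name as Image Path means the loaded image could not be
    # mapped back to a file in any directory on disk.
    if "\\" not in d.image_path and "/" not in d.image_path:
        hits.append("no-on-disk-path")
    if re.search(r"\\temp\\", d.image_path, re.IGNORECASE):
        hits.append("loaded-from-temp")
    # XP does not enforce kernel-mode code signing, so many legitimate
    # third-party drivers are unsigned; weak on its own.
    if d.signed == "No":
        hits.append("unsigned")
    return hits


def triage(log: str) -> dict[str, list[str]]:
    """Map driver name to its indicators, skipping the scanner's own driver."""
    report = {}
    for d in parse_drivers(log):
        if d.name.lower() in KNOWN_SCANNER_DRIVERS:
            continue
        hits = indicators(d)
        if hits:
            report[d.name] = hits
    return report


def strong_findings(log: str) -> list[str]:
    """Drivers that are both hidden and have no on-disk path: act on these first."""
    return sorted(
        name for name, hits in triage(log).items()
        if "hidden-from-filesystem" in hits and "no-on-disk-path" in hits
    )


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name:18} {', '.join(hits)}")
    print("strong:", strong_findings(SAMPLE_LOG))
```

Names returned by strong_findings are the ones to cross-check against the DDS SERVICES / DRIVERS section and the HijackThis O23 list; their absence there, as in this thread, is what a kernel-mode driver hiding its own service key would produce, and a user-mode on-demand scan is unlikely to see it.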
 

pg

From: "David H. Lipman" <[email protected]>

ADDENDUM:

In addition, don't install BOTH Avast and Norton. It is one or the other, and Avast is
preferred, as it is contraindicated to install more than one fully installed AV application
performing both "On Demand" and "On Access" scanning on any singular PC.

Report from GMER:

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-07 18:53:38
Windows 5.1.2600 Service Pack 3
Running: hgnokzt1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
\awtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF1B6F6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF1B6F574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF1B6FA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF1B6F14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF1B6F64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF1B6F08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF1B6F0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF1B6F76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF1B6F72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF1B6F8AE]

INT 0x62 ? FCC112AC
INT 0x63 ? FC8B2634
INT 0x73 ? FC8B19B4
INT 0x83 ? FCC61E54
INT 0x93 ? FC89F754
INT 0xA3 ? FC89AE54
INT 0xA4 ? FCA1A6EC
INT 0xB1 ? FCCAD2AC
INT 0xB4 ? FCA4F6DC

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF55E4000, 0x21F557, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MinEncryptionLevel 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Callback 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@CallbackNumber
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Comment System Console
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Domain
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@InitialProgram
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@InputBufferLength 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@KeyboardLayout 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@KeyboardName \REGISTRY\Machine\System\CurrentControlSet\Services\Kbdclass
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MaxConnectionTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MaxDisconnectionTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MaxIdleTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MouseName \REGISTRY\Machine\System\CurrentControlSet\Services\Mouclass
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@OutBufCount 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@OutBufDelay 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@OutBufLength 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Password
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@PdClass 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@PdDll
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@PdFlag 30
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@PdName console
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@UserName
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@WdDll wdcon
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@WdFlag 36
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@WdName Console
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@WorkDirectory
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritAutoLogon 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritCallback 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritCallbackNumber 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritInitialProgram 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritMaxDisconnectionTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritMaxIdleTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritMaxSessionTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritReconnectSame 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritResetBroken 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritShadow 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fLogonDisabled 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fPromptForPassword 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fReconnectSame 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fResetBroken 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fUseDefaultGina 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Shadow 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@TraceClass 268435465
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@TraceDebugger 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@TraceEnable 12
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fEnableWinStation 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CdClass 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CdDLL
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CdFlag 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CdName
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CfgDll RDPCFGEX.DLL
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@InteractiveDelay 50
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@OutBufDelay 100
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@PdClass 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@PdDLL tdtcp
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@PdFlag 78
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@PdName tcp
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WdDLL rdpwd
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WdFlag 52
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WdName Microsoft RDP 5.1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WdPrefix RDP
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WsxDLL rdpwsx
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CfgDll RDPCFGEX.DLL
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fEnableWinStation 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxInstanceCount -1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PdName tcp
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PdClass 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PdDLL tdtcp
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PdFlag 78
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@OutBufLength 530
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@OutBufCount 6
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@OutBufDelay 100
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@InteractiveDelay 50
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PortNumber 3389
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@KeepAliveTimeout 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@LanAdapter 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdName Microsoft RDP 5.1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdDLL rdpwd
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WsxDLL rdpwsx
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdFlag 54
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@InputBufferLength 2048
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CdClass 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CdName
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CdDLL
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CdFlag 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Comment
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritAutoLogon 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritResetBroken 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritReconnectSame 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritInitialProgram 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritCallback 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritCallbackNumber 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritShadow 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritMaxSessionTime 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritMaxDisconnectionTime 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritMaxIdleTime 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritAutoClient 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritSecurity 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritColorDepth 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fPromptForPassword 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fResetBroken 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fReconnectSame 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fLogonDisabled 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fAutoClientDrives 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fAutoClientLpts 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fForceClientLptDef 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableEncryption 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fHomeDirectoryMapRoot 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fUseDefaultGina 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCpm 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCdm 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCcm 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableLPT 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableClip 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableExe 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCam 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Username
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Domain
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Password
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WorkDirectory
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@InitialProgram
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CallbackNumber
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Callback 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Shadow 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxConnectionTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxDisconnectionTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxIdleTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@KeyboardLayout 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MinEncryptionLevel 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@NWLogonServer
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WFProfilePath
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdPrefix RDP
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@TraceEnable 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@TraceDebugger 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@TraceClass 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@ColorDepth 3
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]

---- EOF - GMER 1.0.15 ----
 

ASCII

I'm surprised that Dave didn't advise against posting the full GMER report,
as it's as big or bigger than HJT.
 

David H. Lipman

From: "pg" <[email protected]>


| Report from GMER:

| GMER 1.0.15.15279 - http://www.gmer.net
| Rootkit scan 2009-12-07 18:53:38
| Windows 5.1.2600 Service Pack 3
| Running: hgnokzt1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awtdapow.sys


I have seen some logs but I haven't seen ...
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

Shown so much in a Gmer log.

Remove ~nospam~ from my posting address and send me the full Gmer log file.

I will Ping Gmer and see what he says about it.
 

pg

Dear Mr. Lipman,

Email sent, with attachments of the full GMER log (zipped), along with
OTL files (extra.zip, otl.zip), from my hotmail account.

Thank you very much !!
 

pg

From: "pg" <[email protected]>

| On Dec 13, 11:47 pm, "David H. Lipman" <[email protected]>



| Report from GMER:

| GMER 1.0.15.15279 -http://www.gmer.net
| Rootkit scan 2009-12-07 18:53:38
| Windows 5.1.2600 Service Pack 3
| Running: hgnokzt1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awtdapow.sys

I have seen some logs but I haven't seen ...
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

Shown so much in a Gmer log.

Remove ~nospam~ from my posting address and send me the full Gmer log file.

I will Ping Gmer and see what he says about it.


I ran a search on terminal server and found "Backdoor.Botnachala"

http://www.offensivecomputing.net/?q=node/110


Could my system already be hacked from the outside?
 

pg

What is weird now is even when I want to run Kaspersky's online virus
scan, I can't !

Kaspersky told me to deactivate my resident virus scan, I did, and
still the online scan won't run.

Subsequently I removed the avast! virus scanner from my computer, and
still something is blocking Kaspersky's online virus scan !
 

Virus Guy

pg said:
What is weird now is even when I want to run Kaspersky's online
virus scan, I can't ! Kaspersky told me to deactivate my
resident virus scan, I did, and still the online scan won't run.
Subsequently I removed the avast! virus scanner from my computer,
and still something is blocking Kaspersky's online virus scan !

Now that you've wasted a lot of time, maybe you'll do what anyone should
really do when they have a Windoze system infected with malware:

Remove the hard drive and slave it to a second trusted system and run a
scan on it.

I don't know why anyone bothers to scan an infected PC while Windoze is
running on it. It's like trying to repair your car while it's moving
with the engine running.
 

pg

Now that you've wasted a lot of time, maybe you'll do what anyone should
really do when they have a Windoze system infected with malware:

Remove the hard drive and slave it to a second trusted system and run a
scan on it.

I don't know why anyone bothers to scan an infected PC while Windoze is
running on it.  It's like trying to repair your car while it's moving
with the engine running.


That is one thing you do not understand ...

Doing the above won't get rid of many types of malware / virus /
spyware

2 reasons:

Reason # 1, NTFS has some protection in place (or encryption, I dunno)
that prevents 3rd parties from looking into users' directories.

Which means, putting the infected drive in as a slave drive and scanning
it, the virus / malware scanner can NOT reach places like
"\Documents and Settings\Administrator\*" or even
"\Documents and Settings\UserA\*".

If the virus hides itself in those directories (such as \Documents and
Settings\UserA\Local Settings\Temp\*) then the virus scanner will
NEVER detect that virus.


Reason #2, Some malware / virus / spyware has inserted some rogue
registries inside the registry file; putting that infected drive in as a
slave drive and scanning it will NEVER get rid of those rogue registries.

As soon as the infected drive boots up, the virus will be activated by
the rogue registries again.
 

kavery

That is one thing you do not understand ...

Doing the above won't get rid of many types of malware / virus / spyware
As soon as the infected drive boots up, the virus will be activated by
the rogue registries again

In that case you're better off formatting and re-installing. I've scanned
many infected systems, both by slaving the drive and by using a bootable
CD like UBCD4WIN. I've always been able to scan all users' directories up
to and including the browser cache and temp directories. UBCD4WIN has an
app that will let you clear all users' temp directories that works a
treat in a case like this. The only thing I could think of denying access
would be if the user made their home directory private. In that case they
may be out of luck.

Regedit has an option to load a remote registry so if you knew the
location of the rogue entries you could delete them that way. They
usually hang out in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\RunOnce. If they are in a different location, if you know
the name of what's infected the system, many AV vendors will offer this
information on their website. They'd have to know it to be able to scan
for it. If you can delete the entries in the registry there's a good
chance it won't start the next time the machine is booted.
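As an added example (not kavery's own procedure or any tool named in this thread), here is the offline registry check scripted in PowerShell: it loads the SOFTWARE hive and each profile's NTUSER.DAT from the slaved drive, lists the Run and RunOnce entries, and flags launch commands that point into a user profile or Temp directory. It assumes the slaved drive shows up as E: (a hypothetical drive letter) and that the prompt is elevated; nothing is deleted.

```powershell
# Added example: list Run/RunOnce autostarts from an OFFLINE Windows
# installation whose disk is slaved into a clean machine. Report only.
# Assumption: the slaved drive is mounted as E: (hypothetical letter).
$Drive    = 'E:'
$MountKey = 'HKLM\OfflineHive'            # temporary mount point for each hive
$RunKeys  = 'Microsoft\Windows\CurrentVersion\Run',
            'Microsoft\Windows\CurrentVersion\RunOnce'

function Get-OfflineRunEntries {
    param([string]$HivePath, [string]$Label)
    # reg.exe load mounts the hive file under HKLM (needs an elevated prompt)
    & reg.exe load $MountKey $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $HivePath"; return }
    try {
        foreach ($sub in $RunKeys) {
            # A per-user hive (NTUSER.DAT) has the keys under Software\;
            # the machine-wide SOFTWARE hive does not have that prefix.
            $prefix = if ($Label -eq 'HKLM') { '' } else { 'Software\' }
            $path = "HKLM:\OfflineHive\$prefix$sub"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $props = Get-ItemProperty -LiteralPath $path
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not values
                $cmd = [string]$p.Value
                [pscustomobject]@{
                    Hive    = $Label
                    Key     = $sub.Split('\')[-1]
                    Name    = $p.Name
                    Command = $cmd
                    # Heuristic from the thread: launch commands living under a
                    # user profile or Temp directory deserve a closer look.
                    Suspect = $cmd -match 'Documents and Settings|\\Users\\|\\Temp\\|Local Settings'
                }
            }
        }
    }
    finally {
        [GC]::Collect()                     # drop key handles so the unload succeeds
        & reg.exe unload $MountKey | Out-Null
    }
}

function Get-AllOfflineRunEntries {
    param([string]$Root)
    # Machine-wide autostarts: the SOFTWARE hive
    Get-OfflineRunEntries -HivePath "$Root\Windows\System32\config\SOFTWARE" -Label 'HKLM'
    # Per-user autostarts: each profile's NTUSER.DAT (XP and Vista+ profile roots)
    foreach ($profiles in "$Root\Documents and Settings", "$Root\Users") {
        if (-not (Test-Path -LiteralPath $profiles)) { continue }
        Get-ChildItem -LiteralPath $profiles -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object {
                $ntuser = Join-Path $_.FullName 'NTUSER.DAT'
                if (Test-Path -LiteralPath $ntuser) {
                    Get-OfflineRunEntries -HivePath $ntuser -Label $_.Name
                }
            }
    }
}

$results = @(Get-AllOfflineRunEntries -Root $Drive)
$results | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Once an entry is confirmed bad, the same mounted path works with `Remove-ItemProperty` (or Regedit's loaded hive, as kavery describes) to delete it before the drive goes back into the original machine.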
 

Dave Baker

pg said:
I ran a search on terminal server and found "Backdoor.Botnachala"

http://www.offensivecomputing.net/?q=node/110


Could my system already be hacked from the outside?

One thing I do when I'm trying to eliminate malware that antivirus scans
don't find is to look for files that have had their permissions locked. An
easy way to do this is try to change a file attribute such as the archive
bit or read only bit for all the files in a directory, usually system32 is
where I start as most malware hangs out in there.

Any file that won't let its attributes be changed is suspicious and worth
Googling to see what it does. If it's a nasty then I search the registry for
any references to that filename, delete those entries then delete the file
itself from within the Recovery Console if it can't be deleted normally.

However if the corruption has already spread so far that things like System
Restore and other key components no longer work it's probably quicker and
more thorough to just do a complete reinstall.
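An added example of the attribute check Dave Baker describes (this is not his tool or procedure, just one way to script it): it walks system32, tries to flip and restore the archive bit on each file, and reports the ones that refuse, together with their owner. It assumes an elevated PowerShell prompt on the machine being examined.

```powershell
# Added example: find files under system32 that refuse an attribute change,
# the "locked permissions" sign discussed above. Nothing is modified for
# files that accept the change, because the attribute is restored at once.
function Find-AttributeLockedFiles {
    param([string]$Path = "$env:SystemRoot\System32")
    $files = Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        $orig = $f.Attributes
        try {
            # Toggle the Archive bit and immediately put it back; a file we
            # control accepts both writes, a locked one throws on the first.
            $f.Attributes = $orig -bxor [IO.FileAttributes]::Archive
            $f.Attributes = $orig
        }
        catch {
            $err = $_
            # Owner is reported so the caller can filter expected cases (see below)
            $owner = 'unknown'
            try { $owner = (Get-Acl -LiteralPath $f.FullName).Owner } catch { }
            [pscustomobject]@{
                File  = $f.FullName
                Owner = $owner
                Error = $err.Exception.Message
            }
        }
    }
}

# Caveat: on Vista and later most system32 files are owned by TrustedInstaller
# and also refuse attribute changes from an administrator, so filter on owner
# or the list is mostly noise. On XP (the system in this thread) an
# administrator can normally change attributes on every file in system32.
Find-AttributeLockedFiles |
    Where-Object { $_.Owner -notmatch 'TrustedInstaller' } |
    Format-Table -AutoSize

# Next step from the thread: look the filename up, then search the registry
# for references to it, e.g.   reg query HKLM /s /f <filename>
```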
 

David H. Lipman

From: "pg" <[email protected]>



| That is one thing you do not understand ...

| Doing the above won't get rid of many types of malware / virus /
| spyware

| 2 reasons:

| Reason # 1, NTFS has some protection in place (or encryption, I dunno)
| that prevents 3rd parties from looking into users' directories.

| Which means, putting the infected drive in as a slave drive and scanning
| it, the virus / malware scanner can NOT reach places like
| "\Documents and Settings\Administrator\*" or even
| "\Documents and Settings\UserA\*".

| If the virus hides itself in those directories (such as \Documents and
| Settings\UserA\Local Settings\Temp\*) then the virus scanner will
| NEVER detect that virus.


If the file is encrypted under NTFS it would be green.

One can easily "take ownership" of what is blocked by insufficient permissions and scan
using a surrogate with an account with administrative rights.


| Reason #2, Some malware / virus / spyware has inserted some rogue
| registries inside
| the registry file, putting that infected drive as a
| slave drive and scan it will NEVER
| get rid of those rogue registries

| As soon as the infected drive boots up, the virus
| will be activated by the rogue registries again


Not true. If there is NO executable on the hard disk (that is, it was already removed)
the Registry entries can NOT resurrect the removed DLL or EXE.
 

Dave Cohen

David said:
From: "pg" <[email protected]>



| That is one thing you do not understand ...

| Doing the above won't get rid of many types of malware / virus /
| spyware

| 2 reasons:

| Reason # 1, NTFS has some protection in place (or encryption, I dunno)
| that prevents 3rd parties from looking into users' directories.

| Which means, putting the infected drive in as a slave drive and scanning
| it, the virus / malware scanner can NOT reach places like
| "\Documents and Settings\Administrator\*" or even
| "\Documents and Settings\UserA\*".

| If the virus hides itself in those directories (such as \Documents and
| Settings\UserA\Local Settings\Temp\*) then the virus scanner will
| NEVER detect that virus.


If the file is encrypted under NTFS it would be green.

One can easily "take ownership" of what is blocked by insufficient permissions and scan
using a surrogate with an account with administrative rights.


| Reason #2, Some malware / virus / spyware has inserted some rogue
| registries inside
| the registry file, putting that infected drive as a
| slave drive and scan it will NEVER
| get rid of those rogue registries

| As soon as the infected drive boots up, the virus
| will be activated by the rogue registries again


Not true. If there is NO executable on the hard disk (that is, it was already removed)
the Registry entries can NOT resurrect the removed DLL or EXE.

When oh when will people wise up and get an imaging program. I use
www.terabyteunlimited.com Image for Windows in addition to their regular
bootit product. These things go for around $35. Some people speak well
of Acronis and I've no doubt there is even free stuff on the web. The
advantage of IFW is it will run while you continue to use the system. I
still use Avira and take reasonable precautions of course. These days an
investment in one of the simple plug in usb external drives also makes
sense and I keep a number of backups.
 

David H. Lipman

From: "FredW" <[email protected]>


| I use Macrium Reflect Free (4.2) on my Windows 7 64-bit.
| http://www.macrium.com/reflectfree.asp
| (just as good as Acronis.)
| The only "disadvantage" of this program is,
| that one needs to make a "recovery CD" to be able to restore.

| Backup (= image) and restore work fine, as I have found out.
| ;-)

| --
| Fred W. (NL)

I use Ghost.

It is the ONLY Symantec product I swear by and not swear at. :)
 
