Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Win32.Delf.rtk Trojan

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Win32.Delf.rtk Trojan

Unread postby hightechenvy » September 29th, 2008, 1:01 am

Working on a computer and I can't seem to get rid of this Trojan (Win32.Delf.rtk). I have run Spybot several times with restarts in between. No such luck. Anyone that can help would be great.
hightechenvy
Active Member
 
Posts: 7
Joined: June 10th, 2008, 5:09 pm
Advertisement
Register to Remove

Re: Win32.Delf.rtk Trojan

Unread postby Carolyn » October 1st, 2008, 11:44 am

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool untill instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Download and install HijackThis

  • Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.


    Don't use the Analyse This button, its findings are dangerous if misinterpreted.
    Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required
    .

Uninstall List

    Make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.


Please post the following in your next reply.
  • log from hijackthis
  • uninstall list
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Win32.Delf.rtk Trojan

Unread postby hightechenvy » October 2nd, 2008, 12:42 am

Here is the Hijackthis.txt file.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:37:27 PM, on 10/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inf\svchoct.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [minitnyus] C:\WINDOWS\system32\inf\svchosd.exe C:\WINDOWS\wftadfi16_080819a.dll tanlt88
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080828a.dll tanlt88
O4 - HKLM\..\Policies\Explorer\Run: [minyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080921a.dll tan16d
O4 - HKLM\..\Policies\Explorer\Run: [mainyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080925a.dll tan16d
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0805362218
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Internet Service - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: IPSE Service (Messanger) - Unknown owner - c:\windows\svchost.exe (file missing)
O23 - Service: noytcyr - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: roytctm - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: soxpeca - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: tdydowkc - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe

--
End of file - 11439 bytes


------------------------------------------

Here is the uninstall scan.

32 Bit HP CIO Components Installer
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 2.0
Adobe Premiere Elements 2.0
Adobe Reader 8.1.2
AOL Toolbar
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
CA Yahoo! Anti-Spy (remove only)
CardRd81
CCHelp
CCScore
Conexant AC-Link Audio
CR2
Digital Media Reader
Easy Grade Pro
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTUTOR
ESSvpaht
ESSvpot
Google Gears
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Handmark® MobileDB(TM) for Palm OS
Hanes® T-ShirtMaker® Lite 3.0.0
HijackThis 2.0.0
HLPCCTR
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hoyle Board Games Demo
Hoyle Card Games 3
HP Customer Participation Program 9.0
HP Deskjet 5400 series
HP Deskjet All-In-One Software 9.0
HP Image Zone Express
HP Imaging Device Functions 9.0
HP Photosmart Essential 2.01
HP Smart Web Printing
HP Software Update
HP Solution Center 9.0
HP Update
HPSSupply
Intel(R) Integrated Performance Primitives RTI 4.0
Interactive Lesson Planner 1.5
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 2
Kodak EasyShare software
KSU
LiveUpdate 3.0 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office Standard Edition 2003
Microsoft Picture It! Premium 10
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero BurnRights
Nero OEM
Norton Security Center
Notifier
OpticFilm 7200
OTtBP
OTtBPSDK
Palm
PCDLNCH
PowerDVD
Presto! ImageFolio 4
Presto! Mr. Photo 3
Presto! PageManager 6.00
QuickTime
RealPlayer Basic
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
SFR
SFR2
Sierra Utilities
SilverFast SE CD Documentation 6.2.0
SilverFast UScan-SE
Smart Start UP
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy
Synaptics Pointing Device Driver
T-Mobile Dash™ User Manual
Ultimate Doodle Collection
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB953356)
VCAMCEN
Viewpoint Media Player
VPRINTOL
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Write On
Yahoo! Install Manager
Yahoo! Search Protection
Yahoo! Toolbar
hightechenvy
Active Member
 
Posts: 7
Joined: June 10th, 2008, 5:09 pm

Re: Win32.Delf.rtk Trojan

Unread postby Carolyn » October 2nd, 2008, 12:07 pm

Hello,

Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

Download and Run ComboFix (by sUBs)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the contents of C:\ComboFix.txt in your next reply.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

The version of HijackThis that you have on your computer is outdated.

Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

Please post the following:
  • The SDFix report
  • The ComboFix report
  • The new HijackThis log.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Win32.Delf.rtk Trojan

Unread postby hightechenvy » October 2nd, 2008, 11:13 pm

--------- SDFix.txt Report ---------------

SDFix: Version 1.230
Run by Owner on Thu 10/02/2008 at 07:17 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\c.exe - Deleted
C:\WINDOWS\system32\comsa32.sys - Deleted
C:\WINDOWS\system32\server.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-02 19:29:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\8VV72KD9\\incredimail_install[1].exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\8VV72KD9\\incredimail_install[1].exe:*:Enabled:IncrediMail Installer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"="C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"="C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 20 Sep 2005 23,552 A..H. --- "C:\Integrated science\~WRL0002.tmp"
Sun 13 Nov 2005 26,624 ...H. --- "C:\1 a EDMT\finance\~WRL0420.tmp"
Sun 13 Nov 2005 25,600 ...H. --- "C:\1 a EDMT\finance\~WRL3903.tmp"
Wed 17 May 2000 11,264 A..HR --- "C:\Program Files\Interactive Lesson Planner 1.5\important.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 5 Sep 2005 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Tue 17 Aug 2004 97,792 ...H. --- "C:\WINDOWS\system32\6to4ex.dll"
Mon 25 Aug 2008 15,360 A..H. --- "C:\WINDOWS\system32\dbi102.dll"
Thu 7 Aug 2008 40,960 ..SHR --- "C:\WINDOWS\system32\Karna1Drv.dll"
Tue 1 Feb 2000 40,960 ..SHR --- "C:\WINDOWS\system32\KarnaDrv.dll"
Wed 23 Mar 2005 10,752 A.SH. --- "C:\WINDOWS\system32\Proxy.dll"
Sun 24 Aug 2008 103,424 ..SHR --- "C:\WINDOWS\system32\waoptimizer.dll"
Fri 4 Feb 2000 45,568 ..SHR --- "C:\WINDOWS\system32\wmoptimizer.dll"
Sun 28 Sep 2008 14,848 A..H. --- "C:\WINDOWS\system32\zordisa.dll"
Fri 25 Nov 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 15 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 15 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 2 Jun 2008 19,456 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0003.tmp"
Wed 26 Jul 2006 19,456 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0004.tmp"
Sun 24 Jun 2007 31,232 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0005.tmp"
Sat 9 Feb 2008 19,456 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0006.tmp"
Sun 13 Nov 2005 122,368 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0427.tmp"
Mon 25 Jun 2007 19,456 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0719.tmp"
Sat 9 Feb 2008 75,776 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1009.tmp"
Sat 9 Feb 2008 61,952 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1071.tmp"
Sun 13 Nov 2005 122,880 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1246.tmp"
Mon 25 Jun 2007 19,456 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1685.tmp"
Wed 17 May 2006 47,616 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1907.tmp"
Wed 17 May 2006 49,664 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2475.tmp"
Sun 13 Nov 2005 19,456 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2492.tmp"
Mon 25 Jun 2007 19,456 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2753.tmp"
Sun 13 Nov 2005 28,160 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2792.tmp"
Sun 13 Nov 2005 121,344 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3253.tmp"
Sun 13 Nov 2005 122,880 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3303.tmp"
Sat 9 Feb 2008 76,288 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3582.tmp"
Mon 25 Jun 2007 30,208 ...H. --- "C:\Documents and Settings\Owner\My Documents\Amanda\CSUB Project\~WRL2193.tmp"
Mon 25 Jun 2007 19,456 ...H. --- "C:\Documents and Settings\Owner\My Documents\Amanda\Leadership CSUB\~WRL2313.tmp"
Mon 25 Jun 2007 21,504 ...H. --- "C:\Documents and Settings\Owner\My Documents\Amanda\Leadership CSUB\~WRL2771.tmp"
Mon 25 Jun 2007 19,968 ...H. --- "C:\Documents and Settings\Owner\My Documents\Amanda\Leadership CSUB\~WRL3564.tmp"
Mon 25 Jun 2007 20,480 ...H. --- "C:\Documents and Settings\Owner\My Documents\Amanda\Video Quiz CSUB\~WRL1593.tmp"
Mon 25 Jun 2007 19,456 ...H. --- "C:\Documents and Settings\Owner\My Documents\Amanda\Video Quiz CSUB\~WRL2498.tmp"

Finished!


------------- ComboFix Report ----------------------

ComboFix 08-10-02.04 - Owner 2008-10-02 19:50:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.679 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Cookies\owner@mygeek[1].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
C:\WINDOWS\dcbdcatys32_080925a.dll
C:\WINDOWS\Install.txt
C:\WINDOWS\MSSqlServer.dll
C:\WINDOWS\system\sgcxcxxaspf080925.exe
C:\WINDOWS\system32\_reproxy.dll
C:\WINDOWS\system32\123123.exe
C:\WINDOWS\system32\6to4ex.dll
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\dbi102.dll
C:\WINDOWS\system32\drivers\secdrv.sys
C:\WINDOWS\system32\dwbin.exe
C:\WINDOWS\system32\fhattach.dll
C:\WINDOWS\system32\fhpatch.dll
C:\WINDOWS\system32\inf\scsys16_080925.dll
C:\WINDOWS\system32\inf\sppdcrs080925.scr
C:\WINDOWS\system32\inf\svchoct.exe
C:\WINDOWS\system32\inf\svchosd.exe
C:\WINDOWS\system32\Install.txt
C:\WINDOWS\system32\IPHACTION.dll
C:\WINDOWS\system32\IPHOST.dll
C:\WINDOWS\system32\iphy.dll
C:\WINDOWS\system32\KarnaDrv.dll
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\maomaochong.exe
C:\WINDOWS\system32\mmchost.dll
C:\WINDOWS\system32\mywfhit.ini
C:\WINDOWS\system32\mywfhit.ini.tmp
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\Proxy.dll
C:\WINDOWS\system32\riphy.dll
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\sss.exe
C:\WINDOWS\system32\syspilog.pil
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\tmp0_74104817523.bk
C:\WINDOWS\system32\tmp1_560774404775.bk
C:\WINDOWS\system32\zordisa.dll
C:\WINDOWS\tawisys.ini
C:\WINDOWS\wftadfi16_080925a.dll
D:\Autorun.inf

. . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_AFISICX
-------\Legacy_INTERNET_SERVICE
-------\Legacy_MABIDWE
-------\Legacy_MACIDWE
-------\Legacy_MESSANGER
-------\Legacy_NOBICYT
-------\Legacy_NOXTCYR
-------\Legacy_NOYTCYR
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_ROXTCTM
-------\Legacy_ROYTCTM
-------\Legacy_SEICTRL
-------\Legacy_SOBICYT
-------\Legacy_SOTPECA
-------\Legacy_SOXPECA
-------\Legacy_TDXDOWKC
-------\Legacy_TDYDOWKC
-------\Legacy_WSERVING
-------\Legacy_WSLDOEKD
-------\Service_6to4
-------\Service_Internet Service
-------\Service_mabidwe
-------\Service_Messanger
-------\Service_noytcyr
-------\Service_roytctm
-------\Service_soxpeca
-------\Service_tdydowkc


((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
.

2008-10-02 18:54 . 2008-10-02 18:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-02 18:47 . 2008-10-02 19:37 <DIR> d-------- C:\SDFix
2008-09-29 15:26 . 2008-09-29 15:26 619 --a------ C:\moffice.lnk
2008-09-28 18:32 . 2008-10-02 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-08 20:19 . 2008-09-08 20:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-09-08 20:15 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-08 20:15 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-07 21:19 . 2008-09-21 19:01 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-07 21:18 . 2008-09-07 21:18 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-07 09:54 . 2008-09-07 09:54 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-09-07 09:54 . 2008-09-07 09:56 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-09-07 09:52 . 2008-09-07 09:53 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-07 09:52 . 2008-09-07 09:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-09-07 09:52 . 2008-09-07 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 02:42 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-09-08 04:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-23 14:30 --------- d-----w C:\Documents and Settings\LocalService\Application Data\HPAppData
2005-12-27 23:59 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2005-09-05 22:37 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2000-02-04 23:15 45,568 --sh--r C:\WINDOWS\system32\wmoptimizer.dll
2000-02-03 01:36 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012000020220000203\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 03:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe" [2007-06-11 190696]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Alarm Manager.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Alarm Manager.LNK
backup=C:\WINDOWS\pss\Alarm Manager.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickScan (OpticFilm 7200).lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickScan (OpticFilm 7200).lnk
backup=C:\WINDOWS\pss\QuickScan (OpticFilm 7200).lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.LNK]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.LNK
backup=C:\WINDOWS\pss\HotSync Manager.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-07 09:18 133104 C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
--a------ 2008-06-26 04:01 111856 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart Start UP]
--a------ 2003-01-21 15:25 98304 C:\PROGRA~1\Plustek\Software\MrPhoto3\Smart Start UP\PnPDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
--a------ 2004-05-26 17:57 139264 C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-01 02:56 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-06-26 04:01 111856 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 WMOptimizer;Windows Media Optimizer;C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]
S3 AMDMSRIO;AMDMSRIO;C:\DOCUME~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
wmosvr REG_MULTI_SZ WMOptimizer
waosvr REG_MULTI_SZ WAOptimizer

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc137be1-0915-11da-bf14-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-02 19:59:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-10-02 20:04:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-03 03:04:21

Pre-Run: 53,175,009,280 bytes free
Post-Run: 53,901,512,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

257 --- E O F --- 2008-09-22 02:01:51


------------------ New HijackThis Log File ---------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:12 PM, on 10/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0805362218
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8873 bytes
hightechenvy
Active Member
 
Posts: 7
Joined: June 10th, 2008, 5:09 pm

Re: Win32.Delf.rtk Trojan

Unread postby Carolyn » October 4th, 2008, 11:25 am

Hello,

Upload files for scanning
I'd like you to check a file/some files for malware.
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\beep.sys

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
  • Repeat for all files on the list.

Run a custom CFScript

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
KILLALL::

File::
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012000020220000203\index.dat
C:\WINDOWS\system32\Karna1Drv.dll
C:\WINDOWS\system32\waoptimizer.dll
C:\WINDOWS\system32\wmoptimizer.dl
C:\WINDOWS\system32\zordisa.dll

Driver::
WMOptimizer
AMDMSRIO

NetSvc::
wmosvr
waosvr


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Please post the following:
  • The VirusTotal results
  • The ComboFix log
  • A fresh HijackThis log
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Win32.Delf.rtk Trojan

Unread postby hightechenvy » October 4th, 2008, 2:52 pm

I went to Jotti's to do the scans of the two files requested. Both files scanned found nothing on any of the testes done. I waited for a while but no log files ever came up.

-------------- ComboFix ---------------------

ComboFix 08-10-02.04 - Owner 2008-10-04 11:36:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.741 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012000020220000203\index.dat
C:\WINDOWS\system32\Karna1Drv.dll
C:\WINDOWS\system32\waoptimizer.dll
C:\WINDOWS\system32\wmoptimizer.dl
C:\WINDOWS\system32\zordisa.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012000020220000203\index.dat
C:\WINDOWS\system32\Karna1Drv.dll
C:\WINDOWS\system32\waoptimizer.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AMDMSRIO
-------\Legacy_WMOPTIMIZER
-------\Service_AMDMSRIO
-------\Service_WMOptimizer


((((((((((((((((((((((((( Files Created from 2008-09-04 to 2008-10-04 )))))))))))))))))))))))))))))))
.

2008-10-02 20:09 . 2008-10-02 20:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 18:54 . 2008-10-02 18:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-02 18:47 . 2008-10-02 19:37 <DIR> d-------- C:\SDFix
2008-09-29 15:26 . 2008-09-29 15:26 619 --a------ C:\moffice.lnk
2008-09-28 18:32 . 2008-10-02 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-08 20:19 . 2008-09-08 20:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-09-08 20:15 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-08 20:15 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-07 21:19 . 2008-09-21 19:01 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-07 21:18 . 2008-09-07 21:18 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-07 09:54 . 2008-09-07 09:54 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-09-07 09:54 . 2008-09-07 09:56 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-09-07 09:52 . 2008-09-07 09:53 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-07 09:52 . 2008-09-07 09:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-09-07 09:52 . 2008-09-07 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 02:42 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-09-08 04:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-23 14:30 --------- d-----w C:\Documents and Settings\LocalService\Application Data\HPAppData
2005-12-27 23:59 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2005-09-05 22:37 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2000-02-04 23:15 45,568 --sh--r C:\WINDOWS\system32\wmoptimizer.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 03:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe" [2007-06-11 190696]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Alarm Manager.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Alarm Manager.LNK
backup=C:\WINDOWS\pss\Alarm Manager.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickScan (OpticFilm 7200).lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickScan (OpticFilm 7200).lnk
backup=C:\WINDOWS\pss\QuickScan (OpticFilm 7200).lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.LNK]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.LNK
backup=C:\WINDOWS\pss\HotSync Manager.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-07 09:18 133104 C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
--a------ 2008-06-26 04:01 111856 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart Start UP]
--a------ 2003-01-21 15:25 98304 C:\PROGRA~1\Plustek\Software\MrPhoto3\Smart Start UP\PnPDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
--a------ 2004-05-26 17:57 139264 C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-01 02:56 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-06-26 04:01 111856 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
wmosvr REG_MULTI_SZ WMOptimizer
waosvr REG_MULTI_SZ WAOptimizer

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc137be1-0915-11da-bf14-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 11:41:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-10-04 11:46:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-04 18:45:56
ComboFix2.txt 2008-10-03 03:04:28

Pre-Run: 54,313,684,992 bytes free
Post-Run: 54,304,137,216 bytes free

174 --- E O F --- 2008-09-22 02:01:51


----------------------------- HiJackThis ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:59 AM, on 10/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0805362218
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8874 bytes
hightechenvy
Active Member
 
Posts: 7
Joined: June 10th, 2008, 5:09 pm

Re: Win32.Delf.rtk Trojan

Unread postby Carolyn » October 5th, 2008, 9:13 am

Hello,

Run another custom CFScript

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
KILLALL::

File::
C:\WINDOWS\system32\wmoptimizer.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}"=-

NetSvc::
wmosvr
waosvr


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


------------------------------------------------------------------------------------------

Download CCleaner from here and save it to your desktop.

Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!

------------------------------------------------------------------------------------------

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

------------------------------------------------------------------------------------------

Please post the following in your next reply:
  1. The ComboFix log
  2. The Kaspersky log
  3. A fresh HijackThis log
  4. A description of how your computer is behaving.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Win32.Delf.rtk Trojan

Unread postby hightechenvy » October 5th, 2008, 6:44 pm

Here is the remaining scans that you have asked for. The computer seems to be running fine but I'm a little consernd about the Kaspersky log. Are these a result of the various programs you have had me install or are these new items that it is finding?

-----------------------------------------------------------

ComboFix 08-10-02.04 - Owner 2008-10-05 13:02:51.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.756 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\wmoptimizer.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wmoptimizer.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-05 to 2008-10-05 )))))))))))))))))))))))))))))))
.

2008-10-02 20:09 . 2008-10-02 20:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 18:54 . 2008-10-02 18:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-02 18:47 . 2008-10-02 19:37 <DIR> d-------- C:\SDFix
2008-09-29 15:26 . 2008-09-29 15:26 619 --a------ C:\moffice.lnk
2008-09-28 18:32 . 2008-10-02 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-08 20:19 . 2008-09-08 20:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-09-08 20:15 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-08 20:15 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-07 21:19 . 2008-09-21 19:01 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-07 21:18 . 2008-09-07 21:18 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-07 09:54 . 2008-09-07 09:54 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-09-07 09:54 . 2008-09-07 09:56 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-09-07 09:52 . 2008-09-07 09:53 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-07 09:52 . 2008-09-07 09:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-09-07 09:52 . 2008-09-07 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 02:42 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-09-08 04:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-23 14:30 --------- d-----w C:\Documents and Settings\LocalService\Application Data\HPAppData
2005-12-27 23:59 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2005-09-05 22:37 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 03:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe" [2007-06-11 190696]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Alarm Manager.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Alarm Manager.LNK
backup=C:\WINDOWS\pss\Alarm Manager.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickScan (OpticFilm 7200).lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickScan (OpticFilm 7200).lnk
backup=C:\WINDOWS\pss\QuickScan (OpticFilm 7200).lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.LNK]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.LNK
backup=C:\WINDOWS\pss\HotSync Manager.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-07 09:18 133104 C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
--a------ 2008-06-26 04:01 111856 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart Start UP]
--a------ 2003-01-21 15:25 98304 C:\PROGRA~1\Plustek\Software\MrPhoto3\Smart Start UP\PnPDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
--a------ 2004-05-26 17:57 139264 C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-01 02:56 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-06-26 04:01 111856 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
wmosvr REG_MULTI_SZ WMOptimizer
waosvr REG_MULTI_SZ WAOptimizer

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc137be1-0915-11da-bf14-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 13:07:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-10-05 13:12:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-05 20:12:06
ComboFix2.txt 2008-10-04 18:46:02
ComboFix3.txt 2008-10-03 03:04:28

Pre-Run: 54,298,763,264 bytes free
Post-Run: 54,277,427,200 bytes free

162 --- E O F --- 2008-09-22 02:01:51


---------------- Kaspersky Log ------------------
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, October 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, October 05, 2008 19:45:19
Records in database: 1293078
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 59855
Threat name: 37
Infected objects: 114
Suspicious objects: 0
Duration of the scan: 01:21:15


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\dcbdcatys32_080925a.dll.vir Infected: Trojan-Spy.Win32.Pophot.cru 1
C:\QooBox\Quarantine\C\WINDOWS\system\sgcxcxxaspf080925.exe.vir Infected: Trojan-Spy.Win32.Pophot.crq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\123123.exe.vir Infected: Trojan-GameThief.Win32.WOW.bvw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\6to4ex.dll.vir Infected: Trojan.Win32.Dialer.aqm 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dbi102.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.tlob 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\secdrv.sys.vir Infected: Rootkit.Win32.Small.ag 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dwbin.exe.vir Infected: Trojan-Downloader.Win32.Delf.lui 1
C:\QooBox\Quarantine\C\WINDOWS\system32\inf\scsys16_080925.dll.vir Infected: Trojan-Spy.Win32.Pophot.crt 1
C:\QooBox\Quarantine\C\WINDOWS\system32\inf\sppdcrs080925.scr.vir Infected: Trojan-Spy.Win32.Pophot.crq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\IPHACTION.dll.vir Infected: Trojan-Downloader.Win32.Agent.acbb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\IPHOST.dll.vir Infected: Trojan.Win32.Agent.ynl 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Karna1Drv.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.srvk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\KarnaDrv.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.srvk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\maomaochong.exe.vir Infected: Backdoor.Win32.Small.flb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mmchost.dll.vir Infected: Backdoor.Win32.Small.flb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\noytcyr.exe.vir Infected: Trojan.Win32.Agent.acng 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Proxy.dll.vir Infected: Trojan-Proxy.Win32.Agent.asy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\roytctm.exe.vir Infected: Trojan.Win32.Agent.ackq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sotpeca.exe.vir Infected: Trojan.Win32.Agent.actu 1
C:\QooBox\Quarantine\C\WINDOWS\system32\soxpeca.exe.vir Infected: Trojan.Win32.Agent.acng 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sss.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.snmv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tdydowkc.exe.vir Infected: Trojan.Win32.Agent.adem 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zordisa.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.syhe 1
C:\QooBox\Quarantine\C\WINDOWS\system32\_reproxy.dll.vir Infected: Trojan.Win32.Agent.ynl 1
C:\QooBox\Quarantine\C\WINDOWS\wftadfi16_080925a.dll.vir Infected: Trojan-Spy.Win32.Pophot.crt 1
C:\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.Delf.lso 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Dialer.aql 1
C:\WINDOWS\system32\cfexfst.sys Infected: Trojan-Clicker.Win32.VB.bnj 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\a[1].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\mf0824[1].exe Infected: Trojan-GameThief.Win32.WOW.bvt 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\new2[1].exe Infected: Trojan.Win32.Agent.ynl 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\new2[1].exe Infected: Trojan-Proxy.Win32.Small.uy 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\pp[10].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\pp[1].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\pp[2].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\pp[3].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\pp[4].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\pp[6].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\pp[7].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\pp[8].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\pp[9].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\96NFCVNP\sl[1].exe Infected: Trojan-GameThief.Win32.OnLineGames.spgv 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\aCANAWCUU.exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\as[1].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\a[10].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\a[11].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\a[1].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\a[2].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\a[3].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\a[4].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\a[5].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\a[6].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\a[7].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\a[8].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\a[9].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\beauty[1].exe Infected: Trojan-GameThief.Win32.WOW.bpl 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\c[1].exe Infected: Trojan-Downloader.Win32.Delf.lso 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\downer[1].exe Infected: Trojan-Downloader.Win32.NanoDesu.bm 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCA1SK8MH.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCA28M80N.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCA3FR2N7.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCA3HINDB.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCA5QXOF2.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCAASGDC8.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCAEKYKRE.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCAJXPBOG.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCAOGLT9U.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCAOJNXYX.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCAQ69BHT.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCAWOEPHH.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\ppCAZXLMW5.av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\pp[10].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\pp[11].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\pp[1].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\pp[2].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\pp[3].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\pp[4].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\pp[5].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\pp[6].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\pp[7].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\pp[8].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\pp[9].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QDDF8HNS\server[1].exe Infected: Trojan.Win32.Dialer.aql 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2FB55UM\123123[2].exe Infected: Trojan-GameThief.Win32.WOW.bvw 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2FB55UM\a[1].exe Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2FB55UM\db820[1].exe Infected: Trojan-Downloader.Win32.Delf.mfy 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2FB55UM\dwbin[1].exe Infected: Trojan-Downloader.Win32.Delf.lui 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2FB55UM\new2[1].exe Infected: Trojan.Win32.Agent.ynl 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2FB55UM\new2[1].exe Infected: Trojan-Proxy.Win32.Small.uy 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2FB55UM\pp[1].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2FB55UM\pp[2].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2FB55UM\pp[3].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2FB55UM\pp[4].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2FB55UM\pp[5].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2FB55UM\sss[1].exe Infected: Trojan-GameThief.Win32.OnLineGames.snmv 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X7BD2ODI\c[1].exe Infected: Trojan-Downloader.Win32.Delf.lso 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X7BD2ODI\dwbins[1].exe Infected: Trojan-Downloader.Win32.Delf.gff 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X7BD2ODI\ffxi369[1].exe Infected: Trojan-GameThief.Win32.OnLineGames.sxzm 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X7BD2ODI\pp[1].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X7BD2ODI\pp[3].av Infected: Backdoor.Win32.Agent.ppc 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X7BD2ODI\server[1].exe Infected: Trojan.Win32.Dialer.aql 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X7BD2ODI\sl[1].exe Infected: Trojan-GameThief.Win32.OnLineGames.spgv 1
C:\WINDOWS\system32\db820.exe Infected: Trojan-Downloader.Win32.Delf.mfy 1
C:\WINDOWS\system32\downer.exe Infected: Trojan-Downloader.Win32.NanoDesu.bm 1
C:\WINDOWS\system32\dwbins.exe Infected: Trojan-Downloader.Win32.Delf.gff 1
C:\WINDOWS\system32\fduvfct.sys Infected: Trojan-Clicker.Win32.VB.bwq 1
C:\WINDOWS\system32\mf0824.exe Infected: Trojan-GameThief.Win32.WOW.bvt 1
C:\WINDOWS\system32\new2.exe Infected: Trojan.Win32.Agent.ynl 1
C:\WINDOWS\system32\new2.exe Infected: Trojan-Proxy.Win32.Small.uy 1
C:\WINDOWS\system32\newcool.exe Infected: Trojan-Spy.Win32.Pophot.crq 1
C:\WINDOWS\system32\sl3.exe Infected: Trojan-GameThief.Win32.OnLineGames.tgfq 1
C:\WINDOWS\system32\udxfytw.sys Infected: Trojan-Clicker.Win32.VB.cfv 1
C:\WINDOWS\system32\us.exe Infected: Trojan-Spy.Win32.Pophot.bzb 1
C:\WINDOWS\system32\xdufytw.sys Infected: Trojan-Clicker.Win32.VB.cag 1

The selected area was scanned.

----------------------- HijackThis Log -----------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:11 PM, on 10/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0805362218
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9083 bytes
hightechenvy
Active Member
 
Posts: 7
Joined: June 10th, 2008, 5:09 pm

Re: Win32.Delf.rtk Trojan

Unread postby Carolyn » October 6th, 2008, 2:34 pm

Hi,

The computer seems to be running fine but I'm a little consernd about the Kaspersky log.


No need to worry. The majority of those findings are files that were already quarantined by Norton, ComboFix and SDFix and a bunch are Temporary Internet Files. There are a handful are files that we had not yet found - but that is the reason why we ran the online scan, to locate any other baddies that might be hanging around.

---------------------------------------------------------------------------------

Delete Temporary Internet Files

1. Quit Internet Explorer and close all programs.
2. Click Start, click Control Panel, and then double-click Internet Options.
3. On the General tab, click Delete Files under Temporary Internet Files.
4. In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
5. Click OK to close the window.

---------------------------------------------------------------------------------

Delete the Norton Quarantined Files

Go to this page and follow the directions for emptying Quarantine for your version of Norton Antivirus:Removing files from Norton AntiVirus Quarantine

---------------------------------------------------------------------------------

Run a custom CFScript

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
KILLALL::

File::
C:\WINDOWS\system32\cfexfst.sys
C:\WINDOWS\system32\db820.exe
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\dwbins.exe
C:\WINDOWS\system32\fduvfct.sys
C:\WINDOWS\system32\mf0824.exe
C:\WINDOWS\system32\new2.exe
C:\WINDOWS\system32\newcool.exe
C:\WINDOWS\system32\sl3.exe
C:\WINDOWS\system32\udxfytw.sys
C:\WINDOWS\system32\us.exe
C:\WINDOWS\system32\xdufytw.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"wmosvr"=-
"waosvr"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Please post the ComboFix log along with a fresh HijackThis log and a description of how your computer is behaving.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Win32.Delf.rtk Trojan

Unread postby hightechenvy » October 7th, 2008, 12:43 am

Ok, here we go. Here is the ComboFix log and the new HiJackThis log. Wasn't able to go into Norton and remove any of the Quarantine files. There is no Norton or Symantac folders under the C://Program Files. There is also no Norton Anti Virus install showing under ad remove programs. Only functioning Norton piece that I could find was their live update. Anyway found a few other programs that could be holding quarintine files and removed them.

System seems to be running pretty good. No real lag or wierd happenings.


------------- ComboFix Log ------------------------

ComboFix 08-10-02.04 - Owner 2008-10-06 21:25:32.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.755 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\cfexfst.sys
C:\WINDOWS\system32\db820.exe
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\dwbins.exe
C:\WINDOWS\system32\fduvfct.sys
C:\WINDOWS\system32\mf0824.exe
C:\WINDOWS\system32\new2.exe
C:\WINDOWS\system32\newcool.exe
C:\WINDOWS\system32\sl3.exe
C:\WINDOWS\system32\udxfytw.sys
C:\WINDOWS\system32\us.exe
C:\WINDOWS\system32\xdufytw.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cfexfst.sys
C:\WINDOWS\system32\db820.exe
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\dwbins.exe
C:\WINDOWS\system32\fduvfct.sys
C:\WINDOWS\system32\mf0824.exe
C:\WINDOWS\system32\new2.exe
C:\WINDOWS\system32\newcool.exe
C:\WINDOWS\system32\sl3.exe
C:\WINDOWS\system32\udxfytw.sys
C:\WINDOWS\system32\us.exe
C:\WINDOWS\system32\xdufytw.sys

.
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.

2008-10-05 13:25 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-05 13:13 . 2008-10-05 13:13 <DIR> d-------- C:\Program Files\CCleaner
2008-10-02 20:09 . 2008-10-02 20:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 18:54 . 2008-10-02 18:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-02 18:47 . 2008-10-02 19:37 <DIR> d-------- C:\SDFix
2008-09-29 15:26 . 2008-09-29 15:26 619 --a------ C:\moffice.lnk
2008-09-28 18:32 . 2008-10-02 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-08 20:19 . 2008-09-08 20:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-09-08 20:15 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-08 20:15 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-07 21:19 . 2008-09-21 19:01 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-07 21:18 . 2008-09-07 21:18 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-07 09:54 . 2008-09-07 09:54 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-09-07 09:52 . 2008-10-06 21:18 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-07 09:52 . 2008-10-06 21:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-05 20:25 --------- d-----w C:\Program Files\Java
2008-10-03 02:42 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-09-08 04:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-23 14:30 --------- d-----w C:\Documents and Settings\LocalService\Application Data\HPAppData
2005-12-27 23:59 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2005-09-05 22:37 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-10-02_20.04.02.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-03-04 17:06:58 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 08:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-03-04 17:07:06 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 08:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-03-04 18:36:48 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 09:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe" [2007-06-11 190696]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Alarm Manager.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Alarm Manager.LNK
backup=C:\WINDOWS\pss\Alarm Manager.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickScan (OpticFilm 7200).lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickScan (OpticFilm 7200).lnk
backup=C:\WINDOWS\pss\QuickScan (OpticFilm 7200).lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.LNK]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.LNK
backup=C:\WINDOWS\pss\HotSync Manager.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-07 09:18 133104 C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart Start UP]
--a------ 2003-01-21 15:25 98304 C:\PROGRA~1\Plustek\Software\MrPhoto3\Smart Start UP\PnPDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
--a------ 2004-05-26 17:57 139264 C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-01 02:56 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc137be1-0915-11da-bf14-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Search Protection - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
MSConfigStartUp-YSearchProtection - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 21:30:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-10-06 21:35:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-07 04:34:56
ComboFix2.txt 2008-10-05 20:12:11
ComboFix3.txt 2008-10-04 18:46:02
ComboFix4.txt 2008-10-03 03:04:28

Pre-Run: 54,199,762,944 bytes free
Post-Run: 54,225,346,560 bytes free

191 --- E O F --- 2008-09-22 02:01:51


------------------- HiJackThis Log ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:22 PM, on 10/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0805362218
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8455 bytes
hightechenvy
Active Member
 
Posts: 7
Joined: June 10th, 2008, 5:09 pm

Re: Win32.Delf.rtk Trojan

Unread postby Carolyn » October 7th, 2008, 4:31 pm

Hi,

Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

If you don't like Adobe Reader, you can try Foxit PDF Reader. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

--------------------------------------------------------------------------------------------------

Unisntall Outdated Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check J2SE Runtime Environment 5.0 Update 2.
  • Click the Remove or Change/Remove button.
  • Reboot your computer once all Java components are removed.

--------------------------------------------------------------------------------------------------

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  4. Do the same for each Viewpoint component.

--------------------------------------------------------------------------------------------------

This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are

Your log now appears to be clean. Congratulations!

Please delete SDFix from you desktop.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

    Delete ComboFix and Clean Up
    Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
    Image
    Please advise if this step is missed for any reason as it performs some important actions.

    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

    • Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under Hidden files and folders if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check Display content of system folders
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

    • Make sure that you keep your antivirus updated
      New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
      Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

    • Continue to use a firewall with outbound protection
      The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
      Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

    • Security Updates for Windows, Internet Explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
      Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.

    • Update Non-Microsoft Programs
      Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

    • Make Internet Explorer More Secure
      You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE


    Recommended Programs

    I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

    • WinPatrol
      As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

    • SpywareBlaster
      SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.

    • Malwarebytes' Anti-Malware
      Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.

    • Hosts File
      For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

      Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
      If this isn't done first, the next reboot may take a VERY LONG TIME.
      This is how to do it. First be sure you are signed in as a user with administrative privileges:
      Stop and Disable the DNS Client Service
      Go to Start, Run and type Services.msc and click OK.
      Under the Extended Tab, Scroll down and find this service.
      DNS Client
      Right-Click on the DNS Client Service. Choose Properties
      Select the General tab. Click on the Stop button.
      Click the Arrow-down tab on the right-hand side at the Start-up Type box.
      From the drop-down menu, click on Manual
      Click the Apply tab, then click OK


    • Use an alternative Internet Browser
      Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
      Firefox
      Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Win32.Delf.rtk Trojan

Unread postby hightechenvy » October 7th, 2008, 8:24 pm

I have read your post and have already begun taking many of the steps you mention to secure the machine. Thank you for your help.
hightechenvy
Active Member
 
Posts: 7
Joined: June 10th, 2008, 5:09 pm

Re: Win32.Delf.rtk Trojan

Unread postby Gary R » October 8th, 2008, 11:01 am

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
User avatar
Gary R
Administrator
Administrator
 
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 25 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware