Welcome to MalwareRemoval.com,

Hijackthis log

Post by geraldheyman » June 4th, 2007, 11:58 am

Here is a Hijackthis log from my machine:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:20:59 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Agnitum\Outpost Firewall\Plugins\Anti-Spam\asp_srv.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Init\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AudigySpeaker] E:\Winxp\Audio\Audigy2\Update\Project1.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [Outpost Security Suite] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6954694625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9015419421
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Outpost Security Suite Service (OutpostSecuritySuite) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

--
End of file - 10827 bytes

I am having trouble with someone being able to run processes, i.e. file searches, on my machine. I am also uncertain, but there may be a key logger running on this computer. The addition of a new firewall, Outpost Security Suite, from Agnitum has not helped. I also added an antivirus from AVG. I used to have a security suite from McAfee. By the way, if you can tell me which ports a key logger or remote desktop might use, I can block them in Outpost.

Gerald Heyman
geraldheyman
Regular Member
 
Posts: 21
Joined: June 4th, 2007, 1:07 am
Location: Phoenix, AZ

Post by Katana » June 6th, 2007, 5:50 pm

Hello geraldheyman and welcome to Malware Removal

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please note that I am in training; this means that any reply I give to you has to be checked first by an expert.
I apologize for any delay this might cause.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

The Beta version of HJT is still on "trial" and as such can be unstable.

Download HJT

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by geraldheyman » June 6th, 2007, 6:27 pm

Katana

Here is the requested Hijack This log.

Logfile of HijackThis v1.99.1
Scan saved at 3:21:12 PM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Security Task Manager\SpyProtector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AudigySpeaker] E:\Winxp\Audio\Audigy2\Update\Project1.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [Outpost Security Suite] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Spy Protector] C:\Program Files\Security Task Manager\SpyProtector.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [EPSON Stylus CX4800 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P35 "EPSON Stylus CX4800 Series (Copy 2)" /M "Stylus CX4800" /EF "HKCU"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6954694625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9015419421
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Outpost Security Suite Service (OutpostSecuritySuite) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe

Jerry Heyman
geraldheyman
Regular Member
 
Posts: 21
Joined: June 4th, 2007, 1:07 am
Location: Phoenix, AZ

Post by Katana » June 7th, 2007, 12:37 pm

Hi geraldheyman,

Your log looks clean :D
I am having trouble with someone being able to run processes, i.e. file searches, on my machine. I am also uncertain but there may be a key logger running on this computer.

What makes you think that you have a keylogger or someone running programs?
You also say
The addition of a new firewall, Outpost Security Suite, from Agnitum has not helped.

Please can you give some specific details for both of these points?


If you have uninstalled McAfee, then you can fix the following lines in HJT:


Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
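As an added example (not code from this thread, from HijackThis or from the helpers here), a small Python triage script for logs in the format posted above. It parses the section-prefixed entries (R0-R3, F0-F3, O1-O24), flags the kinds of lines Katana singles out (entries whose target file is gone, services with no recognised vendor), notes autoruns that name a bare executable with no directory, collapses the repeated Winsock LSP lines into a per-DLL count, and diffs the June 3 log against the June 6 one so that newly appeared persistence points stand out. The embedded sample entries are copied from the two logs in this thread and trimmed; the review reasons are prompts for a human reader, not verdicts.

```python
import re
from collections import Counter

# Constructed sample: a handful of entries copied from the two HijackThis logs
# in this thread (June 3 and June 6), trimmed to the lines the example needs.
LOG_JUNE3 = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: Outpost Security Suite Service (OutpostSecuritySuite) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
"""

LOG_JUNE6 = r"""
Logfile of HijackThis v1.99.1
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Spy Protector] C:\Program Files\Security Task Manager\SpyProtector.exe /autostart
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O10 - Unknown file in Winsock LSP: c:\program files\agnitum\outpost firewall\lspfilt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: Outpost Security Suite Service (OutpostSecuritySuite) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
"""

# An HJT entry is "<section> - <body>"; the header and the process list carry
# no section prefix and are skipped.
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.+)$")
# O4 body: "<hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r"^[^:]+: \[[^\]]*\] (.+)$")


def parse_hjt(text):
    """Return the (section, body) pairs of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def launched_image(o4_body):
    """Pull the executable out of an O4 (autorun) entry; None for .lnk entries."""
    m = O4_RE.match(o4_body)
    if not m:
        return None
    cmd = m.group(1).strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]      # quoted path, may contain spaces
    return cmd.split()[0]             # unquoted: first token is the image


def review(entries):
    """Return (section, body, reason) for entries a helper would look at first.
    These are review prompts, not verdicts: a human decides what to fix."""
    findings = []
    for sec, body in entries:
        if "(no file)" in body or "(file missing)" in body:
            findings.append((sec, body, "target file no longer exists; a leftover "
                             "from an uninstall, removable with Fix checked"))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, body, "service binary has no recognised vendor; "
                             "confirm its origin"))
        elif sec == "O4":
            exe = launched_image(body)
            if exe and "\\" not in exe:
                findings.append((sec, body, f"autorun '{exe}' names no directory, so "
                                 "Windows resolves it via the search path; verify which file runs"))
        elif sec in ("O20", "O21"):
            findings.append((sec, body, "DLL loaded at logon by winlogon/explorer; "
                             "check the publisher"))
    return findings


def lsp_summary(entries):
    """Count O10 (Winsock LSP) lines per DLL. One DLL listed once per protocol
    chain is normal and reads better as a count than as six warnings."""
    return Counter(body.split(": ", 1)[1] for sec, body in entries if sec == "O10")


def diff_logs(older, newer):
    """(added, removed) entries between two logs taken days apart."""
    old, new = set(older), set(newer)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for sec, body, why in review(parse_hjt(LOG_JUNE6)):
        print(f"{sec}: {why}\n    {body}")
    added, removed = diff_logs(parse_hjt(LOG_JUNE3), parse_hjt(LOG_JUNE6))
    print("new since June 3:", *[b for _, b in added], sep="\n  ")
```

The diff is the part worth keeping in a helper's toolkit: on this thread it isolates the new `O4` Spy Protector autorun and the `O20` WgaLogon notify entry, which is exactly the short list a reviewer would ask the poster to account for.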

Post by geraldheyman » June 7th, 2007, 8:49 pm

As to the subject of someone running a file search, one day I walked in and observed a file search in progress. I watched and finally rebooted the machine. After that I have not observed a process running. However, I downloaded Security Task Manager Pro and installed it. From time to time its icon disappears from the system task tray. I wrote to the developer and they assured me that such behavior is unusual. This program intercepts keyboard logging, mouse movements and starting and ending of programs. It also displays all of the processes running on this computer. If I am interested in a process I can look it up in Google.

Also, suddenly one day a program showed up, Spyware Doctor, which I did not download. I keep a close watch on the programs on this machine, and did not download it.

As to the subject of keyboard logging, I have nothing definite.

As to the subject of Agnitum Outpost, it has the ability to track when the sizes of modules change. I chose the aggressive response of keeping track of the changes, which Agnitum recommends. Modules kept changing over and over again, leading me to believe that there was some program making the changes.

All of this makes me believe that I should reformat and rebuild my system. Do you know of a site that can help me do that?

Jerry Heyman
geraldheyman
Regular Member
 
Posts: 21
Joined: June 4th, 2007, 1:07 am
Location: Phoenix, AZ

Post by Katana » June 9th, 2007, 8:22 am

Hi geraldheyman,

The decision to reformat is obviously yours, but could I suggest that you run a couple of rootkit scanners first.
This should tell us if you actually have a problem.

Spyware Doctor is a legitimate program and it is very unlikely that any virus or hacker would want to install it on your machine.
For a very good tutorial on Reformat and Reinstall click HERE

AVG AntiRootkit

  • Download AVG Anti-rootkit from here
  • Double click on avgarkt-setup-1.1.0.42.exe to start the install of AVG Anti-rootkit
  • Click Next>
  • Click Next>
  • Click I agree
  • Click Next>
  • Click Install
  • Click Finish, your computer will now be restarted
  • Once your machine has restarted, double-click on the AVG Anti-rootkit shortcut on your desktop to start AVG Anti-rootkit
  • Click Perform in-depth search
  • Click Scan
  • Wait for the scan to complete
  • Right click in the middle of the window, and click Save results
  • Save it to the desktop as avgrk.csv
  • Use notepad to open that file, and post the contents as a reply to this topic


Download and Run ComboFix

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by geraldheyman » June 9th, 2007, 3:35 pm

Katana, I tried posting the results from AVGrootkit and Combo. I got this error message:

SQL Error:1153 Got a packet bigger than 'max_allowed_packet' bytes.

As a result it would not post. I suspect that the results from AVGrootkit are the problem. The file size is 1.024 MB.

I am posting the results from Combo here:


2007-05-28 21:54:16 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-05-28 21:51:29 -------- d-----w C:\Program Files\Common Files\Stardock
2007-05-28 21:51:28 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-28 21:51:22 -------- d-----w C:\Program Files\Common Files\Palo Alto Software
2007-05-28 21:49:51 -------- d-----w C:\Program Files\Apple Software Update
2007-05-28 21:26:25 -------- d-----w C:\Program Files\ItsDeductible2006
2007-05-28 21:24:41 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Weather Channel Platinum
2007-05-28 20:52:17 -------- d-----w C:\Program Files\Avery Wizard
2007-05-28 20:30:26 -------- d-----w C:\Program Files\Identity Theft Protector
2007-05-28 18:27:23 -------- d-----w C:\Program Files\Windows NT
2007-05-28 18:27:19 -------- d-----w C:\Program Files\DesignPro
2007-05-28 18:27:03 -------- d-----w C:\Program Files\Spyware Doctor
2007-05-28 18:27:01 -------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2007-05-28 18:26:59 -------- d-----w C:\Program Files\Movie Maker
2007-05-28 18:26:45 -------- d-----w C:\Program Files\SecCopy
2007-05-28 18:26:44 -------- d-----w C:\Program Files\QuickTime
2007-05-28 18:26:44 -------- d-----w C:\Program Files\Picasa2
2007-05-28 16:39:41 -------- d-----w C:\Program Files\Quicken
2007-05-28 16:34:21 -------- d-----w C:\Program Files\Axaware
2007-05-28 16:33:19 -------- d-----w C:\Program Files\Belkin Bulldog Plus
2007-05-28 16:33:04 -------- d-----w C:\Program Files\CyberScrub Privacy Suite
2007-05-28 16:33:04 -------- d-----w C:\Program Files\American Landscapes
2007-05-28 16:32:52 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-28 16:24:18 -------- d-----w C:\Program Files\Messenger
2007-05-28 16:23:30 -------- d-----w C:\Program Files\iTunes
2007-05-27 22:19:06 -------- d-----w C:\Program Files\Common Files\Agnitum Shared
2007-05-25 03:08:58 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\McAfee
2007-05-17 04:18:08 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Safe Folder
2007-05-11 02:47:05 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-09 15:24:59 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-07 20:40:21 -------- d-----w C:\Program Files\epson
2007-05-06 21:17:54 -------- d-----w C:\Program Files\Stardock
2007-05-06 18:21:03 -------- d-----w C:\Program Files\MSBuild
2007-05-06 18:15:35 -------- d-----w C:\Program Files\Reference Assemblies
2007-05-05 17:50:09 -------- d-----w C:\Program Files\Google
2007-05-05 05:24:23 -------- d-----w C:\Program Files\BinarySense
2007-05-04 18:17:15 -------- d-----w C:\Program Files\Intel
2007-05-04 17:14:27 -------- d-----w C:\Program Files\Smart PC Solutions
2007-05-04 17:14:27 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Smart PC Solutions
2007-05-04 15:09:40 -------- d-----w C:\Program Files\MSXML 6.0
2007-05-01 03:16:09 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Talkback
2007-04-30 19:05:07 -------- d-----w C:\Program Files\Siber Systems
2007-04-27 18:35:42 -------- d-----w C:\Program Files\Creative
2007-04-27 18:32:44 409,600 ------w C:\WINDOWS\system32\wrap_oal.dll
2007-04-27 18:32:43 86,016 ------w C:\WINDOWS\system32\OpenAL32.dll
2007-04-27 18:32:32 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Creative
2007-04-23 03:16:54 4,357,632 ------w C:\WINDOWS\system32\logonuiX.exe
2007-04-23 03:15:04 -------- d-----w C:\Program Files\WinCustomize
2007-04-20 05:26:30 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-20 05:26:27 -------- d-----w C:\Program Files\Yahoo!
2007-04-19 13:42:10 -------- d-----w C:\Program Files\TweakNow RegCleaner Pro
2007-04-19 13:41:45 -------- d-----w C:\Program Files\TweakNow RegCleaner Std
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 18:28:36 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2007-04-15 05:29:31 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\PC Tools
2007-03-17 13:43:01 292,864 ------w C:\WINDOWS\system32\winsrv.dll
2007-03-09 16:26:56 164 ----a-w C:\install.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{724d43a9-0d85-11d4-9908-00400523e39a}=C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2007-05-28 23:25]
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}=C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 13:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudigySpeaker"="E:\Winxp\Audio\Audigy2\Update\Project1.exe" []
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-02-20 18:18]
"Drag'n'Drop_Autolaunch"="C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe" [2004-08-10 13:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-02 19:46]
"Spy Protector"="C:\Program Files\Security Task Manager\SpyProtector.exe" [2007-03-05 16:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Second Copy"="C:\Program Files\SecCopy\SecCopy.exe" [2007-03-20 13:45]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2006-04-19 09:30]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-28 23:25]
"Uniblue Registry Booster2"="C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe" []
"EPSON Stylus CX4800 Series (Copy 2)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-02 04:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"1A:Stardock TrayMonitor"=

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"SetDefaultMIDI"=MIDIDef.exe
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=99 (0x63)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MUPS.lnk]
path=
backup=C:\WINDOWS\pss\MUPS.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Infotriever.lnk]
backup=C:\WINDOWS\pss\Infotriever.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^VirtualExpander.lnk]
backup=C:\WINDOWS\pss\VirtualExpander.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0296481154211413mcinstcleanup]
C:\WINDOWS\TEMP\029648~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1A:Stardock TrayMonitor]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atomic Clock 7.0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n'Drop_Autolaunch]
"C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBkLogOnHook]
"C:\Program Files\McAfee\MBK\LogOnHook.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MskAgentexe]
"C:\Program Files\McAfee\MSK\MskAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Multi-function Keyboard]
GWHotKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
"C:\Program Files\Picasa2\PicasaMediaDetector.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
"C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Second Copy]
"C:\Program Files\SecCopy\SecCopy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]
C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPSentry_Smart"=2 (0x2)
"PrismXL"=2 (0x2)
"gusvc"=3 (0x3)
"MSK80Service"=2 (0x2)
"OutpostFirewall"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-11 15:36:25 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-09 18:50:00 C:\WINDOWS\tasks\User_Feed_Synchronization-{6F3A31FE-A005-4183-BB03-5A42335938C5}.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 11:49:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\OP_CACHE.ATR
C:\WINDOWS\OP_CACHE.IDX
C:\WINDOWS\system32\OP_CACHE.ATR
C:\WINDOWS\system32\OP_CACHE.IDX
C:\WINDOWS\system32\drivers\OP_CACHE.ATR
C:\WINDOWS\system32\drivers\OP_CACHE.IDX

scan completed successfully
hidden files: 6

**************************************************************************

Completion time: 2007-06-09 11:52:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-09 11:52

--- E O F ---

I will see if this works.

Jerry Heyman
geraldheyman
Regular Member
 
Posts: 21
Joined: June 4th, 2007, 1:07 am
Location: Phoenix, AZ

Unread postby Katana » June 9th, 2007, 6:04 pm

Hi geraldheyman,

Please can you post the full ComboFix log

C:/ComboFix.txt

Also Please can you re-run AVG Anti-rootkit
Please do NOT use the computer whilst it is running

Please post both logs in your next reply.
If you have to split the reply over several posts then please do so
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby geraldheyman » June 10th, 2007, 10:42 am

Katana, here is the Combo post again:

"Owner" - 2007-06-09 11:40:15 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Owner\Desktop\"


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-09 07:38 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-04 22:46 65,536 --a------ C:\WINDOWS\system32\E_S00RP1.EXE
2007-06-04 22:46 122,880 --a------ C:\WINDOWS\system32\SAgent4.exe
2007-06-04 19:13 <DIR> d-------- C:\Program Files\Security Task Manager
2007-05-31 22:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-05-31 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSScanAppDataDir
2007-05-28 14:27 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\CyberScrub
2007-05-27 15:18 <DIR> d-------- C:\WINDOWS\system32\Filt
2007-05-27 15:17 798,366 --a------ C:\WINDOWS\system32\drivers\VBEngNT.sys
2007-05-27 15:17 379,080 --a------ C:\WINDOWS\system32\drivers\SandBox.sys
2007-05-27 15:17 <DIR> d-------- C:\Program Files\Agnitum
2007-05-23 17:42 <DIR> d-------- C:\!KillBox
2007-05-23 10:11 4,096 --a------ C:\WINDOWS\system32\ps.exe
2007-05-14 08:09 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\System Tweaker
2007-05-10 19:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-09 17:00 <DIR> d-------- C:\Program Files\Uniblue
2007-05-09 17:00 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Uniblue
2007-05-09 08:24 482,304 --------- C:\WINDOWS\system32\drivers\dnbudf.sys
2007-05-09 08:10 <DIR> d-------- C:\Program Files\Iomega HotBurn Pro


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 03:26:41 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-06-03 03:26:41 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeAUM
2007-06-01 08:28:01 -------- d-----w C:\Program Files\VideoProfessor
2007-06-01 08:21:48 -------- d-----w C:\Program Files\QuickTime(2)
2007-06-01 08:18:18 -------- d-----w C:\Program Files\KeyScrambler
2007-06-01 08:16:15 -------- d-----w C:\Program Files\iPod
2007-05-28 21:58:16 -------- d-----w C:\Program Files\SBOutlook
2007-05-28 21:58:15 -------- d-----w C:\Program Files\RootkitRevealer
2007-05-28 21:57:36 -------- d-----w C:\Program Files\Online Services
2007-05-28 21:57:35 -------- d-----w C:\Program Files\OfficeUpdate11
2007-05-28 21:57:23 -------- d-----w C:\Program Files\Microsoft Works
2007-05-28 21:54:20 -------- d-----w C:\Program Files\Microsoft Money
2007-05-28 21:54:16 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-05-28 21:51:29 -------- d-----w C:\Program Files\Common Files\Stardock
2007-05-28 21:51:28 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-28 21:51:22 -------- d-----w C:\Program Files\Common Files\Palo Alto Software
2007-05-28 21:49:51 -------- d-----w C:\Program Files\Apple Software Update
2007-05-28 21:26:25 -------- d-----w C:\Program Files\ItsDeductible2006
2007-05-28 21:24:41 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Weather Channel Platinum
2007-05-28 20:52:17 -------- d-----w C:\Program Files\Avery Wizard
2007-05-28 20:30:26 -------- d-----w C:\Program Files\Identity Theft Protector
2007-05-28 18:27:23 -------- d-----w C:\Program Files\Windows NT
2007-05-28 18:27:19 -------- d-----w C:\Program Files\DesignPro
2007-05-28 18:27:03 -------- d-----w C:\Program Files\Spyware Doctor
2007-05-28 18:27:01 -------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2007-05-28 18:26:59 -------- d-----w C:\Program Files\Movie Maker
2007-05-28 18:26:45 -------- d-----w C:\Program Files\SecCopy
2007-05-28 18:26:44 -------- d-----w C:\Program Files\QuickTime
2007-05-28 18:26:44 -------- d-----w C:\Program Files\Picasa2
2007-05-28 16:39:41 -------- d-----w C:\Program Files\Quicken
2007-05-28 16:34:21 -------- d-----w C:\Program Files\Axaware
2007-05-28 16:33:19 -------- d-----w C:\Program Files\Belkin Bulldog Plus
2007-05-28 16:33:04 -------- d-----w C:\Program Files\CyberScrub Privacy Suite
2007-05-28 16:33:04 -------- d-----w C:\Program Files\American Landscapes
2007-05-28 16:32:52 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-28 16:24:18 -------- d-----w C:\Program Files\Messenger
2007-05-28 16:23:30 -------- d-----w C:\Program Files\iTunes
2007-05-27 22:19:06 -------- d-----w C:\Program Files\Common Files\Agnitum Shared
2007-05-25 03:08:58 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\McAfee
2007-05-17 04:18:08 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Safe Folder
2007-05-11 02:47:05 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-09 15:24:59 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-07 20:40:21 -------- d-----w C:\Program Files\epson
2007-05-06 21:17:54 -------- d-----w C:\Program Files\Stardock
2007-05-06 18:21:03 -------- d-----w C:\Program Files\MSBuild
2007-05-06 18:15:35 -------- d-----w C:\Program Files\Reference Assemblies
2007-05-05 17:50:09 -------- d-----w C:\Program Files\Google
2007-05-05 05:24:23 -------- d-----w C:\Program Files\BinarySense
2007-05-04 18:17:15 -------- d-----w C:\Program Files\Intel
2007-05-04 17:14:27 -------- d-----w C:\Program Files\Smart PC Solutions
2007-05-04 17:14:27 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Smart PC Solutions
2007-05-04 15:09:40 -------- d-----w C:\Program Files\MSXML 6.0
2007-05-01 03:16:09 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Talkback
2007-04-30 19:05:07 -------- d-----w C:\Program Files\Siber Systems
2007-04-27 18:35:42 -------- d-----w C:\Program Files\Creative
2007-04-27 18:32:44 409,600 ------w C:\WINDOWS\system32\wrap_oal.dll
2007-04-27 18:32:43 86,016 ------w C:\WINDOWS\system32\OpenAL32.dll
2007-04-27 18:32:32 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Creative
2007-04-23 03:16:54 4,357,632 ------w C:\WINDOWS\system32\logonuiX.exe
2007-04-23 03:15:04 -------- d-----w C:\Program Files\WinCustomize
2007-04-20 05:26:30 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-20 05:26:27 -------- d-----w C:\Program Files\Yahoo!
2007-04-19 13:42:10 -------- d-----w C:\Program Files\TweakNow RegCleaner Pro
2007-04-19 13:41:45 -------- d-----w C:\Program Files\TweakNow RegCleaner Std
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 18:28:36 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2007-04-15 05:29:31 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\PC Tools
2007-03-17 13:43:01 292,864 ------w C:\WINDOWS\system32\winsrv.dll
2007-03-09 16:26:56 164 ----a-w C:\install.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{724d43a9-0d85-11d4-9908-00400523e39a}=C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2007-05-28 23:25]
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}=C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 13:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudigySpeaker"="E:\Winxp\Audio\Audigy2\Update\Project1.exe" []
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-02-20 18:18]
"Drag'n'Drop_Autolaunch"="C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe" [2004-08-10 13:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-02 19:46]
"Spy Protector"="C:\Program Files\Security Task Manager\SpyProtector.exe" [2007-03-05 16:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Second Copy"="C:\Program Files\SecCopy\SecCopy.exe" [2007-03-20 13:45]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2006-04-19 09:30]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-28 23:25]
"Uniblue Registry Booster2"="C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe" []
"EPSON Stylus CX4800 Series (Copy 2)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-02 04:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"1A:Stardock TrayMonitor"=

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"SetDefaultMIDI"=MIDIDef.exe
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=99 (0x63)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MUPS.lnk]
path=
backup=C:\WINDOWS\pss\MUPS.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Infotriever.lnk]
backup=C:\WINDOWS\pss\Infotriever.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^VirtualExpander.lnk]
backup=C:\WINDOWS\pss\VirtualExpander.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0296481154211413mcinstcleanup]
C:\WINDOWS\TEMP\029648~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1A:Stardock TrayMonitor]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atomic Clock 7.0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n'Drop_Autolaunch]
"C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBkLogOnHook]
"C:\Program Files\McAfee\MBK\LogOnHook.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MskAgentexe]
"C:\Program Files\McAfee\MSK\MskAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Multi-function Keyboard]
GWHotKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
"C:\Program Files\Picasa2\PicasaMediaDetector.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
"C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Second Copy]
"C:\Program Files\SecCopy\SecCopy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]
C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPSentry_Smart"=2 (0x2)
"PrismXL"=2 (0x2)
"gusvc"=3 (0x3)
"MSK80Service"=2 (0x2)
"OutpostFirewall"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-11 15:36:25 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-09 18:50:00 C:\WINDOWS\tasks\User_Feed_Synchronization-{6F3A31FE-A005-4183-BB03-5A42335938C5}.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 11:49:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\OP_CACHE.ATR
C:\WINDOWS\OP_CACHE.IDX
C:\WINDOWS\system32\OP_CACHE.ATR
C:\WINDOWS\system32\OP_CACHE.IDX
C:\WINDOWS\system32\drivers\OP_CACHE.ATR
C:\WINDOWS\system32\drivers\OP_CACHE.IDX

scan completed successfully
hidden files: 6

**************************************************************************

Completion time: 2007-06-09 11:52:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-09 11:52

--- E O F ---

The results from AVGrootkit contained a ton of files with the following file names:

OP_CACHE.ATR
OP_CACHE.IDX

The directories changed. The files were hidden.

I did not use the computer during the last run of AVGrootkit. I will rerun AVGrootkit. If the file is as big as the first one what do you want me to do?

Jerry Heyman
geraldheyman
Regular Member
 
Posts: 21
Joined: June 4th, 2007, 1:07 am
Location: Phoenix, AZ

Unread postby Katana » June 10th, 2007, 3:24 pm

Hi Jerry,

The ComboFix log appears to be clean.
If all the files in the AVG scan are
OP_CACHE.ATR
OP_CACHE.IDX

then there is nothing to worry about; they are from Agnitum and are perfectly safe.

From the Agnitum website
Q.: After installing Outpost Security Suite, I detected a number of hidden files on my hard disk.
A.: Don’t worry, we’re not planting rootkits on your PC! During the initial scan, Outpost Security Suite creates two auxiliary index files (OP_CACHE.ATR and OP_CACHE.IDX) which are hidden in every folder. The program uses these files to cache antivirus and spyware scan statuses for all the files and folders in that directory. This approach increases overall scanning speed dramatically, as unchanged files don’t need to be scanned again. If a file changes, or the malware signature database is updated, the cache is reset and the files will be rescanned next time.

These files can be read, but are not visible in the common folder listing. Some programs - anti-rootkit tools, for example - can view these files and sometimes detect them as malicious, as rootkits use the same technique to hide data. However, these hidden Outpost files are quite harmless. The hidden cache approach is a mandatory setting in the beta versions of the product, but will be optional in the final shipping product. Note, however, that scan times will increase if the cache is turned off.


FindAWF
Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it.
When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.



Kaspersky Online Scanner.

Go Here http://www.kaspersky.com/virusscanner

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


Logs to Post in Reply
Please post the following logs in your reply
  • awf.txt
  • kaspersky log
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
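
The triage Katana applies above (every hidden file is OP_CACHE.ATR or OP_CACHE.IDX, so there is nothing to act on), written out as an added example that is not part of this thread and not code from catchme, ComboFix, AVG or Agnitum: it parses the catchme "scanning hidden files" section, treats only the two Outpost cache basenames as known-benign, and refuses to call a log clean when the number of posted paths does not match the tool's own "hidden files: N" total. The sample sections, the placeholder name EXAMPLE_UNEXPLAINED.SYS and all function names are constructed for this example.

```python
"""Triage the 'scanning hidden files' section of a catchme log.

Added example for this thread; not part of the forum post and not code
from catchme, ComboFix, Agnitum or AVG. Assumptions: the section looks
as posted above (a "scanning hidden files ..." line, one absolute path
per line, a "hidden files: N" total), and the only basenames treated as
known-benign are the Outpost cache files named in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Basenames the thread identifies as Agnitum Outpost scan-cache files.
# Matched on basename only: Outpost drops one pair in every folder it scans.
KNOWN_BENIGN = {"OP_CACHE.ATR", "OP_CACHE.IDX"}

SECTION_START = "scanning hidden files ..."
COUNT_LINE = re.compile(r"^hidden files:\s*(\d+)$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\.+$")   # absolute Windows path


@dataclass
class Triage:
    reported_count: Optional[int] = None        # the tool's own "hidden files: N"
    benign: List[str] = field(default_factory=list)
    review: List[str] = field(default_factory=list)
    by_name: Counter = field(default_factory=Counter)

    @property
    def listed_count(self) -> int:
        return len(self.benign) + len(self.review)

    @property
    def count_consistent(self) -> bool:
        """False when the paste was cut short or the total line is missing."""
        return self.reported_count == self.listed_count


def hidden_file_paths(log_text: str):
    """Return (paths, reported_count) from the hidden-files section."""
    paths: List[str] = []
    reported: Optional[int] = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == SECTION_START
            continue
        m = COUNT_LINE.match(line)
        if m:
            reported = int(m.group(1))
            break                      # the total line closes the section
        if PATH_LINE.match(line):
            paths.append(line)         # blank and status lines are ignored
    return paths, reported


def triage_hidden_files(log_text: str) -> Triage:
    """Split every hidden path into known-benign cache files and the rest."""
    paths, reported = hidden_file_paths(log_text)
    t = Triage(reported_count=reported)
    for p in paths:
        name = p.rsplit("\\", 1)[-1].upper()   # NTFS names are case-insensitive
        t.by_name[name] += 1
        (t.benign if name in KNOWN_BENIGN else t.review).append(p)
    return t


def verdict(t: Triage) -> str:
    """TRUNCATED beats REVIEW beats CLEAN: never call a partial log clean."""
    if not t.count_consistent:
        return "TRUNCATED"
    return "REVIEW" if t.review else "CLEAN"


def make_section(paths: List[str], reported: int) -> str:
    """Build a constructed catchme-style section (fixture, not real output)."""
    body = "\n".join(paths)
    return f"{SECTION_START}\n\n{body}\n\nscan completed successfully\nhidden files: {reported}\n"


# The six paths below are the ones posted in the thread; the last sample adds
# a constructed placeholder name to exercise the review branch.
OUTPOST_PATHS = [
    r"C:\WINDOWS\OP_CACHE.ATR", r"C:\WINDOWS\OP_CACHE.IDX",
    r"C:\WINDOWS\system32\OP_CACHE.ATR", r"C:\WINDOWS\system32\OP_CACHE.IDX",
    r"C:\WINDOWS\system32\drivers\OP_CACHE.ATR",
    r"C:\WINDOWS\system32\drivers\OP_CACHE.IDX",
]
PLACEHOLDER = r"C:\WINDOWS\system32\drivers\EXAMPLE_UNEXPLAINED.SYS"   # constructed
SAMPLE_CLEAN = make_section(OUTPOST_PATHS, 6)
SAMPLE_TRUNCATED = make_section(OUTPOST_PATHS[:4], 6)   # paste cut after 4 lines
SAMPLE_REVIEW = make_section(OUTPOST_PATHS + [PLACEHOLDER], 7)

if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_CLEAN), ("truncated", SAMPLE_TRUNCATED), ("review", SAMPLE_REVIEW)):
        t = triage_hidden_files(text)
        print(label, verdict(t), t.listed_count, t.reported_count, t.review)
```

Run against the section actually posted in this thread, the six paths all land in `benign` and the count matches, which is the "nothing to worry about" outcome; a partial paste or any non-cache basename changes the verdict.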

Unread postby geraldheyman » June 10th, 2007, 11:02 pm

Here is the awf.txt file:


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

Here is the kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 10, 2007 7:26:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 11/06/2007
Kaspersky Anti-Virus database records: 342097
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 448201
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 03:19:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007061020070611\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\JET138A.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF492.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFD23.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFD2F.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFDFF9.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE834.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~WRD0000.doc Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\My Documents\Hi Jerry 06_10_07.doc Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Agnitum\Outpost Firewall\log\errors.log Object is locked skipped
C:\Program Files\Agnitum\Outpost Firewall\log\system.log Object is locked skipped
C:\Program Files\Agnitum\Outpost Firewall\op_data.ldb Object is locked skipped
C:\Program Files\Agnitum\Outpost Firewall\op_data.mdb Object is locked skipped
C:\System Volume Information\_restore{9054D061-83C4-4026-94E3-1A4F8F8C99C2}\RP54\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9B51030E-221C-4738-AF49-111E46B8A36E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\prc.acl Object is locked skipped
C:\WINDOWS\system32\config\prcdrv.acl Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\SandBox.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Interesting, since I have no H:\ drive.

Also, my Agnitum Outpost Security Suite has ceased to boot when windows restarts. I have had to add it to C:\Documents and Settings\Owner\Start Menu\Programs\Startup folder. I did not want to reinstall it until we are through. I can remove it from this folder if need be for testing.

I also noticed that Agnitum Outpost Security Suite has ceased to update the virus database. I have reported this to Agnitum.

Also yesterday I put the system into hibernation and when I tried to power it back on today, the screen said resuming windows (I use hibernation to prevent problems from powering down and then rebooting). Anyway today it would not come up. Neither would holding down the power button for 10 seconds have any effect. I had to unplug the machine and hold the power button down for over a minute before it would restart.

By the way, Kaspersky's scan skipped some files; how do I know that the contents of those files are valid?

What will be will be, perhaps, as the French say.

Jerry Heyman
geraldheyman
Regular Member
 
Posts: 21
Joined: June 4th, 2007, 1:07 am
Location: Phoenix, AZ

Unread postby Katana » June 11th, 2007, 12:59 pm

Hi Jerry,

Congratulations :D your logs are clean,

By the way, Kaspersky's scan skipped some files; how do I know that the contents of those files are valid?

Some files are always locked, we check the files and paths so there is nothing to worry about.
I think it is very unlikely that you have a keylogger or that anyone has remote access to your PC.

You can delete ComboFix and FindAWF

Also yesterday I put the system into hibernation and when I tried to power it back on today, the screen said resuming windows (I use hibernation to prevent problems from powering down and then rebooting). Anyway today it would not come up. Neither would holding down the power button for 10 seconds have any effect. I had to unplug the machine and hold the power button down for over a minute before it would restart.


It is possible that you have hardware problems; http://www.bleepingcomputer.com has forums that may help you with this.

Also, my Agnitum Outpost Security Suite has ceased to boot when windows restarts. I have had to add it to C:\Documents and Settings\Owner\Start Menu\Programs\Startup folder. I did not want to reinstall it until we are through. I can remove it from this folder if need be for testing.

I also noticed that Agnitum Outpost Security Suite has ceased to update the virus database. I have reported this to Agnitum.

A reinstall will more than likely solve the problems.

If you would like some tips on how to stay safe please read this article

So How Did I Get Infected In The First Place

If you can see a program in the must have section that you have never seen or used then get it!

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

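The "we check the files and paths" step above, as an added example that is not part of the thread and not Kaspersky's or the forum's own tooling: a small Python triage of the "Object is locked skipped" lines. The sample report and the allowlist of locations Windows XP keeps open while running are constructed assumptions for the example.

```python
import re

# Constructed sample in the line format the Kaspersky report above uses;
# the paths are typical, not copied from a real scan.
SAMPLE_REPORT = """\
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\WINDOWS\\system32\\config\\software.LOG Object is locked skipped
C:\\Documents and Settings\\Owner\\Local Settings\\History\\History.IE5\\index.dat Object is locked skipped
C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP54\\change.log Object is locked skipped
C:\\WINDOWS\\system32\\drivers\\SandBox.sys Object is locked skipped
C:\\Program Files\\Agnitum\\Outpost Firewall\\op_data.mdb Object is locked skipped
Scan process completed.
"""

LOCKED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) Object is locked skipped$")

# Assumed allowlist: locations the running OS itself holds open, so a
# "locked" result there is expected and needs no follow-up.
EXPECTED_LOCKED = [
    (r"\\windows\\system32\\config\\", "registry hive or event log"),
    (r"\\index\.dat$", "IE history/cache index"),
    (r"\\system volume information\\", "System Restore data"),
    (r"\\local settings\\temp\\", "temp file of a running program"),
    (r"\\ntuser\.dat(\.log)?$", "user registry hive"),
    (r"\\usrclass\.dat(\.log)?$", "user registry hive"),
]


def parse_skipped(report: str) -> list[str]:
    """Return the path of every object the scanner skipped because it was locked."""
    return [m.group("path") for line in report.splitlines() if (m := LOCKED_RE.match(line))]


def triage(paths):
    """Split skipped paths into expected system locks and those worth a manual look."""
    expected, review = [], []
    for p in paths:
        low = p.lower()
        reason = next((why for pat, why in EXPECTED_LOCKED if re.search(pat, low)), None)
        if reason:
            expected.append((p, reason))
        elif low.endswith(".sys") or "\\drivers\\" in low:
            # A locked kernel driver is legitimate for AV/firewall products, but its
            # vendor and signature should be confirmed before it is dismissed.
            review.append((p, "locked kernel driver: confirm vendor and signature"))
        else:
            review.append((p, "locked by a third-party program: confirm which one"))
    return expected, review


if __name__ == "__main__":
    exp, rev = triage(parse_skipped(SAMPLE_REPORT))
    for path, why in exp + rev:
        print(f"{why:50s} {path}")
```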
Unread postby geraldheyman » June 11th, 2007, 5:15 pm

Katana,

I decided to move on. I removed Outpost Security Suite (OSS) and in doing so I noticed as part of the cleanup process that I could suddenly see on my desktop two OP*.* files. Then a little while later I saw the files disappear. I surmised that cleanup was deleting these files. In fact since my disk was very busy that was happening for all of my folders. I then let the process continue.

Next I installed OSS without the creation of the OP*.* files. Then I reran AVGRootkit. The results are as follows:

c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\OP_CACHE.ATR,Hidden File
c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\OP_CACHE.IDX,Hidden File
c:\WINDOWS\Prefetch\OP_CACHE.ATR,Hidden File
c:\WINDOWS\Prefetch\OP_CACHE.IDX,Hidden File

Now, I don't know if these files are real root kits or just a mistake in OSS, but I removed them anyway. Have a good day.

Jerry Heyman :D
geraldheyman
Regular Member
 
Posts: 21
Joined: June 4th, 2007, 1:07 am
Location: Phoenix, AZ

Unread postby Katana » June 12th, 2007, 11:51 am

Hi Jerry,

Outpost will have created
OP_CACHE.ATR
OP_CACHE.IDX

one of each will have been in each folder on your hard drive
From the Agnitum website
Q.: After installing Outpost Security Suite, I detected a number of hidden files on my hard disk.
A.: Don’t worry, we’re not planting rootkits on your PC! During the initial scan, Outpost Security Suite creates two auxiliary index files (OP_CACHE.ATR and OP_CACHE.IDX) which are hidden in every folder. The program uses these files to cache antivirus and spyware scan statuses for all the files and folders in that directory. This approach increases overall scanning speed dramatically, as unchanged files don’t need to be scanned again. If a file changes, or the malware signature database is updated, the cache is reset and the files will be rescanned next time.

These files can be read, but are not visible in the common folder listing. Some programs - anti-rootkit tools, for example - can view these files and sometimes detect them as malicious, as rootkits use the same technique to hide data. However, these hidden Outpost files are quite harmless. The hidden cache approach is a mandatory setting in the beta versions of the product, but will be optional in the final shipping product. Note, however, that scan times will increase if the cache is turned off.

Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby geraldheyman » June 12th, 2007, 1:01 pm

Well, my virus checking system in OSS found a trojan today, BZUB. It was immediately removed. I just wanted to update you. I do scans now every half day.

Jerry Heyman
geraldheyman
Regular Member
 
Posts: 21
Joined: June 4th, 2007, 1:07 am
Location: Phoenix, AZ