Welcome to MalwareRemoval.com

Problems with a Genetik trojan

Post by Kpax » August 1st, 2008, 4:29 am

Hello to anyone heeding my call!

Lately my antivirus program has been going crazy about a Genetik Trojan. It reports that .exe files in the temp folders are infected and that they've been moved to quarantine.

All of these are very similar: some "good" program creating a .exe file with some generic random name.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Time Module Object Name Threat Action User Information
2008-08-01 09:26:29 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\026G17gB.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-08-01 01:05:57 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\i6gc0NYi.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\WINDOWS\system32\ctfmon.exe. The file was moved to quarantine. You may close this window.
2008-07-31 23:00:53 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\Myj7bl1W.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\WINDOWS\system32\ctfmon.exe. The file was moved to quarantine. You may close this window.
2008-07-31 20:58:27 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\CbeFwjqk.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\WINDOWS\system32\ctfmon.exe. The file was moved to quarantine. You may close this window.
2008-07-31 18:50:42 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\2347BTJ8.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\WINDOWS\system32\ctfmon.exe. The file was moved to quarantine. You may close this window.
2008-07-31 13:36:18 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\NBNORJnc.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\MSN Messenger\MsnMsgr.Exe. The file was moved to quarantine. You may close this window.
2008-07-31 11:29:51 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\uJd7dBoU.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Logitech\SetPoint\SetPoint.exe. The file was moved to quarantine. You may close this window.
2008-07-31 03:06:53 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\162E3DAS.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Rainlendar2\Rainlendar2.exe. The file was moved to quarantine. You may close this window.
2008-07-31 01:29:36 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\U00BuK44.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Rainlendar2\Rainlendar2.exe. The file was moved to quarantine. You may close this window.
2008-07-31 01:29:35 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\07K5tE4i.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Rainlendar2\Rainlendar2.exe. The file was moved to quarantine. You may close this window.
2008-07-30 22:15:57 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\55vdrxRH.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Rainlendar2\Rainlendar2.exe. The file was moved to quarantine. You may close this window.
2008-07-30 22:15:56 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\2fhMpQm3.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\MSN Messenger\MsnMsgr.Exe. The file was moved to quarantine. You may close this window.
2008-07-30 16:31:20 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\B8ccjE02.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\WINDOWS\system32\wscntfy.exe. The file was moved to quarantine. You may close this window.
2008-07-30 14:39:44 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\77AyTuG2.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\WINDOWS\system32\wuauclt.exe. The file was moved to quarantine. You may close this window.
2008-07-30 14:39:42 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\61mtrxDY.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\MSN Messenger\MsnMsgr.Exe. The file was moved to quarantine. You may close this window.
2008-07-30 05:55:55 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\62K2647r.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
2008-07-30 05:55:53 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\Yiu0o7L0.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
2008-07-30 01:19:04 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\QhOx41mQ.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
2008-07-29 23:18:45 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\3803IL71.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-29 21:18:49 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\2HFU11XB.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
2008-07-29 19:19:32 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\8dSY0sku.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\WINDOWS\system32\wscntfy.exe. The file was moved to quarantine. You may close this window.
2008-07-29 17:12:45 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\22BFu0Ap.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-29 15:22:46 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\xlqnBb1X.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-29 14:24:02 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\NDk4Y3S8.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\IEXPLORE.EXE. The file was moved to quarantine. You may close this window.
2008-07-29 14:24:00 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\0O1MBEEw.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\IEXPLORE.EXE. The file was moved to quarantine. You may close this window.
2008-07-29 02:21:27 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\7534ewy0.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-29 00:34:14 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\Je5qtC11.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Rainlendar2\Rainlendar2.exe. The file was moved to quarantine. You may close this window.
2008-07-28 22:16:13 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\08FUXl53.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-28 20:48:53 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\UaXonQ4n.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-28 20:48:48 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\QmieoBH0.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-28 16:15:51 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\4E0fU0pa.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-28 14:34:16 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\iO6LmCCJ.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
2008-07-28 14:34:15 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\dw3ypGD4.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\MSN Messenger\MsnMsgr.Exe. The file was moved to quarantine. You may close this window.
2008-07-27 22:53:44 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\UU86l0y2.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\WINDOWS\etMon.exe. The file was moved to quarantine. You may close this window.
2008-07-25 14:28:30 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\h6rd5gxN.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Eset\nod32kui.exe. The file was moved to quarantine. You may close this window.
2008-07-20 04:19:27 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\01R3sC4h.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\MSN Messenger\MsnMsgr.Exe. The file was moved to quarantine. You may close this window.
2008-07-20 02:34:36 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\LHo83sNa.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-20 01:37:53 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\mC3ITTX6.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-20 01:37:51 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\PI2fE28S.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\MSN Messenger\MsnMsgr.Exe. The file was moved to quarantine. You may close this window.
2008-07-19 06:17:25 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\ab8711jX.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
2008-07-19 04:18:15 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\Xmu4f873.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-19 02:12:05 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\3tu8ijvI.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-19 01:34:05 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\Li7y8848.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\WINDOWS\system32\wscntfy.exe. The file was moved to quarantine. You may close this window.
2008-07-18 23:27:54 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\RHXtT13O.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-18 22:10:32 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\E68nIVsT.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-18 22:10:21 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\q5sa6n27.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
2008-07-18 22:10:15 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\KIrm671c.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
2008-07-18 15:17:36 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\iAYE0u7s.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\MSN Messenger\MsnMsgr.Exe. The file was moved to quarantine. You may close this window.
2008-07-18 01:32:02 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\2GGH70EI.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\MSN Messenger\MsnMsgr.Exe. The file was moved to quarantine. You may close this window.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After a while a-squared also started noticing that some of those .exes were downloading "invisible" data and I could choose to block that.

Is this something serious, or am I just suffering from programs interfering with each other or themselves? :roll:

Thanks in advance
/Kristian




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:56, on 2008-08-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\hajit.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 3997 bytes


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kpax
Regular Member
 
Posts: 16
Joined: January 30th, 2008, 12:52 am
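The question in the post above ("is this serious, or just programs interfering with each other?") can be answered from the log itself. The following is an added triage example, not code from the forum or from ESET: it parses the AMON lines quoted above, checks whether each quarantined file has a random-looking name, and groups the events by the process that wrote the file. One buggy program dropping files in Temp is noise; many unrelated programs (a browser, ctfmon, a messenger, a mouse driver) each writing identically shaped executables into Temp is the signature of code that has been injected into all of them. The name heuristic and the thresholds in `triage()` are assumptions chosen for this example, not an ESET rule.

```python
import re
from collections import Counter

# Constructed sample: seven of the NOD32 AMON lines quoted in the post above,
# chosen so that several different parent processes appear.
AMON_LINES = [
    r"2008-08-01 09:26:29 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\026G17gB.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.",
    r"2008-08-01 01:05:57 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\i6gc0NYi.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\WINDOWS\system32\ctfmon.exe. The file was moved to quarantine. You may close this window.",
    r"2008-07-31 13:36:18 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\NBNORJnc.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\MSN Messenger\MsnMsgr.Exe. The file was moved to quarantine. You may close this window.",
    r"2008-07-31 11:29:51 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\uJd7dBoU.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Logitech\SetPoint\SetPoint.exe. The file was moved to quarantine. You may close this window.",
    r"2008-07-30 05:55:55 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\62K2647r.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.",
    r"2008-07-29 19:19:32 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\8dSY0sku.exe probably a variant of Win32/Genetik trojan quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\WINDOWS\system32\wscntfy.exe. The file was moved to quarantine. You may close this window.",
    r"2008-07-20 02:34:36 AMON file C:\DOCUME~1\K\LOCALS~1\Temp\LHo83sNa.exe probably unknown NewHeur_PE virus quarantined - deleted KIRKEN\K Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.",
]

# Field layout of one AMON line as it appears in the post:
# <timestamp> <module> <object kind> <path> <threat> <action> <user> Event ... application: <parent>. The file ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<module>\w+) (?P<kind>\w+) "
    r"(?P<path>\S+) (?P<threat>.+?) (?P<action>quarantined - deleted) "
    r"(?P<user>\S+) Event occurred on a new file created by the application: "
    r"(?P<parent>.+?)\. The file was moved"
)

VOWELS = set("aeiou")


def looks_random(filename: str) -> bool:
    """Assumed heuristic: an 8-character alphanumeric stem that contains a digit
    or a run of four or more consonants (e.g. CbeFwjqk) is treated as generated.
    Ordinary 8-character names such as SetPoint do not trip it."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalnum():
        return False
    if any(c.isdigit() for c in stem):
        return True
    run = best = 0
    for c in stem.lower():
        run = run + 1 if c not in VOWELS else 0
        best = max(best, run)
    return best >= 4


def parse_events(lines):
    """Turn AMON lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        e["parent_exe"] = e["parent"].rsplit("\\", 1)[-1].lower()  # case differs between lines
        e["in_temp"] = "\\temp\\" in e["path"].lower()
        e["random_name"] = looks_random(e["name"])
        events.append(e)
    return events


def triage(events):
    """Count random-named Temp drops per parent process and give a verdict.
    Thresholds are assumptions for this example: two or more drops from three
    or more distinct parents is read as code running inside unrelated processes."""
    suspicious = [e for e in events if e["in_temp"] and e["random_name"]]
    parents = Counter(e["parent_exe"] for e in suspicious)
    if len(suspicious) >= 2 and len(parents) >= 3:
        verdict = "likely injected code"
    elif suspicious:
        verdict = "single dropper, investigate the parent"
    else:
        verdict = "no matching pattern"
    return {"events": len(events), "suspicious": len(suspicious),
            "parents": parents, "verdict": verdict}


if __name__ == "__main__":
    report = triage(parse_events(AMON_LINES))
    print(f"{report['suspicious']} of {report['events']} events: {report['verdict']}")
    for parent, n in report["parents"].most_common():
        print(f"  {n:2d}  {parent}")
```

Run over the seven sample lines it reports six distinct parents, including ctfmon.exe and wscntfy.exe, which have no business writing executables into Temp at all. The name check is only a triage aid (a legitimate name like nod32kui.exe would also satisfy it), so the parent diversity is the signal to act on; the same `looks_random()` check can be pointed at any file listing, such as the recently created files a system scanner reports.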

Re: Problems with a Genetik trojan

Post by Katana » August 4th, 2008, 7:54 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------



Deckard's System Scanner (DSS)

Please download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.




Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary and let the database download.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Problems with a Genetik trojan

Post by Kpax » August 4th, 2008, 9:39 am

Hello Katana, thanks for your reply!

At the moment the kettle is boiling although it will take some time until it is finished.

Meanwhile here's the DSS log:



Deckard's System Scanner v20071014.68
Run by K on 2008-08-04 15:38:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 22.71 GiB (less than 15%) free.


-- HijackThis (run as K.exe) ---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:38:24, on 2008-08-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\K\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\K.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 2993 bytes

-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-07-28 12:13:58 29184 --a------ C:\WINDOWS\system32\d2Rbq877.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-07-19 04:26:14 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-07-18 01:18:13 29760 --a------ C:\WINDOWS\system32\T0k4TBVP.exe
2008-07-12 10:03:31 0 d-------- C:\Documents and Settings\K\Application Data\Agency9
2008-07-11 16:29:21 0 d-------- C:\Program Files\Lionhead Studios


-- Find3M Report ---------------------------------------------------------------

2008-08-04 15:26:29 0 d-------- C:\Documents and Settings\K\Application Data\mIRC
2008-08-04 14:58:42 0 d-------- C:\Documents and Settings\K\Application Data\uTorrent
2008-08-04 12:46:53 0 d-------- C:\Program Files\mIRC
2008-07-16 23:19:36 0 d-------- C:\Program Files\Warcraft III
2008-07-11 16:29:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-11 15:23:36 0 d-------- C:\Program Files\Common Files
2008-07-10 15:15:20 77393 --a------ C:\WINDOWS\War3Unin.dat
2008-06-28 21:27:18 0 d-------- C:\Documents and Settings\K\Application Data\Winamp
2008-06-27 12:54:26 0 d-------- C:\Documents and Settings\K\Application Data\Personal
2008-06-27 12:29:37 0 d-------- C:\Program Files\Nordea NCR1 Installationspaket
2008-06-27 12:29:36 0 d-------- C:\Program Files\Personal
2008-06-27 12:29:36 0 d-------- C:\Documents and Settings\K\Application Data\Netscape
2008-06-27 12:29:36 0 d-------- C:\Documents and Settings\K\Application Data\Mozilla
2008-06-12 20:32:35 0 d-------- C:\Program Files\MagicISO
2008-06-09 16:01:20 0 d-------- C:\Program Files\OpenTTD
2008-06-06 04:51:50 0 d-------- C:\Documents and Settings\K\Application Data\Dev-Cpp
2008-06-06 04:50:08 0 d-------- C:\Documents and Settings\K\Application Data\GetRightToGo


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16:49 C:\WINDOWS\RTHDCPL.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-21 22:40]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 07:28]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-04-09 15:49]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 03:17 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 16:16]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 12:23]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-27 21:34:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2008-01-09 13:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=C:\WINDOWS\pss\Monitor Apache Servers.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^K^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\K\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
C:\WINDOWS\system32\xRaidSetup.exe boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\etMonitor]
C:\WINDOWS\etMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
C:\WINDOWS\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LBTServ"=3 (0x3)
"Adobe LM Service"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-08-04 15:38:41 ------------
Kpax
Regular Member
 
Posts: 16
Joined: January 30th, 2008, 12:52 am

Re: Problems with a Genetik trojan

Unread postby Katana » August 4th, 2008, 11:33 am

To get the Extra log
  • Click Start > Run, type "%userprofile%\desktop\dss.exe" /config and click OK
  • This will bring up a pop up box.
    • Uncheck Main log.
    • Check Extra log
      • check the 5 boxes beneath it.
  • Hit the Scan button.
  • When the scan finishes, the Extra.txt file will be minimised in the Taskbar at the bottom of your screen.
  • Post it back here please.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Problems with a Genetik trojan

Unread postby Kpax » August 4th, 2008, 4:25 pm

Here's the extra (sorry, missed it the first time :oops: ):

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
CPU 1: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
Percentage of Memory in Use: 38%
Physical Memory (total/avail): 2047.04 MiB / 1262.86 MiB
Pagefile Memory (total/avail): 3940.45 MiB / 2789.49 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1987.22 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 465.75 GiB total, 22.61 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD5000AAKS-00TMA0 - 465.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 465.75 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Eset NOD32 antivirus system 2.51 v2.51 (Eset) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam Client"
"C:\\Program Files\\Steam\\SteamApps\\common\\Lost Planet Extreme Condition\\LostPlanetDx10.exe"="C:\\Program Files\\Steam\\SteamApps\\common\\Lost Planet Extreme Condition\\LostPlanetDx10.exe:*:Enabled:LostPlanetDX10"
"C:\\Program Files\\Steam\\SteamApps\\common\\Lost Planet Extreme Condition\\LostPlanetDx9.exe"="C:\\Program Files\\Steam\\SteamApps\\common\\Lost Planet Extreme Condition\\LostPlanetDx9.exe:*:Enabled:LostPlanetDX9"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Eidos\\Kane and Lynch Dead Men\\kaneandlynch.exe"="C:\\Program Files\\Eidos\\Kane and Lynch Dead Men\\kaneandlynch.exe:*:Enabled:Kane & Lynch: Dead Men"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"="C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe:*:Enabled:Assassin's Creed Dx9"
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"="C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe:*:Enabled:Assassin's Creed Dx10"
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"="C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe:*:Enabled:Assassin's Creed Update"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\K\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KIRKEN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\K
LOGONSERVER=\\KIRKEN
MIBDIRS=\mibs
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PHP\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\SSH Communications Security\SSH Secure Shell
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\K\LOCALS~1\Temp
TMP=C:\DOCUME~1\K\LOCALS~1\Temp
USERDOMAIN=KIRKEN
USERNAME=K
USERPROFILE=C:\Documents and Settings\K
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

K (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe After Effects 7.0 --> msiexec /I {DD362256-A7A2-4524-9457-213DDC2AFC2A}
Adobe Audition 2.0 --> msiexec /I {01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}
Adobe Bridge 1.0 --> MsiExec.exe /I{AE3D38A6-13B1-40B3-9423-D1FA9982FB6A}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Help Center 2.0 --> MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe InDesign CS2 --> msiexec /I{7F4C8163-F259-49A0-A018-2857A90578BC}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Premiere Pro 2.0 --> msiexec /I {FA17A726-B229-4116-B793-A2AB1A4EAE2E}
Adobe Reader 8.1.2 - Svenska --> MsiExec.exe /I{AC76BA86-7AD7-1053-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1437-443D-B06E-79A00FE45110}
AI Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{310BC5E2-31AF-49BB-904D-E71EB93645DC}\Setup.exe" -l0x9
Apache HTTP Server 2.2.8 --> MsiExec.exe /I{85262A06-2D8C-4BC1-B6ED-5A705D09CFFC}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Assassin's Creed --> C:\Program Files\InstallShield Installation Information\{8CFA9151-6404-409A-AF22-4632D04582FD}\setup.exe -runfromtemp -l0x0009 -removeonly
ASUSUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\Setup.exe" -l0x9
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Attansic Ethernet Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F698102-5739-441E-96F0-74F4EA540F06}\setup.exe" -l0x9 -removeonly
Attansic L1 Gigabit Ethernet Driver --> rundll32.exe C:\WINDOWS\system32\Attansic\L1\atcInst.dll,AtcUninst C:\WINDOWS\system32\Attansic\L1 x86 1969 1048 L1
BaboViolent 2.10 --> "C:\Program Files\RndLabs\BaboViolent 2\unins000.exe"
Battlefield 2(TM) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9 -removeonly
Black & White® 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D9E52CD1-9DF1-4A8A-9BDC-1E5E53982F2B}\setup.exe" -l0x9 -removeonly
Call of Duty(R) 4 - Modern Warfare(TM) --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
CDDRV_Installer --> MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Combined Community Codec Pack 2007-07-22 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
Dev-C++ 5 beta 9 release (4.9.9.2) --> "C:\Dev-Cpp\uninstall.exe"
DotA Client Build b1.8 (Final Beta) --> "C:\Program Files\DotA Gaming Network\unins000.exe"
Expekt Poker --> "C:\Poker\Expekt Poker\_SetupPoker.exe" /uninstall
Futuremark SystemInfo --> C:\Program Files\InstallShield Installation Information\{BEE64C14-BEF1-4610-8A68-A16EAA47B882}\setup.exe -runfromtemp -l0x0009 -removeonly
HeidiSQL 3.2 --> "C:\Program Files\HeidiSQL\unins000.exe"
Heroes of Might and Magic® III Complete --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\3DO\Heroes 3 Complete\Heroes of Might and Magic® III.isu" -c"C:\Program Files\Common Files\3DO Shared\3DOUnInst.dll
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hot CPU Tester Pro 4.4.1 --> "C:\Program Files\Hot CPU Tester Pro 4 LE\unins000.exe"
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
JMB36X Raid Configurer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\setup.exe" -l0x9 -removeonly
Kane and Lynch: Dead Men --> MsiExec.exe /X{A66C4716-7E10-4A53-8101-00C3C11D6A9C}
KhalInstallWrapper --> MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x001d -removeonly
Macromedia Dreamweaver MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Magic ISO Maker v5.5 (build 0261) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Marratech 6.1 --> MsiExec.exe /X{C2B6CF03-4336-4786-8DA0-3DB39AC00956}
Microsoft Games for Windows - LIVE Redistributable --> MsiExec.exe /X{D1B01DC9-CBAF-45F9-A387-7D00C11B630E}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Standard --> MsiExec.exe /I{0002041D-78E1-11D2-B60F-006097C998E7}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Web Embedding Fonts Tool (III) --> "C:\Program Files\OpenType Tools\WEFT\Setup\isetup.exe" /Uninstall
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MySQL Server 5.0 --> MsiExec.exe /I{608FFCC7-7237-47BB-ABD5-8341754A3BBA}
MySQL Tools for 5.0 --> MsiExec.exe /I{EC561602-C0B9-4FAA-A175-1B3273639AC3}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
Nordea NCR1 Installationspaket --> C:\Program Files\InstallShield Installation Information\{6411915E-FF96-4B7F-91FE-A3C864B3E317}\setup.exe -runfromtemp -l0x001d -removeonly
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Oblivion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
OpenAL --> "C:\Program Files\OpenAL\oalinst.exe" /U
OpenTTD 0.6.1 --> C:\Program Files\OpenTTD\uninstall.exe
PC Probe II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9
Personal 4.5.4 --> "C:\Program Files\Personal\bin\persinst.exe" -u
PHP 5.2.5 --> MsiExec.exe /I{00FA2C30-C2BB-45A2-B0C3-769541E8F6A2}
QuickTime --> MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}
Rainlendar2 (remove only) --> "C:\Program Files\Rainlendar2\uninst.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x1d -removeonly
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB934062) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SSH Secure Shell --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}\Setup.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Transport Tycoon Deluxe --> C:\WINDOWS\UniFISH.exe Transport Tycoon Deluxe
Update for Microsoft Office Outlook 2007 (KB952142) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb953463) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1B78D541-9FF1-4330-ADD8-CED14F0C1E8E}
USB Video Device Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2758691A-2CDE-4942-A4AC-0E8F61FE2067}\Setup.exe"
USB Video Device Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F3D5ECF7-7AE4-4B53-8A7E-1F850D6AE6B4}\Setup.exe"
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
WC3Banlist --> "C:\Program Files\WC3Banlist\unins000.exe"
VentriloMIX --> C:\Program Files\VentriloMIX\Uninstal.exe
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{2E55A582-4FFE-4FF2-8D4D-E7D275FF89BD}
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR --> C:\Program Files\WinRAR\uninstall.exe
vixy converter uninstall --> "C:\Program Files\vixy.net\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type5095 / Success
Event Submitted/Written: 08/04/2008 11:41:42 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5082 / Success
Event Submitted/Written: 08/03/2008 03:07:03 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5078 / Success
Event Submitted/Written: 08/01/2008 09:05:30 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5063 / Success
Event Submitted/Written: 07/31/2008 10:52:19 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5040 / Success
Event Submitted/Written: 07/30/2008 11:23:51 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4806 / Error
Event Submitted/Written: 08/04/2008 02:52:36 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type4805 / Warning
Event Submitted/Written: 08/04/2008 02:40:46 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type4804 / Warning
Event Submitted/Written: 08/04/2008 02:27:06 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type4803 / Error
Event Submitted/Written: 08/04/2008 01:27:13 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type4802 / Error
Event Submitted/Written: 08/04/2008 01:02:02 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}



-- End of Deckard's System Scanner: finished at 2008-08-04 22:18:22 ------------





I had the Kaspersky scan running while I went to work. Now that I'm back it's still running... That's 6 hours and 5% completed. It seems that some "linked" .rar archives are taking an especially long time to scan.

It had managed to scan through 17500ish files before slowing down though, and found 1 threat in 5 locations:
C:\Deckard\System Scanner\20080804153813\backup\DOCUME~1\K\LOCALS~1\Temp\026G17gB.exe Trojan-Downloader.Win32.BHO.pe (http://www.viruslist.com/en/find?search_mode=virus&words=Trojan-Downloader.Win32.BHO.pe) 1

C:\Deckard\System Scanner\20080804153813\backup\DOCUME~1\K\LOCALS~1\Temp\2347BTJ8.exe Trojan-Downloader.Win32.BHO.pe (http://www.viruslist.com/en/find?search_mode=virus&words=Trojan-Downloader.Win32.BHO.pe) 1

C:\Deckard\System Scanner\20080804153813\backup\DOCUME~1\K\LOCALS~1\Temp\CbeFwjqk.exe Trojan-Downloader.Win32.BHO.pe (http://www.viruslist.com/en/find?search_mode=virus&words=Trojan-Downloader.Win32.BHO.pe) 1

C:\Deckard\System Scanner\20080804153813\backup\DOCUME~1\K\LOCALS~1\Temp\gHI5uhU7.exe Trojan-Downloader.Win32.BHO.pe (http://www.viruslist.com/en/find?search_mode=virus&words=Trojan-Downloader.Win32.BHO.pe) 1

C:\Deckard\System Scanner\20080804153813\backup\DOCUME~1\K\LOCALS~1\Temp\Myj7bl1W.exe Trojan-Downloader.Win32.BHO.pe (http://www.viruslist.com/en/find?search_mode=virus&words=Trojan-Downloader.Win32.BHO.pe) 1
Kpax
Regular Member
 
Posts: 16
Joined: January 30th, 2008, 12:52 am

Re: Problems with a Genetik trojan

Unread postby Katana » August 4th, 2008, 5:08 pm

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Problems with a Genetik trojan

Unread postby Kpax » August 4th, 2008, 6:16 pm

Ok, I'm doing what you've asked for.

Since the "My Computer" scan would have taken forever, I did a "Critical areas" scan instead, and it resulted in this:

Tuesday, August 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 04, 2008 15:02:13
Records in database: 1053042
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\K\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics
Files scanned 64666
Threat name 9
Infected objects 10
Suspicious objects 0
Duration of the scan 01:02:07

File name Threat name Threats count
C:\Program Files\ESET\infected\DHMLP5BA.NQF Infected: Trojan-Downloader.Win32.Agent.yyy 1
C:\Program Files\ESET\infected\GL5O1JBA.NQF Infected: Trojan-Downloader.Win32.Agent.yxn 1
C:\Program Files\ESET\infected\QBCIHMAA.NQF Infected: Trojan-Downloader.Win32.Agent.wza 1
C:\Program Files\ESET\infected\SRSGMVAA.NQF Infected: Trojan-Downloader.Win32.Agent.vyy 1
C:\Program Files\ESET\infected\T4STFQAA.NQF Infected: Trojan.Win32.Monder.gen 1
C:\Program Files\Marratech\Marratech6.1\bin\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\Marratech\Marratech6.1\bin\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\WINDOWS\system32\d2Rbq877.dll Infected: Trojan-Downloader.Win32.BHO.pe 1
C:\WINDOWS\system32\T0k4TBVP.exe Infected: Trojan-Downloader.Win32.Firu.jr 1
The selected area was scanned.


I don't know whether it will help you or not..
Kpax
Regular Member
 
Posts: 16
Joined: January 30th, 2008, 12:52 am

Re: Problems with a Genetik trojan

Unread postby Kpax » August 4th, 2008, 9:50 pm

Ok, here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.24
Database version: 1025
Windows 5.1.2600 Service Pack 2

03:47:49 2008-08-05
mbam-log-8-5-2008 (03-47-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 177925
Time elapsed: 1 hour(s), 27 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Will run ComboFix first thing tomorrow morning..
Kpax
Regular Member
 
Posts: 16
Joined: January 30th, 2008, 12:52 am

Re: Problems with a Genetik trojan

Unread postby Kpax » August 5th, 2008, 8:24 am

The Combofix log:

ComboFix 08-08-04.01 - K 2008-08-05 14:13:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1596 [GMT 2:00]
Running from: C:\Documents and Settings\K\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\K\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\K\Application Data\macromedia\Flash Player\#SharedObjects\NUY25Z4K\interclick.com
C:\Documents and Settings\K\Application Data\macromedia\Flash Player\#SharedObjects\NUY25Z4K\interclick.com\ud.sol
C:\Documents and Settings\K\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\K\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\d2Rbq877.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 00:07 . 2008-08-05 00:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-05 00:07 . 2008-08-05 00:07 <DIR> d-------- C:\Documents and Settings\K\Application Data\Malwarebytes
2008-08-05 00:07 . 2008-08-05 00:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 00:07 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-05 00:07 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-04 15:00 . 2008-08-04 15:00 <DIR> d-------- C:\Deckard
2008-07-19 04:26 . 2008-08-03 18:01 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-07-18 01:18 . 2008-07-18 01:17 29,760 --a------ C:\WINDOWS\system32\T0k4TBVP.exe
2008-07-18 01:18 . 2008-07-18 01:18 0 --a------ C:\WINDOWS\system32\T0k4TBVP.exe.a_a
2008-07-12 10:03 . 2008-07-12 10:03 <DIR> d-------- C:\Documents and Settings\K\Application Data\Agency9
2008-07-11 16:29 . 2008-07-11 16:29 <DIR> d-------- C:\Program Files\Lionhead Studios

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 13:26 --------- d-----w C:\Documents and Settings\K\Application Data\mIRC
2008-08-04 12:58 --------- d-----w C:\Documents and Settings\K\Application Data\uTorrent
2008-08-04 10:46 --------- d-----w C:\Program Files\mIRC
2008-07-17 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-16 21:19 --------- d-----w C:\Program Files\Warcraft III
2008-07-11 14:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 19:27 --------- d-----w C:\Documents and Settings\K\Application Data\Winamp
2008-06-28 15:53 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-28 15:53 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-06-27 10:54 --------- d-----w C:\Documents and Settings\K\Application Data\Personal
2008-06-27 10:29 --------- d-----w C:\Program Files\Personal
2008-06-27 10:29 --------- d-----w C:\Program Files\Nordea NCR1 Installationspaket
2008-06-27 10:29 --------- d-----w C:\Documents and Settings\K\Application Data\Netscape
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 00:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 22:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 18:32 --------- d-----w C:\Program Files\MagicISO
2008-06-09 14:01 --------- d-----w C:\Program Files\OpenTTD
2008-06-06 02:51 --------- d-----w C:\Documents and Settings\K\Application Data\Dev-Cpp
2008-06-06 02:50 --------- d-----w C:\Documents and Settings\K\Application Data\GetRightToGo
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-02-01 22:48 30,431 ----a-w C:\Program Files\wc3minicd.zip
2007-12-02 17:34 22,328 ----a-w C:\Documents and Settings\K\Application Data\PnkBstrK.sys
2006-09-30 20:59 429,568 ----a-w C:\Program Files\Auto Refresher (normal version).exe
2006-06-23 22:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 16:16 171464]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:55 5674352]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 12:23 1365504]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-21 22:40 917504]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 07:28 36352]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-04-09 15:49 1423360]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 03:17 55824 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-27 21:34:05 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 13:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=C:\WINDOWS\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^K^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\K\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-r------- 2007-03-21 18:23 1953792 C:\WINDOWS\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\etMonitor]
--a------ 2005-07-26 19:45 40960 C:\WINDOWS\etMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2007-03-20 16:36 36864 C:\WINDOWS\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 01:07 8491008 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-17 01:07 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-24 11:05 1271032 C:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-27 12:11 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LBTServ"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Eidos\\Kane and Lynch Dead Men\\kaneandlynch.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 16:12]
R3 DCamUSBET;ET USB 2710 Camera;C:\WINDOWS\system32\DRIVERS\etDevice.sys [2005-08-17 12:12]
R3 FiltUSBET;ET USB Device Lower Filter;C:\WINDOWS\system32\DRIVERS\etFilter.sys [2005-12-21 16:31]
R3 ScanUSBET;ET USB Still Image Capture Device;C:\WINDOWS\system32\DRIVERS\etScan.sys [2005-08-17 12:18]
R3 TdsNordecr;Nordea NCR1 SmartCard Reader;C:\WINDOWS\system32\DRIVERS\nordecr.sys [2007-10-30 09:57]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 23:10]
S4 Apache2.2;Apache2.2;C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-01-18 01:37]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-04-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-07-17 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\T0k4TBVP.exe [2008-07-18 01:17]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\K\Application Data\Mozilla\Firefox\Profiles\4uf6lb0j.default\
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava11.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava12.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava13.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava14.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava32.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npoji610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPinfotl.dll
FF -: plugin - C:\Program Files\Personal\bin\np_prsnl.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 14:17:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-08-05 14:19:44
ComboFix-quarantined-files.txt 2008-08-05 12:18:43

Pre-Run: 22,893,330,432 bytes free
Post-Run: 25,036,541,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

201 --- E O F --- 2008-07-17 23:43:10
Kpax
Regular Member
 
Posts: 16
Joined: January 30th, 2008, 12:52 am

Re: Problems with a Genetik trojan

Unread postby Katana » August 5th, 2008, 9:46 am

Do you know what the following are?
    C:\Program Files\wc3minicd.zip
    C:\Program Files\Auto Refresher (normal version).exe


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://malwareremoval.com/forum/viewtopic.php?f=11&t=33286&p=332334#p332334
    
    Comment:: Katana -- Trojan-Downloader.Win32.BHO.pe
    Collect::[4]
    C:\WINDOWS\system32\T0k4TBVP.exe
    C:\WINDOWS\system32\T0k4TBVP.exe.a_a
    File::
    C:\WINDOWS\Tasks\At9.job
    Folder::
    C:\Documents and Settings\K\Application Data\uTorrent
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=-
    

  • Save this as CFScript.txt and place it on your desktop.


    [Image: screenshot showing CFScript.txt being dragged onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

How are things running now, any problems still?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
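Katana's CFScript above singles out C:\WINDOWS\system32\T0k4TBVP.exe, its .a_a companion and the At9.job task that launches it. As an added example that is not part of this thread and not ComboFix's own logic, the following Python script reads the "Files Created" and "Scheduled Tasks" sections of a ComboFix log and flags the two patterns a helper looks for here: an executable in system32 whose eight-character name looks auto-generated, and an At<N>.job (the kind the at command creates) pointing at such a file, including the dangling case where the file has already been removed but the job remains (ComboFix then prints an empty [] after the target). The log excerpts are constructed from the lines posted above, and the random-name heuristic is my own assumption, a prompt for closer inspection rather than proof of infection.

```python
"""Triage a ComboFix log for the pattern seen in this thread: a randomly named
executable dropped in system32 and an At<N>.job scheduled task that runs it.
Added example for illustration; the heuristics are my own assumptions, not
ComboFix's logic, and the excerpts below are constructed from the posted log."""
import re

# Eight alphanumerics mixing digits, lower- and upper-case (e.g. T0k4TBVP) is
# the shape of the auto-generated names in this thread; vendor binaries rarely
# look like this, so treat a match as worth a closer look, not as proof.
RANDOM_STEM = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8}$")

# "created . modified size attributes path" lines of the Files Created section.
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$"
)
# A scheduled task is logged as a date + .job path, then "- target [stamp]";
# ComboFix prints an empty [] when the target no longer exists on disk.
TASK_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} C:\\WINDOWS\\Tasks\\(.+?\.job)$")
TARGET_LINE = re.compile(r"^- (.+?) \[(.*)\]$")
AT_JOB = re.compile(r"^At\d+\.job$", re.IGNORECASE)

# Constructed excerpt modelled on the first log posted in this thread.
SAMPLE_BEFORE = r"""
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 00:07 . 2008-08-05 00:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-05 00:07 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-18 01:18 . 2008-07-18 01:17 29,760 --a------ C:\WINDOWS\system32\T0k4TBVP.exe
2008-07-18 01:18 . 2008-07-18 01:18 0 --a------ C:\WINDOWS\system32\T0k4TBVP.exe.a_a
.
Contents of the 'Scheduled Tasks' folder

2008-04-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-07-17 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\T0k4TBVP.exe [2008-07-18 01:17]
.
"""

# Constructed excerpt of the state after the executable was deleted but the
# task that launched it was left behind.
SAMPLE_AFTER = r"""
Contents of the 'Scheduled Tasks' folder

2008-07-17 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\T0k4TBVP.exe []
.
"""


def looks_random(path):
    """True when the file's base name (before the first dot) fits RANDOM_STEM."""
    stem = path.rsplit("\\", 1)[-1].split(".", 1)[0]
    return RANDOM_STEM.match(stem) is not None


def parse_created_files(text):
    """Return the paths listed in the Files Created section."""
    return [m.group(5) for m in map(FILE_LINE.match, text.splitlines()) if m]


def parse_scheduled_tasks(text):
    """Return (job name, target path, timestamp-or-empty) for each task entry."""
    lines = text.splitlines()
    tasks = []
    for i, line in enumerate(lines[:-1]):
        job = TASK_LINE.match(line)
        target = TARGET_LINE.match(lines[i + 1])
        if job and target:
            tasks.append((job.group(1), target.group(1), target.group(2)))
    return tasks


def triage(text):
    """Return (finding, detail) pairs for the suspicious patterns in a log."""
    findings = []
    for path in parse_created_files(text):
        if path.lower().startswith("c:\\windows\\system32\\") and looks_random(path):
            findings.append(("random-name-in-system32", path))
    for job, target, stamp in parse_scheduled_tasks(text):
        reasons = []
        if AT_JOB.match(job):
            reasons.append("at-job")          # created with the at command, not the Task Scheduler UI
        if looks_random(target):
            reasons.append("random-target")
        if stamp == "":
            reasons.append("target-missing")  # dangling task: file gone, job still present
        if reasons:
            findings.append(("scheduled-task:" + ",".join(reasons), f"{job} -> {target}"))
    return findings


if __name__ == "__main__":
    for label, log in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label)
        for finding, detail in triage(log):
            print(f"  {finding}: {detail}")
```

The "target-missing" flag is the reason a helper still removes At9.job after the executable is gone: a task whose target no longer exists does nothing today, but it would run again if a file with that name were ever dropped back in place, so the job itself is cleaned up rather than left behind.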

Re: Problems with a Genetik trojan

Unread postby Kpax » August 5th, 2008, 10:19 am

C:\Program Files\wc3minicd.zip
C:\Program Files\Auto Refresher (normal version).exe

Those are tools used in a computer game. They're widely used and shouldn't be a problem. Did ComboFix indicate something?



ComboFix log:

ComboFix 08-08-04.01 - K 2008-08-05 15:59:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1344 [GMT 2:00]
Running from: C:\Documents and Settings\K\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\K\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\d2Rbq877.dll
C:\WINDOWS\system32\T0k4TBVP.exe
C:\WINDOWS\system32\T0k4TBVP.exe.a_a

.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 00:07 . 2008-08-05 00:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-05 00:07 . 2008-08-05 00:07 <DIR> d-------- C:\Documents and Settings\K\Application Data\Malwarebytes
2008-08-05 00:07 . 2008-08-05 00:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 00:07 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-05 00:07 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-04 15:00 . 2008-08-04 15:00 <DIR> d-------- C:\Deckard
2008-07-19 04:26 . 2008-08-03 18:01 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-07-12 10:03 . 2008-07-12 10:03 <DIR> d-------- C:\Documents and Settings\K\Application Data\Agency9
2008-07-11 16:29 . 2008-07-11 16:29 <DIR> d-------- C:\Program Files\Lionhead Studios

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 13:26 --------- d-----w C:\Documents and Settings\K\Application Data\mIRC
2008-08-04 12:58 --------- d-----w C:\Documents and Settings\K\Application Data\uTorrent
2008-08-04 10:46 --------- d-----w C:\Program Files\mIRC
2008-07-17 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-16 21:19 --------- d-----w C:\Program Files\Warcraft III
2008-07-11 14:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 19:27 --------- d-----w C:\Documents and Settings\K\Application Data\Winamp
2008-06-28 15:53 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-28 15:53 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-06-27 10:54 --------- d-----w C:\Documents and Settings\K\Application Data\Personal
2008-06-27 10:29 --------- d-----w C:\Program Files\Personal
2008-06-27 10:29 --------- d-----w C:\Program Files\Nordea NCR1 Installationspaket
2008-06-27 10:29 --------- d-----w C:\Documents and Settings\K\Application Data\Netscape
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 00:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 22:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 18:32 --------- d-----w C:\Program Files\MagicISO
2008-06-09 14:01 --------- d-----w C:\Program Files\OpenTTD
2008-06-06 02:51 --------- d-----w C:\Documents and Settings\K\Application Data\Dev-Cpp
2008-06-06 02:50 --------- d-----w C:\Documents and Settings\K\Application Data\GetRightToGo
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-02-01 22:48 30,431 ----a-w C:\Program Files\wc3minicd.zip
2007-12-02 17:34 22,328 ----a-w C:\Documents and Settings\K\Application Data\PnkBstrK.sys
2006-09-30 20:59 429,568 ----a-w C:\Program Files\Auto Refresher (normal version).exe
2006-06-23 22:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 16:16 171464]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:55 5674352]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 12:23 1365504]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-21 22:40 917504]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 07:28 36352]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-04-09 15:49 1423360]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 03:17 55824 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-27 21:34:05 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 13:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=C:\WINDOWS\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^K^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\K\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-r------- 2007-03-21 18:23 1953792 C:\WINDOWS\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\etMonitor]
--a------ 2005-07-26 19:45 40960 C:\WINDOWS\etMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2007-03-20 16:36 36864 C:\WINDOWS\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 01:07 8491008 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-17 01:07 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-24 11:05 1271032 C:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-27 12:11 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LBTServ"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Eidos\\Kane and Lynch Dead Men\\kaneandlynch.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 16:12]
R3 DCamUSBET;ET USB 2710 Camera;C:\WINDOWS\system32\DRIVERS\etDevice.sys [2005-08-17 12:12]
R3 FiltUSBET;ET USB Device Lower Filter;C:\WINDOWS\system32\DRIVERS\etFilter.sys [2005-12-21 16:31]
R3 ScanUSBET;ET USB Still Image Capture Device;C:\WINDOWS\system32\DRIVERS\etScan.sys [2005-08-17 12:18]
R3 TdsNordecr;Nordea NCR1 SmartCard Reader;C:\WINDOWS\system32\DRIVERS\nordecr.sys [2007-10-30 09:57]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 23:10]
S4 Apache2.2;Apache2.2;C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-01-18 01:37]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-04-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-07-17 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\T0k4TBVP.exe []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 15:59:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-08-05 16:00:07
ComboFix-quarantined-files.txt 2008-08-05 14:00:04
ComboFix2.txt 2008-08-05 12:19:45

Pre-Run: 25,042,669,568 bytes free
Post-Run: 25,032,126,464 bytes free

179 --- E O F --- 2008-07-17 23:43:10


After the first ComboFix run I've gotten 1 virus warning.

Only 13 minutes have passed since the last ComboFix run with the script, so I can't say for sure if the virus warnings have stopped. I will know for sure later today though, because they've been coming regularly the last few days.

I'll report back later today or tomorrow if no warnings occur, until then I can't thank you enough :D
Kpax
Regular Member
 
Posts: 16
Joined: January 30th, 2008, 12:52 am

Re: Problems with a Genetik trojan

Unread postby Katana » August 5th, 2008, 10:46 am

No, it didn't show anything bad about those files, I just wanted to know if you knew they were there :)
I'll report back later today or tomorrow if no warnings occur, until then I can't thank you enough

We aren't finished yet :lol:


OTMoveIt
Please download OTMoveIt2 by OldTimer and save it to your desktop
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
EmptyTemp
C:\Deckard\System Scanner\20080804153813\backup\*.* s
C:\WINDOWS\Tasks\At9.job

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan << LINK
  • Click the Scan Now button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Problems with a Genetik trojan

Unread postby Kpax » August 5th, 2008, 10:58 am

Hehe uups :P

OTMoveIt said this:

< EmptyTemp >
File delete failed. C:\DOCUME~1\K\LOCALS~1\Temp\etilqs_FiuF8lNVjz345YARMJ7w scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\K\LOCALS~1\Temp\IH73E.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\K\LOCALS~1\Temp\~DF5F20.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\K\LOCALS~1\Temp\~DF5F2B.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\K\LOCALS~1\Temp\~DF6BB1.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\K\LOCALS~1\Temp\~DF6BBC.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\K\LOCALS~1\Temp\hsperfdata_K\2236 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\K\LOCALS~1\Temp\plugtmp\ASP-uppgift scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\K\LOCALS~1\Temp\plugtmp\JSP-uppgift scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\K\LOCALS~1\Temp\plugtmp\PHP-uppgift scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< C:\Deckard\System Scanner\20080804153813\backup\*.* s >
File/Folder C:\Deckard\System Scanner\20080804153813\backup\*.* s not found.
C:\WINDOWS\Tasks\At9.job moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08052008_164921

Files moved on Reboot...
File C:\DOCUME~1\K\LOCALS~1\Temp\etilqs_FiuF8lNVjz345YARMJ7w not found!
File C:\DOCUME~1\K\LOCALS~1\Temp\IH73E.tmp not found!
File C:\DOCUME~1\K\LOCALS~1\Temp\~DF5F20.tmp not found!
File C:\DOCUME~1\K\LOCALS~1\Temp\~DF5F2B.tmp not found!
File C:\DOCUME~1\K\LOCALS~1\Temp\~DF6BB1.tmp not found!
File C:\DOCUME~1\K\LOCALS~1\Temp\~DF6BBC.tmp not found!
File C:\DOCUME~1\K\LOCALS~1\Temp\hsperfdata_K\2236 not found!
File C:\DOCUME~1\K\LOCALS~1\Temp\plugtmp\ASP-uppgift not found!
File C:\DOCUME~1\K\LOCALS~1\Temp\plugtmp\JSP-uppgift not found!
File C:\DOCUME~1\K\LOCALS~1\Temp\plugtmp\PHP-uppgift not found!



Active scan is 20% done. Will be back as soon as it's done.
Kpax
Regular Member
 
Posts: 16
Joined: January 30th, 2008, 12:52 am

Re: Problems with a Genetik trojan

Unread postby Kpax » August 5th, 2008, 12:10 pm

Ok, it's done.. Took your advice, put on a LP and relaxed a bit ;)


ActiveScan result:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-05 18:06:05
PROTECTIONS: 1
MALWARE: 7
SUSPECTS: 4
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Eset NOD32 antivirus system 2.51 2.51 Yes No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\ESET\infected\QBCIHMAA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\ESET\infected\WMJOY0BA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\ESET\infected\T4STFQAA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\ESET\infected\SRSGMVAA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\ESET\infected\R1SRZEBA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\ESET\infected\DHMLP5BA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\ESET\infected\GL5O1JBA.NQF
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\DotA Gaming Network\dprotect.dc
03262853 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Documents and Settings\K\Desktop\Deladim\Programim\TrapCode Plugins\trapcode.multikeygen.v1.1.exe
03275485 Generic Trojan Virus/Trojan No 0 No No C:\Documents and Settings\K\Desktop\GANDALF VAR E DUU\[NewTorrents.info] Word.to.PDF.Converter.v3.0.030505.Incl.Keymaker-EMBRACE.rar[[NewTorrents.info] Word.to.PDF.Converter.v3.0.030505.Incl.Keymaker-EMBRACE\keygen.exe]
03296163 Generic Malware Virus/Trojan No 0 Yes No C:\Poker\Expekt Poker\_SetupPoker.exe
03296163 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\K\Desktop\GANDALF VAR E DUU\SetupPoker.exe
03439318 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\K\Desktop\GANDALF VAR E DUU\Auto Refreshers.zip[Auto Refresher (n00b version).exe]
03463065 Generic Trojan Virus/Trojan No 0 Yes No C:\Deckard\System Scanner\20080804153813\backup\DOCUME~1\K\LOCALS~1\Temp\gHI5uhU7.exe
03463065 Generic Trojan Virus/Trojan No 0 Yes No C:\Deckard\System Scanner\20080804153813\backup\DOCUME~1\K\LOCALS~1\Temp\CbeFwjqk.exe
03463065 Generic Trojan Virus/Trojan No 0 Yes No C:\Deckard\System Scanner\20080804153813\backup\DOCUME~1\K\LOCALS~1\Temp\2347BTJ8.exe
03463065 Generic Trojan Virus/Trojan No 0 Yes No C:\Deckard\System Scanner\20080804153813\backup\DOCUME~1\K\LOCALS~1\Temp\026G17gB.exe
03463065 Generic Trojan Virus/Trojan No 0 Yes No C:\Deckard\System Scanner\20080804153813\backup\DOCUME~1\K\LOCALS~1\Temp\Myj7bl1W.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Documents and Settings\K\Desktop\ComboFix.exe
No C:\Documents and Settings\K\Desktop\GANDALF VAR E DUU\mirc631.exe[²ÖÇ\mirc631.exe][mirc.exe]
No C:\Documents and Settings\K\Local Settings\Application Data\Mozilla\Firefox\Profiles\4uf6lb0j.default\Cache\C2152591d01
No C:\Program Files\mIRC\mirc.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
133387 MEDIUM MS06-065
120823 MEDIUM MS06-030
93454 MEDIUM MS05-049
;===================================================================================================================================================================================
Kpax
Regular Member
 
Posts: 16
Joined: January 30th, 2008, 12:52 am
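A small triage helper for a report of the kind Kpax pasted above, added here as an example; it is not part of the thread and not Panda's or ESET's own tooling. The MALWARE table lists every detection, but several of the rows point at files that are already sitting in the ESET quarantine folder or in the Deckard System Scanner backup folder, and two are members of archives that the scanner cannot disinfect in place. The script parses the rows (same column layout as the quoted report; the sample rows and their file names are constructed placeholders) and separates "already quarantined", "inside an archive" and "live on disk", so the findings that still need a decision stand out.

```python
"""Triage helper for a Panda ActiveScan-style MALWARE table.

Added example, not part of the thread and not the scanner's own tooling.
Column layout follows the quoted report; the sample rows are constructed
and the file names in them are placeholders.
"""
import re
from collections import defaultdict

# Constructed sample in the same layout as the quoted report (placeholder names).
SAMPLE_REPORT = """\
PROTECTIONS
Description Version Active Updated
;=====
Eset NOD32 antivirus system 2.51 2.51 Yes No
;=====
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\\Program Files\\ESET\\infected\\QBCIHMAA.NQF
03262853 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\\Documents and Settings\\K\\Desktop\\tool.keygen.exe
03275485 Generic Trojan Virus/Trojan No 0 No No C:\\Documents and Settings\\K\\Desktop\\converter.rar[converter\\keygen.exe]
03296163 Generic Malware Virus/Trojan No 0 Yes No C:\\Poker\\Expekt Poker\\_SetupPoker.exe
03463065 Generic Trojan Virus/Trojan No 0 Yes No C:\\Deckard\\System Scanner\\20080804153813\\backup\\DOCUME~1\\K\\LOCALS~1\\Temp\\gHI5uhU7.exe
;=====
SUSPECTS
Sent Location
;=====
No C:\\Documents and Settings\\K\\Desktop\\ComboFix.exe
"""

# One finding per row. The Description column may contain spaces ("Generic
# Trojan"), so it is matched non-greedily and pinned by the fixed Yes/No and
# numeric columns that follow it. The Location column starts with a drive letter.
ROW_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>[A-Za-z]:\\.+)$"
)

# Path fragments showing the file was already taken out of circulation:
# the AV quarantine folder and the Deckard System Scanner backup folder.
QUARANTINE_MARKERS = ("\\eset\\infected\\", "\\deckard\\system scanner\\")

# "archive.rar[member\inner.exe]" means the detection is on a file inside an
# archive; the scanner reports it but cannot disinfect it in place.
ARCHIVE_MEMBER_RE = re.compile(r"\.(rar|zip|7z|cab)\[", re.IGNORECASE)

SECTION_NAMES = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}


def parse_report(text):
    """Return the MALWARE rows as dicts; headers, separators and other sections are skipped."""
    rows = []
    in_malware = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTION_NAMES:
            in_malware = stripped == "MALWARE"
            continue
        if not in_malware or stripped.startswith(";"):
            continue
        match = ROW_RE.match(stripped)
        if match:
            row = match.groupdict()
            row["severity"] = int(row["severity"])
            rows.append(row)
    return rows


def classify(row):
    """Bucket one finding by where the flagged file actually sits."""
    location = row["location"]
    if any(marker in location.lower() for marker in QUARANTINE_MARKERS):
        return "quarantined"
    if ARCHIVE_MEMBER_RE.search(location):
        return "in_archive"
    return "live"


def triage(text):
    """Group all findings by bucket, keeping report order inside each bucket."""
    groups = defaultdict(list)
    for row in parse_report(text):
        groups[classify(row)].append(row)
    return groups


def needs_action(text):
    """Locations still reachable on the machine: live files first, then archive members."""
    groups = triage(text)
    return [row["location"] for row in groups["live"] + groups["in_archive"]]


def summary(text):
    """Counts per bucket, followed by one line per finding that still needs a decision."""
    groups = triage(text)
    lines = [f"{bucket}: {len(rows)}" for bucket, rows in sorted(groups.items())]
    for row in groups["live"] + groups["in_archive"]:
        lines.append(f"  {row['desc']:<20} sev={row['severity']} {row['location']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(SAMPLE_REPORT))
```

Run it against a saved report with `summary(open("report.txt").read())`. The "quarantined" bucket is what makes the ESET `.NQF` rows and the Deckard backup rows safe to leave to those tools; the "live" and "in_archive" buckets are the ones a helper would ask about, which is exactly the split Katana draws in the next reply.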

Re: Problems with a Genetik trojan

Post by Katana » August 6th, 2008, 3:18 am

Well, that shows a couple of things that need clarifying ....

C:\Program Files\DotA Gaming Network\dprotect.dc There is an open topic at the dotagaming forum regarding this file, so I recommend that you ask them about it
http://www.dotagaming.net/forums/index.php?topic=2357.0

I take it that Auto Refreshers.zip is related to the game along with the other files I asked about?
And I am assuming that you installed mIRC?


Now, regarding
"C:\Documents and Settings\K\Desktop\Deladim\Programim\TrapCode Plugins\trapcode.multikeygen.v1.1.exe"
"C:\Documents and Settings\K\Desktop\GANDALF VAR E DUU\[NewTorrents.info] Word.to.PDF.Converter.v3.0.030505.Incl.Keymaker-EMBRACE.rar[[NewTorrents.info] Word.to.PDF.Converter.v3.0.030505.Incl.Keymaker-EMBRACE\keygen.exe]"


In doing the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product.
The distribution and use of cracked copies is illegal in almost every developed country.
They are also one of the biggest causes of infection.

This applies to Cracks, Keygens and Warez

These files MUST be deleted !!!!!!!

In the future I strongly suggest you stay away from using cracks and/or Keygens.





OTMoveIt
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code:
C:\Documents and Settings\K\Desktop\Deladim\Programim\TrapCode Plugins\trapcode.multikeygen.v1.1.exe
C:\Documents and Settings\K\Desktop\GANDALF VAR E DUU\[NewTorrents.info] Word.to.PDF.Converter.v3.0.030505.Incl.Keymaker-EMBRACE.rar
C:\Documents and Settings\K\Desktop\GANDALF VAR E DUU\SetupPoker.exe
C:\Poker\Expekt Poker\_SetupPoker.exe
C:\Deckard

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



How are things running now, any problems still?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
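What the OTMoveIt step above does, written out in plain Python as an added example; this is not OTMoveIt's code and is not part of the thread. It takes the same kind of pasted list (one file or folder per line), moves each entry under a dated quarantine folder while keeping the original folder layout so a move can be undone by hand, and reports what moved, what was not found and what could not be moved (typically a locked or in-use file, which is the "reboot to finish the move" case Katana mentions). The demo layout is built in a temp directory; its file names are placeholders, not real malware.

```python
"""Move a pasted list of files and folders into a dated quarantine folder.

Added example in plain Python; it is not OTMoveIt's code. The demo layout is
constructed in a temp directory and its file names are placeholders.
"""
import shutil
import tempfile
import time
from pathlib import Path


def quarantine_paths(path_list_text, quarantine_root):
    """Move every non-blank line of path_list_text beneath quarantine_root.

    Returns {'moved': [(src, dest)], 'missing': [src], 'failed': [(src, error)]}.
    """
    stamp = time.strftime("%Y%m%d_%H%M%S")
    dest_root = Path(quarantine_root) / f"moved_{stamp}"
    result = {"moved": [], "missing": [], "failed": []}
    for raw in path_list_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        src = Path(line)
        if not src.exists():
            result["missing"].append(line)
            continue
        # Rebuild the original path below dest_root, minus the drive/root anchor,
        # so "C:\Deckard" lands at "<quarantine>\moved_<stamp>\Deckard".
        relative = Path(*src.parts[1:]) if src.anchor else src
        dest = dest_root / relative
        dest.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.move(str(src), str(dest))
            result["moved"].append((line, str(dest)))
        except (OSError, shutil.Error) as exc:
            # Typical cause: the file is open or locked; retry after a reboot.
            result["failed"].append((line, str(exc)))
    return result


def format_results(result):
    """Render the outcome in the style of a results window: one line per path."""
    lines = []
    for src, dest in result["moved"]:
        lines.append(f"{src} moved successfully -> {dest}")
    for src in result["missing"]:
        lines.append(f"File/Folder {src} not found.")
    for src, err in result["failed"]:
        lines.append(f"{src} NOT moved ({err}); reboot and retry.")
    return "\n".join(lines)


def demo():
    """Constructed layout in a temp dir: one loose file, one folder tree, one missing path."""
    base = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    temp_dir = base / "Temp"
    temp_dir.mkdir()
    (temp_dir / "026G17gB.exe").write_bytes(b"constructed placeholder, not a real executable")
    backup = base / "Deckard" / "backup"
    backup.mkdir(parents=True)
    (backup / "sample.exe").write_bytes(b"constructed placeholder")
    listing = "\n".join([
        str(temp_dir / "026G17gB.exe"),
        str(base / "Deckard"),
        str(base / "does_not_exist.exe"),
        "",
    ])
    result = quarantine_paths(listing, base / "_Quarantine")
    result["sources_gone"] = (not (temp_dir / "026G17gB.exe").exists()
                              and not (base / "Deckard").exists())
    result["dest_ok"] = all(Path(dest).exists() for _, dest in result["moved"])
    result["tree_intact"] = any(Path(dest, "backup", "sample.exe").exists()
                                for _, dest in result["moved"])
    return result


if __name__ == "__main__":
    print(format_results(demo()))
```

Moving rather than deleting is the point: if one of the entries turns out to be a legitimate game or plugin file, it can be put back from the quarantine folder, which a straight delete does not allow.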