TechSpot

Hacktool.rootkit!inf

By Ved
May 20, 2010
  1. I have been having trouble with the virus Hacktool.rootkit!inf. My AV is Norton Security Suite. Every time I run the scan, the AV detects this virus but unfortunately cannot take any action, with the note that the virus requires manual removal.
    For the File Insight my AV shows the following:
    Location:
    cdrom.sys
    Activity:
    Infected file: C-Windows.old-Windows-system32-drivers-cdrom.sys (Manual removal required)
    Infected file: C-Windows.old-Windows-system32-drivers-wcscd.sys (No fix attempt)
    Infected file: C-Windows.old-Windows-system32-dllcache-cdrom.sys (No fix attempt)
    Infected file: C-Windows.old-Windows-Temp - cdfss (No fix attempt)
    Please suggest if there is anything I can do to completely remove this malware without hurting my system.
    Thanks
    Ved
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please follow these steps in the Preliminary Virus and Malware Removal thread HERE
    When you have finished include all of the logs in your next reply for our review.

    Please do not use any other cleaning program or scans while I am helping you unless I instruct you to. Do not use a registry cleaner or make any changes in the Registry.
     
  3. Ved

    Ved TS Rookie Topic Starter Posts: 43

    I’ve followed the 8 steps and am posting back the results.
    Waiting for your further instructions.
    Thank You much!
     

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Questions:

    1. Did you turn off System Restore? There are no System Restore points. This error is related to that:
    5/21/2010 1:55:11 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

    2. Have you set up any restrictions through the group Policy?

    3. Did you select ask.com for your home page on IE and install the AskCom toolbar intentionally? There are several entries for this:
    uStart Page = hxxp://eu.ask.com?o=15446&l=dis
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll


    We discourage the use of ask.com because of adware. I can remove this if you'd like in the script you'll run later.

    4. Does your CD player work? Have you previously reinstalled it and/or renamed the .exe file for it?

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix...
     
  5. Ved

    Ved TS Rookie Topic Starter Posts: 43

    1. System restores:
    When I originally ran Norton Scan and when it found this virus, I was asked to turn off System Restore points prior to new scan. I did that, and after it I thought I switched the restore points back on. I just checked and Restore point for C: is on, but restore point for D: is off. Should I turn the restore point for D: back on?

    2. Restriction through the group policy:
    To the best of my knowledge I have never set up any restriction through the group policy; furthermore, I do not exactly know what the group policy is in this context, and thus I do not know how to check the status of same. If crucial, would you please let me know how to check the same?

    3. AskCom:
    I use Firefox instead of IE. And the home page on Firefox is set to Gmail. I checked the programs in Control Panel and there is no AskCom. Further, I have opened IE, and yes, the home page indeed was set to ask.com, and I have removed the Askcom homepage and set the Gmail one.

    4. CD:
    I use the CD player frequently to write files; I just checked the play function and it works fine.
    I have no recollection of reinstalling the CD player recently nor changing anything about it, including .exe files.
    How can I check the same if needed?

    Before I run Combofix, as you suggested, I will wait for your response regarding the first 3 steps including the CD issue. Please let me know if I need to do anything more regarding the steps above before I install and run Combofix.
    Thank You much,
    Ved
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for the clear explanations. Sometimes we really have to pull info out. You made my job easier!

    About System Restore: Years ago, it was thought best to turn off SR if malware was suspected, the reason being to keep malware out of the restore points. As time went on and we had more tools and learned more about getting into a system, we found that occasionally the only way to get in was through System Restore. It became better to have a bad restore point than none at all.

    System Restore is the least understood system function that I know of and one of the most important. Unfortunately, there is inconsistency in the directions for this, as you found. But it is best to keep SR turned on and then when a system is clean, we have you set a new, clean restore point and drop the old ones.

    System Restore should run on the Local System Drive which is usually C. It depends on what the D drive is, how much 'room' there is to store the restore points.

    About Group Policy: Simply put, Group Policy gives you administrative control over users and computers in your network. It's "a set of rules which control the working environment of user accounts and computer accounts." There is information for setting this in Windows 7 and screenshots to help you HERE. You should become familiar with it.

    About Ask.com: It was showing as the IE Search page, as a BHO (Browser Helper Object) and also with a Toolbar. It is very pervasive and I suggest you completely remove it. I will have you run HijackThis later and if there are any entries left, I will have you check them for removal.

    About the CD Drive: I asked about it because GMER has an entry: C:\Windows.old\Windows\system32\cdplayer.exe.manifest (size mismatch) 2091520/749 bytes executable. The directory isn't right with the Windows.old, so I may have to look into that.

    Go ahead and run Combofix- I'll add the script after that.
     
  7. Ved

    Ved TS Rookie Topic Starter Posts: 43

    ComboFix 10-05-24.03 - Buba 05/25/2010 9:13.1.1 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.504.125 [GMT 2:00]
    Running from: c:\users\Buba\Downloads\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
    .

    2010-05-25 07:29 . 2010-05-25 07:30 -------- d-----w- c:\users\Buba\AppData\Local\temp
    2010-05-25 07:29 . 2010-05-25 07:29 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-05-20 19:02 . 2010-05-20 19:02 -------- d-----w- c:\users\Buba\AppData\Roaming\Malwarebytes
    2010-05-20 19:01 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-20 19:01 . 2010-05-20 19:01 -------- d-----w- c:\programdata\Malwarebytes
    2010-05-20 19:01 . 2010-05-20 19:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-20 19:01 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-20 18:56 . 2010-05-20 18:56 -------- d-----w- c:\program files\Common Files\Java
    2010-05-20 18:55 . 2010-05-20 18:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-20 18:54 . 2010-05-20 18:54 -------- d-----w- c:\program files\Java
    2010-05-20 18:48 . 2010-05-20 18:48 -------- d-----w- c:\program files\Common Files\Adobe
    2010-05-20 09:07 . 2009-05-18 22:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-05-20 09:07 . 2008-04-17 21:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll
    2010-05-20 09:07 . 2010-05-20 09:07 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-05-20 09:07 . 2010-05-20 09:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-05-20 09:07 . 2010-05-20 09:07 -------- d-----w- c:\program files\Symantec
    2010-05-20 09:05 . 2010-05-20 11:22 -------- d-----w- c:\windows\system32\drivers\N360
    2010-05-20 09:05 . 2010-05-20 09:05 -------- d-----w- c:\program files\Norton Security Suite
    2010-05-20 09:04 . 2010-05-20 09:04 -------- d-----w- c:\programdata\NortonInstaller
    2010-05-20 09:04 . 2010-05-20 09:04 -------- d-----w- c:\program files\NortonInstaller
    2010-05-20 08:51 . 2010-05-20 09:05 -------- d-----w- c:\programdata\Norton
    2010-05-17 20:17 . 2010-05-17 20:17 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
    2010-05-17 16:00 . 2010-02-04 08:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2010-05-17 16:00 . 2010-02-04 08:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
    2010-05-17 16:00 . 2010-02-04 08:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
    2010-05-17 16:00 . 2010-02-04 08:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    2010-05-17 16:00 . 2009-09-04 15:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
    2010-05-17 16:00 . 2009-09-04 15:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
    2010-05-17 16:00 . 2009-09-04 15:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
    2010-05-17 16:00 . 2009-09-04 15:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
    2010-05-17 16:00 . 2009-09-04 15:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
    2010-05-17 08:25 . 2006-10-26 17:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2010-05-17 08:25 . 2006-10-26 17:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2010-05-17 08:23 . 2010-05-17 08:23 -------- d-----w- c:\program files\Microsoft Works
    2010-05-17 08:21 . 2010-05-17 08:21 -------- d-----w- c:\windows\PCHEALTH
    2010-05-17 08:21 . 2010-05-17 08:21 -------- d-----w- c:\program files\Microsoft.NET
    2010-05-17 08:15 . 2010-05-17 08:15 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-05-17 08:14 . 2010-05-17 08:14 -------- d-----w- c:\users\Buba\AppData\Local\Microsoft Help
    2010-05-17 08:14 . 2010-05-17 20:19 -------- d-----w- c:\programdata\Microsoft Help
    2010-05-12 11:42 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
    2010-05-11 14:19 . 2010-05-11 14:19 -------- d-----w- c:\programdata\eMule
    2010-05-11 14:18 . 2010-05-11 14:18 -------- d-----w- C:\Emule
    2010-05-11 14:18 . 2010-05-11 14:20 -------- d-----w- c:\users\Buba\AppData\Local\eMule
    2010-05-11 14:18 . 2010-05-11 14:18 -------- d-----w- c:\program files\eMule
    2010-05-11 13:38 . 2010-05-11 13:38 -------- d-----w- c:\program files\iPod
    2010-05-11 13:38 . 2010-05-11 13:39 -------- d-----w- c:\program files\iTunes
    2010-05-11 13:34 . 2010-05-11 13:34 -------- d-----w- c:\program files\Bonjour
    2010-04-29 07:22 . 2010-05-20 18:50 -------- d-----w- c:\users\Buba\AppData\Local\Adobe
    2010-04-28 08:47 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
    2010-04-28 08:47 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2010-04-28 08:47 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-25 06:55 . 2010-03-25 17:25 -------- d-----w- c:\users\Buba\AppData\Roaming\Skype
    2010-05-25 06:54 . 2010-03-25 17:25 -------- d-----w- c:\users\Buba\AppData\Roaming\skypePM
    2010-05-20 09:07 . 2010-05-20 09:07 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-05-20 09:07 . 2010-05-20 09:07 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-05-19 16:05 . 2010-03-26 16:19 -------- d-----w- c:\users\Buba\AppData\Roaming\BitTorrent
    2010-05-17 10:00 . 2010-03-25 18:03 108824 ----a-w- c:\users\Buba\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-17 08:22 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
    2010-05-12 18:40 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
    2010-05-11 13:38 . 2010-04-15 12:33 -------- d-----w- c:\program files\Common Files\Apple
    2010-05-11 13:38 . 2010-04-15 12:35 -------- d-----w- c:\programdata\Apple Computer
    2010-05-11 13:28 . 2010-05-11 13:28 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
    2010-05-06 08:36 . 2010-03-25 17:35 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-04-16 09:13 . 2010-04-15 12:40 -------- d-----w- c:\users\Buba\AppData\Roaming\Apple Computer
    2010-04-15 12:39 . 2010-04-15 12:38 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-04-15 12:36 . 2010-04-15 12:35 -------- d-----w- c:\program files\QuickTime
    2010-04-15 12:34 . 2010-04-15 12:34 -------- d-----w- c:\program files\Apple Software Update
    2010-04-15 12:33 . 2010-04-15 12:33 -------- d-----w- c:\programdata\Apple
    2010-04-08 11:20 . 2010-04-08 11:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-04-08 11:20 . 2010-04-08 11:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-03-30 20:41 . 2010-03-30 20:31 -------- d-----w- c:\users\Buba\AppData\Roaming\Winamp
    2010-03-30 20:33 . 2010-03-30 20:31 -------- d-----w- c:\program files\Winamp
    2010-03-30 20:32 . 2010-03-30 20:32 -------- d-----w- c:\program files\Winamp Detect
    2010-03-30 20:32 . 2010-03-30 20:32 -------- d-----w- c:\program files\Common Files\PX Storage Engine
    2010-03-30 19:46 . 2010-03-30 19:44 -------- d-----r- c:\program files\Skype
    2010-03-30 19:44 . 2010-03-30 19:44 -------- d-----w- c:\program files\Common Files\Skype
    2010-03-30 19:44 . 2010-03-25 17:25 -------- d-----w- c:\programdata\Skype
    2010-03-27 20:11 . 2010-03-27 20:09 -------- d--h--w- c:\program files\Temp
    2010-03-27 20:09 . 2010-03-27 20:09 -------- d-----w- c:\program files\Realtek
    2010-03-27 20:09 . 2010-03-27 20:09 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-27 20:09 . 2010-03-27 20:09 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-03-27 19:49 . 2010-03-27 19:49 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
    2010-03-26 19:22 . 2010-03-26 19:22 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
    2010-03-26 16:19 . 2010-03-26 16:19 -------- d-----w- c:\program files\BitTorrent
    2010-03-25 17:25 . 2010-03-25 17:25 56 ---ha-w- c:\programdata\ezsidmv.dat
    2010-03-08 21:33 . 2010-04-14 07:36 427520 ----a-w- c:\windows\system32\vbscript.dll
    2010-02-27 12:07 . 2010-04-14 07:36 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-27 12:07 . 2010-04-14 07:36 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-27 07:32 . 2010-04-14 07:36 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-02-27 07:32 . 2010-04-14 07:36 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-02-27 07:32 . 2010-04-14 07:36 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-17 8092192]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 133104]
    R3 DrvAgent32;DrvAgent32;c:\windows\system32\Drivers\DrvAgent32.sys [2010-03-27 23456]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [2009-10-15 328752]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS [2009-11-26 172592]
    S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
    S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\ccHPx86.sys [2010-02-25 501888]
    S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100518.002\IDSvix86.sys [2010-05-18 344112]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.SYS [2010-02-27 116784]
    S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0401000.020\SYMTDIV.SYS [2009-11-22 340016]
    S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe [2010-02-25 126392]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-18 102448]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
    S3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 17:48]

    2010-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 17:48]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.google.com/accounts/Ser...eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Buba\AppData\Roaming\Mozilla\Firefox\Profiles\vq2a0iwb.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://gmail.com
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
    FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\Ask.com\GenericAskToolbar.dll
    BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
    Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll



    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(540)
    c:\windows\system32\cryptnet.dll
    .
    Completion time: 2010-05-25 09:38:04
    ComboFix-quarantined-files.txt 2010-05-25 07:38

    Pre-Run: 13,990,621,184 bytes free
    Post-Run: 14,000,164,864 bytes free

    - - End Of File - - EE2AF1F94AC446377021493A43C073EA
     

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, that one is gone.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      cdplayer.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ==================================
    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    Folder::
    DDS:
    uStart Page = hxxp://eu.ask.com?o=15446&l=dis
    c:\program files\ask.com\GenericAskToolbar.dll
    c:\program files\ask.com\GenericAskToolbar.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    
    Registry::
    Driver::
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: screenshot showing CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===================================
    P2P or 'file sharing' Warning:
    I would like to make you aware of the following:
    You have both BitTorrent and eMule on the system: these are both file sharing programs.

    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Bit Torrent and eMule for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    There is much discussion and controversy about downloading or uploading copyrighted material using eMule. If this is monitored by your ISP, it is a possibility that they could close your account. If you decide not to uninstall these programs, please do not use them while I am helping clean the system.
     
  9. Ved

    Ved TS Rookie Topic Starter Posts: 43

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 12:53 on 26/05/2010 by Buba (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "cdplayer.*"
    C:\Windows.old\Windows\system32\cdplayer.exe.manifest -rah-- 749 bytes [21:53 04/12/2009] [21:53 04/12/2009] 5A5CFF37F1BD0F86B9BDAAD7A9445882

    -=End Of File=-

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=d3f8ba2dca31b4429e1d3d1a801dafcf
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-05-26 01:28:12
    # local_time=2010-05-26 03:28:12 (+0100, Central Europe Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.1.7600 NT
    # compatibility_mode=768 16777215 100 0 5338534 5338534 0 0
    # compatibility_mode=3589 16777213 80 86 519677 38242497 0 0
    # compatibility_mode=5893 16776574 100 94 692434 27326793 0 0
    # compatibility_mode=8192 67108863 100 0 305 305 0 0
    # scanned=118396
    # found=7
    # cleaned=0
    # scan_time=6289
    C:\Windows.old\Windows\system32\dllcache\cdrom.sys Win32/Protector.I virus 00000000000000000000000000000000 I
    C:\Windows.old\Windows\system32\drivers\cdrom.sys Win32/Protector.I virus 00000000000000000000000000000000 I
    C:\Windows.old\Windows\system32\drivers\wcscd.sys Win32/Protector.I virus 00000000000000000000000000000000 I
    C:\Windows.old\Windows\Temp\cdfss Win32/Protector.I virus 00000000000000000000000000000000 I
    F:\System Volume Information\_restore{73A8B94A-004F-409C-8D7F-CAC68CD91880}\RP111\A0018885.exe a variant of Win32/Kryptik.DCT trojan 00000000000000000000000000000000 I
    F:\System Volume Information\_restore{73A8B94A-004F-409C-8D7F-CAC68CD91880}\RP111\A0018886.inf INF/Autorun virus 00000000000000000000000000000000 I
    F:\Limewire 1\[iTunes] moonlightning theme(long edition).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
     

    Attached Files:
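The ESET log above is a fixed format: a header of `# key=value` lines followed by one detection per line (path, threat name, a hash column, and a flag). Parsing it lets you check that the header's `found=` count matches the detection lines, confirm that `cleaned=0` is simply the result of running with "Remove found threats" unchecked (`remove_checked=false`), and group hits by where they live, which is the point Bobbye's replies turn on: four hits in the pre-upgrade `Windows.old` copy, two inside a restore point, one on another volume. This is an added example, not ESET's or TechSpot's own tooling; the sample log is Ved's output trimmed to the lines the parser needs, and the location buckets (`windows.old`, `restore point`, `live system drive`, `other volume`) are an assumption of this example, not ESET categories.

```python
"""Parse an ESET Online Scanner log and group detections by on-disk location.

Added example for this thread (not ESET's or TechSpot's code). The header
keys and detection-line layout follow the log posted above; the location
buckets are this example's own heuristic.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: Ved's ESET log, trimmed to the header keys and the
# seven detection lines this parser uses.
SAMPLE_LOG = r"""
# version=7
# end=finished
# remove_checked=false
# unwanted_checked=true
# scanned=118396
# found=7
# cleaned=0
C:\Windows.old\Windows\system32\dllcache\cdrom.sys Win32/Protector.I virus 00000000000000000000000000000000 I
C:\Windows.old\Windows\system32\drivers\cdrom.sys Win32/Protector.I virus 00000000000000000000000000000000 I
C:\Windows.old\Windows\system32\drivers\wcscd.sys Win32/Protector.I virus 00000000000000000000000000000000 I
C:\Windows.old\Windows\Temp\cdfss Win32/Protector.I virus 00000000000000000000000000000000 I
F:\System Volume Information\_restore{73A8B94A-004F-409C-8D7F-CAC68CD91880}\RP111\A0018885.exe a variant of Win32/Kryptik.DCT trojan 00000000000000000000000000000000 I
F:\System Volume Information\_restore{73A8B94A-004F-409C-8D7F-CAC68CD91880}\RP111\A0018886.inf INF/Autorun virus 00000000000000000000000000000000 I
F:\Limewire 1\[iTunes] moonlightning theme(long edition).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
"""

# A detection line is: <path with spaces> [a variant of ]<Family/Name> <kind> <hex hash> <flag>.
# The path is matched non-greedily; the first place where the rest of the
# line parses as "family/name kind hash flag" is the real path boundary.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<variant>a variant of )?(?P<family>[A-Za-z0-9]+/\S+) (?P<kind>\w+) "
    r"(?P<hash>[0-9a-fA-F]+) (?P<flag>\S+)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    family: str    # e.g. "Win32/Protector.I"
    kind: str      # "virus", "trojan", ...
    variant: bool  # True when ESET reported "a variant of" (heuristic match)
    location: str  # bucket from classify_location()


def classify_location(path: str) -> str:
    """Heuristic buckets (this example's own, not ESET's)."""
    p = path.lower()
    if "\\windows.old\\" in p:
        return "windows.old"            # copy of the old install, not the running one
    if "\\system volume information\\" in p:
        return "restore point"          # only reachable by restoring or purging the point
    if p.startswith("c:\\"):
        return "live system drive"
    return "other volume"


def parse_eset_log(text: str):
    """Return (header dict, list of Detection, list of unparsed lines)."""
    header, detections, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m is None:
            unparsed.append(line)       # e.g. the downloader's "all ok" banner
            continue
        detections.append(Detection(
            path=m["path"], family=m["family"], kind=m["kind"],
            variant=m["variant"] is not None,
            location=classify_location(m["path"])))
    return header, detections, unparsed


def summarize(text: str) -> dict:
    """Cross-check the header against the detection lines and bucket the hits."""
    header, detections, unparsed = parse_eset_log(text)
    found_claimed = int(header.get("found", "0"))
    return {
        "found_claimed": found_claimed,
        "found_parsed": len(detections),
        "count_consistent": found_claimed == len(detections),
        "cleaned": int(header.get("cleaned", "0")),
        # remove_checked=false means the scan was report-only, so cleaned=0
        # is the expected outcome rather than a failed disinfection.
        "report_only": header.get("remove_checked") == "false",
        "by_location": Counter(d.location for d in detections),
        "by_family": Counter(d.family for d in detections),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary; to use it on a real log, read the file and pass its text to `summarize()`. Lines that do not fit the detection layout are returned under `unparsed` rather than dropped, so a changed log format shows up instead of silently shrinking the count.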

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well, now you've come full circle! Let's see if this keeps it gone:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\Windows.old\Windows\system32\dllcache\cdrom.sys 
      C:\Windows.old\Windows\system32\drivers\cdrom.sys 
      C:\Windows.old\Windows\system32\drivers\wcscd.sys 
      C:\Windows.old\Windows\Temp\cdfss 
      F:\Limewire 1\[iTunes] moonlightning theme(long edition).mp3 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==========================================
    When you attempted to download the mp3 from LimeWire, you were told you needed to get a Codec to play it. When you got that codec, you also got TrojanDownloader.
    F:\Limewire 1\[iTunes] moonlightning theme(long edition).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
    And it's on the D Drive. If this is a flash drive, you will need to disinfect that also.

    You probably saw a screen something like this:
    [image: screenshot of a fake "codec required" prompt]
    Courtesy BitDefender
    ==============================
    Win32/Protector.* is a virus that is encrypted to infect a computer without being noticed. Source code is written by a programmer in a high-level language and is readable by people but not computers. Win32/Protector can block Internet access and can connect to a remote computer and also download other malware.
    ============================
    After you have run OTMoveIt, I'd like you to do the following, then post the results:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these:

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    Before I have you do any more, I need to see the result of this scan.
     
  11. Ved

    Ved TS Rookie Topic Starter Posts: 43

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Windows.old\Windows\system32\dllcache\cdrom.sys moved successfully.
    C:\Windows.old\Windows\system32\drivers\cdrom.sys moved successfully.
    C:\Windows.old\Windows\system32\drivers\wcscd.sys moved successfully.
    C:\Windows.old\Windows\Temp\cdfss moved successfully.
    F:\Limewire 1\[iTunes] moonlightning theme(long edition).mp3 moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Buba
    ->Temp folder emptied: 1290 bytes
    ->Temporary Internet Files folder emptied: 33639 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 37712331 bytes
    ->Google Chrome cache emptied: 5876372 bytes
    ->Flash cache emptied: 5321 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 42.00 mb


    OTM by OldTimer - Version 3.1.12.0 log created on 05272010_091945

    - - - - - - -
    Question:
    Your comment: “…And it's on the D Drive. If this is a flash drive, you will need to disinfect that also…”
    To the best of my knowledge D Drive is not a flash drive but local if I can call it so. F Drive (Transcend) is a flash drive. Will you guide me through disinfecting those as well?
    - - - - - - - -

    VirSCAN.org Scanned Report :
    Scanned time : 2010/05/27 15:37:54 (CST)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 26112 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 6de80f60d7de9ce6b8c2ddfdf79ef175
    SHA1 : 8d439a6186ff526403989ac217dfe8e3a2d8bc2c
    Online report : http://virscan.org/report/4864d9d2a93cc173b28fa6e04caf3703.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.0.0.8 20100527023509 2010-05-27 0.41 -
    AhnLab V3 2010.05.27.01 2010.05.27 2010-05-27 1.21 -
    AntiVir 8.2.1.242 7.10.7.181 2010-05-26 0.27 -
    Antiy 2.0.18 20100525.4450001 2010-05-25 0.02 -
    Arcavir 2009 201005261728 2010-05-26 0.03 -
    Authentium 5.1.1 201005270049 2010-05-27 1.44 -
    AVAST! 4.7.4 100526-1 2010-05-26 0.01 -
    AVG 8.5.793 271.1.1/2898 2010-05-27 0.25 -
    BitDefender 7.90123.6098002 7.31855 2010-05-27 4.14 -
    ClamAV 0.96.1 11085 2010-05-27 0.01 -
    Comodo 3.13.579 4942 2010-05-25 0.88 -
    CP Secure 1.3.0.5 2010.05.27 2010-05-27 0.04 -
    Dr.Web 5.0.2.3300 2010.05.27 2010-05-27 7.62 -
    F-Prot 4.4.4.56 20100526 2010-05-26 1.37 -
    F-Secure 7.02.73807 2010.05.27.01 2010-05-27 0.05 -
    Fortinet 4.1.133 11.984 2010-05-26 0.16 -
    GData 21.237/21.79 20100527 2010-05-27 6.92 -
    ViRobot 20100525 2010.05.25 2010-05-25 0.36 -
    Ikarus T3.1.01.84 2010.05.27.75944 2010-05-27 6.51 -
    JiangMin 13.0.900 2010.05.24 2010-05-24 1.20 -
    Kaspersky 5.5.10 2010.05.26 2010-05-26 0.09 -
    KingSoft 2009.2.5.15 2010.5.27.7 2010-05-27 0.68 -
    McAfee 5400.1158 5994 2010-05-26 16.89 -
    Microsoft 1.5802 2010.05.27 2010-05-27 8.55 -
    Norman 6.04.12 6.04.00 2010-05-26 8.07 -
    Panda 9.05.01 2010.05.26 2010-05-26 2.00 -
    Trend Micro 9.120-1004 7.202.03 2010-05-26 0.03 -
    Quick Heal 10.00 2010.05.27 2010-05-27 1.68 -
    Rising 20.0 22.49.03.01 2010-05-27 1.35 -
    Sophos 3.07.1 4.53 2010-05-27 3.92 -
    Sunbelt 3.9.2424.2 6362 2010-05-26 7.30 -
    Symantec 1.3.0.24 20100526.006 2010-05-26 0.06 -
    nProtect 20100526.01 8495632 2010-05-26 7.88 -
    The Hacker 6.5.2.0 v00287 2010-05-25 0.34 -
    VBA32 3.12.12.5 20100526.0824 2010-05-26 2.72 -
    VirusBuster 4.5.11.10 10.126.51/2030399 2010-05-26 2.48 -


    VirSCAN.org Scanned Report :
    Scanned time : 2010/05/27 15:45:40 (CST)
    Scanner results: Scanners did not find malware!
    File Name : explorer.exe
    File Size : 2614272 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 2626fc9755be22f805d3cfa0ce3ee727
    SHA1 : d76db4dcd710be9c3314cff94824933847565372
    Online report : http://virscan.org/report/c378b27e6b2fe606c8a3a439e3f4d051.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.0.0.8 20100527023509 2010-05-27 0.40 -
    AhnLab V3 2010.05.27.01 2010.05.27 2010-05-27 1.15 -
    AntiVir 8.2.1.242 7.10.7.181 2010-05-26 0.31 -
    Antiy 2.0.18 20100525.4450001 2010-05-25 0.02 -
    Arcavir 2009 201005261728 2010-05-26 0.14 -
    Authentium 5.1.1 201005270049 2010-05-27 3.13 -
    AVAST! 4.7.4 100526-1 2010-05-26 0.12 -
    AVG 8.5.793 271.1.1/2898 2010-05-27 0.33 -
    BitDefender 7.90123.6098002 7.31855 2010-05-27 3.89 -
    ClamAV 0.96.1 11085 2010-05-27 0.70 -
    Comodo 3.13.579 4942 2010-05-25 1.31 -
    CP Secure 1.3.0.5 2010.05.27 2010-05-27 0.49 -
    Dr.Web 5.0.2.3300 2010.05.27 2010-05-27 7.84 -
    F-Prot 4.4.4.56 20100526 2010-05-26 2.80 -
    F-Secure 7.02.73807 2010.05.27.01 2010-05-27 0.12 -
    Fortinet 4.1.133 11.984 2010-05-26 0.21 -
    GData 21.237/21.79 20100527 2010-05-27 7.09 -
    ViRobot 20100525 2010.05.25 2010-05-25 0.37 -
    Ikarus T3.1.01.84 2010.05.27.75944 2010-05-27 6.88 -
    JiangMin 13.0.900 2010.05.24 2010-05-24 1.19 -
    Kaspersky 5.5.10 2010.05.26 2010-05-26 0.09 -
    KingSoft 2009.2.5.15 2010.5.27.7 2010-05-27 0.65 -
    McAfee 5400.1158 5994 2010-05-26 16.18 -
    Microsoft 1.5802 2010.05.27 2010-05-27 6.43 -
    Norman 6.04.12 6.04.00 2010-05-26 8.01 -
    Panda 9.05.01 2010.05.26 2010-05-26 2.21 -
    Trend Micro 9.120-1004 7.202.03 2010-05-26 0.04 -
    Quick Heal 10.00 2010.05.27 2010-05-27 2.52 -
    Rising 20.0 22.49.03.01 2010-05-27 1.48 -
    Sophos 3.07.1 4.53 2010-05-27 3.97 -
    Sunbelt 3.9.2424.2 6362 2010-05-26 8.73 -
    Symantec 1.3.0.24 20100526.006 2010-05-26 0.14 -
    nProtect 20100526.01 8495632 2010-05-26 7.85 -
    The Hacker 6.5.2.0 v00287 2010-05-25 0.43 -
    VBA32 3.12.12.5 20100526.0824 2010-05-26 3.00 -
    VirusBuster 4.5.11.10 10.126.51/2030399 2010-05-26 3.51 -


    VirSCAN.org Scanned Report :
    Scanned time : 2010/05/27 15:48:49 (CST)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 20992 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 54a47f6b5e09a77e61649109c6a08866
    SHA1 : 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
    Online report : http://virscan.org/report/1cd9b770b8b29ac9982e0858c0d173c1.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.0.0.8 20100527023509 2010-05-27 0.49 -
    AhnLab V3 2010.05.27.01 2010.05.27 2010-05-27 1.29 -
    AntiVir 8.2.1.242 7.10.7.181 2010-05-26 0.26 -
    Antiy 2.0.18 20100525.4450001 2010-05-25 0.02 -
    Arcavir 2009 201005261728 2010-05-26 0.03 -
    Authentium 5.1.1 201005270049 2010-05-27 1.42 -
    AVAST! 4.7.4 100526-1 2010-05-26 0.01 -
    AVG 8.5.793 271.1.1/2898 2010-05-27 0.29 -
    BitDefender 7.90123.6098002 7.31855 2010-05-27 4.13 -
    ClamAV 0.96.1 11085 2010-05-27 0.01 -
    Comodo 3.13.579 4942 2010-05-25 2.34 -
    CP Secure 1.3.0.5 2010.05.27 2010-05-27 0.04 -
    Dr.Web 5.0.2.3300 2010.05.27 2010-05-27 7.87 -
    F-Prot 4.4.4.56 20100526 2010-05-26 2.00 -
    F-Secure 7.02.73807 2010.05.27.01 2010-05-27 0.05 -
    Fortinet 4.1.133 11.984 2010-05-26 0.36 -
    GData 21.237/21.79 20100527 2010-05-27 7.97 -
    ViRobot 20100525 2010.05.25 2010-05-25 0.38 -
    Ikarus T3.1.01.84 2010.05.27.75944 2010-05-27 7.00 -
    JiangMin 13.0.900 2010.05.24 2010-05-24 1.20 -
    Kaspersky 5.5.10 2010.05.26 2010-05-26 0.10 -
    KingSoft 2009.2.5.15 2010.5.27.7 2010-05-27 0.64 -
    McAfee 5400.1158 5994 2010-05-26 17.49 -
    Microsoft 1.5802 2010.05.27 2010-05-27 6.80 -
    Norman 6.04.12 6.04.00 2010-05-26 8.01 -
    Panda 9.05.01 2010.05.26 2010-05-26 4.03 -
    Trend Micro 9.120-1004 7.202.03 2010-05-26 0.04 -
    Quick Heal 10.00 2010.05.27 2010-05-27 2.75 -
    Rising 20.0 22.49.03.01 2010-05-27 1.27 -
    Sophos 3.07.1 4.53 2010-05-27 4.20 -
    Sunbelt 3.9.2424.2 6362 2010-05-26 7.12 -
    Symantec 1.3.0.24 20100526.006 2010-05-26 0.06 -
    nProtect 20100526.01 8495632 2010-05-26 7.95 -
    The Hacker 6.5.2.0 v00287 2010-05-25 0.32 -
    VBA32 3.12.12.5 20100526.0824 2010-05-26 2.68 -
    VirusBuster 4.5.11.10 10.126.51/2030399 2010-05-26 2.35 -
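As an added example (not part of the thread, and not OTM's own code), the Python below parses the OTM script format the helper posted and reconciles its :Files list against the FILES section of the log Ved posted back, flagging any path the log never reports on; both inputs are constructed from the thread's own lines.

```python
import re

# Constructed sample: the OTM script from the thread (the :Files paths are
# the ones the helper listed; the section syntax is OTM's own).
OTM_SCRIPT = r"""
:Reg

:Files
C:\Windows.old\Windows\system32\dllcache\cdrom.sys
C:\Windows.old\Windows\system32\drivers\cdrom.sys
C:\Windows.old\Windows\system32\drivers\wcscd.sys
C:\Windows.old\Windows\Temp\cdfss
F:\Limewire 1\[iTunes] moonlightning theme(long edition).mp3

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
"""

# Constructed sample: the FILES part of the log Ved posted back.
OTM_LOG = r"""
========== FILES ==========
C:\Windows.old\Windows\system32\dllcache\cdrom.sys moved successfully.
C:\Windows.old\Windows\system32\drivers\cdrom.sys moved successfully.
C:\Windows.old\Windows\system32\drivers\wcscd.sys moved successfully.
C:\Windows.old\Windows\Temp\cdfss moved successfully.
F:\Limewire 1\[iTunes] moonlightning theme(long edition).mp3 moved successfully.
========== COMMANDS ==========
"""

SECTION_RE = re.compile(r"^:(\w+)\s*$")      # ':Files', ':Commands', ...
BANNER_RE = re.compile(r"^=+ (.+?) =+$")     # '========== FILES =========='

def parse_otm_script(text):
    """Map each ':Section' of an OTM script to its non-blank entry lines."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def log_files_section(log_text):
    """Return the non-blank lines between the FILES banner and the next one."""
    lines, in_files = [], False
    for line in (ln.strip() for ln in log_text.splitlines()):
        b = BANNER_RE.match(line)
        if b:
            in_files = b.group(1) == "FILES"
        elif in_files and line:
            lines.append(line)
    return lines

def reconcile(script_text, log_text):
    """For every path under :Files, report the outcome the log gives it.
    Paths compare case-insensitively (Windows file systems are case-
    preserving, not case-sensitive); a path with no log line is flagged."""
    log_lines = log_files_section(log_text)
    report = {}
    for path in parse_otm_script(script_text).get("files", []):
        for line in log_lines:
            if line.lower().startswith(path.lower() + " "):
                report[path] = line[len(path):].strip().rstrip(".")
                break
        else:
            report[path] = "not in log"
    return report

if __name__ == "__main__":
    for path, outcome in reconcile(OTM_SCRIPT, OTM_LOG).items():
        print(f"{outcome:18} {path}")
```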
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good. That scan lets us know if there is a Virut infection. It's always a good thing to see 'no malware found' in this scan!

    We have resolved the problem in your Post #1. Looks like you used the flash drive (F) for the LimeWire download so you know it's infected!

    Threat Removal Procedure:

    [1]. Download Flash_Disinfector and save it to your Desktop.
    [2]. After downloading, double-click on Flash_Disinfector to run it.
    [3]. Just follow the prompts and continue until it begins scanning.
    [screenshot not preserved]
    [4]. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
    [5]. It will scan removable drives; wait for the scan to finish. Done.

    Please download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Then repeat the Eset scan. Leave both logs in your next reply.
     
  13. Ved

    Ved TS Rookie Topic Starter Posts: 43

    It looks as if I am having some problem running the Flash Disinfector.
    I saved the Flash_Disinfector.exe file from the link you provided.
    After downloading I double-clicked on Flash_Disinfector in the Downloads window.
    From the User Account Control window I allowed the installed program to make changes.
    Then it looks like nothing is happening.
    I searched for Flash_Disinfector and found Flash_Disinfector.exe.
    I clicked on it and still nothing.
    I have tried it a few times with the flash drive connected and not connected; the only visible difference is that when the flash drive or memory stick is connected, a Program Compatibility Assistant window shows up with the message: This program might not have installed correctly, giving the options Reinstall using recommended settings or This program installed correctly. I tried both, with the same visible effect.
    I do not know if the scan starts at all.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Try running it under the Administrative Account.
     
  15. Ved

    Ved TS Rookie Topic Starter Posts: 43

    About the same thing happens when I try to run Flash_Disinfector from the Administrative Account… after downloading and double-clicking to run it, an Open File – Security Warning window appears… with the message that the publisher could not be verified… and options to run or cancel.
    After clicking Run in this window, a new window appears, again with the message that the program might not have installed correctly and the options: reinstall using recommended settings, or: this program installed correctly.
    I tried the option reinstall using recommended settings, and still the same effect.
    I have also right-clicked on the Flash Disinfector desktop icon and chosen Troubleshoot compatibility,
    where I am given two options. Try recommended settings gives the following result:
    Windows compatibility mode: Windows XP (SP2)… with the option to start the program to make sure that these new settings have fixed the problem, but it still does not want to start.
    I am using Windows 7.
    The other option, Troubleshoot program, gives a problem list with different options such as:
    Program worked in earlier versions of Windows
    Program opens but doesn’t display
    Requires additional permissions
    Don’t see my problem listed – when I click on this it gives different versions of Windows but not 7, and asks on which one it ran earlier.
    I don’t know if this is compatible with 7 or if there is some other issue why I can’t start this.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Select the Compatibility tab> enter Windows XP for earlier version.

    I'll check later on and see if this program won't work on W7.
     
  17. Ved

    Ved TS Rookie Topic Starter Posts: 43

    In Administrator – Flash Disinfector Properties – Compatibility tab
    I entered Windows XP (Service Pack 2 & 3) as well as Vista, but the program still won't run.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I can't find any OS limit on this program. Did it scan at all?
     
  19. Ved

    Ved TS Rookie Topic Starter Posts: 43

    I don’t know if it scanned at all, but I do not think so.
    No scanning window or scanning message of any kind appeared at all.
    As I don’t know if any scanning window or message usually appears with Flash Disinfector at all, I tried a few times to run Flash Disinfector with and without the flash drive or other removable device connected.
    And there was no difference whatsoever, including no appearance of the messages… please plug in / insert…
    I did not proceed yet with the HJT, thinking that Flash Disinfector should be completed first.
    As I also use the flash drive in question with some other computers, I don’t want to infect them as well.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I have checked many forums for comments on this program. It is safe and legitimate:

    It appears that some security programs complain about it! Is it possible for you to run your antivirus program on the flash drive?
     
  21. Ved

    Ved TS Rookie Topic Starter Posts: 43

    Yes, I was able to run the Norton Security Suite virus scan on F:.
    I scanned it from Administrator.
    If this tells you anything:
    Result: No viruses or spyware detected.
    Details:
    Files & Directories: 22,625
    Registry Entries: 0
    Processes & Start-Up Items: 0
    Network & Browser Items: 0
    Other: 0
    Trusted Files: 0
    Skipped Files: 2
    I ran the scan a second time, as I forgot to save the log, and the second time it scanned 15,651 Files & Directories and skipped 14,692.
    I am including this log here:
    Category: Scan Results
    Date & Time,Risk,Activity,Status,Task Name,Scan Time (d:h:m:s),Total items scanned,Files & Directories,Registry Entries,Processes & Start-Up Items,Network & Browser Items,Other,Trusted Files,Skipped Files,Total Security Risks Detected,Total Security Risks Resolved,Total Security Risks Requiring Attention
    5/30/2010 12:28 PM,Info,Custom scan results,Completed,Custom scan,0:00:00:57,"15,651","15,651",0,0,0,0,0,"14,692",0,0,0
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Were there any numbers for these sections?

    Total Security Risks Detected,
    Total Security Risks Resolved
    Total Security Risks Requiring Attention
     
  23. Ved

    Ved TS Rookie Topic Starter Posts: 43

    They were all 0.
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Are you noting any symptoms of the malware remaining? I'm thinking that I removed the file on the F Drive and the flash is clean.

    I'll check HijackThis to see if there are any bad entries remaining:

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    If there are any remaining problems, please let me know now.
     
  25. Ved

    Ved TS Rookie Topic Starter Posts: 43

    “…Are you noting any symptoms of the malware remaining? I'm thinking that I removed the file on the F Drive and the flash is clean….”
    Norton Security Suite ran an automatic scan, with no flash drive attached, and came across Hacktool.Rootkit!Inf again.
    Here are some details that I found from AV File Insight, if it tells you something:
    Wcscd.sys
    Infected file: c:\_OTM\movedfiles\05272010_091945\c_windows.old\Windows\system31\drivers\wcscd.sys

    Also the computer is tremendously slow, much more than before, with a lot of programs freezing (not responding)… I do not know if this is also due to Skype (I turned off automatic start-up, and will see the progress) or Norton Security Suite, as someone complained that this slows down the system, or because of the virus.
    In addition, on my desktop, two icons both titled desktop.ini showed up.
    --------
    The first time I ran HijackThis, I got the following message:
    For some reason your system denied write access to the Host file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.
    If this happens, you need to edit the file yourself. To do this, click Start, Run and type:
    Notepad C:\Windows\System32\drivers\etc\hosts
    And press Enter. Find the line(s) HijackThis reports and delete them.
    Save the file as ‘hosts’. (with quotes), and reboot.
    ---------
    Then I logged off and logged back in as administrator, where computer runs better.
    I downloaded HijackThis again.
    This time HijackThis worked fine and well.
    Here is the log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 4:35:43 PM, on 5/31/2010
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\IPSBHO.DLL
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\coIEPlg.dll
    O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GRA32A~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe

    --
    End of file - 4518 bytes
     
Topic Status:
Not open for further replies.
