Weird things happen !



Last night everything was fine.

This morning all my browsers except Google Chrome are dead.

The dead browsers are Microsoft IE, Firefox 3.5.5 and Opera 10.10

After clicking them, nothing.

Checked under Task Manager: they are there, and taking a lot of CPU
resources, but stay behind.

Killed those browsers and re-installed, still the same.

So I downloaded MBAM (Malwarebytes' Anti-Malware) and scanned.

After a scan, MBAM reported that there were 5 trojans, and I deleted
all 5 of them.

Rebooted the computer, and still the browsers (except Google Chrome)
refused to work.

Ran MBAM again; 3 more data entries in the Registry were found. Deleted
them again (report at the end of message).

Reboot.

Still the browsers can't run.

Downloaded Avast and Norton.

Norton won't run without downloading their virus definition, but
something is blocking Norton from downloading their virus
definition!!

Now Avast is downloading its virus definition, VERY SLOW!

My 2 Mbps line is downloading at less than 2 kbps!!

I will run Avast after it finishes with the update.

BTW, is there any other package that I should run to check what
actually has happened to my computer?

Please help!

Attached: Report from MBAM

= = ==================================================

Malwarebytes' Anti-Malware 1.42
Database version: 3357
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/7/2009 12:58:27 PM
mbam-log-2009-12-07 (12-58-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 145847
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good:
(0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0)
-> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

= = ===========================================================




Re: Weird things happen !



pg wrote:

You found something that killed Opera V10.10 from within,
or ran something you downloaded that targeted its executable?

Re: Weird things happen !



Opera 10.10, Firefox 3.5.5 and IE 8.0.6001 and Google Chrome are the 4
browsers in my computer.

Now only Google Chrome works, barely --- very slow!

The other three start, but stay hidden, consuming CPU resources
like crazy.

I re-downloaded new copies of Firefox 3.5.5 and Opera 10.10 and
re-installed them.

Still none of them works.

I downloaded Norton's online utility, clicked on the setup file, and
after it installed, it wanted to download the virus definition, and
that virus / trojan / malware BLOCKS Norton's attempt to download _any_
virus definition.

Avast's download was successful, and I used it to run the "boot up" routine,
scanned the entire system, and asked it to delete EVERYTHING that it
finds suspicious.

After Avast's scan, I rebooted the machine, and STILL, IE, FF and Opera
refuse to work!

Same as before.

I have run DDS, RootRepeal and Hijackthis, and will post the result at
the end of this message.

MBAM did delete some suspicious trojan, but this system is still very
much in deep shit (please pardon my French).

Here are the reports:

= = ==================================================

Root Repeal

= = ==================================================

ROOTREPEAL AD, 2007-2009
======================================================================
Scan Start Time:     2009/12/07 13:26
Program Version:     Version 1.3.5.0
Windows Version:     Windows XP SP3
======================================================================

Drivers
-------------------
Name: BIOS.sys
Image Path: C:\WINDOWS\system32\drivers\BIOS.sys
Address: 0xF557B000    Size: 13696    File Visible: -    Signed: No
Status: -

Name: cpuz132_x32.sys
Image Path: C:\WINDOWS\system32\drivers\cpuz132_x32.sys
Address: 0xF0205000    Size: 12672    File Visible: -    Signed: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFAD5000    Size: 49152    File Visible: No    Signed: No
Status: -

Name: rtqj.sys
Image Path: rtqj.sys
Address: 0xF5DD8000    Size: 54016    File Visible: No    Signed: No
Status: -

Name: tap0901.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tap0901.sys
Address: 0xF6138000    Size: 25216    File Visible: -    Signed: No
Status: -

Name: uyowfi.sys
Image Path: uyowfi.sys
Address: 0xF5DC8000    Size: 54016    File Visible: No    Signed: No
Status: -

==EOF==


= = ==================================================

DDS

= = ==================================================


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 12:53:18.71 on Mon 12/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2772
[GMT -12:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager
\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager
\bin32\nSvcIp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Free Extended Task Manager\Extensions\TaskManager
\ExtensionsTaskManager32.exe
C:\Program Files\Norton Security Scan\Engine.3.0.44\NSS.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Desktop\HousecallLauncher.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\TempzS22.tmp\setup.exe
C:\Documents and Settings\Administrator\Desktop\avast_home_setup.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: - c:
\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: - No File
BHO: FDMIECookiesBHO Class: - c:
\program files\free download manager\iefdm2.dll
BHO: Java(TM) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-
eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie
\jqs_plugin.dll
TB: - No File
uRun: [Google Update] "c:\documents and settings\administrator\local
settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /
install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows
\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows
\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static
\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [openvpn-gui] c:\program files\ultravpn\bin\openvpn-gui.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader
9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm
.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -
atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin
\jusched.exe"
IE: - %windir%\Network
Diagnostic\xpnetdiag.exe
IE: - c:\program files\messenger
\msmsgs.exe
DPF: -
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: -
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: -
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: = 202.188.0.133
202.188.1.5
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - - c:
\windows\system32\WPDShServiceObj.dll
IFEO: taskmgr.exe - c:\program files\free extended task manager
\extensions\taskmanager\ExtensionsTaskManager32.exe

================= FIREFOX =================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox
\profilesx3ekcqo.default\
FF - prefs.js: browser.startup.homepage - google.com.au
FF - plugin: c:\documents and settings\administrator\application data
\mozilla\firefox\profilesx3ekcqo.default\extensions
\\plugins\npww.dll
FF - plugin: c:\documents and settings\administrator\local settings
\application data\google\update.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program
files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-
ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program
files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-
ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla
firefox\greprefs\security-prefs.js - pref
("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS =============

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-9-9 13696]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys
[2009-10-31 12672]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers
\mbamswissarmy.sys [2009-12-7 38224]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows
\system32\drivers\nvhda32.sys [2009-10-28 30880]
S0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2007-3-26 16896]
S0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers
\ViPrt.sys [2007-3-26 52224]
S3 FXDrv32;FXDrv32;\??\g:\fxdrv32.sys --> g:\FXDrv32.sys [?]
S3 GPUTool;GPUTool;\??\c:\docume~1\admini~1\locals~1\temp\gputool.sys
--> c:\docume~1\admini~1\locals~1\temp\GPUTool.sys [?]
S3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2009-10-31
4608]

=============== Created Last 30 ================

2009-12-08 00:41:38    0    d-----w-    c:\windows\system32\drivers\NSS
2009-12-08 00:41:38    0    d-----w-    c:\program files\Norton Security Scan
2009-12-08 00:37:32    0    d-----w-    c:\program files\NortonInstaller
2009-12-08 00:32:24    0    d-----w-    c:\program files\CCleaner
2009-12-08 00:30:23    0    d-----w-    c:\program files\Trend Micro
2009-12-08 00:28:15    0    d--h--w-    c:\windows\PIF
2009-12-08 00:13:06    0    d-----w-    c:
\docume~1\admini~1\applic~1\Malwarebytes
2009-12-08 00:13:03    38224    ----a-w-    c:\windows\system32\drivers
\mbamswissarmy.sys
2009-12-08 00:13:02    0    d-----w-    c:
\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-08 00:13:01    19160    ----a-w-    c:\windows\system32\drivers
\mbam.sys
2009-12-08 00:13:01    0    d-----w-    c:\program files\Malwarebytes' Anti-
Malware
2009-12-07 18:15:03    0    d--h--w-    c:\windows\system32\GroupPolicy
2009-12-06 18:54:58    63957    ----a-w-    C:\xyz.png
2009-12-05 04:37:29    53784    ----a-w-    C:\DNS.png
2009-11-26 09:14:22    0    d-----w-    c:\program files\Free Download Manager
2009-11-23 21:24:59    0    d-----w-    c:\windows\system32\Adobe
2009-11-22 22:20:59    0    d-sh--w-    c:\documents and settings\administrator
\PrivacIE
2009-11-22 19:04:01    0    d-----w-    c:\windows\system32\oodag
2009-11-14 15:39:50    0    d-----w-    c:\program files\LopeSoft
2009-11-11 11:08:24    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2009-11-11 11:08:24    69632    ----a-w-    c:\windows\system32\QuickTime.qts
2009-11-10 19:29:47    0    d-----w-    c:\program files\UltraVPN
2009-11-08 16:14:48    0    d-----w-    c:\windows\pss

==================== Find3M ====================

2009-10-29 04:48:52    499712    ----a-w-    c:\windows\system32\msvcp71.dll
2009-10-29 04:48:52    348160    ----a-w-    c:\windows\system32\msvcr71.dll
2009-10-21 07:08:02    69632    ----a-w-    c:\windows\system32\XXPBAR.EXE
2009-10-21 07:08:02    450560    ----a-w-    c:\windows\system32\XXCOPYSU.EXE
2009-10-21 07:08:02    450560    ----a-w-    c:\windows\system32\XXCOPY.EXE
2009-10-21 07:08:02    2321    ----a-w-    c:\windows\system32\UIXXCOPY.BAT
2009-10-21 07:08:02    230377    ----a-w-    c:\windows\system32\XXCOPY16.EXE
2009-10-21 07:08:02    146936    ----a-w-    c:\windows\system32\XXCONSOLE.EXE
2009-10-11 16:17:27    411368    ----a-w-    c:\windows\system32\deploytk.dll
2009-09-28 06:20:04    2173544    ----a-w-    c:\windows\system32\nvcplui.exe
2009-09-28 06:20:00    81920    ----a-w-    c:\windows\system32\nvwddi.dll
2009-09-28 06:19:52    3166208    ----a-w-    c:\windows\system32\nvwss.dll
2009-09-28 06:19:50    4026368    ----a-w-    c:\windows\system32\nvvitvs.dll
2009-09-28 06:19:48    3547136    ----a-w-    c:\windows\system32\nvgames.dll
2009-09-28 06:19:48    188416    ----a-w-    c:\windows\system32\nvmccss.dll
2009-09-28 06:19:48    1286144    ----a-w-    c:\windows\system32\nvmobls.dll
2009-09-28 06:19:46    86016    ----a-w-    c:\windows\system32\nvmctray.dll
2009-09-28 06:19:46    4935680    ----a-w-    c:\windows\system32\nvdisps.dll
2009-09-28 06:19:46    172100    ----a-w-    c:\windows\system32\nvsvc32.exe
2009-09-28 06:19:46    143360    ----a-w-    c:\windows\system32\nvcolor.exe
2009-09-28 06:19:46    13918208    ----a-w-    c:\windows\system32\nvcpl.dll
2009-09-28 06:19:40    229376    ----a-w-    c:\windows\system32\nvmccs.dll
2009-09-28 04:12:22    888832    ----a-w-    c:\windows\system32\nvapi.dll
2009-09-28 04:12:22    5900416    ----a-w-    c:\windows\system32\nv4_disp.dll
2009-09-28 04:12:22    490088    ----a-w-    c:\windows\system32\nvudisp.exe
2009-09-28 04:12:22    2194024    ----a-w-    c:\windows\system32\nvcuvid.dll
2009-09-28 04:12:22    2007040    ----a-w-    c:\windows\system32\nvcuda.dll
2009-09-28 04:12:22    1714792    ----a-w-    c:\windows\system32\nvcuvenc.dll
2009-09-28 04:12:22    170600    ----a-w-    c:\windows\system32\nvcodins.dll
2009-09-28 04:12:22    170600    ----a-w-    c:\windows\system32\nvcod.dll
2009-09-28 04:12:22    1604482    ----a-w-    c:\windows\system32\nvdata.bin
2009-09-28 04:12:22    10756096    ----a-w-    c:\windows\system32\nvoglnt.dll
2009-09-26 04:35:00    593920    ------w-    c:\windows\system32\ati2sgag.exe
2009-09-24 21:24:18    490088    ----a-w-    c:\windows\system32\NVUNINST.EXE
2009-09-23 22:39:28    446464    ----a-w-    c:\windows\system32\ATIDEMGX.dll
2009-09-23 22:38:26    299520    ----a-w-    c:\windows\system32\ati2dvag.dll
2009-09-23 22:21:32    204800    ----a-w-    c:\windows\system32\atipdlxx.dll
2009-09-23 22:21:14    155648    ----a-w-    c:\windows\system32\Oemdspif.dll
2009-09-23 22:21:00    26112    ----a-w-    c:\windows\system32\Ati2mdxx.exe
2009-09-23 22:20:50    43520    ----a-w-    c:\windows\system32\ati2edxx.dll
2009-09-23 22:20:36    155648    ----a-w-    c:\windows\system32\ati2evxx.dll
2009-09-23 22:19:14    602112    ----a-w-    c:\windows\system32\ati2evxx.exe
2009-09-23 22:17:44    53248    ----a-w-    c:\windows\system32\ATIDDC.DLL
2009-09-23 22:11:02    311296    ----a-w-    c:\windows\system32\atiiiexx.dll
2009-09-23 22:09:18    3506080    ----a-w-    c:\windows\system32\ati3duag.dll
2009-09-23 21:58:16    12644352    ----a-w-    c:\windows\system32\atioglxx.dll
2009-09-23 21:53:48    2096384    ----a-w-    c:\windows\system32\ativvaxx.dll
2009-09-23 21:53:26    887724    ----a-w-    c:\windows\system32\ativva6x.dat
2009-09-23 21:36:50    65024    ----a-w-    c:\windows\system32\atimpc32.dll
2009-09-23 21:36:50    65024    ----a-w-    c:\windows\system32\amdpcom32.dll
2009-09-23 21:32:20    561152    ----a-w-    c:\windows\system32\atikvmag.dll
2009-09-23 21:31:32    45056    ----a-w-    c:\windows\system32\aticalrt.dll
2009-09-23 21:31:18    45056    ----a-w-    c:\windows\system32\aticalcl.dll
2009-09-23 21:30:08    167936    ----a-w-    c:\windows\system32\atiadlxx.dll
2009-09-23 21:29:42    17408    ----a-w-    c:\windows\system32\atitvo32.dll
2009-09-23 21:29:36    3489792    ----a-w-    c:\windows\system32\aticaldd.dll
2009-09-23 21:27:50    401408    ----a-w-    c:\windows\system32\atiok3x2.dll
2009-09-23 21:23:08    638976    ----a-w-    c:\windows\system32\ati2cqag.dll
2009-09-11 12:01:57    2560    ----a-w-    c:\windows\_MSRSTRT.EXE
2009-09-11 11:56:39    5334    ----a-w-    c:\windows\system32\unins000.dat
2009-09-11 11:56:31    716153    ----a-w-    c:\windows\system32\unins000.exe
2009-09-11 11:12:54    249856    ------w-    c:\windows\Setup1.exe
2009-09-11 11:12:53    73216    ----a-w-    c:\windows\ST6UNST.EXE
2009-09-10 13:29:21    21640    ----a-w-    c:\windows\system32\emptyregdb.dat
2009-09-10 04:24:52    315392    ----a-w-    c:\windows\HideWin.exe
2008-03-09 19:25:10    236    ----a-w-    c:\program files\common files\dx.reg

============= FINISH: 12:53:33.01 =============


= = ==================================================

Hijackthis

= = ==================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:22 PM, on 12/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager
\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager
\bin32\nSvcIp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Free Extended Task Manager\Extensions\TaskManager
\ExtensionsTaskManager32.exe
C:\Program Files\Norton Security Scan\Engine.3.0.44\NSS.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data
\Google\Chrome\Application\chrome.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - -
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX
\AcroIEHelperShim.dll
O2 - BHO: NCO 2.0 IE BHO - -
(no file)
O2 - BHO: FDMIECookiesBHO Class -
- C:\Program Files\Free
Download Manager\iefdm2.dll
O2 - BHO: Java(TM) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-
EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie
\jqs_plugin.dll
O3 - Toolbar: (no name) - - (no
file)
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView
\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS
\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS
\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE
\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\UltraVPN\bin\openvpn-
gui.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe
\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM
.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin
\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings
\Administrator\Local Settings\Application Data\Google\Update
\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) -
- C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-
d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic
\xpnetdiag.exe
O9 - Extra button: Messenger -
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-
BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3D6DBB7-7AE8-47E2-
A68D-004688814060}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS
\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS
\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) -
Unknown owner - C:\Program Files\NVIDIA Corporation
\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun
Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:
\Program Files\NVIDIA Corporation\NetworkAccessManager
\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS
\system32\oodag.exe

--
End of file - 5032 bytes

= = ==================================================


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/10/2009 1:34:41 AM
System Uptime: 12/7/2009 12:36:39 PM (0 hours ago)

Motherboard: FOXCONN |  | MCP73M05
Processor:               Intel(R) Pentium(R) D CPU 3.00GHz | Socket
775 | 3000/200mhz

==== Disk Partitions ========================

C: is FIXED (NTFS) - 31 GiB total, 2.198 GiB free.
D: is FIXED (NTFS) - 33 GiB total, 0.087 GiB free.
E: is FIXED (NTFS) - 900 GiB total, 835.932 GiB free.
F: is FIXED (NTFS) - 564 GiB total, 0.664 GiB free.
G: is CDROM ()
H: is CDROM ()

==== Disabled Device Manager Items ============

Class GUID:
Description:
Device ID: HDAUDIO
\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001&1C86A133&0&0001
Manufacturer:
Name:
PNP Device ID: HDAUDIO
\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001&1C86A133&0&0001
Service:

==== System Restore Points ==================

RP67: 12/6/2009 10:48:44 AM - System Checkpoint
RP68: 12/7/2009 11:05:02 AM - Removed Opera 10.10.
RP69: 12/7/2009 11:05:13 AM - Installed Opera 10.10.

==== Installed Programs =====================

7-Zip 4.65
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner
Chinese (Simplified) Language Support
Chinese (Traditional) Language Support
CPUID CPU-Z 1.52.2
DirectX10 RC2 Pre Fix 3
FileMenu Tools
Free Download Manager 3.0
Free Extended Task Manager
Google Chrome
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB954550-v5)
Intel(R) Processor ID Utility
Java(TM) 6 Update 17
K-Meleon 1.5.3 en-US (remove only)
Malwarebytes' Anti-Malware
MFC RunTime files
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.5)
MSXML 6.0 Parser (KB925673)
Norton Security Scan
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
NVIDIA nView Desktop Manager
O&O Defrag Professional
Opera 10.10
QuickTime
Realtek High Definition Audio Driver
Revo Uninstaller 1.83
RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
Safari
UltraVPN
WebFldrs XP
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
XXConsole: Super Console Generator  ver 0.96

==== Event Viewer Messages From Past Week =======

12/7/2009 12:37:11 PM, error: sr [1]  - The System Restore filter
encountered the unexpected error '0xC0000001' while processing the
file '' on the volume 'HarddiskVolume1'.  It has stopped monitoring
the volume.
12/7/2009 12:37:02 PM, error: Service Control Manager [7026]  - The
following boot-start or system-start driver(s) failed to load:  uagp35
ViaIde ViBus videX32 ViPrt
12/4/2009 10:25:01 AM, error: W32Time [34]  - The time service has
detected that the system time needs to be  changed by +401699 seconds.
The time service will not change the system  time by more than +54000
seconds. Verify that your time and time zone  are correct, and that
the time source time.windows.com (ntp.m|0x1|115.133.48.23:123-
11/30/2009 5:51:40 PM, error: Service Control Manager [7000]  - The
Parallel port driver service failed to start due to the following
error:  The service cannot be started, either because it is disabled
or because it has no enabled devices associated with it.
11/30/2009 5:43:47 AM, error: Service Control Manager [7034]  - The
Java Quick Starter service terminated unexpectedly.  It has done this
1 time(s).
11/30/2009 5:15:56 AM, error: Service Control Manager [7034]  - The
O&O Defrag service terminated unexpectedly.  It has done this 1 time
(s).

==== End Of File ============================
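As an added example (not from this thread, nor from RootRepeal, DDS or any other tool named above), here is a Python triage of the RootRepeal "Drivers" section, run over a constructed copy of four of its entries: it flags loaded drivers that are listed with no on-disk image path or are hidden from the file system, and notes when two such drivers share an image size. It assumes the scanner's own rootrepeal.sys hides itself by design and reports it as expected rather than suspicious.

```python
"""Triage the 'Drivers' section of a RootRepeal report: flag loaded kernel
drivers with no on-disk image path, hidden from file-system enumeration,
or sharing an image size with another pathless driver."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: four driver entries reproduced from the RootRepeal
# report posted in this thread.
SAMPLE_REPORT = r"""
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFAD5000    Size: 49152    File Visible: No    Signed: No
Status: -

Name: rtqj.sys
Image Path: rtqj.sys
Address: 0xF5DD8000    Size: 54016    File Visible: No    Signed: No
Status: -

Name: tap0901.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tap0901.sys
Address: 0xF6138000    Size: 25216    File Visible: -    Signed: No
Status: -

Name: uyowfi.sys
Image Path: uyowfi.sys
Address: 0xF5DC8000    Size: 54016    File Visible: No    Signed: No
Status: -
"""

# One RootRepeal driver block: Name line, Image Path line, Address line.
ENTRY_RE = re.compile(
    r"Name:[ \t]*(?P<name>\S+)[ \t]*\n"
    r"Image Path:[ \t]*(?P<path>.+?)[ \t]*\n"
    r"Address:[ \t]*(?P<addr>0x[0-9A-Fa-f]+)[ \t]+Size:[ \t]*(?P<size>\d+)[ \t]+"
    r"File Visible:[ \t]*(?P<visible>\S+)[ \t]+Signed:[ \t]*(?P<signed>\S+)")

# Assumption: the scanner's own anti-rootkit driver hides itself by design.
SCANNER_OWN = frozenset({"rootrepeal.sys"})


@dataclass
class Driver:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: str
    signed: str
    findings: list = field(default_factory=list)

    @property
    def has_disk_path(self) -> bool:
        # A bare module name means RootRepeal found no backing file path.
        return "\\" in self.image_path or "/" in self.image_path


def parse_drivers(report: str) -> list:
    """Parse every driver block in the report into a Driver record."""
    return [Driver(name=m["name"], image_path=m["path"], address=int(m["addr"], 16),
                   size=int(m["size"]), file_visible=m["visible"], signed=m["signed"])
            for m in ENTRY_RE.finditer(report)]


def triage(drivers: list) -> list:
    """Attach findings to each driver; return the ones that deserve a look."""
    by_size = defaultdict(list)          # image size -> names of pathless drivers
    for d in drivers:
        if not d.has_disk_path:
            by_size[d.size].append(d.name)
    flagged = []
    for d in drivers:
        d.findings.clear()
        if d.name.lower() in SCANNER_OWN:
            d.findings.append("expected: scanner's own self-hiding driver")
            continue
        if not d.has_disk_path:
            d.findings.append("loaded with no on-disk image path")
        if d.file_visible.lower() == "no":
            d.findings.append("hidden from file-system enumeration")
        twins = [n for n in by_size.get(d.size, []) if n != d.name]
        if twins and not d.has_disk_path:
            d.findings.append("same image size as pathless driver(s): " + ", ".join(twins))
        # 'Signed: No' alone proves nothing on XP, where most third-party drivers
        # are unsigned; it is recorded only alongside another finding.
        if d.findings and d.signed.lower() == "no":
            d.findings.append("unsigned")
        if d.findings:
            flagged.append(d)
    return flagged


def suspicious_names(report: str) -> list:
    """Names of drivers flagged by triage(), in report order."""
    return [d.name for d in triage(parse_drivers(report))]
```

On the sample this returns rtqj.sys and uyowfi.sys, each with three findings plus the unsigned note; tap0901.sys (a full path, visible) is not flagged.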

Re: Weird things happen !



pg wrote:

Those are simply the effect of not having the security center keep flashing
that tray balloon when you don't have an external FW, AV, or auto-update.
MBAM started including those some three or four months ago. Last time I tried
it I was able to get it to ignore those in a subsequent scan.

Re: Weird things happen !




| Last nite everything was fine.

| This morning all my browsers except Google Chrome are dead.

| The dead browsers are Microsoft IE, Firefox 3.5.5 and Opera 10.10

Kill all software on PC and perform a scan using Gmer.

http://www.gmer.net/#files


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Weird things happen !




ADDENDUM:

In addition, don't install BOTH Avast and Norton. It is one or the other, and
Avast is preferred, as it is contraindicated to install more than one fully
installed AV application performing both "On Demand" and "On Access" scanning
on any singular PC.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Weird things happen !



Okay, thanks!!

wrote:

Re: Weird things happen !

wrote:

Report from GMER:

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-07 18:53:38
Windows 5.1.2600 Service Pack 3
Running: hgnokzt1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
\awtdapow.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self
protection module/ALWIL Software)                         ZwClose
[0xF1B6F6B8]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self
protection module/ALWIL Software)                         ZwCreateKey
[0xF1B6F574]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self
protection module/ALWIL Software)
ZwDeleteValueKey [0xF1B6FA52]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self
protection module/ALWIL Software)
ZwDuplicateObject [0xF1B6F14C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self
protection module/ALWIL Software)                         ZwOpenKey
[0xF1B6F64E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self
protection module/ALWIL Software)
ZwOpenProcess [0xF1B6F08C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self
protection module/ALWIL Software)                         ZwOpenThread
[0xF1B6F0F0]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self
protection module/ALWIL Software)
ZwQueryValueKey [0xF1B6F76E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self
protection module/ALWIL Software)                         ZwRestoreKey
[0xF1B6F72E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self
protection module/ALWIL Software)
ZwSetValueKey [0xF1B6F8AE]

INT
0x62        ?
FCC112AC
INT
0x63        ?
FC8B2634
INT
0x73        ?
FC8B19B4
INT
0x83        ?
FCC61E54
INT
0x93        ?
FC89F754
INT
0xA3        ?
FC89AE54
INT
0xA4        ?
FCA1A6EC
INT
0xB1        ?
FCCAD2AC
INT
0xB4        ?
FCA4F6DC

---- Kernel code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\DRIVERS\ati2mtag.sys     section is writeable [0xF55E4000, 0x21F557, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  00380002
IAT             C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]        00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs          aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip        aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp       aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Udp       aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp     aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MinEncryptionLevel                  0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Callback                            0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@CallbackNumber
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Comment                             System Console
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Domain
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@InitialProgram
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@InputBufferLength                   0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@KeyboardLayout                      0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@KeyboardName                        \REGISTRY\Machine\System\CurrentControlSet\Services\Kbdclass
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MaxConnectionTime                   0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MaxDisconnectionTime                0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MaxIdleTime                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MouseName                           \REGISTRY\Machine\System\CurrentControlSet\Services\Mouclass
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@OutBufCount                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@OutBufDelay                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@OutBufLength                        0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Password
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@PdClass                             1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@PdDll
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@PdFlag                              30
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@PdName                              console
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@UserName
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@WdDll                               wdcon
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@WdFlag                              36
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@WdName                              Console
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@WorkDirectory
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritAutoLogon                   0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritCallback                    0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritCallbackNumber              0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritInitialProgram              0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritMaxDisconnectionTime        0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritMaxIdleTime                 0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritMaxSessionTime              0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritReconnectSame               0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritResetBroken                 0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fInheritShadow                      0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fLogonDisabled                      0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fPromptForPassword                  1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fReconnectSame                      0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fResetBroken                        0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fUseDefaultGina                     0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Shadow                              1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@TraceClass                          268435465
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@TraceDebugger                       1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@TraceEnable                         12
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@fEnableWinStation                   1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CdClass                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CdDLL
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CdFlag                          0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CdName
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@CfgDll                          RDPCFGEX.DLL
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@InteractiveDelay                50
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@OutBufDelay                     100
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@PdClass                         2
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@PdDLL                           tdtcp
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@PdFlag                          78
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@PdName                          tcp
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WdDLL                           rdpwd
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WdFlag                          52
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WdName                          Microsoft RDP 5.1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WdPrefix                        RDP
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP@WsxDLL                          rdpwsx
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CfgDll                              RDPCFGEX.DLL
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fEnableWinStation                   1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxInstanceCount                    -1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PdName                              tcp
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PdClass                             2
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PdDLL                               tdtcp
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PdFlag                              78
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@OutBufLength                        530
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@OutBufCount                         6
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@OutBufDelay                         100
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@InteractiveDelay                    50
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@PortNumber                          3389
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@KeepAliveTimeout                    0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@LanAdapter                          0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdName                              Microsoft RDP 5.1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdDLL                               rdpwd
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WsxDLL                              rdpwsx
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdFlag                              54
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@InputBufferLength                   2048
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CdClass                             0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CdName
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CdDLL
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CdFlag                              0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Comment
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritAutoLogon                   1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritResetBroken                 1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritReconnectSame               1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritInitialProgram              1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritCallback                    0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritCallbackNumber              1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritShadow                      1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritMaxSessionTime              1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritMaxDisconnectionTime        1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritMaxIdleTime                 1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritAutoClient                  1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritSecurity                    0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritColorDepth                  0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fPromptForPassword                  0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fResetBroken                        0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fReconnectSame                      0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fLogonDisabled                      0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fAutoClientDrives                   1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fAutoClientLpts                     1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fForceClientLptDef                  1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableEncryption                  1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fHomeDirectoryMapRoot               0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fUseDefaultGina                     0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCpm                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCdm                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCcm                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableLPT                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableClip                        0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableExe                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCam                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Username
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Domain
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Password
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WorkDirectory
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@InitialProgram
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CallbackNumber
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Callback                            0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Shadow                              1
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxConnectionTime                   0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxDisconnectionTime                0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxIdleTime                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@KeyboardLayout                      0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MinEncryptionLevel                  2
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@NWLogonServer
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WFProfilePath
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdPrefix                            RDP
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@TraceEnable                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@TraceDebugger                       0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@TraceClass                          0
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@ColorDepth                          3
Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION   0C04FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB3452BA7FD869164D6794BA7FD869164D67949280D8D7302FCC58A748D546B25B4C46155CF1082839BBB035AF617C9A29E1029A17F42D6BA01A6D4C9CB21ED020702B0FA16D77ECFB4387C0CC76F86CF57FBE40C9DB3B38225F246CDD34483FA247A72CC483FC3EB1AA1B87E022C1ACF580D2D53F3E88A52DCB0EF3656E27F3A3B23991724AF89B00A2F50B8F99D482D40877D4AF954F2292143173213A5247371753086F197EE4DD6097EB8F56637B8E3BD758E51DFE0373EE852011B196F7C4DC5C7F100F5863979FF1722D98D305F646151F43D1390147987852CB35F12608702B093F0C02BF509BEC88C6DF3FF131D6430FBBF8D53759D0EA08796A18D810C390D97BB5AA87FA98E23ECFF4737BB8A0E82F5818DC26C7DA3161D739F1784149CD4CD6F5392FE0D92445CF6070BB5AD903ABB37B1033857E9424B8CC195255FB995EF6F8440C1F2A72746270EE3339BC81D380B15F275807D3B77F965F96D3579C3217301AD8A6D605C735B7D444C987481C808E722C5CC49DA9A849C55DA05BF50D85CFB9B3BBB208DD0D8C423756FE309D8D29A355818A182C3EDD859E6D0E365924D2D71FF69119F842088736FCE60411935B81948631DC1263118938C

---- EOF - GMER 1.0.15 ----
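The report above is GMER's plain-text output, and most of the triage work on such a log is sorting hooks by who owns them. The following parser is an added example and is not part of the thread or of GMER itself: it reads the SSDT, INT, IAT and AttachedDevice record types, groups every hook by the vendor GMER printed after the "/" in its description, and lists the entries GMER could not attribute to any loaded module (the "?" INT vectors and the IAT entries in services.exe that carry no module name), because those are the ones a reviewer follows up first. The sample lines are constructed from the record types seen above; the regexes and the record field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.15 log format, modelled on the record
# types in the report above (SSDT hooks, an INT entry, IAT hooks, a device).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwClose [0xF1B6F6B8]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenProcess [0xF1B6F08C]

INT 0x62        ?                                              FCC112AC

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  00380002
IAT             C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]        00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs          aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
"""

# One regex per record type. GMER prints "(description/vendor)" after a
# module it could identify; a bare "?" or no module at all means it could not.
PATTERNS = {
    "SSDT": re.compile(
        r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<target>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]"),
    "INT": re.compile(
        r"^INT\s+(?P<target>0x[0-9A-Fa-f]+)\s+(?P<module>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s*$"),
    "IAT": re.compile(
        r"^IAT\s+(?P<process>\S+)\s+@\s+\S+\s+\[(?P<target>[^\]]+)\]\s+(?P<addr>[0-9A-Fa-f]+)"
        r"(?:\s+(?P<module>\S.*?))?\s*$"),
    "AttachedDevice": re.compile(
        r"^AttachedDevice\s+\S+\s+(?P<target>\S+)\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)"),
}


def vendor_of(match):
    """Vendor name GMER printed after the last '/' of the description, else None."""
    desc = match.groupdict().get("desc")
    if desc and "/" in desc:
        return desc.rsplit("/", 1)[1].strip()
    return None


def parse_gmer(text):
    """Return one record dict per hook or attached device found in a GMER log."""
    records = []
    for line in text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line)
            if not m:
                continue
            module = m.group("module")
            records.append({
                "kind": kind,
                "target": m.group("target"),            # hooked function, vector or device
                "address": m.groupdict().get("addr"),   # where the hook points, if printed
                "module": None if module in (None, "?") else module,
                "vendor": vendor_of(m),
            })
            break
    return records


def triage(records):
    """Split records into hooks attributed to a named vendor (or module) and
    hooks GMER could not attribute to any loaded module. The unattributed
    list is the follow-up list; vendor-attributed hooks are usually the
    installed security product, as with aswSP.SYS in the report above."""
    by_vendor = defaultdict(list)
    unattributed = []
    for rec in records:
        if rec["module"] is None:
            unattributed.append(rec)
        else:
            by_vendor[rec["vendor"] or rec["module"]].append(rec["target"])
    return dict(by_vendor), unattributed


if __name__ == "__main__":
    attributed, pending = triage(parse_gmer(SAMPLE_LOG))
    for vendor, targets in attributed.items():
        print("%-20s %s" % (vendor, ", ".join(targets)))
    for rec in pending:
        print("UNATTRIBUTED %-14s %-36s -> %s" % (rec["kind"], rec["target"], rec["address"]))
```

Run it against a saved GMER log by passing the file's text to parse_gmer(). On the report above it puts every SSDT and device entry under ALWIL Software and leaves the nine INT vectors and the two services.exe IAT entries (CreateProcessW and CreateProcessAsUserW, both pointing into 0x00380000) on the unattributed list, which is what the replies in the thread end up asking about.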

Re: Weird things happen !



pg wrote:

I'm surprised that Dave didn't advise against posting the full GMER report,
as it's as big or bigger than HJT.  

Re: Weird things happen !




| wrote:




| Report from GMER:

| GMER 1.0.15.15279 - http://www.gmer.net
| Rootkit scan 2009-12-07 18:53:38
| Windows 5.1.2600 Service Pack 3
| Running: hgnokzt1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
| \awtdapow.sys


I have seen some logs but I haven't seen ...
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

Shown so much in a Gmer log.

Remove ~nospam~ from my posting address and send me the full Gmer log file.

I will Ping Gmer and see what he says about it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Weird things happen !



Dear Mr. Lipman,

Email sent, with attachments of the full GMER log (zipped), along with
OTL files (extra.zip, otl.zip), from my hotmail account.

Thank you very much !!


Re: Weird things happen !





I ran a search on terminal server and found "Backdoor.Botnachala"

http://www.offensivecomputing.net/?q=node/110


Could my system already be hacked from the outside?

Re: Weird things happen !



pg wrote:

One thing I do when I'm trying to eliminate malware that antivirus scans
don't find is to look for files that have had their permissions locked. An
easy way to do this is try to change a file attribute such as the archive
bit or read only bit for all the files in a directory, usually system32 is
where I start as most malware hangs out in there.

Any file that won't let its attributes be changed is suspicious and worth
Googling to see what it does. If it's a nasty then I search the registry for
any references to that filename, delete those entries then delete the file
itself from within the Recovery Console if it can't be deleted normally.

However if the corruption has already spread so far that things like System
Restore and other key components no longer work it's probably quicker and
more thorough to just do a complete reinstall.
--
Dave Baker
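Dave Baker's two steps (probe every file in a directory by flipping an attribute, then search the registry for references to any file that would not budge), as an added example that is not from the thread and not his own tooling. It is written in Python rather than with attrib and regedit: on Windows os.chmod() maps the owner write bit to the read-only attribute, so the probe is the read-only-bit flip he describes, and the registry step runs over the text of a regedit export (regedit /e) instead of the live registry, decoding hex(2)/hex(7) values because REG_EXPAND_SZ and REG_MULTI_SZ paths are exported as UTF-16 byte lists that a plain text search never sees. The sample .reg snippet and the file name suspect-sample.dll are constructed, and the default directory is an assumption.

```python
import os
import shutil
import stat
import sys
import tempfile


def probe_file(path):
    """Flip the read-only bit on one file and put it back.

    On Windows os.chmod() only honours S_IWRITE, mapping it to the READONLY
    attribute, so this is the attribute change the post describes. Returns
    None when the change went through, otherwise a short error description."""
    try:
        mode = os.stat(path).st_mode
        os.chmod(path, mode ^ stat.S_IWRITE)   # toggle
        os.chmod(path, mode)                   # restore the original bits
    except OSError as exc:
        return "%s: %s" % (type(exc).__name__, exc.strerror)
    return None


def find_locked_files(directory):
    """[(path, error)] for every regular file whose attributes could not be
    changed. One directory at a time, no descent, as in the post. Symlinks
    are skipped so the probe never touches a file outside the directory."""
    locked = []
    with os.scandir(directory) as it:
        for entry in sorted(it, key=lambda e: e.name.lower()):
            if not entry.is_file(follow_symlinks=False):
                continue
            err = probe_file(entry.path)
            if err is not None:
                locked.append((entry.path, err))
    return locked


def _decode_reg_value(raw):
    """Searchable text of one .reg value payload: quoted strings as-is,
    hex(...) byte lists decoded as UTF-16LE (hex(2)/hex(7) hold paths)."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw.strip('"')
    if raw.startswith("hex"):
        body = raw.partition(":")[2]
        data = bytes(int(b, 16) for b in body.replace("\\", "").split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").replace("\x00", " ")
    return raw


def find_registry_references(reg_export, filename):
    """Scan the text of a regedit export for values naming filename.
    Returns [(key, value_name)]; matching is case-insensitive like NTFS."""
    needle = filename.lower()
    hits, key, pending = [], None, ""
    for line in reg_export.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]            # hex value continued on the next line
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, raw = line.partition("=")
            if needle in _decode_reg_value(raw).lower():
                hits.append((key, name.strip('"')))
    return hits


# Constructed .reg export: one plain-string Run entry and one REG_EXPAND_SZ
# ServiceDll (the hex list is UTF-16LE for "C:\suspect-sample.dll").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ExampleLoader"="rundll32.exe C:\\WINDOWS\\system32\\suspect-sample.dll,Start"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,73,00,75,00,73,00,70,00,65,00,63,00,74,00,\
  2d,00,73,00,61,00,6d,00,70,00,6c,00,65,00,2e,00,64,00,6c,00,6c,00,00,00
'''


def scan_demo():
    """Self-check on a throwaway directory: a file we own must pass the probe
    and keep its original mode. Returns (locked_list, mode_preserved)."""
    tmp = tempfile.mkdtemp(prefix="lockprobe-")
    try:
        path = os.path.join(tmp, "writable.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        before = os.stat(path).st_mode
        locked = find_locked_files(tmp)
        return locked, os.stat(path).st_mode == before
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    # Default target is an assumption; pass a directory to scan something else.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    for path, err in find_locked_files(target):
        print("%s -> %s" % (path, err))
        for key, name in find_registry_references(SAMPLE_REG, os.path.basename(path)):
            print("    referenced by [%s] %s" % (key, name))
```

Run it from an administrator prompt, since a plain user gets access-denied on most of system32 for reasons that have nothing to do with malware. An access-denied result can also come from a legitimate ACL set by a vendor, so a flagged file is a lead to check (publisher signature, hash lookup, the registry hits the second function turns up), not a verdict; and the export-based registry search has the advantage that it reads a file even when a rootkit is filtering what regedit shows live.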



Re: Weird things happen !



What is weird now is even when I want to run Kaspersky's online virus
scan, I can't !

Kaspersky told me to deactivate my resident virus scan, I did, and
still the online scan won't run.

Subsequently I removed the avast! virus scanner from my computer, and
still something is blocking Kaspersky's online virus scan !
