CastleCops, Internet Crime Fighters
[DONE]Root kit: SVC: NDMONPRONTO
PCBruiser (SRT Team Lead, Forums Admin)
Joined: May 11, 2005
Posts: 11723

Posted: Sat Apr 19, 2008 6:14 pm

Hi,

We have a preliminary step to do first. But, before I do anything, I need to ask what this:

Ultimate Password Cracker .exe

is doing on your system. Given what we do, we do not provide support to any potentially illegal activities, and password cracking is one of them. So, I need an explanation of that item before we proceed.


_________________
Don't read? Can't learn!
Arc (Sergeant)
Joined: Apr 15, 2008
Posts: 76
Location: Canada

Posted: Sat Apr 19, 2008 7:45 pm

PC:

I originally downloaded that to crack a password I put on one of my own word documents. I haven't used it since. I can't even remember if it worked.

I just erased it. Apologies.

Arc

PCBruiser

Posted: Sat Apr 19, 2008 8:08 pm

Hi,

Thank you. We are very strict on that issue, but deleting the file from your system is adequate for us to proceed. I need to do a preliminary step now. It shouldn't take long, and then I am going to start to clean up everything we have found so far, including the rootkit.

One of the things I was doing was trying to find the file name associated with the rootkit driver so we could try to capture it. So far, I have been unsuccessful.

I want to install a Recovery Console on your system, so if the system ever becomes unbootable, we can boot via the RC. The XP recovery console is more powerful and versatile than the W2K one, so we are going to install that instead. Please go to this post and follow the instructions in that one post, including the download:

CastleCops Link/p1080155-New_Log_cant_get_rid_of_backdoor_sdbot_gen_trojan.html#1080155

Then post your boot.ini and I will provide editing instructions for you.


Arc

Posted: Sat Apr 19, 2008 8:32 pm

Okay, I'm mostly certain I did that right.

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

Regards,

Arc

PCBruiser

Posted: Sat Apr 19, 2008 8:51 pm

I assume that copy of boot.ini is from your C:\ root folder. Save a copy of it to your C:\ folder as boot.bak.

Now edit the file to be the following (or copy and paste if you wish):

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


Make sure that you have clicked on the Format menu of Notepad and unchecked Word Wrap. Carefully compare your edit to the above. Then do a Save As, saving the file as boot.ini.

Next, implement the steps in this article:

http://wiki.castlecops.com/User:PCBruiser/Registry_Maintenance

What have we done? From now on, each time you boot, your system will pause for two seconds while offering a choice of whether to boot to either Microsoft Windows 2000 Professional or Microsoft Windows Recovery Console. The default and automatic choice is to boot to W2K. But, if we need the recovery console in an emergency, we can now get there via the modified boot sequence, and we have available the somewhat more powerful XP version of it as well.

The second step created an automatic daily or on-demand backup system for your Registry. Each daily or on-demand backup can be restored using the erdnt.exe file inside that backup's folder, which can be found in your WINNT folder under ERDNT. A nice backup feature to have that will save your behind one day. Trust me, it has saved mine several times. And you can run that from within the RC, Safe Mode or Windows.

Next, I am going to develop a script to start to fix your system, and get rid of a lot of malware. This may take a while, and I may or may not be able to complete it until tomorrow, although it might be done later today.


Arc

Posted: Sat Apr 19, 2008 8:57 pm

Awesome. Thanks PC.

I don't think I'll have time for this tonight. I'll post back in the morning after I've completed what you instructed.

Regards,

Arc

Arc

Posted: Sun Apr 20, 2008 4:44 pm

PC:

Okay, that was a lot easier than I thought it would be. Faster too. Kinda fun.

So all the registry voodoo is done as per instructions. Interested in what is next. Thanks again.

Regards,

Arc

PCBruiser

Posted: Sun Apr 20, 2008 5:19 pm

Hi,

Under step 1 there is a code box. Please look at this item:

C:\Documents and Settings\X\Application Data\ctln.exe

under Files::. My question is: is the folder actually called "X", or did you edit that line to take out a name you didn't want public? If you edited that item, I need you to change that line of code to use the actual folder name instead of "X". That file is malware, a Trojan, and it is active on your system until I kill it with this step. I need this file gone, so please edit that line if necessary.

I also got rid of F-Protect, stopped all the AVG components from auto-running but left AVG in place, and have not done anything with Tiny/Sunbelt. If you want me to get rid of them, uninstall them after completing the steps in this post, install OnlineArmor, and then run ComboFix one more time. Post that second CF log plus a fresh HJT log, and I will make sure all of Tiny/Sunbelt is gone and OA has installed correctly.

1. Open notepad, go to the format menu, uncheck Word Wrap, and then copy/paste the text in the code box below into it:

Code:

KILLALL::

File::
C:\WINNT\system32\sdkdt32.dll
C:\Documents and Settings\X\Application Data\ctln.exe
C:\WINNT\system32\Drivers\FSTOPW.SYS

Folder::
C:\Program Files\FSI

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{141D5717-99E7-3392-2378-84655850DA77}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDMONPROTO]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDMONPROTO]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDMONPROTO]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDMONPROTO]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"=- 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-StopW]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FRISK FP-Scheduler]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wapc]

Driver::
NDMONPROTO
FPA_RTP
Avg7RsNT



Save this to your Desktop as CFScript.txt.

2. Close all open browsers.


[image: CFScript.txt being dragged onto ComboFix.exe]

3. Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

4. Please post the following:

a. combofix.txt
b. a fresh HJT log


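The CFScript above is a plain-text instruction file for ComboFix: each `Section::` header is followed by the items to act on (files and folders to delete, registry keys to remove or values to clear, driver services to unload). As an added example, not code from this thread or from ComboFix itself, here is a small Python parser and linter for that layout. It reports the things a responder checks before the script is run: a duplicated entry, a path that is not absolute, a registry key with no hive prefix, and a profile path that still carries a one-letter placeholder such as `X`, which is exactly the question PCBruiser raised above. The section names and the sample script come from this thread; the function names `parse_cfscript` and `lint_cfscript` and the validation rules are my own assumptions about what is worth flagging, not ComboFix's grammar.

```python
"""Parse and sanity-check a ComboFix CFScript before it is run.
Added example; the checks are assumed heuristics, not ComboFix's own rules."""
import re
from collections import OrderedDict

# Section headers used by the script in this thread (ComboFix knows more).
KNOWN_SECTIONS = {"KILLALL", "File", "Folder", "Registry", "Driver"}

# Header lines look like "File::" with nothing after the colons.
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")

# Constructed sample: the thread's script with a placeholder profile name
# and a registry key listed twice, to exercise both warnings.
SAMPLE_SCRIPT = """\
KILLALL::

File::
C:\\WINNT\\system32\\sdkdt32.dll
C:\\Documents and Settings\\X\\Application Data\\ctln.exe

Folder::
C:\\Program Files\\FSI

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{141D5717-99E7-3392-2378-84655850DA77}]
[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NDMONPROTO]
[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NDMONPROTO]
[HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"AVG7_Run"=-

Driver::
NDMONPROTO
FPA_RTP
"""


def parse_cfscript(text):
    """Return an ordered dict of section name -> list of non-blank entry lines."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if not line:
            continue
        if current is None:
            raise ValueError(f"entry outside any section: {line!r}")
        sections[current].append(line)
    return sections


def lint_cfscript(text):
    """Return a list of (severity, message) findings for the script."""
    findings = []
    sections = parse_cfscript(text)
    for name, lines in sections.items():
        if name not in KNOWN_SECTIONS:
            findings.append(("error", f"unknown section {name}::"))
        seen = set()
        for line in lines:  # the same entry twice is harmless but usually a paste slip
            if line in seen:
                findings.append(("warning", f"duplicate entry in {name}::: {line}"))
            seen.add(line)
    for name in ("File", "Folder"):
        for path in sections.get(name, []):
            if not re.match(r"^[A-Za-z]:\\", path):
                findings.append(("error", f"{name}:: entry is not an absolute path: {path}"))
            # Posters often redact their user name to a single letter; the script
            # must carry the real folder name or the file is simply not found.
            if re.search(r"\\Documents and Settings\\[A-Za-z]\\", path):
                findings.append(("warning", f"possible redacted user name in path: {path}"))
    for line in sections.get("Registry", []):
        if line.startswith("["):
            if not line.endswith("]"):
                findings.append(("error", f"unterminated registry key: {line}"))
            key = line.strip("[]").lstrip("-")  # leading '-' means delete the key
            if not re.match(r"^(HKEY_[A-Z_]+|HK(LM|CU|U|CR))\\", key):
                findings.append(("error", f"registry key has no hive prefix: {key}"))
        elif not re.match(r'^"[^"]*"=', line) and not line.startswith("@="):
            findings.append(("error", f"registry value line is not name=data: {line}"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_cfscript(SAMPLE_SCRIPT):
        print(f"{severity:8} {message}")
```

Run on the sample, the linter reports two warnings and no errors: the `NDMONPROTO` key listed twice and the `\Documents and Settings\X\` path that may be a redaction. Either one is worth confirming with the poster before the script is dropped onto ComboFix.exe, since a wrong path silently leaves the file in place.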
Arc

Posted: Sun Apr 20, 2008 5:27 pm

Hi:

Nope, X is correct, so the code should work.

I will get to this right now!

Arc

Arc

Posted: Sun Apr 20, 2008 7:32 pm    Post subject: Combo fix

Sorry for the delay; I had some problems and had a visitor.

I had to do this in safe mode, and it still said some kind of registry error, but I think it still worked. HJT log next.

ComboFix 08-04-20.1 - X 20/04/2008 14:11:17.2 - NTFSx86 MINIMAL
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.411 [GMT -7:00]
Running from: C:\Documents and Settings\X\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\X\Desktop\CFScript.txt

FILE ::
C:\Documents and Settings\X\Application Data\ctln.exe
C:\WINNT\system32\Drivers\FSTOPW.SYS
C:\WINNT\system32\Drivers\FSTOPW.sys
C:\WINNT\system32\sdkdt32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\FSI
C:\Program Files\FSI\F-Prot\banner.jpg
C:\Program Files\FSI\F-Prot\ENGLISH.TX0
C:\Program Files\FSI\F-Prot\F-Sched.dat
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-Start.dat
C:\Program Files\FSI\F-Prot\F-StopW.exe
C:\Program Files\FSI\F-Prot\FP-Updater\Updater.exe
C:\Program Files\FSI\F-Prot\FP-Win.exe
C:\Program Files\FSI\F-Prot\FPATCL.dll
C:\Program Files\FSI\F-Prot\FPATCL_ENG.dll
C:\Program Files\FSI\F-Prot\fpav-help.chm
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\FSI\F-Prot\fpcmd.exe
C:\Program Files\FSI\F-Prot\FpENGDLL.dll
C:\Program Files\FSI\F-Prot\Fpio16.dll
C:\Program Files\FSI\F-Prot\fpio32.dll
C:\Program Files\FSI\F-Prot\friskstyle.css
C:\Program Files\FSI\F-Prot\info.html
C:\Program Files\FSI\F-Prot\info.txt
C:\Program Files\FSI\F-Prot\logo.gif
C:\Program Files\FSI\F-Prot\MACRO.DEF
C:\Program Files\FSI\F-Prot\NOMACRO.def
C:\Program Files\FSI\F-Prot\OSVIL.dll
C:\Program Files\FSI\F-Prot\Report.txt
C:\Program Files\FSI\F-Prot\SchedEng.dll
C:\Program Files\FSI\F-Prot\SchedSett.dat
C:\Program Files\FSI\F-Prot\shexthk.dll
C:\Program Files\FSI\F-Prot\SIGN.DEF
C:\Program Files\FSI\F-Prot\SIGN2.DEF
C:\WINNT\system32\Drivers\FSTOPW.SYS

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FPA_RTP
-------\Service_FPA_RTP
-------\Service_NDMONPROTO


((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-20 14:18 . 16,384 C:\WINNT\system32\Perflib_Perfdata_534.dat
2008-04-20 14:06 . 08-04-20 14:06 833,416 ---h----- C:\WINNT\ShellIconCache
2008-04-20 12:28 . 08-04-20 12:28 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_22c.dat
2008-04-20 12:25 . 06-11-01 13:06 215,928 --a------ C:\pagedfrg.exe
2008-04-20 12:25 . 08-04-20 12:25 25,992 --a------ C:\WINNT\system32\pgdfgsvc.exe
2008-04-20 12:25 . 00-07-23 18:58 8,419 --a------ C:\pagedfrg.hlp
2008-04-20 12:22 . 08-04-20 12:22 <DIR> d-------- C:\Program Files\NT Registry Optimizer
2008-04-20 12:20 . 08-04-20 12:20 <DIR> d-------- C:\Program Files\ERUNT
2008-04-18 23:08 . 08-04-18 23:08 <DIR> d-------- C:\WINNT\ERUNT
2008-04-18 23:02 . 08-04-19 00:38 <DIR> d-------- C:\SDFix
2008-04-11 17:34 . 08-04-11 23:04 250 --a------ C:\WINNT\gmer.ini
2008-03-22 13:57 . 08-03-22 13:57 <DIR> d-------- C:\WINNT\PaltalkScene
2008-03-22 13:57 . 08-03-22 13:57 <DIR> d-------- C:\Program Files\Paltalk Messenger
2008-03-22 13:57 . 08-03-22 14:00 <DIR> d-------- C:\Documents and Settings\X\Application Data\Paltalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 05:55 --------- d-----w C:\Documents and Settings\X\Application Data\AVG7
2008-04-18 02:06 --------- d-----w C:\Program Files\Trend Micro
2008-03-29 22:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-29 22:20 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-15 22:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-15 22:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-15 22:12 691,545 ----a-w C:\WINNT\unins000.exe
2008-03-08 19:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 19:39 --------- d-----w C:\Program Files\Microsoft Games
2008-03-08 19:38 --------- d-----w C:\Program Files\Doom 3
2008-03-06 03:41 107,888 ----a-w C:\WINNT\system32\CmdLineExt.dll
2008-03-06 03:05 --------- d-----w C:\Program Files\THQ
2003-04-13 14:57 271 ---h--w C:\Program Files\desktop.ini
2003-04-13 14:57 21,952 ---h--w C:\Program Files\folder.htt
2002-07-24 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-03-10 10:05 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
.

------- Sigcheck -------

02-07-24 05:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\svchost.exe
02-07-24 05:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\dllcache\svchost.exe
.
((((((((((((((((((((((((((((( snapshot@Sat 2008-04-19_12.58.43.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINNT\erdnt\20-04-2008\ERDNT.EXE
+ 2008-04-20 19:31:55 4,734,976 ----a-w C:\WINNT\erdnt\20-04-2008\Users\00000001\NTUSER.DAT
+ 2008-04-20 19:31:55 430,080 ----a-w C:\WINNT\erdnt\20-04-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINNT\erdnt\AutoBackup\20-04-2008\ERDNT.EXE
+ 2008-04-20 19:29:30 4,734,976 ----a-w C:\WINNT\erdnt\AutoBackup\20-04-2008\Users\00000001\NTUSER.DAT
+ 2008-04-20 19:29:30 430,080 ----a-w C:\WINNT\erdnt\AutoBackup\20-04-2008\Users\00000002\UsrClass.dat
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE
+ 2008-04-20 21:20:15 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_458.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [07-09-04 16:40 6856704]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [05-08-19 19:34 3084288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NeroCheck"="C:\WINNT\System32\NeroCheck.exe" [02-05-22 14:46 155648]
"IPInSightLAN 01"="C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" [02-04-20 08:00 364544]
"IPInSightMonitor 01"="C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe" [02-04-20 08:00 102400]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03-11-25 22:10 335872]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [08-03-29 10:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\Documents and Settings\X\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\DL\Training\Schedule.htm
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 01-11-02 10:50 24636 C:\WINNT\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINNT\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bginfo.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bginfo.exe
backup=C:\WINNT\pss\Bginfo.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINNT\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup=C:\WINNT\pss\NetAssistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 04-04-27 15:18 61440 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desk Buddy Lite]
C:\Program Files\Jalco Software\Desk Buddy Lite\DeskBud.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 05-02-17 09:37 2903636 C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEXPLORE.EXE]
--a------ 02-08-29 08:14 91136 C:\Program Files\Internet Explorer\IEXPLORE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 06-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 02-10-31 09:14 327680 C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 06-03-29 23:05 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 03-06-08 01:47 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 02-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
c:\program files\valve\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 04-02-22 23:44 32881 C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tray Temperature]
C:\DOCUME~1\X\LOCALS~1\Temp\MiniBug.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll

R1 aswSP;avast! Self Protection;C:\WINNT\system32\drivers\aswSP.sys [08-03-29 10:31 ]
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [07-03-11 20:26 ]
R1 fwdrv;Tiny Personal Firewall Driver;C:\WINNT\system32\Drivers\fwdrv.sys [01-10-22 17:54 ]
R1 LUMDriver;LUMDriver;C:\WINNT\system32\drivers\LUMDriver.sys [05-04-23 01:21 ]
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [08-01-17 08:34 ]
R2 BBDemon;Backbone Service;C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe [05-01-29 13:12 ]
R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;C:\WINNT\system32\DRIVERS\ntspppoe.sys [02-03-06 11:44 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 12:05 ]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]
S3 AdLM;Autodesk License Manager;C:\WINNT\System32\ad_elmd.exe [00-04-11 20:20 ]
S3 NTSTAP1;NTSTAP1;C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\NTSTAP1.SYS [02-03-06 11:42 ]
S3 RAWESR;RAWESR;C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\RAWESR.SYS [02-03-06 11:39 ]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\TAPBIND1.SYS [02-03-06 11:42 ]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 00:15:00 C:\WINNT\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 14:19:04
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINNT\system32\Perflib_Perfdata_458.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-04-20 14:30:58 - machine was rebooted [X]
ComboFix-quarantined-files.txt 2008-04-20 21:30:47
ComboFix2.txt 2008-04-19 19:58:53

Pre-Run: 14,383,443,968 bytes free
Post-Run: 13,733,281,792 bytes free

203

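Step 4 of PCBruiser's instructions asks for a fresh HJT log. A HijackThis log is a flat list of lines keyed by a section code (R0/R1 for IE start and search pages, O2 for BHOs, O4 for autoruns, O9 for IE buttons, O10 for Winsock LSPs, O16 for ActiveX downloads, and so on) followed by the entry's name, CLSID and file or URL. As an added example, not part of the thread or of HijackThis itself, the Python below splits those lines into their parts and flags the entries an analyst reads first: orphaned entries marked `(no file)` or `(file missing)`, an autorun launched from a temp or profile data folder, IE policy restrictions, an LSP the tool does not recognise, and an ActiveX download with no class name. The sample lines are constructed from entries that appear in this thread (the "Tray Temperature" O4 line is made up from the ComboFix startupreg item, since HJT did not list it); `parse_hjt`, `triage` and the heuristics are my own. A flag means the entry needs a human look, not that it is malware.

```python
"""Triage a HijackThis (HJT) log: split each result line into its parts and
flag the entries a responder reads first. Added example, not HJT's own code."""
import re

# "O4 - HKLM\..\Run: [Name] path" -> code "O4", body "HKLM\..\Run: [Name] path"
HJT_LINE = re.compile(r"^(?P<code>[RONF]\d+) - (?P<body>.*)$")
# An O16 entry with a class name looks like "DPF: {CLSID} (Name) - url"
NAMED_DPF = re.compile(r"^DPF: \{[^}]+\} \(")
# Autorun locations legitimate installers rarely use (assumed heuristic).
SUSPECT_DIRS = ("\\temp\\", "\\application data\\")

# Constructed sample log lines, modelled on entries in this thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [NeroCheck] C:\\WINNT\\System32\\NeroCheck.exe
O4 - HKCU\\..\\Run: [Tray Temperature] C:\\DOCUME~1\\X\\LOCALS~1\\Temp\\MiniBug.exe
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O9 - Extra button: PRDIE - {A8FA9135-E1DD-4AA8-971A-1FE4DCEE6365} - C:\\Program Files\\Privacy Defender\\prd.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\nwprovau.dll
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} - http://www.movie-browser.com/tl4000.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
"""


def parse_hjt(text):
    """Return [(code, body)] for every HJT result line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Return [(code, reason, body)] for the entries worth a closer look, in log order."""
    flagged = []
    for code, body in parse_hjt(text):
        low = body.lower()
        if "(no file)" in low or "(file missing)" in low:
            reason = "orphaned entry: target file is gone"
        elif code == "O4" and any(d in low for d in SUSPECT_DIRS):
            reason = "autorun launched from a temp or profile data folder"
        elif code == "O6":
            reason = "IE policy restrictions are set"
        elif code == "O10":
            reason = "Winsock LSP not on HJT's known list"
        elif code == "O16" and body.startswith("DPF: {") and not NAMED_DPF.match(body):
            reason = "ActiveX download with no class name"
        else:
            continue  # nothing about this line by itself needs attention
        flagged.append((code, reason, body))
    return flagged


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:4} {reason}\n     {body}")
```

On the sample the triage returns six of the ten lines, in log order: the R3 hook with no file, the Temp autorun, the O6 restriction, the missing-file O9 button, the unrecognised O10 LSP and the unnamed O16 download. Lines such as the Adobe BHO or the named Windows Update control pass untouched; the point of the filter is to shrink a log like the one below to the handful of lines that decide the next script, not to replace reading it.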
Arc

Posted: Sun Apr 20, 2008 7:49 pm    Post subject: HJT Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:00 PM, on 20/04/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\System32\rsvp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\e5y90uyt.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\e5y90uyt.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PRDIE - {A8FA9135-E1DD-4AA8-971A-1FE4DCEE6365} - C:\Program Files\Privacy Defender\prd.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194763853046
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\MDT5\AcDcToday.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} - http://www.movie-browser.com/tl4000.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\MDT5\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\MDT5\AcPreview.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Autodesk License Manager (AdLM) - Unknown owner - C:\WINNT\System32\ad_elmd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Prot Antivirus Update Monitor - Unknown owner - C:\Program Files\FSI\F-Prot\fpavupdm.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
O24 - Desktop Component 0: (no name) - C:\DL\Training\Schedule.htm

--
End of file - 11869 bytes

Okay, done!

Yes I definitely want to install OA. However, I'm running out of time at the moment. It will be safer if I just say tonight.

Not sure what is next. Thanks PC.

Regards,

Arc

PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723

1st Responder Mentors 1st Responders Forums Admin MIRT Moderators Premium Rootkit Experts Security Experts SRT Team CC Committee

PostPosted: Sun Apr 20, 2008 7:50 pm    Post subject:

Hi,

That's looking good now. What did you decide on the firewall?

What I need now is to have you rerun GMER using the same instructions that negster22 gave you earlier. I am looking for three things: first, that NDMONPROTO is now gone from GMER; second, that there are no other rootkits (of the malware kind); and third, I still would like to try to find and capture the driver file responsible for NDMONPROTO. It should still be on your system, although it likely isn't working now. If we can identify and locate it, then we can upload it to our Unknown Files forum and find out how it works.

Go to c:\Qoobox\quarantine\ and zip two files: ctln.exe and sdkdt32.dll; they are both malware (the other two files were from F-Protect). Upload them to Unknown Files for nosirrah to analyze as well. I think that both will be fairly well recognized, but it still makes sense to make sure they have been dealt with.

Post the GMER log for me to review.


_________________
Don't read? Can't learn!
Arc

Sergeant


Joined: Apr 15, 2008
Posts: 76
Location: Canada

PostPosted: Sun Apr 20, 2008 8:07 pm    Post subject:

Good.

I decided on Online Armor like you suggested.

Now should I do the firewall stuff first or the GMER stuff in your last post first? Or does it matter?

However, I'll have to do that tonight. Sorry for the delay.

I'll be back in about 5 hours. Then however long this will take and I'll post. Ciao.

Regards,

Arc

PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723

1st Responder Mentors 1st Responders Forums Admin MIRT Moderators Premium Rootkit Experts Security Experts SRT Team CC Committee

PostPosted: Sun Apr 20, 2008 8:10 pm    Post subject:

I was posting back to you when you posted the HJT log.

I see that I didn't successfully kill AVG yet. Let's do it this way. Please follow these instructions carefully:

Open Notepad by clicking on Start, then Run, and entering the word:

Notepad

in the run box. Next tap <Enter>. Open the Notepad Format Menu and uncheck Word Wrap. Then copy and paste the following code in GREEN to Notepad:

Code:
title fix.bat
cls
@echo off
echo Press any key to start fix.bat ...
pause
echo Start Date: & date /t
echo Start Time: & time /t
echo fix.bat running ...
sc stop Avg7Alrt
sc delete Avg7Alrt
sc stop PersFw
sc delete PersFw
sc stop AVGEMS
sc delete AVGEMS
echo Report any errors encountered while running fix.bat.
echo .....
echo fix.bat is finished!
echo Complete Date: & date /t
echo Complete Time: & time /t
echo Press any key to close this window ...
pause
exit


Next, Click on the File Menu, then Save As ... and click on the drop down menu to change the file type to All Files.

Next navigate to your desktop, and enter the file name fix.bat, and click Save.

You should now find a new file on your desktop named fix.bat. Boot into Safe Mode. Double click on fix.bat; the file will run immediately. Post a fresh HJT log so I can verify that I've done it this time.

Important note to other members. The file fix.bat has been custom designed for this member's problems only. Do not use it unless instructed to do so by a qualified 1st Responder or Security Expert here. Using fix.bat without specific instructions to do so can place your system at extreme risk, and you are solely responsible for any consequences and problems that may create.

The above kills both the real-time scanner and email scanner for AVG, I hope, LOL! I left the update service intact, there isn't any reason to kill that. The script also kills the Tiny Firewall service, which should make it easier to uninstall it. So, download the OA installer before you do this, and after you uninstall Tiny and reboot, you can immediately install OA, then finally run a fresh HJT log for me.

Let's do the GMER steps first though.


_________________
Don't read? Can't learn!
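PCBruiser asks for a fresh HJT log to confirm the services are gone. The following is an added example (not code from this thread, CastleCops or HijackThis) that parses the O23 service lines from the log posted above and reports whether the three service keys fix.bat deletes still appear; the "after" log is constructed, and it assumes HJT prints the service key in parentheses only when it differs from the display name.

```python
# Added example for this thread (not CastleCops or HijackThis code): parse the
# O23 service lines of a HijackThis log and check that the services fix.bat
# removes with "sc delete" no longer appear in the follow-up log.
import re
from collections import namedtuple

# O23 layout: "O23 - Service: <display> [(<key>)] - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# key is the name "sc stop"/"sc delete" take; display is what services.msc shows
Service = namedtuple("Service", "display key owner path file_missing")

def parse_o23(log_text):
    """Return one Service per O23 line; other HJT sections are ignored."""
    found = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            # Assumption: HJT prints "(key)" only when the key differs from
            # the display name, so the display name is the fallback.
            found.append(Service(m["display"], m["key"] or m["display"],
                                 m["owner"], m["path"], m["missing"] is not None))
    return found

def review_points(services):
    """Entries worth a second look (no owner, dangling path); a prompt, not a verdict."""
    notes = []
    for s in services:
        if s.owner == "Unknown owner":
            notes.append((s.key, "unknown owner"))
        if s.file_missing:
            notes.append((s.key, "file missing"))
    return notes

def removed(services, targets):
    """True for each targeted service key that is absent from the parsed log."""
    present = {s.key for s in services}
    return {t: t not in present for t in targets}

FIX_BAT_TARGETS = ["Avg7Alrt", "PersFw", "AVGEMS"]   # the keys fix.bat deletes
BEFORE = r"""
O23 - Service: Autodesk License Manager (AdLM) - Unknown owner - C:\WINNT\System32\ad_elmd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: F-Prot Antivirus Update Monitor - Unknown owner - C:\Program Files\FSI\F-Prot\fpavupdm.exe (file missing)
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
"""  # lines copied from the log posted above
# Constructed "after" log: what the fresh HJT log should show once fix.bat has run
AFTER = "\n".join(l for l in BEFORE.splitlines() if not any(f"({t})" in l for t in FIX_BAT_TARGETS))
```

Running `removed(parse_o23(AFTER), FIX_BAT_TARGETS)` on the real follow-up log gives a quick yes/no per service before reading the rest of the log by hand.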
Arc

Sergeant


Joined: Apr 15, 2008
Posts: 76
Location: Canada

PostPosted: Sun Apr 20, 2008 8:19 pm    Post subject:

Wow!

Okay just to clarify the steps here:

1. GMER
2. Run the above fix.bat
3. OA

...Phew!

Leaving shortly.
