
[Resolved] spyware keeps reappearing after reboot


This topic is locked
10 replies to this topic

#1 dave_t (Authentic Member, 73 posts)

Posted 03 October 2007 - 11:59 PM

Was having some problems a few weeks ago, thought it was resolved, but have run into this. If I run multiple scans, and reboot, as soon as I scan again, there are more issues found (by Spybot or Ad-Aware). I didn't really think this was a problem, but then I ran 4 separate (Spybot, Ad-Aware, AVG Anti-Spyware and SUPERAntiSpyware) scans in safe mode, and then immediately on reboot, Spybot still found issues. Not sure what to do.

Symptoms:
- spyware keeps reappearing on reboot (most recently HitBox and Advertising.com trackers found in spybot)
- internet explorer occasionally makes a "pop" sound on opening (like blocking a pop-up, with no notification)
- seems as though I am getting more frequent CPU spikes

Maybe I should just give up and re-format? :(

Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:15 AM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\JulaPan.Exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\spyware\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [JulaPan] JulaPan.Exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A27027D-9371-47B2-A07A-1B5CC3A6F3B3}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 2603 bytes
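Reading a HijackThis log by hand, as the helper does later in this thread, comes down to a few repeatable checks. The Python script below is an added example, not code from the post or from HijackThis itself: it parses the O2, O4, O10 and O16 lines of a log in the 2.0.2 format shown above and flags an orphaned BHO registration ("(no file)"), a Run entry whose command carries no directory (like `[JulaPan] JulaPan.Exe`, which Windows resolves through its search path, so the file that actually runs needs confirming), any Winsock LSP DLL not on a small allowlist (the allowlist of Windows-shipped providers is my assumption, not something HijackThis maintains), and every downloaded ActiveX control. The sample lines are copied from the first log in this thread, including the URL exactly as the forum truncated it.

```python
"""Triage a HijackThis 2.x log: flag the entry types that most often carry persistence."""
import ntpath
import re

# Sample input, copied from the HijackThis log posted above (constructed subset).
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [JulaPan] JulaPan.Exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")

# Assumption: XP-era Winsock providers that HijackThis reports as "unknown"
# even though they ship with Windows. Extend for your own environment.
KNOWN_LSP = {"nwprovau.dll", "mswsock.dll", "rsvpsp.dll"}


def executable_of(cmd):
    """Return the executable part of a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return (kind, subject, note) findings for the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m["path"].strip().lower() == "(no file)":
                findings.append(("orphan_bho", m["clsid"],
                                 "CLSID registered as a BHO but the DLL is gone; remove the registration"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            if ntpath.dirname(exe) == "":
                findings.append(("unqualified_run", m["name"],
                                 f"'{exe}' has no directory; Windows resolves it via the search path, "
                                 "so confirm which file actually runs"))
            continue
        m = O10_RE.match(line)
        if m:
            if ntpath.basename(m["path"]).lower() not in KNOWN_LSP:
                findings.append(("unknown_lsp", m["path"],
                                 "unrecognised Winsock LSP: a malicious LSP sees every socket's traffic"))
            continue
        m = O16_RE.match(line)
        if m:
            findings.append(("activex_download", m["name"],
                             f"ActiveX control fetched from {m['url']}; remove it if the site is not needed"))
    return findings


if __name__ == "__main__":
    for kind, subject, note in triage(SAMPLE_HJT):
        print(f"{kind:18} {subject:45} {note}")
```

On the log in this thread the script reports the orphaned BHO, the unqualified `JulaPan` Run entry and the PCPitstop control, and stays quiet on nwprovau.dll, which matches the helper's later verdict that it is the Microsoft NetWare client provider.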



#2 LDTate (Root Admin, Grand Poobah, 57,211 posts)

Posted 07 October 2007 - 07:14 AM

http://www.eset.eu/online-scanner
Go here to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to donate (PayPal) for the help you received.

Proud graduate of TC/WTT Classroom


#3 dave_t (Authentic Member, 73 posts)

Posted 07 October 2007 - 10:28 AM

Here is the log. The web scan didn't seem to find anything and neither has my desktop version of NOD32:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2576 (20071007)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=b7d7ec5f2dffc547b7657dd0cf2f68d6
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-10-07 04:36:48
# local_time=2007-10-07 06:36:48 (+0100, Central Europe Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=413407
# found=0
# scan_time=5149
# nod_component=NOD32MOD_WINNT_ENGLISH_BASE Build:0x11081627 (NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base)
# nod_component=NOD32MOD_WINNT_ENGLISH_INET Build:0x11081627 (NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Internet support)
# nod_component=NOD32MOD_WINNT_ENGLISH_STANDARD Build:0x11081627 (NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component)

#4 LDTate (Root Admin, Grand Poobah, 57,211 posts)

Posted 07 October 2007 - 10:37 AM

What is SpyBot / Ad-aware finding, cookies?


#5 dave_t (Authentic Member, 73 posts)

Posted 07 October 2007 - 11:34 AM

HitBox and advertising.com trackers were the most common culprits. These both appeared after I scanned with the 4 scanners in safe mode, rebooted in normal mode, ran another scan (prior to opening any internet applications) and it found these two items in Spybot. I also ran a Kaspersky online scan which found this: C:\WINDOWS\system32\KgOLK40M.dll, saying it was a virus; NOD32 doesn't see it as a virus. I was also wondering if this line in my HJT log might be a problem: O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

#6 LDTate (Root Admin, Grand Poobah, 57,211 posts)

Posted 07 October 2007 - 11:40 AM

Nwprovau.dll: Valid Microsoft Client Services for NetWare

Be sure to delete combofix if you still have it from before.

Download ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click while it's running. That may cause it to stall


#7 dave_t (Authentic Member, 73 posts)

Posted 07 October 2007 - 11:49 AM

Combofix log:
ComboFix 07-10-07.2 - Administrator 2007-10-07 19:56:56.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1510 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-07 17:10 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-10-07 14:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-07 14:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-03 22:36 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2007-10-03 21:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-22 18:03 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-09-22 18:03 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-09-22 18:03 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-22 15:24 65,536 --a------ C:\WINDOWS\system32\JulaAsio.dll
2007-09-22 15:24 425,984 --a------ C:\WINDOWS\system32\JulaPan.exe
2007-09-22 15:24 29,472 --a------ C:\WINDOWS\system32\drivers\Jula.sys
2007-09-22 15:24 22,880 --a------ C:\WINDOWS\system32\drivers\JulaWdm.sys
2007-09-22 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Extensis
2007-09-22 13:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Extensis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 19:57 --------- d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2007-10-03 22:36 --------- d-------- C:\Program Files\MSN Messenger
2007-09-23 11:22 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-06 03:41 184320 --a------ C:\WINDOWS\system32\KgOLK40M.dll
2007-08-15 10:55 --------- d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2007-08-10 12:12 --------- d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-08-09 09:33 --------- d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-08-08 16:30 19456 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll
2007-08-08 10:27 --------- d-------- C:\Program Files\Enigma Software Group
2007-08-02 18:11 253952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll
2007-08-02 18:11 241664 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll
2007-07-27 15:49 225355 --a------ C:\WINDOWS\system32\lnod32apiW.dll
2007-07-27 15:49 196683 --a------ C:\WINDOWS\system32\lnod32apiA.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JulaPan"="JulaPan.Exe" [2005-07-05 17:27 C:\WINDOWS\system32\JulaPan.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-22 18:02]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma Loader.exe]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma Loader.exe
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^HDD temperature.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HDD temperature.lnk
backup=C:\WINDOWS\pss\HDD temperature.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^m-trip Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\m-trip Launcher.lnk
backup=C:\WINDOWS\pss\m-trip Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase 11.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase 11.0.lnk
backup=C:\WINDOWS\pss\Suitcase 11.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuru]
; d:\Program Files\ABIT\ABIT uGuru\uGuru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
; "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
; "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
; "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
; "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
; "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
; "D:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
; "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GuruClock]
; d:\Program Files\ABIT\ABIT uGuru\GuruClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
; C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDDHealth]
; d:\Program Files\HDD Health\hddhealth.exe -wl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JulaPan]
; JulaPan.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
; KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
; KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows System Kernel]
; kernel32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
; C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
; D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
; SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
; "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
; "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PDSched"=2 (0x2)

R3 ipgd;IC Plus IP1000 Family Gigabit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ipgdnd51.sys
R3 JULA_01;Service for Juli@ 1;C:\WINDOWS\system32\drivers\JulaWdm.sys
R3 JULA_AA;Service for Juli@ Audio Driver (EWDM);C:\WINDOWS\system32\drivers\Jula.sys
R3 vsbus;Virtual Serial Bus Enumerator;C:\WINDOWS\system32\DRIVERS\vsb.sys
S3 vserial;ELTIMA Virtual Serial Ports Driver;C:\WINDOWS\system32\DRIVERS\vserial.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 19:58:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-07 19:58:45
.
--- E O F --

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:01 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\JulaPan.Exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
d:\progra~1\azureus\Azureus.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\spyware\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [JulaPan] JulaPan.Exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A27027D-9371-47B2-A07A-1B5CC3A6F3B3}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 2817 bytes
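The thing that stands out in the ComboFix log above is C:\WINDOWS\system32\KgOLK40M.dll: a lone, randomly named DLL dropped into system32 with no other file created in the same minute, which is how a dropper looks next to the batches that real installers (ESET, the Juli@ audio driver) leave behind. The Python script below is an added example, not part of the post or of ComboFix: it parses the "Files Created" and "Find3M Report" lines, clusters them by creation minute, and scores each file on three heuristics (under system32, random-looking name, not part of an install batch). The name test (mixed case plus digits with at least four character-class switches) and the scoring are my assumptions and will produce false positives on other machines; the sample lines are copied from the log in this thread.

```python
"""Triage the 'Files Created' / 'Find3M' sections of a ComboFix log for dropped files."""
import re
from collections import Counter

# Sample input: lines copied from the ComboFix log posted above (constructed subset).
SAMPLE_COMBOFIX = r"""
2007-10-07 17:10 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-09-22 18:03 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-09-22 18:03 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-09-22 18:03 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-22 15:24 65,536 --a------ C:\WINDOWS\system32\JulaAsio.dll
2007-09-22 15:24 425,984 --a------ C:\WINDOWS\system32\JulaPan.exe
2007-10-07 19:57 --------- d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2007-09-06 03:41 184320 --a------ C:\WINDOWS\system32\KgOLK40M.dll
2007-08-08 16:30 19456 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll
2007-08-02 18:11 253952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll
2007-08-02 18:11 241664 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll
2007-07-27 15:49 225355 --a------ C:\WINDOWS\system32\lnod32apiW.dll
"""

# date time  size|<DIR>|---------  nine-char attribute field  path
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>|-+)\s+"
    r"(?P<attr>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)


def parse_entries(text):
    """Return (creation minute, path) for every file entry; directories are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m["size"] != "<DIR>" and not m["attr"].startswith("d"):
            entries.append((m["ts"], m["path"]))
    return entries


def char_class(c):
    if c.isdigit():
        return "d"
    if c.isupper():
        return "U"
    if c.islower():
        return "l"
    return "o"


def looks_random(stem):
    """Heuristic (assumption): digits + both cases + frequent class switches, e.g. KgOLK40M."""
    classes = [char_class(c) for c in stem]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return {"d", "U", "l"} <= set(classes) and switches >= 4


def triage(text):
    """Map each file with at least one signal to the list of reasons it was noticed."""
    entries = parse_entries(text)
    per_minute = Counter(ts for ts, _ in entries)   # installers drop files in batches
    report = {}
    for ts, path in entries:
        reasons = []
        if path.lower().startswith(r"c:\windows\system32"):
            reasons.append("dropped under system32")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append("random-looking name")
        if per_minute[ts] == 1:
            reasons.append("no other file created in the same minute (not an installer batch)")
        if reasons:
            report[path] = reasons
    return report


def suspects(text):
    """Files that are both random-named and under system32: the ones to submit for analysis."""
    return sorted(p for p, r in triage(text).items()
                  if "random-looking name" in r and "dropped under system32" in r)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_COMBOFIX).items():
        print(path, "->", "; ".join(reasons))
    print("suspects:", suspects(SAMPLE_COMBOFIX))
```

On the sample it singles out KgOLK40M.dll alone, the file Kaspersky had already flagged; the ESET and Juli@ files are cleared because they arrive in batches with ordinary names. A hit here is a reason to hash the file and submit it, not proof of infection.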

#8 LDTate (Root Admin, Grand Poobah, 57,211 posts)

Posted 07 October 2007 - 12:00 PM

Have you been downloading files / programs with BitTorrent (Azureus)?

Usually those are clean of any spyware unless it's Bittorrent Ultra, but the stuff that gets downloaded can be infected.


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\KgOLK40M.dll


Save this as "CFScript"


Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log


#9 dave_t (Authentic Member, 73 posts)

Posted 07 October 2007 - 12:18 PM

I use Azureus to download files but try to stick to private trackers where I would hope that there is less of a chance of getting infected files. I also scan the majority of downloads with NOD32 before opening them.

There was a problem when Combofix ran on reboot, I have attached a screenshot. Immediately after I clicked on "Don't Send" Combofix showed an error that xxxxxx.bat (it was gone too quickly), couldn't be deleted (or used) because it was already in use. I unfortunately didn't catch it as it was gone so quickly.

Here is the Combofix log, the screenshot is attached:

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\KgOLK40M.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\KgOLK40M.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-07 17:10 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-10-07 14:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-07 14:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-03 22:36 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2007-10-03 21:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-22 18:03 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-09-22 18:03 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-09-22 18:03 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-22 15:24 65,536 --a------ C:\WINDOWS\system32\JulaAsio.dll
2007-09-22 15:24 425,984 --a------ C:\WINDOWS\system32\JulaPan.exe
2007-09-22 15:24 29,472 --a------ C:\WINDOWS\system32\drivers\Jula.sys
2007-09-22 15:24 22,880 --a------ C:\WINDOWS\system32\drivers\JulaWdm.sys
2007-09-22 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Extensis
2007-09-22 13:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Extensis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 20:24 --------- d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2007-10-03 22:36 --------- d-------- C:\Program Files\MSN Messenger
2007-09-23 11:22 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-15 10:55 --------- d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2007-08-10 12:12 --------- d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-08-09 09:33 --------- d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-08-08 10:27 --------- d-------- C:\Program Files\Enigma Software Group
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JulaPan"="JulaPan.Exe" [2005-07-05 17:27 C:\WINDOWS\system32\JulaPan.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-22 18:02]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma Loader.exe]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma Loader.exe
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^HDD temperature.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HDD temperature.lnk
backup=C:\WINDOWS\pss\HDD temperature.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^m-trip Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\m-trip Launcher.lnk
backup=C:\WINDOWS\pss\m-trip Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase 11.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase 11.0.lnk
backup=C:\WINDOWS\pss\Suitcase 11.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuru]
; d:\Program Files\ABIT\ABIT uGuru\uGuru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
; "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
; "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
; "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
; "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
; "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
; "D:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
; "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GuruClock]
; d:\Program Files\ABIT\ABIT uGuru\GuruClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
; C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDDHealth]
; d:\Program Files\HDD Health\hddhealth.exe -wl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JulaPan]
; JulaPan.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
; KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
; KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows System Kernel]
; kernel32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
; C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
; D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
; SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
; "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
; "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PDSched"=2 (0x2)

R3 ipgd;IC Plus IP1000 Family Gigabit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ipgdnd51.sys
R3 JULA_01;Service for Juli@ 1;C:\WINDOWS\system32\drivers\JulaWdm.sys
R3 JULA_AA;Service for Juli@ Audio Driver (EWDM);C:\WINDOWS\system32\drivers\Jula.sys
R3 vsbus;Virtual Serial Bus Enumerator;C:\WINDOWS\system32\DRIVERS\vsb.sys
S3 vserial;ELTIMA Virtual Serial Ports Driver;C:\WINDOWS\system32\DRIVERS\vserial.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 20:25:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-07 20:26:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-07 20:26
C:\ComboFix2.txt ... 2007-10-07 19:58
.
--- E O F ---

Attachment: Untitled_1.jpg (screenshot)


#10 LDTate (Root Admin, Grand Poobah, 57,211 posts)

Posted 07 October 2007 - 12:25 PM

Click Start > Run > type in ComboFix /u
Note the space, it needs to be there.

I don't see anything else :thumbup:


#11 LDTate (Root Admin, Grand Poobah, 57,211 posts)

Posted 08 October 2007 - 04:09 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

