
Solved Infostealer.gampass NAV failed to quarantine/delete

Discussion in 'Malware and Virus Removal Archive' started by Tako, 2008/09/22.

  1. 2008/09/22
    Tako

    [Resolved] Infostealer.gampass NAV failed to quarantine/delete

    WindowsBBS,

    First, thanks in advance for any help you can provide in ridding me of infostealer.gampass. After reading through several posts I'm confident that your staff can ease my frustrations. I've already downloaded combofix.exe and hijackthis and have posted the logs below:

    ComboFix 08-09-20.05 - Leslie 2008-09-21 22:55:18.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.542 [GMT -7:00]
    Running from: C:\Documents and Settings\Leslie\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
    .

    2008-09-03 00:34 . 2008-09-03 00:34 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-12 10:59 --------- d-----w C:\Program Files\Warcraft III
    2008-09-03 08:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-03 07:46 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-28 02:52 --------- d-----w C:\Documents and Settings\Leslie\Application Data\Roxio
    2008-08-16 23:05 --------- d-----w C:\Program Files\Apple Software Update
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-01-15 20:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2007-06-08 07:57 34,632 ---ha-r C:\Documents and Settings\Leslie\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATI Remote Control "= "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2003-11-20 192512]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ASUS Probe "= "C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
    "Launch Ai Booster "= "C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2004-01-19 1892864]
    "vptray "= "C:\Program Files\NavNT\vptray.exe" [2002-01-18 73728]
    "RoxioEngineUtility "= "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
    "RoxioAudioCentral "= "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-23 319488]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
    "HPDJ Taskbar Utility "= "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb99.exe" [2004-12-22 172032]
    "HPHUPD07 "= "C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe" [2005-03-16 49152]
    "HPHmon07 "= "C:\WINDOWS\System32\hphmon07.exe" [2005-03-16 622592]
    "HPHped07 "= "C:\PROGRA~1\HP\{C8EEA~1\pexpress\hphPED07.exe" [2005-03-17 339968]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-01-31 385024]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
    "HydraVisionDesktopManager "= "C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-06-26 270336]
    "MSConfig "= "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
    "SoundMan "= "SOUNDMAN.EXE" [2004-01-09 C:\WINDOWS\soundman.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    McAfee Desktop Firewall Tray.lnk - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe [2004-11-06 303104]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{DB0A0B68-2F3C-51D2-A901-9381E136D21A} "= "C:\WINDOWS\system32\KcrnadDrv.dll" [1989-12-31 40960]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.VCR2 "= ATIVCR2.DLL
    "VIDC.DRAW "= DVIDEO.DLL
    "VIDC.VCR1 "= ATIVCR1.DLL
    "VIDC.YV12 "= ATIYUV12.DLL
    "VIDC.YU12 "= ATIYUV12.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\Program Files\\Warcraft III\\war3.exe "=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "=

    R3 FireProx;%pgpnetMP_Desc%;C:\WINDOWS\system32\DRIVERS\fireprox.sys [2002-03-27 28237]
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 32512]

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-ATI Launchpad - (no file)


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    R1 -: HKCU-Internet Settings,ProxyOverride = *.local
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O16 -: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
    C:\WINDOWS\Downloaded Program Files\AxCtp2.inf
    C:\WINDOWS\System32\ImageControl.dll
    C:\WINDOWS\System32\AxCtp2.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-21 22:56:59
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HydraVisionDesktopManager = C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe?e?s?\?A?T?I? ?H?Y?D?R?A?V?I?S?I?O?N?\?H?y?d?r?a?D?M?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\System32\NavLogon.dll
    .
    Completion time: 2008-09-21 22:58:20
    ComboFix-quarantined-files.txt 2008-09-22 05:58:15

    Pre-Run: 96,486,526,976 bytes free
    Post-Run: 96,679,452,672 bytes free

    117 --- E O F --- 2008-09-14 07:04:55

    Below is the Hijackthis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:02:11 PM, on 9/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb99.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe 1
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb99.exe
    O4 - HKLM\..\Run: [HPHUPD07] C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe
    O4 - HKLM\..\Run: [HPHmon07] C:\WINDOWS\System32\hphmon07.exe
    O4 - HKLM\..\Run: [HPHped07] C:\PROGRA~1\HP\{C8EEA~1\pexpress\hphPED07.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: McAfee Desktop Firewall 7.5 Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
    O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
    O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

    --
    End of file - 7750 bytes

    Again, your help is greatly appreciated!!!

    Tako
     
    Tako,
    #1
  2. 2008/09/22
    Geri
    Hi Tako
    Welcome to Windowsbbs.

    I need to know where Norton is finding infostealer.

    Thanks
    Geri
     
    Geri,
    #2


  4. 2008/09/22
    Tako

    Infostealer.Gampass is located in C:\WINDOWS\system32\
    filename KcrnadDrv.dll

    Thanks!
    Tako
     
    Tako,
    #3
  5. 2008/09/22
    Geri
    Hi
    OK please do this.

    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box at the top of the page, one at a time:
      • C:\WINDOWS\system32\KcrnadDrv.dll
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     
    Geri,
    #4
  6. 2008/09/22
    Tako


    File: KcrnadDrv.dll
    Status: INFECTED/MALWARE
    MD5: 19e4c9b94ed7f13750f0272a1e3651b9
    Packers detected: -

    Scanner results
    Scan taken on 23 Sep 2008 03:06:02 (GMT)
    A-Squared Found Trojan-GameThief.Win32.OnLineGames.tbvu!IK
    AntiVir Found TR/PSW.OnLineGa.OCJ
    ArcaVir Found nothing
    Avast Found Win32:Trojan-gen {Other}
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found Troj.GameThief.W32.OnLineGames.tbvu
    Dr.Web Found Trojan.PWS.Wow.793
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Trojan-PSW:W32/OnlineGames.TJY, Trojan-GameThief.Win32.OnLineGames.tbvu
    Ikarus Found Trojan-GameThief.Win32.OnLineGames.tbvu
    Kaspersky Anti-Virus Found Trojan-GameThief.Win32.OnLineGames.tbvu
    NOD32 Found probably a variant of Win32/PSW.OnLineGames.OCJ (probable variant)
    Norman Virus Control Found W32/OnLineGames.BRYH
    Panda Antivirus Found Trj/Lineage.BZE
    Sophos Antivirus Found Mal/Generic-A
    VirusBuster Found nothing
    VBA32 Found Trojan-GameThief.Win32.OnLineGames.tbvu
     
    Tako,
    #5
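An added example (not from the thread, and not Jotti's code) that parses results in the layout posted above and turns the per-engine names into a detection ratio and a family consensus; the engine lines are a constructed excerpt of the post, and the keyword-to-family mapping is an assumption for the example:

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Jotti results posted in this thread:
# engine name, the word "Found", then the vendor's verdict or "nothing".
SAMPLE_RESULTS = """\
A-Squared Found Trojan-GameThief.Win32.OnLineGames.tbvu!IK
AntiVir Found TR/PSW.OnLineGa.OCJ
ArcaVir Found nothing
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found nothing
Dr.Web Found Trojan.PWS.Wow.793
F-Secure Anti-Virus Found Trojan-PSW:W32/OnlineGames.TJY, Trojan-GameThief.Win32.OnLineGames.tbvu
Kaspersky Anti-Virus Found Trojan-GameThief.Win32.OnLineGames.tbvu
NOD32 Found probably a variant of Win32/PSW.OnLineGames.OCJ (probable variant)
Panda Antivirus Found Trj/Lineage.BZE
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
"""

# Engine names contain spaces ("Kaspersky Anti-Virus"), so split on the first " Found ".
LINE_RE = re.compile(r'^(?P<engine>.+?) Found (?P<verdict>.+)$')

# Substrings that different vendors use for the same behaviour class.
# Assumption for this example, derived from the names in the thread; order matters,
# the more specific class is checked first.
FAMILY_HINTS = {
    "password stealer / game account theft":
        ("onlinegames", "onlinega", "gamethief", "psw", "pws", "lineage"),
    "generic trojan": ("trojan-gen", "generic"),
}


def parse_results(text):
    """Return [(engine, verdict_or_None), ...]; None means the engine found nothing."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        verdict = m.group("verdict").strip()
        rows.append((m.group("engine"), None if verdict.lower() == "nothing" else verdict))
    return rows


def classify(verdict):
    """Map one vendor name onto a behaviour class using the substring hints."""
    v = verdict.lower()
    for label, hints in FAMILY_HINTS.items():
        if any(h in v for h in hints):
            return label
    return "unclassified"


def summarize(rows):
    """Detection ratio plus the behaviour class most engines agree on."""
    detected = [(e, v) for e, v in rows if v]
    families = Counter(classify(v) for _, v in detected)
    return {
        "engines": len(rows),
        "detections": len(detected),
        "ratio": len(detected) / len(rows) if rows else 0.0,
        "families": families,
        "consensus": families.most_common(1)[0][0] if families else None,
    }


if __name__ == "__main__":
    s = summarize(parse_results(SAMPLE_RESULTS))
    print(f"{s['detections']}/{s['engines']} engines flagged the file; consensus: {s['consensus']}")
    for label, n in s["families"].most_common():
        print(f"  {n:2d} x {label}")
```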
  7. 2008/09/22
    Geri
    Hi
    OK, please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the Combofix log.

    Thanks
    Geri
     
    Geri,
    #6
  8. 2008/09/22
    Tako

    Geri,

    Prior to running Combofix.exe, the following were disabled: NAV realtime protection, McAfee Desktop firewall, Windows XP firewall. I am not sure if I properly disabled teatimer. Below is the combofix log.

    Thanks!

    ComboFix 08-09-20.05 - Leslie 2008-09-22 21:31:07.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.549 [GMT -7:00]
    Running from: C:\Documents and Settings\Leslie\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
    .

    2008-09-21 23:01 . 2008-09-21 23:01 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-03 00:34 . 2008-09-03 00:34 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-12 10:59 --------- d-----w C:\Program Files\Warcraft III
    2008-09-03 08:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-03 07:46 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-28 02:52 --------- d-----w C:\Documents and Settings\Leslie\Application Data\Roxio
    2008-08-16 23:05 --------- d-----w C:\Program Files\Apple Software Update
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-01-15 20:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2007-06-08 07:57 34,632 ---ha-r C:\Documents and Settings\Leslie\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-09-21_22.57.57.02 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-09-22 05:42:15 62,460 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-09-23 03:05:34 62,460 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-09-22 05:42:15 401,372 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-09-23 03:05:34 401,372 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATI Remote Control "= "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2003-11-20 192512]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ASUS Probe "= "C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
    "Launch Ai Booster "= "C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2004-01-19 1892864]
    "vptray "= "C:\Program Files\NavNT\vptray.exe" [2002-01-18 73728]
    "RoxioEngineUtility "= "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
    "RoxioAudioCentral "= "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-23 319488]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
    "HPDJ Taskbar Utility "= "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb99.exe" [2004-12-22 172032]
    "HPHUPD07 "= "C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe" [2005-03-16 49152]
    "HPHmon07 "= "C:\WINDOWS\System32\hphmon07.exe" [2005-03-16 622592]
    "HPHped07 "= "C:\PROGRA~1\HP\{C8EEA~1\pexpress\hphPED07.exe" [2005-03-17 339968]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-01-31 385024]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
    "HydraVisionDesktopManager "= "C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-06-26 270336]
    "MSConfig "= "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
    "SoundMan "= "SOUNDMAN.EXE" [2004-01-09 C:\WINDOWS\soundman.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    McAfee Desktop Firewall Tray.lnk - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe [2004-11-06 303104]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{DB0A0B68-2F3C-51D2-A901-9381E136D21A} "= "C:\WINDOWS\system32\KcrnadDrv.dll" [1989-12-31 40960]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.VCR2 "= ATIVCR2.DLL
    "VIDC.DRAW "= DVIDEO.DLL
    "VIDC.VCR1 "= ATIVCR1.DLL
    "VIDC.YV12 "= ATIYUV12.DLL
    "VIDC.YU12 "= ATIYUV12.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\Program Files\\Warcraft III\\war3.exe "=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "=

    R3 FireProx;%pgpnetMP_Desc%;C:\WINDOWS\system32\DRIVERS\fireprox.sys [2002-03-27 28237]
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 32512]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    R1 -: HKCU-Internet Settings,ProxyOverride = *.local
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O16 -: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
    C:\WINDOWS\Downloaded Program Files\AxCtp2.inf
    C:\WINDOWS\System32\ImageControl.dll
    C:\WINDOWS\System32\AxCtp2.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-22 21:32:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HydraVisionDesktopManager = C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe?e?s?\?A?T?I? ?H?Y?D?R?A?V?I?S?I?O?N?\?H?y?d?r?a?D?M?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\System32\NavLogon.dll
    .
    Completion time: 2008-09-22 21:33:59
    ComboFix-quarantined-files.txt 2008-09-23 04:33:41
    ComboFix2.txt 2008-09-22 05:58:21

    Pre-Run: 96,726,249,472 bytes free
    Post-Run: 96,735,309,824 bytes free

    124 --- E O F --- 2008-09-14 07:04:55
     
    Tako,
    #7
  9. 2008/09/23
    Geri
    Hi
    OK sorry, I was going to have you download the new version of Combofix.
    But that's OK.

    Please do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\system32\KcrnadDrv.dll

    Registry::
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{DB0A0B68-2F3C-51D2-A901-9381E136D21A}"=-

    Please post the combofix log.

    Thanks
    Geri
     
    Geri,
    #8
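An added example, not Geri's or ComboFix's own code, that automates the triage behind this step: it reads the ShellExecuteHooks entries from a ComboFix "Reg Loading Points" section, flags hooks that are not on an allowlist or carry a backdated file timestamp, and emits a CFScript in the File::/Registry:: layout shown above. The log excerpt is constructed from the thread, and the 1995 cutoff and the empty default allowlist are assumptions:

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed excerpt in ComboFix's "Reg Loading Points" layout, mirroring the
# log posted in this thread (including the stray space before the closing quote
# that the forum rendering introduced).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray "= "C:\Program Files\NavNT\vptray.exe" [2002-01-18 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{DB0A0B68-2F3C-51D2-A901-9381E136D21A} "= "C:\WINDOWS\system32\KcrnadDrv.dll" [1989-12-31 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# ComboFix prints  "name"= "path" [YYYY-MM-DD size]; whitespace inside the quotes
# is tolerated because forum copies of the log carry a stray space there.
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]*?)\s*"\s*=\s*"(?P<path>[^"]*?)\s*"\s*'
    r'\[(?P<stamp>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$'
)
HOOK_SUFFIX = "\\explorer\\shellexecutehooks"
OLDEST_PLAUSIBLE = date(1995, 1, 1)   # assumption: no Win32 DLL legitimately predates Windows 95


@dataclass
class Hook:
    section: str   # registry key exactly as printed in the log
    clsid: str
    path: str
    stamp: date
    size: int


def parse_hooks(log_text):
    """Collect every ShellExecuteHooks entry from a ComboFix registry listing."""
    hooks, section = [], None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            section = m.group("key")
            continue
        if section is None or not section.lower().endswith(HOOK_SUFFIX):
            continue
        e = ENTRY_RE.match(line.strip())
        if e:
            y, mo, d = (int(x) for x in e.group("stamp").split("-"))
            hooks.append(Hook(section, e.group("name"), e.group("path"),
                              date(y, mo, d), int(e.group("size"))))
    return hooks


def suspicious_hooks(hooks, allowlist=frozenset()):
    """Return (hook, reasons) for each hook that deserves a closer look."""
    known = {c.upper() for c in allowlist}
    out = []
    for h in hooks:
        reasons = []
        if h.clsid.upper() not in known:
            reasons.append("CLSID not on the allowlist of known shell hooks")
        if h.stamp < OLDEST_PLAUSIBLE:
            reasons.append(f"file timestamp {h.stamp} is backdated")
        if reasons:
            out.append((h, reasons))
    return out


def build_cfscript(findings):
    """Emit a CFScript (File:: then Registry::) in the layout used in this thread."""
    if not findings:
        return ""
    lines = ["File::"] + [h.path for h, _ in findings] + ["", "Registry::"]
    by_section = {}
    for h, _ in findings:
        by_section.setdefault(h.section, []).append(h.clsid)
    for section, clsids in by_section.items():
        lines.append(f"[{section}]")
        lines += [f'"{c}"=-' for c in clsids]   # "=-" deletes the value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    findings = suspicious_hooks(parse_hooks(SAMPLE_LOG))
    for h, reasons in findings:
        print(f"{h.path}: " + "; ".join(reasons))
    print(build_cfscript(findings), end="")
```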
  10. 2008/09/23
    Tako

    Geri,

    As requested, I dragged the CFScript.txt file onto the combofix.exe icon. During the process, it asked me for the latest update and I agreed. Below is the resulting ComboFix log followed by a fresh HijackThis log.

    ComboFix 08-09-22.06 - Leslie 2008-09-23 19:21:59.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.552 [GMT -7:00]
    Running from: C:\Documents and Settings\Leslie\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Leslie\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\KcrnadDrv.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\KcrnadDrv.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
    .

    2008-09-21 23:01 . 2008-09-21 23:01 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-03 00:34 . 2008-09-03 00:34 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-12 10:59 --------- d-----w C:\Program Files\Warcraft III
    2008-09-03 08:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-03 07:46 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-28 02:52 --------- d-----w C:\Documents and Settings\Leslie\Application Data\Roxio
    2008-08-16 23:05 --------- d-----w C:\Program Files\Apple Software Update
    2008-01-15 20:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2007-06-08 07:57 34,632 ---ha-r C:\Documents and Settings\Leslie\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-09-21_22.57.57.02 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-09-22 05:42:15 62,460 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-09-24 01:57:20 62,460 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-09-22 05:42:15 401,372 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-09-24 01:57:20 401,372 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2003-11-20 192512]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
    "Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2004-01-19 1892864]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [2002-01-18 73728]
    "RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
    "RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
    "RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-23 319488]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb99.exe" [2004-12-22 172032]
    "HPHUPD07"="C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe" [2005-03-16 49152]
    "HPHmon07"="C:\WINDOWS\System32\hphmon07.exe" [2005-03-16 622592]
    "HPHped07"="C:\PROGRA~1\HP\{C8EEA~1\pexpress\hphPED07.exe" [2005-03-17 339968]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
    "HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-06-26 270336]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
    "SoundMan"="SOUNDMAN.EXE" [2004-01-09 C:\WINDOWS\soundman.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    McAfee Desktop Firewall Tray.lnk - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe [2004-11-06 303104]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.VCR2"= ATIVCR2.DLL
    "VIDC.DRAW"= DVIDEO.DLL
    "VIDC.VCR1"= ATIVCR1.DLL
    "VIDC.YV12"= ATIYUV12.DLL
    "VIDC.YU12"= ATIYUV12.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Warcraft III\\war3.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R3 FireProx;%pgpnetMP_Desc%;C:\WINDOWS\system32\DRIVERS\fireprox.sys [2002-03-27 28237]
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 32512]
    S4 AsusGIO;AsusGIO;C:\Program Files\ASUS\Ai Booster\AsusGIO.sys [2003-11-26 52808]

    *Newly Created Service* - ASUSGIO
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-23 19:24:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\System32\NavLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
    C:\WINDOWS\system32\CBA\PDS.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\CBA\XFR.EXE
    C:\WINDOWS\system32\MSGSYS.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-23 19:31:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-24 02:29:59
    ComboFix2.txt 2008-09-23 04:34:00
    ComboFix3.txt 2008-09-22 05:58:21

    Pre-Run: 96,680,316,928 bytes free
    Post-Run: 96,695,447,552 bytes free

    126 --- E O F --- 2008-09-14 07:04:55


    And here's the new HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:32:55 PM, on 9/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb99.exe
    C:\WINDOWS\System32\hphmon07.exe
    C:\PROGRA~1\HP\{C8EEA~1\pexpress\hphPED07.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe 1
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb99.exe
    O4 - HKLM\..\Run: [HPHUPD07] C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe
    O4 - HKLM\..\Run: [HPHmon07] C:\WINDOWS\System32\hphmon07.exe
    O4 - HKLM\..\Run: [HPHped07] C:\PROGRA~1\HP\{C8EEA~1\pexpress\hphPED07.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: McAfee Desktop Firewall 7.5 Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
    O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
    O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

    --
    End of file - 7364 bytes

    I'll be anxiously awaiting the results!!!

    Thanks!
    Tako
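    When a helper reads a HijackThis log like the one above, the first pass is usually to pull the O4 autorun and O23 service entries into a structured form and mark the ones worth a closer look (an unresolved shortcut target, a service with no vendor, an image that is no longer on disk). The parser below is an added example, not a tool from this thread or from HijackThis; the sample lines are constructed in the log's format and the review flags are this example's own heuristics.

```python
"""Triage helper for HijackThis v2 O4/O23 lines (added example, not a tool from this thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in the shape of the log posted above (not a verbatim copy of it).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\\Program Files\\NavNT\\defwatch.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\\PROGRA~1\\ATIMUL~1\\RemCtrl\\x10nets.exe (file missing)
"""

O4_RUN_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O4_STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<target>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# An unquoted command line is cut at the first token that looks like an image file.
IMAGE_RE = re.compile(r'^(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)', re.I)


@dataclass
class Entry:
    section: str                      # "O4" (autorun) or "O23" (service)
    name: str
    path: str
    flags: List[str] = field(default_factory=list)   # heuristic review notes


def _image_path(cmd: str) -> Tuple[str, bool]:
    """Split an O4 command line into (image path, was_quoted), loader-style."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    m = IMAGE_RE.match(cmd)
    return (m.group("path") if m else cmd), False


def parse_hjt(text: str) -> List[Entry]:
    """Parse O4 and O23 lines; other sections are ignored in this example."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RUN_RE.match(line):
            path, quoted = _image_path(m.group("cmd"))
            e = Entry("O4", m.group("name"), path)
            if "\\" not in path:
                e.flags.append("bare filename: resolved through the loader search path")
            elif not quoted and " " in path:
                e.flags.append("unquoted path with spaces")
        elif m := O4_STARTUP_RE.match(line):
            e = Entry("O4", m.group("name"), m.group("target"))
            if e.path == "?":
                e.flags.append("shortcut target not resolved by HijackThis")
        elif m := O23_RE.match(line):
            e = Entry("O23", m.group("name"), m.group("path"))
            if m.group("owner") == "Unknown owner":
                e.flags.append("no vendor in the image's version info")
            if e.path.endswith("(file missing)"):
                e.flags.append("service image not on disk (orphaned entry)")
        else:
            continue
        entries.append(e)
    return entries


def flagged(text: str) -> List[Entry]:
    """Entries with at least one note: the ones a helper would look at first."""
    return [e for e in parse_hjt(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section} {e.name!r}: {e.path} -> {'; '.join(e.flags)}")
```

    A flag is a prompt to check the entry, not a verdict: the ATI and X10 services in the log above are leftovers of legitimate software, which is exactly why the helpers in this thread read flagged entries against the file's vendor and location before calling anything rogue.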
  11. 2008/09/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Please do this.

    Click Start > Run; in the run box, copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.

    Empty your recycle bin.

    Now run a scan with NAV and let me know if you still get the warning.

    Thanks
    Geri
  12. 2008/09/24
    Tako

    Tako Inactive Thread Starter

    Joined:
    2008/09/15
    Messages:
    13
    Likes Received:
    0
    Geri,

    I got a little ahead of myself and did some of the things you mentioned prior to receiving your instruction. Just to make sure that everything I did was okay, I'll list what I did prior to reading your post.

    First, I turned on real-time protection for NAV. I then proceeded to scan the entire computer for viruses. NAV did report finding KcrnadDrv.dll.vir in C:\QooBox\Quarantine\C\WINDOWS\system32\ (notice the slight variation in file type and the location). This time NAV successfully quarantined the file. I made the conclusion that combofix placed the file here after dragging and dropping the CFScript file on the icon. Through NAV, I deleted the file which was now in quarantine. After doing so, I scanned the whole computer again and came up virus free. That's when I saw your reply and followed your instruction to perform combofix /u at the run window. I then proceeded to empty the recycle bin. I also took the computer out of safeboot mode and am now running normally. As a confirmation, I re-scanned the entire computer with NAV and again came up virus free. Will anything I have done have affected what you told me to do in your instruction? Also, was the dll file never supposed to have been in the system32 directory? I'm just concerned that maybe a valid program needed it to perform properly. Please let me know.

    Thanks!!!
    Tako
  13. 2008/09/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    What you did was OK, just the long way around, and yes, C:\QooBox is the quarantine folder for ComboFix.

    The file is rogue; it was not supposed to be there, so it will not affect any other programs.

    Let's get an online scan to make sure everything is good.

    Please do this.

    Empty your NAV quarantine folder.


    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program. (If you use Firefox, please follow those instructions as well.)
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Firefox.
    If you use the Firefox browser:
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Now the scan.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Thanks
    Geri
  14. 2008/09/25
    Tako

    Tako Inactive Thread Starter

    Joined:
    2008/09/15
    Messages:
    13
    Likes Received:
    0
    Geri,

    I ran the ATF Cleaner as well as Panda's ActiveScan. Below is the log file for Panda's scan.

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-09-24 22:17:53
    PROTECTIONS: 2
    MALWARE: 1
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Symantec Antivirus Corporate Edition 7.6 No Yes
    Norton Antivirus Edition 7.5 No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    03738670 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncPlanObserver.exe
    03738670 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\All Users\Application Data\Apple\Installer Cache\Apple Mobile Device Support 1.1.4.7\AppleMobileDeviceSupport.msi[unk_0049][SyncPlanObserver.exe]
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location Cu
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description Cu
    ;===================================================================================================================================================================================
    120815 HIGH MS06-022 Cu
    ;===================================================================================================================================================================================

    Thanks,
    Tako
  15. 2008/09/25
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, those two that Panda found are OK.

    Apple Mobile Device
    AppleMobileDeviceService.exe
    Added by iTunes 7.3 to interface with Apple mobile devices. Allows iTunes to interact with iPhone when connected to the computer.

    If your virus protection is flagging these then I would set it to ignore them.

    Nothing else is showing. Please do another scan with NAV and let me know if anything is found, and if so, where it is found.

    Thanks
    Geri
  16. 2008/09/26
    Tako

    Tako Inactive Thread Starter

    Joined:
    2008/09/15
    Messages:
    13
    Likes Received:
    0
    Geri,

    NAV came up virus free! Am I in the clear?

    Thanks!!!
    Tako
  17. 2008/09/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Yes, you should be good to go.

    Please look at this link for some preventive recommendations; it could keep you from ending up back here in the Malware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    I'll mark this one resolved.

    Surf Safely.
    Geri