
Virus


herme3


One of my computers has been infected with a virus or worm that got past Symantec AntiVirus Corporate Edition and ZoneAlarm Pro. In fact, the virus has disabled my ZoneAlarm Pro firewall, and I'm trying to figure out how to fix it. The virus automatically downloaded itself onto my computer from a web site. It only took a few seconds to download, so I didn't have time to press the Cancel button. While it was downloading, I saw the following window:

 

[screenshot: viruserror.jpg]

 

Then a file named 0.exe was on my hard drive. Before ZoneAlarm Pro was disabled, it warned me that 0.exe was trying to act like a server. It also warned me that 0.exe was attempting to send e-mail messages.

 

At first, I tried to delete 0.exe but I received an error message that said, "Access Denied". After that, I restarted my computer to find that ZoneAlarm Pro was disabled. Although I was able to delete 0.exe, I have a feeling that the virus/worm is still somewhere in my computer.

 

I would appreciate it if anyone could tell me something about this virus. I don't even know what it is called, and I can't get any good information by searching for "0.exe".

 

I have compressed the 0.exe file and placed it at http://www.bluealan.com/virus.zip so if there are any virus experts here, maybe they could figure out how it works.


I don't wish to take that file because I don't have too much time to spend if I start infecting myself.

 

However I can help a bit.

 

If you think the virus may still be in your computer (which is a reasonable thought) then try getting Avast antivirus (free home edition) and then running the boot time scan, ensure that Thorough Scan and Scan Archive Files are both chosen.

 

Also if you have the file then upload here:

http://virusscan.jotti.org/

and get it scanned by something like 30 different AVs and spyware scanners.

 

Also it sounds more of a home made virus than one of the biggies because, well, what professionally written virus would bring up a standard IE script prompt (that's purely my opinion).

 

Remember that some viruses can hide in the WinXP System Restore Points, so delete all of those.

 

Why is it that you think you may still be infected?

 

Also if you use a program like Process Viewer:

http://www.teamcti.com/pview/

Can you see the virus running?

More to the point can you see anything that shouldn't be there or you don't know what it is? (If there's a process you're not sure of what it is then post it here and I'll see if I can tell you)


I'd suggest you reboot into safe mode (go to Run and type in msconfig), update Norton's virus definitions, then do a full scan. If nothing turns up, you should be fine.

 

In any case, send the zip file to Symantec (http://securityresponse.symantec.com/avcenter/submit.html) if you can, or any other a/v firm. They'll be able to tell you what it is, or if it's new.

 

And I'm desperately resisting making a crack to you about using Internet Explorer...


I'm sure that this virus is still in my computer, and the most updated definitions of Symantec AntiVirus won't find it. I've checked all the processes, and I don't see anything unusual. I am unable to reinstall ZoneAlarm Pro because it says that the file is opened by another process. This still comes up even after a restart. Due to this problem, I am unable to reinstall ZoneAlarm Pro.

 

I don't believe that script prompt window was part of Internet Explorer. I've never seen it before, and it is called, "Explorer User Prompt". This doesn't seem to be part of Explorer.exe and Microsoft is always careful to label every part of Internet Explorer as "Internet Explorer", not just "Explorer". That prompt must have been a downloader that is part of the virus.

 

Also, I am unable to start the Windows firewall or the security center that came with Service Pack 2. When I try to start the firewall, I get a message that says, "Due to an unidentified problem, Windows cannot display Windows Firewall settings."

 

I ran a scan on the 0.exe file at http://virusscan.jotti.org/ and I got the following results:

 

BitDefender Found BehavesLike:Trojan.WinlogonHook (probable variant)

 

NOD32 Found a variant of Win32/Haxdoor

 

VBA32 Found Trojan-Downloader.Agent.87 (probable variant)

 

What does that mean?


> What does that mean?

 

 

It's probably a VBA-type coded trojan. If your virus scans are not picking it up, then it's probably no longer there. Assuming you have deleted the files and deleted all previous restore points, it should be gone, which is what the virus scanner seems to confirm.

 

Cheers,

 

Ryan Jones


> And I think it's likely that Internet Explorer accidentally allowed the virus in, but I'll quit nagging about that.

 

Accidentally? It would not be surprising if Microcrap left the hole there - they do it all the time.

 

Using IE is asking for doom, I would not trust it at all... Best advice is to change browsers so this will not occur again.

 

Cheers,

 

Ryan Jones


> Accidentally? It would not be surprising if Microcrap left the hole there - they do it all the time.
>
> Using IE is asking for doom, I would not trust it at all... Best advice is to change browsers so this will not occur again.
>
> Cheers,
>
> Ryan Jones

 

 

I second this, but am aware of the IE/other browser argument history here, so I won't comment more.

 

I would say that the only way you will ever know you have a "secure" or "safe" system again is if you reinstall your OS...


I wish I could join all of the people that are blaming this on IE. Unfortunately, I must admit that I was using a web browser that I created...:-(

 

I'm not sure how many other browsers would be affected by this virus. I have been using my own browser for several months, and this is the first security problem I have ever had. I had many more virus problems when I used IE, but Symantec AntiVirus always detected them and deleted them. Symantec won't even detect this one.

 

I have already started my computer in safe mode, and I still couldn't delete ZoneAlarm Pro so I can install it again. It appears that the security engine of ZoneAlarm is still running, but it isn't working as a firewall. It is almost like the virus has hijacked ZoneAlarm Pro so it can't be deleted and reinstalled. I will try the link that Cap'n Refsmmat posted, and let you know if it works.

 

This virus seems to target firewalls. I can't get the Windows firewall to work either. Everything else on my computer seems to be working correctly.


The one that uses the IE engine, and in fact is IE with just a slightly modified front end? As it's a lot of work to write a rendering engine :|

 

Your AV scanner is probably being fooled by the virus if it is still running, this sometimes happens :|

 

A "good" trojan/worm/virus will try to take down or trick your security programs so I restate my advice of a reinstall :|


---Jotti scan of 0.exe

 

AntiVir

Found nothing

ArcaVir

Found nothing

Avast

Found nothing

AVG Antivirus

Found nothing

BitDefender

Found BehavesLike:Trojan.WinlogonHook (probable variant)

ClamAV

Found nothing

Dr.Web

Found nothing

F-Prot Antivirus

Found nothing

Fortinet

Found nothing

Kaspersky Anti-Virus

Found nothing

NOD32

Found a variant of Win32/Haxdoor

Norman Virus Control

Found nothing

UNA

Found nothing

VBA32

Found Trojan-Downloader.Agent.87 (probable variant)

 

---

 

Looks like most AVs are still having trouble with Haxdoor.

 

Herme3... I'd suggest downloading HijackThis from here (scroll down and click the button with a flashing green light next to it). Extract the program, run it, and select 'scan system and make a log'.

 

Post the log up in this thread so we can see what we're dealing with.


> It is almost like the virus has hijacked ZoneAlarm Pro so it can't be deleted and reinstalled

Maybe, but it also sounds to me like you partially removed ZA and haven't fully removed it, so you can't reinstall it.... this is nothing to do with the virus.

 

Why do you think the virus is still on your computer? ("I am" is not an answer to a 'why' question!)


Dak, here is the log from HijackThis:

 

Logfile of HijackThis v1.99.1

Scan saved at 11:20:49 AM, on 12/16/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\20031213155737_mcinfo.exe /insfin

O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Owner\LOCALS~1\Temp\20031213155738_mcappins.exe /v=3 /cleanup

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120096203296

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup150.cab

O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

 

5614, the computer is acting different in several ways besides the problem with ZoneAlarm Pro. First, the Windows firewall is disabled and will not start. Second, the computer will not connect to my home network. Third, explorer.exe will crash when I try to access the Control Panel. When this happens, my taskbar will disappear. It will come back after a few seconds. After that, I will be able to access the Control Panel normally until the next time I start my computer.


I was able to completely remove ZoneAlarm Pro using the Unlocker that Cap'n Refsmmat recommended. I also reinstalled ZoneAlarm Pro, and the installation was successful. However, ZoneAlarm Pro still won't work.

 

The actual security engine of ZoneAlarm Pro is vsmon.exe and that process is immediately terminated when I try to start ZoneAlarm Pro. When I tried to manually click on vsmon.exe I received an error that said, "Another program is currently using this file." I don't understand why I am receiving this error. Vsmon.exe is not running in my list of processes.

 

Although I am not sure what all of the processes are, I do not think any of them are the virus. 0.exe has been deleted from the computer. Which process could be stopping the vsmon process from running?


Herme3, I think you might have a root-kited variant of haxdoor.

 

Please download rootkit revealer, scan with it, and after the scan has completed goto 'file > save' to save the report.

 

Post the rootkit revealer report up for me to see please.

 

I'd also like to point out that the newer haxdoor variants have a keylogger with them, so I'd advise refraining from online-banking for now.


Here is the report from the rootkit revealer:

 

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 12/16/2005 12:32 PM 80 bytes Data mismatch between Windows API and raw hive data.

 

C:\Documents and Settings\Owner\Local Settings\Temp\W01804300\3124.tmp 12/16/2005 12:31 PM 320 bytes Visible in Windows API, but not in MFT or directory index.

 

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6T07I5A5\CA6789AB.html 12/16/2005 12:31 PM 5.49 KB Visible in Windows API, but not in MFT or directory index.

 

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HJFT7T7O\showthread[1].html 12/16/2005 12:31 PM 105.17 KB Visible in Windows API, but not in MFT or directory index.

 

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 12/16/2005 12:31 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.

 

C:\WINDOWS\system32\avpe32.dll 12/15/2005 1:07 PM 40.20 KB Hidden from Windows API.

C:\WINDOWS\system32\avpe64.sys 12/15/2005 1:07 PM 21.33 KB Hidden from Windows API.

C:\WINDOWS\system32\klgcptini.dat 12/15/2005 1:07 PM 0 bytes Hidden from Windows API.

C:\WINDOWS\system32\qz.dll 12/15/2005 1:07 PM 40.20 KB Hidden from Windows API.

C:\WINDOWS\system32\qz.sys 12/15/2005 1:07 PM 21.33 KB Hidden from Windows API.

C:\WINDOWS\system32\stt82.ini 12/16/2005 11:19 AM 320 bytes Hidden from Windows API.

C:\WINDOWS\system32\subrange.uce 8/29/2002 7:00 AM 91.51 KB Hidden from Windows API.

C:\WINDOWS\system32\subrange.x 8/29/2002 6:00 AM 91.51 KB Visible in Windows API, but not in MFT or directory index.

 

I used the Unlock application to see what process was locking vsmon.exe. It said that the file was locked by the "System" process. I thought that process was part of Windows. Why would it be locking vsmon.exe?

 

Also, I found some strange temporary files in the temp folder. There is a folder named "W01804300" and it contains all of the source codes of the web sites I have visited since the virus entered the computer. Could this be part of a spyware program? If so, why won't my AntiSpyware program detect it?


Cap'n Refsmmat, how did you remove the virus from your computer? Do you know how I could remove the virus from my computer and get ZoneAlarm Pro to work again?

 

Does anybody see anything that could be the virus in the rootkit revealer report I posted? Isn't avpe32.dll and avpe64.sys part of Haxdoor? Should I try to manually delete those files? What about the other files that it listed?


A well programmed virus could still start in safe mode... I like avast's boot time scan.

 

Also a standard thing if you have a virus which could be opening your computer to hackers, downloading unwanted things, sending private data etc. is to simply disconnect that computer from any network (incl. internet) that way the most damage it can do is to harm a single computer, it cannot spread to other computers nor download/upload data.


I think this is the variant that you have:

 

http://www.sophos.com/virusinfo/analyses/trojhaxdooram.html

 

Troj/Haxdoor-AM is a Trojan for the Windows platform.

 

Troj/Haxdoor-AM runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

 

Troj/Haxdoor-AM includes functionality to:

 

- stealth its files, processes, registry entries and services

- prevent itself being terminated

- prevent itself being deleted

- disable other software, including anti-virus, firewall and security related applications

- log keystrokes and steal password information

- intercept banking information

- download and execute files from a remote location

- change the default browser startpage and similar information

 

When Troj/Haxdoor-AM is installed the following files are created:

 

<System>\avpu32.dll

<System>\avpu64.sys

<System>\klgcptini.dat

<System>\qz.dll

<System>\qz.sys

<System>\stt82.ini

 

klgcptini.dat and stt82.ini are clean log files. The other files are detected as Troj/Haxdoor-AM.

 

Troj/Haxdoor-AM may attempt to inject avpu32.dll into the process explorer.exe.

 

Troj/Haxdoor-AM attempts to delete a number of registry entries under the following location:

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

 

Registry entries may be created at one of the places to run code exported by avpu32.dll on startup:

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpu32

 

HKLM\System\CurrentControlSet\Control\MPRServices\TestService

 

The file avpu64.sys may be registered as a new system driver service named "avpu32", with a display name of "TCPIP2 Kernel32" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

 

HKLM\SYSTEM\CurrentControlSet\Services\avpu32\

 

The file avpu64.sys may be registered as a new system driver service named "avpu64", with a display name of "TCPIP2 Kernel". Registry entries are created under:

 

HKLM\SYSTEM\CurrentControlSet\Services\avpu64\

 

Troj/Haxdoor-AM may set entries at the following locations to allow its components to be run in Safe Mode:

 

SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\

 

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\

 

> Does anybody see anything that could be the virus in the rootkit revealer report I posted? Isn't avpe32.dll and avpe64.sys part of Haxdoor? Should I try to manually delete those files? What about the other files that it listed?

 

No, don't delete everything from the RKR log; some of it might be legit.

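The two logs in this thread carry the answer to "which entries are the rootkit and which are noise" once they are read together: the RootkitRevealer report lists files hidden from the Windows API, and the HijackThis log shows a Winlogon Notify DLL, so a Winlogon Notify entry whose DLL is on the hidden list is the persistence mechanism the Sophos write-up describes. The script below is an added example, not code from any poster, from Sysinternals or from the HijackThis project. Its sample input is copied from the logs posted above; the severity rules, the "drop cluster" grouping by timestamp, and the treatment of the RNG Seed and restore-point entries as noise are this example's own heuristics, not any vendor's detection logic.

```python
"""Triage a RootkitRevealer report against a HijackThis log (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: discrepancy lines copied from the RootkitRevealer report posted in the thread.
RKR_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 12/16/2005 12:32 PM 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Owner\Local Settings\Temp\W01804300\3124.tmp 12/16/2005 12:31 PM 320 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\avpe32.dll 12/15/2005 1:07 PM 40.20 KB Hidden from Windows API.
C:\WINDOWS\system32\avpe64.sys 12/15/2005 1:07 PM 21.33 KB Hidden from Windows API.
C:\WINDOWS\system32\klgcptini.dat 12/15/2005 1:07 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\qz.dll 12/15/2005 1:07 PM 40.20 KB Hidden from Windows API.
C:\WINDOWS\system32\qz.sys 12/15/2005 1:07 PM 21.33 KB Hidden from Windows API.
C:\WINDOWS\system32\stt82.ini 12/16/2005 11:19 AM 320 bytes Hidden from Windows API.
C:\WINDOWS\system32\subrange.uce 8/29/2002 7:00 AM 91.51 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\rp.log 12/16/2005 8:40 PM 536 bytes Hidden from Windows API.
"""

# Sample input: O20/O23 lines copied from the HijackThis log posted in the thread.
HJT_LOG = r"""
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# RKR line layout: <path> <M/D/YYYY> <H:MM AM|PM> <size> <unit> <description>.
RKR_LINE = re.compile(
    r"^(?P<path>.+?) (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB)) (?P<desc>.+)$"
)
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class RkrEntry:
    path: str
    timestamp: str
    size: str
    desc: str
    severity: str = ""


def classify(e: RkrEntry) -> str:
    """Heuristic severity for one discrepancy line (this example's own rules)."""
    path = e.path.lower()
    if path.startswith("hklm\\software\\microsoft\\cryptography\\rng\\seed"):
        return "info"   # reseeded between the API read and the raw hive read: expected noise
    if "\\system volume information\\" in path:
        return "info"   # restore point being written during the scan (the second report above is all this)
    if e.desc.startswith("Hidden from Windows API"):
        # The raw NTFS scan sees the file but the Win32 API does not: something is filtering
        # directory listings.  Under system32 that is almost always the rootkit's own drop.
        return "high" if "\\system32\\" in path else "medium"
    if e.desc.startswith("Visible in Windows API, but not in MFT"):
        return "low"    # usually a file still being written when the raw scan reached it
    return "medium"


def parse_rkr(text: str) -> list[RkrEntry]:
    entries = []
    for line in text.splitlines():
        m = RKR_LINE.match(line.strip())
        if m:   # anything else (blank lines, headers) is skipped
            e = RkrEntry(m["path"], m["ts"], m["size"], m["desc"])
            e.severity = classify(e)
            entries.append(e)
    return entries


def parse_hjt(text: str) -> list[tuple[str, str, str]]:
    """Return (kind, name, path) for O20 Winlogon Notify and O23 service lines."""
    items = []
    for line in text.splitlines():
        for kind, rx in (("O20", HJT_O20), ("O23", HJT_O23)):
            m = rx.match(line.strip())
            if m:
                items.append((kind, m["name"], m["path"]))
    return items


def drop_clusters(entries: list[RkrEntry], min_size: int = 2) -> dict[str, list[str]]:
    """Group high-severity hidden files by identical timestamp: files dropped together."""
    by_time = defaultdict(list)
    for e in entries:
        if e.severity == "high":
            by_time[e.timestamp].append(e.path)
    return {t: sorted(p) for t, p in by_time.items() if len(p) >= min_size}


def correlate(entries: list[RkrEntry], hjt_items: list[tuple[str, str, str]]):
    """Autostart entries (O20/O23) whose binary RKR reports as hidden from the API."""
    hidden = {e.path.lower() for e in entries if e.desc.startswith("Hidden from Windows API")}
    return [(kind, name, path) for kind, name, path in hjt_items if path.lower() in hidden]


if __name__ == "__main__":
    rkr = parse_rkr(RKR_REPORT)
    for ts, paths in drop_clusters(rkr).items():
        print(f"drop set at {ts}: {len(paths)} files")
    for kind, name, path in correlate(rkr, parse_hjt(HJT_LOG)):
        print(f"{kind} entry '{name}' loads a hidden file: {path}")
```

On the thread's own data this yields one drop set of five files at 12/15/2005 1:07 PM (avpe32.dll, avpe64.sys, klgcptini.dat, qz.dll, qz.sys), matching the Sophos file list apart from the avpu/avpe naming, and one hit: the O20 Winlogon Notify entry "avpe32" loads a DLL that the Windows API cannot see. The lone 2002-dated subrange.uce is still rated high by the rule but falls outside the cluster, which is exactly why "don't delete everything from the RKR log" is the right advice: timestamp clustering, not the hidden flag alone, is what separates the drop from the noise.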

Try this:

 

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

 

Please download AproposFix from here:

http://swandog46.geekstogo.com/aproposfix.exe

 

Save it to your desktop but do NOT run it yet.

 

Then please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

 

 

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

 

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

 

Could I also have a new rootkit revealer log please.


Here are the contents of the log.txt file:

 

Log of AproposFix v1

 

************

 

Running from directory:

C:\Documents and Settings\Owner\Desktop\aproposfix

 

************

 

Registry entries found:

 

 

************

 

No service found!

 

Removing hidden folder:

No folder found!

 

Deleting files:

 

 

Backing up files:

Done!

 

Removing registry entries:

 

REGEDIT4

 

 

Done!

 

Finished!

 

Here is the new HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 8:12:15 PM, on 12/16/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Owner\My Documents\Josh\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\20031213155737_mcinfo.exe /insfin

O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Owner\LOCALS~1\Temp\20031213155738_mcappins.exe /v=3 /cleanup

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120096203296

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup150.cab

O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

Here is the new Rootkit Revealer log:

 

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP654\change.log 12/16/2005 8:15 PM 9.71 KB Visible in Windows API, but not in MFT or directory index.

 

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP654\change.log.15 12/16/2005 8:40 PM 9.71 KB Hidden from Windows API.

 

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP654\drivetable.txt 12/16/2005 8:40 PM 310 bytes Hidden from Windows API.

 

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655 12/16/2005 8:40 PM 0 bytes Hidden from Windows API.

 

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\A0086804.ini 12/16/2005 8:05 PM 320 bytes Hidden from Windows API.

 

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\change.log 12/16/2005 8:45 PM 714 bytes Hidden from Windows API.

 

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\RestorePointSize 12/16/2005 8:40 PM 8 bytes Hidden from Windows API.

 

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\rp.log 12/16/2005 8:40 PM 536 bytes Hidden from Windows API.

 

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot 12/16/2005 8:40 PM 0 bytes Hidden from Windows API.

 

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_MACHINE_SAM 12/16/2005 8:40 PM 28.00 KB Hidden from Windows API.

 

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_MACHINE_SECURITY 12/16/2005 8:40 PM 60.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_MACHINE_SOFTWARE 12/16/2005 8:40 PM 25.62 MB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_MACHINE_SYSTEM 12/16/2005 8:40 PM 5.72 MB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_.DEFAULT 12/16/2005 8:40 PM 272.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18 12/16/2005 8:40 PM 256.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19 12/16/2005 8:40 PM 232.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20 12/16/2005 8:40 PM 232.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3849222359-1686840940-1901974871-1003 12/16/2005 8:40 PM 3.62 MB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3849222359-1686840940-1901974871-500 12/16/2005 8:40 PM 768.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-18 12/16/2005 8:40 PM 256.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19 12/16/2005 8:40 PM 8.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20 12/16/2005 8:40 PM 8.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3849222359-1686840940-1901974871-1003 12/16/2005 8:40 PM 8.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3849222359-1686840940-1901974871-500 12/16/2005 8:40 PM 256.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\ComDb.Dat 9/8/2005 5:41 PM 23.39 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\domain.txt 12/16/2005 8:40 PM 28 bytes Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository 12/16/2005 8:40 PM 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\$WinMgmt.CFG 12/16/2005 8:11 PM 20 bytes Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\export 12/16/2005 8:40 PM 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS 12/16/2005 8:40 PM 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\INDEX.BTR 12/16/2005 5:53 PM 1.52 MB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\INDEX.MAP 12/16/2005 8:40 PM 816 bytes Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\MAPPING.VER 12/16/2005 8:40 PM 4 bytes Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\MAPPING1.MAP 12/16/2005 8:40 PM 3.75 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\MAPPING2.MAP 12/16/2005 8:24 PM 3.75 KB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\OBJECTS.DATA 12/16/2005 5:53 PM 5.82 MB Hidden from Windows API.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\OBJECTS.MAP 12/16/2005 8:40 PM 2.96 KB Hidden from Windows API.
C:\WINDOWS\system32\avpe32.dll 12/15/2005 1:07 PM 40.20 KB Hidden from Windows API.
C:\WINDOWS\system32\avpe64.sys 12/15/2005 1:07 PM 21.33 KB Hidden from Windows API.
C:\WINDOWS\system32\klgcptini.dat 12/15/2005 1:07 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\qz.dll 12/15/2005 1:07 PM 40.20 KB Hidden from Windows API.
C:\WINDOWS\system32\qz.sys 12/15/2005 1:07 PM 21.33 KB Hidden from Windows API.
C:\WINDOWS\system32\stt82.ini 12/16/2005 8:45 PM 320 bytes Hidden from Windows API.
C:\WINDOWS\system32\subrange.uce 5/23/2004 6:14 PM 91.51 KB Hidden from Windows API.
C:\WINDOWS\system32\subrange.x 8/29/2002 7:00 AM 91.51 KB Visible in Windows API, but not in MFT or directory index.
