Avast WEBforum
Other => Viruses and worms => Topic started by: scubamaggo on January 08, 2008, 08:47:32 PM
-
I know this topic is coming up here almost every day. I looked through the old threads and tried to get rid of it the same way as described, but it didn't work. Avast keeps finding Win32:TratBHO [trj] and I can't remove it, because access to the .dll is denied. I downloaded ComboFix and ran it, but it didn't delete the .dll. It just said it was created in the past month. HJT didn't work either. I will attach my ComboFix log; the infected .dll is ati3duagv.dll.
Edit: I'm sorry, it's actually Win32:BHO-KD [trj], not Win32:TratBHO [trj]!
-
ComboFix 08-01-07.5 - Maggo 2008-01-08 20:18:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1031.18.133 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Maggo\Desktop\ComboFix(2).exe
* Neuer Wiederherstellungspunkt wurde erstellt
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\rpcc.exe
.
((((((((((((((((((((((( Dateien erstellt von 2007-12-08 bis 2008-01-08 ))))))))))))))))))))))))))))))
.
2008-01-08 20:17 . 2008-01-08 20:17 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-08 20:17 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 19:39 . 2001-08-18 13:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe.backup
2008-01-08 19:39 . 2001-08-18 13:00 13,312 --a------ C:\WINDOWS\system32\ctfmon.exe.backup
2008-01-08 19:10 . 2008-01-08 19:10 <DIR> d-------- C:\Programme\Avira
2008-01-08 19:10 . 2008-01-08 19:55 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-01-08 01:02 . 2008-01-08 01:03 <DIR> d-------- C:\Programme\weblin
2008-01-08 01:01 . 2008-01-08 01:03 <DIR> d-------- C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\zweitgeist
2008-01-08 00:30 . 2002-11-14 20:43 221,696 --a------ C:\WINDOWS\system32\srrstr.dll
2008-01-08 00:30 . 2002-11-14 20:43 221,696 --a--c--- C:\WINDOWS\system32\dllcache\srrstr.dll
2008-01-08 00:26 . 2008-01-08 00:34 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-01-08 00:26 . 2004-01-10 06:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-01-08 00:25 . 2008-01-08 00:25 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-01-06 15:16 . 2008-01-08 19:13 49 --a------ C:\WINDOWS\transp.gif
2008-01-06 14:40 . 2008-01-06 14:40 <DIR> d-------- C:\Programme\Alwil Software
2008-01-06 14:40 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-06 14:40 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-06 14:40 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-01-06 14:40 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-06 14:40 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-06 14:40 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-06 14:40 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-06 14:40 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-06 14:40 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-06 14:40 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-06 14:29 . 2008-01-08 20:05 150 --a------ C:\WINDOWS\ODBC.INI
2008-01-06 14:22 . 2008-01-06 14:22 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Agnitum Shared
2008-01-06 14:22 . 2008-01-06 14:22 <DIR> d-------- C:\Programme\Agnitum
2008-01-06 14:19 . 19,584 C:\WINDOWS\system32\drivers\vkrukkpm.dat
2008-01-06 14:15 . 2008-01-06 14:19 <DIR> d-------- C:\WINDOWS\system32\AppCert
2008-01-06 14:15 . 2007-08-22 02:47 84,992 --a------ C:\WINDOWS\system32\ati3duagv.dll
2007-12-27 16:12 . 2007-12-27 16:12 2,400 --a------ C:\WINDOWS\system32\wpa.bak
2007-12-27 06:31 . 2007-12-27 06:31 754 --a------ C:\WINDOWS\WORDPAD.INI
2007-12-27 02:39 . 2007-12-27 02:39 <DIR> d-------- C:\Temp
2007-12-22 22:25 . 2008-01-05 23:56 1,266 --a------ C:\WINDOWS\PartyGrabber.ini
2007-12-18 00:42 . 2004-02-25 18:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-12-18 00:39 . 2007-12-18 00:43 <DIR> d-------- C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\fretsonfire
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 19:01 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\Skype
2008-01-08 18:39 23,552 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-08 17:05 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\skypePM
2008-01-08 01:12 --------- d---a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2007-12-06 16:42 --------- d-----r C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\Brother
2007-12-06 00:28 --------- d--h--w C:\Programme\InstallShield Installation Information
2007-11-30 02:12 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2007-11-30 02:10 --------- d-----w C:\Programme\Skype
2007-11-30 02:10 --------- d-----w C:\Programme\Gemeinsame Dateien\Skype
2007-11-30 02:10 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype
2007-11-29 21:25 --------- d-----w C:\Programme\ICQ
2007-11-29 21:25 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\ICQLite
2007-11-29 20:38 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe
2007-11-28 23:23 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\DivX
2007-11-28 02:01 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\Winamp
2007-11-28 01:57 --------- d-----w C:\Programme\Winamp
2007-11-28 01:47 --------- d-----w C:\Programme\Gemeinsame Dateien\InstallShield
2007-11-28 01:38 --------- d-----w C:\Programme\DivX
2007-11-28 00:31 --------- d-----w C:\Programme\microsoft frontpage
2007-11-28 00:30 --------- d-----w C:\Programme\Online-Dienste
2007-11-28 00:29 --------- d-----w C:\Programme\Gemeinsame Dateien\MSSoap
2007-11-28 00:29 --------- d-----w C:\Programme\Gemeinsame Dateien\Dienste
2007-11-28 00:21 --------- d-----w C:\Programme\Gemeinsame Dateien\SpeechEngines
2007-11-28 00:21 --------- d-----w C:\Programme\Gemeinsame Dateien\ODBC
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-10-20 00:56 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-10-20 00:56 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.
-
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA}]
2007-08-22 02:47 84992 --a------ C:\WINDOWS\System32\ati3duagv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-11-12 15:48 21760296]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Programme\ICQ\ICQLite.exe" [2006-07-11 11:15 3144800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [2003-09-02 17:25 73728 C:\WINDOWS\system32\sstray.exe]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"ICQ Lite"="C:\Programme\ICQ\ICQLite.exe" [2006-07-11 11:15 3144800]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [2006-03-30 10:51 91648]
"OutpostFeedBack"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe" [2006-05-11 12:05 356420]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-01-08 19:39 23552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
R0 caiplgdr;caiplgdr;C:\WINDOWS\System32\drivers\vkrukkpm.dat []
R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2006-03-30 10:53]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [2006-03-30 10:53]
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ARP.DLL [2006-03-30 10:53]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [2006-03-30 10:53]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [2006-03-30 10:53]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [2006-03-30 10:53]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [2006-03-30 10:53]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [2006-03-30 10:53]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [2006-03-30 10:53]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [2006-03-30 10:53]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [2006-03-30 10:53]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [2006-03-30 10:53]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [2006-03-30 10:53]
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\SECRET.DLL [2006-03-30 10:53]
R4 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys []
*Newly Created Service* - PROCEXP90
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 20:19:18
Windows 5.1.2600 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
Zeit der Fertigstellung: 2008-01-08 20:19:56
ComboFix-quarantined-files.txt 2008-01-08 19:19:41
-
Hi scubamaggo,
Can you also make a StartDreck scan and attach a logfile as an attachment.
Niksoft StartDreck: a powerful autoruns editor with a simple but very functional design
StartDreck from Niksoft is a start-up editor for your Microsoft Windows computer. It is a useful tool for removing spyware.
Requirements
The tool will run on any Microsoft Windows operating system. This includes,
* Windows 95
* Windows 98
* Windows ME
* Windows 2000
* Windows XP
* Windows Server 2003
Approximately 400KB of disk space is required for the tool.
Download
This site is an official mirror of StartDreck.
Note: Please send all contact regarding this tool directly to the author, Niksoft.
Latest Version: 2.1.7
Download Size: 406.585 Bytes
MD5: cf15b20807e52446503ab2742e5acf55
Download from here: http://ben.cheetham.me.uk/download/niksoft/startdreck217.zip
polonus
-
If Pol's suggestion does not work then try this
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
- Click on Avenger.zip to open the file
- Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
C:\WINDOWS\system32\ati3duagv.dll
C:\WINDOWS\system32\drivers\vkrukkpm.dat
Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA}
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
- Paste the text copied to clipboard into this window by pressing (Ctrl+V).
- Click Done
- Now click on the Green Light to begin execution of the script
- Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
- It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
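As an added illustration (not code from this thread or from any of the tools named in it), here is how a helper can arrive at the three targets in the script above by triaging the ComboFix log mechanically: a BHO whose DLL sits in System32 rather than Program Files, a boot-start driver whose image is not a .sys file and carries no file timestamp, and a cluster of System32 files created within minutes of each other. The sample lines are copied from the log posted above; the heuristics and the five-minute window are my own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
2008-01-06 14:40 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-06 14:19 . 19,584 C:\WINDOWS\system32\drivers\vkrukkpm.dat
2008-01-06 14:15 . 2008-01-06 14:19 <DIR> d-------- C:\WINDOWS\system32\AppCert
2008-01-06 14:15 . 2007-08-22 02:47 84,992 --a------ C:\WINDOWS\system32\ati3duagv.dll
2007-12-27 16:12 . 2007-12-27 16:12 2,400 --a------ C:\WINDOWS\system32\wpa.bak
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA}]
2007-08-22 02:47 84992 --a------ C:\WINDOWS\System32\ati3duagv.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
R0 caiplgdr;caiplgdr;C:\WINDOWS\System32\drivers\vkrukkpm.dat []
R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2006-03-30 10:53]
R4 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys []
"""

# "created between" section: <created> . <modified> <size> <attrs> <path>
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. .* ([A-Za-z]:\\.+)$")
# Browser Helper Objects key line; the DLL it loads is on the following line
BHO_KEY_RE = re.compile(r"^\[.*Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
WIN_PATH_RE = re.compile(r"([A-Za-z]:\\\S+)$")
# service/driver line: R<start type> name;description;image [file timestamp]
DRIVER_RE = re.compile(r"^(R\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")


def parse_created(lines):
    """Return (creation time, path) for every entry of the created-files section."""
    out = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), m.group(2)))
    return out


def parse_bhos(lines):
    """Return (CLSID, DLL path) pairs from the BHO section."""
    out = []
    for i, line in enumerate(lines[:-1]):
        m = BHO_KEY_RE.match(line)
        if m:
            p = WIN_PATH_RE.search(lines[i + 1])
            if p:
                out.append((m.group(1), p.group(1)))
    return out


def parse_drivers(lines):
    """Return one dict per R0..R4 service/driver line."""
    out = []
    for line in lines:
        m = DRIVER_RE.match(line)
        if m:
            out.append({"start": m.group(1), "name": m.group(2),
                        "image": m.group(4), "stamp": m.group(5)})
    return out


def flag_bhos(bhos):
    """Legitimate BHOs almost always live under Program Files; one in System32 deserves a look."""
    return [(clsid, dll) for clsid, dll in bhos if "\\system32\\" in dll.lower()]


def flag_drivers(drivers):
    """Boot/system-start drivers (R0/R1) whose image is not a .sys file or that ComboFix could not stat."""
    return [d["name"] for d in drivers
            if d["start"] in ("R0", "R1")
            and (not d["image"].lower().endswith(".sys") or d["stamp"] == "")]


def cluster_system32(created, window_minutes=5):
    """Group System32 files created within window_minutes of each other (one installer's footprint)."""
    sys32 = sorted((e for e in created if "\\windows\\system32\\" in e[1].lower()),
                   key=lambda e: e[0])
    clusters, current = [], []
    for ts, path in sys32:
        if current and ts - current[-1][0] > timedelta(minutes=window_minutes):
            if len(current) > 1:
                clusters.append(current)
            current = []
        current.append((ts, path))
    if len(current) > 1:
        clusters.append(current)
    return clusters


def triage(log_text):
    """Run all three heuristics over a ComboFix log and return the findings."""
    lines = [l.strip() for l in log_text.splitlines()]
    return {
        "bho": flag_bhos(parse_bhos(lines)),
        "drivers": flag_drivers(parse_drivers(lines)),
        "clusters": cluster_system32(parse_created(lines)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for clsid, dll in result["bho"]:
        print("BHO loaded from System32:", clsid, dll)
    for name in result["drivers"]:
        print("suspicious early-start driver:", name)
    for cluster in result["clusters"]:
        print("System32 files created together:")
        for ts, path in cluster:
            print("   ", ts.strftime("%Y-%m-%d %H:%M"), path)
```

Every hit is a lead to verify (file properties, signature, vendor), not a verdict; the script only narrows a long log down to the entries worth asking about.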
-
OK, thanks for the quick help. First, the Avenger log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nilsdasa
*******************
Script file located at: \??\C:\Program Files\nfacnwrt.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Could not open file C:\WINDOWS\system32\ati3duagv.dll for deletion
Deletion of file C:\WINDOWS\system32\ati3duagv.dll failed!
Could not process line:
C:\WINDOWS\system32\ati3duagv.dll
Status: 0xc0000022
Could not open file C:\WINDOWS\system32\drivers\vkrukkpm.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\vkrukkpm.dat failed!
Could not process line:
C:\WINDOWS\system32\drivers\vkrukkpm.dat
Status: 0xc0000022
Could not open registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA} for deletion
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA} failed!
Status: 0xc0000022
Completed script processing.
*******************
Finished! Terminate.
-
And now the StartDreck log:
StartDreck (build 2.1.7 public stable) - 2008-01-08 @ 21:33:28 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as Maggo at MARCO
»Registry
»Run Keys
»Current User
»Run
*Skype="C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
»RunOnce
*ICQ Lite=C:\Programme\ICQ\ICQLite.exe -trayboot
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*nForce Tray Options=sstray.exe /r
*Adobe Reader Speed Launcher="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
*ICQ Lite="C:\Programme\ICQ\ICQLite.exe" -minimize
*UserFaultCheck=%systemroot%\system32\dumprep 0 -u
*Outpost Firewall=C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
*OutpostFeedBack=C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
*avast!=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll
»Files
»Autostart Folders
»Current User
*C:\Dokumente und Einstellungen\Maggo\Startmenü\Programme\Autostart\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Autostart\desktop.ini
»Local Machine
*C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
*C:\WINDOWS\System32\drivers\etc\hosts
-
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+576=\SystemRoot\System32\smss.exe
+632=\??\C:\WINDOWS\system32\csrss.exe
+668=\??\C:\WINDOWS\system32\winlogon.exe
+720=C:\WINDOWS\system32\services.exe
+732=C:\WINDOWS\system32\lsass.exe
+892=C:\WINDOWS\System32\Ati2evxx.exe
+932=C:\WINDOWS\system32\svchost.exe
+988=C:\WINDOWS\System32\svchost.exe
+1100=C:\WINDOWS\System32\svchost.exe
+1180=C:\WINDOWS\system32\Ati2evxx.exe
+1212=C:\WINDOWS\System32\svchost.exe
+1356=C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
+1412=C:\Programme\Alwil Software\Avast4\ashServ.exe
+1632=C:\WINDOWS\system32\spoolsv.exe
+1928=C:\WINDOWS\System32\sstray.exe
+1944=C:\Programme\ICQ\ICQLite.exe
+1976=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
+1984=C:\Programme\Skype\Phone\Skype.exe
+188=C:\WINDOWS\System32\alg.exe
+348=C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
+412=E:\PostgreSQL\bin\pg_ctl.exe
+124=E:\PostgreSQL\bin\postmaster.exe
+1228=C:\WINDOWS\System32\wdfmgr.exe
+1736=E:\PostgreSQL\bin\postgres.exe
+1992=E:\PostgreSQL\bin\postgres.exe
+332=E:\PostgreSQL\bin\postgres.exe
+2360=C:\Programme\Skype\Plugin Manager\skypePM.exe
+2828=C:\Programme\Alwil Software\Avast4\ashWebSv.exe
+3144=C:\WINDOWS\explorer.exe
+3124=C:\WINDOWS\system32\notepad.exe
+3656=E:\PostgreSQL\bin\postgres.exe
+3252=C:\Programme\Mozilla Firefox\firefox.exe
+1864=C:\Dokumente und Einstellungen\Maggo\Desktop\startdreck217\StartDreck.exe
»NT Services
*Warndienst Alerter - on demand
*Gatewaydienst auf Anwendungsebene ALG running on demand
*Anwendungsverwaltung AppMgmt - on demand
*ASP.NET State Service aspnet_state - on demand
*avast! iAVS4 Control Service aswUpdSv running auto
*Ati HotKey Poller Ati HotKey Poller running auto
*ATI Smart ATI Smart - auto
*Windows Audio AudioSrv running auto
*avast! Antivirus avast! Antivirus running auto
*avast! Web Scanner avast! Web Scanner running on demand
*Intelligenter Hintergrundübertragungsdienst BITS running auto
*Computerbrowser Browser running auto
*Indexing Service cisvc - on demand
*Ablagemappe ClipSrv - on demand
*.NET Runtime Optimization Service v2.0.50727_X8 clr_optimization_v2. - on demand
`6
*COM+-Systemanwendung COMSysApp - on demand
*Kryptografiedienste CryptSvc running auto
*DHCP-Client Dhcp running auto
*Verwaltungsdienst für die Verwaltung logischer dmadmin - on demand
`Datenträger
*Verwaltung logischer Datenträger dmserver running auto
*DNS-Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Ereignisprotokoll Eventlog running auto
*COM+-Ereignissystem EventSystem running on demand
*Kompatibilität für schnelle Benutzerumschaltung FastUserSwitchingCom running on demand
*Hilfe und Support helpsvc running auto
*Eingabegerätezugang HidServ - disabled
*IMAPI-CD-Brenn-COM-Dienste ImapiService - on demand
*Server lanmanserver running auto
*Arbeitsstationsdienst lanmanworkstation running auto
*TCP/IP-NetBIOS-Hilfsprogramm LmHosts running auto
*Nachrichtendienst Messenger running auto
*NetMeeting-Remotedesktop-Freigabe mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Netzwerk-DDE-Dienst NetDDE - on demand
*Netzwerk-DDE-Serverdienst NetDDEdsdm - on demand
*Anmeldedienst Netlogon - on demand
*Netzwerkverbindungen Netman running on demand
*NLA (Network Location Awareness) Nla running on demand
*NT-LM-Sicherheitsdienst NtLmSsp - on demand
*Wechselmedien NtmsSvc - on demand
*Outpost Firewall Service OutpostFirewall running auto
*PostgreSQL Database Server 8.0 pgsql-8.0 running auto
*Plug & Play PlugPlay running auto
*IPSEC-Dienste PolicyAgent running auto
*Geschützter Speicher ProtectedStorage running auto
*Verwaltung für automatische RAS-Verbindung RasAuto running on demand
*RAS-Verbindungsverwaltung RasMan running on demand
*Sitzungs-Manager für Remotedesktophilfe RDSessMgr - on demand
*Routing und RAS RemoteAccess - disabled
*Remote-Registrierung RemoteRegistry running auto
*RPC-Locator RpcLocator - on demand
*Remoteprozeduraufruf (RPC) RpcSs running auto
*QoS-RSVP RSVP - on demand
*Sicherheitskontenverwaltung SamSs running auto
*Smartcard-Hilfsprogramm SCardDrv - on demand
*Smartcard SCardSvr - on demand
*Taskplaner Schedule running auto
*Sekundäre Anmeldung seclogon running auto
*Systemereignisbenachrichtigung SENS running auto
*Internetverbindungsfirewall/Gemeinsame Nutzung SharedAccess running auto
`der Internetverbindung
*Shellhardwareerkennung ShellHWDetection running auto
*Druckwarteschlange Spooler running auto
*Systemwiederherstellungsdienst srservice running auto
*SSDP-Suchdienst SSDPSRV running on demand
*Windows-Bilderfassung (WIA) stisvc - on demand
*MS Software Shadow Copy Provider SwPrv - on demand
*Leistungsdatenprotokolle und Warnungen SysmonLog - on demand
*Telefonie TapiSrv running on demand
*Terminaldienste TermService running on demand
*Designs Themes running auto
*Telnet TlntSvr - on demand
*Überwachung verteilter Verknüpfungen (Client) TrkWks running auto
*Windows User Mode Driver Framework UMWdf running auto
*Upload-Manager uploadmgr running auto
*Universeller Plug & Play-Gerätehost upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volumeschattenkopie VSS - on demand
*Windows-Zeitgeber W32Time running auto
*WebClient WebClient running auto
*Windows-Verwaltungsinstrumentation winmgmt running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*Treibererweiterungen für Windows-Verwaltungsins Wmi - on demand
`trumentation
*WMI-Leistungsadapter WmiApSrv - on demand
*Automatische Updates wuauserv running auto
*Konfigurationsfreie drahtlose Verbindung WZCSVC running auto
»Application specific
-
Well Avenger didn't kill it - lets try Icesword
Please download and unzip IceSword (http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip) to its own folder.
If you get a lot of "red entries" in an IceSword log, don't panic.
Step 1: Run IceSword. Click the "Processes" tab and watch for processes displayed in red. A red process in this list indicates that it is hidden. Note the filenames of the processes in red. Also, make a note of the folders.
Step 2: Click the "Win32 Services" tab and look out for red entries in the services list. A red service entry indicates that it's rooted. Note the name of this service.
Step 3: Now, click the "SSDT" tab and check for red entries. If there are any, note the file and folder names.
Now post all of the data collected under the headings
Processes
Win32 Services
SSDT
-
Hi scubamaggo,
This was only part of StartDreck; do the following. At the bottom of the tool's window you see:
Refresh, Config, New, Search, Save. Now click Save and save it as drive:\StartDreck\startdreck217\StartDreck.log,
put it on your desktop, go to Attach and browse to StartDreck\startdreck217\StartDreck.log
and post it,
pol
-
Processes and Win32 Services didn't have any red entries.
SSDT
0x101 0xB2F80330 \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS 0x8056C6DC NtTerminateProcess
0x115 0xB2F80290 \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS 0x8057F7E6 NtWriteVirtualMemory
-
@polonus hm... I thought I did this. OK, second try:
StartDreck (build 2.1.7 public stable) - 2008-01-08 @ 22:01:00 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as Maggo at MARCO
»Registry
»Run Keys
»Current User
»Run
*Skype="C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
»RunOnce
*ICQ Lite=C:\Programme\ICQ\ICQLite.exe -trayboot
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*nForce Tray Options=sstray.exe /r
*Adobe Reader Speed Launcher="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
*ICQ Lite="C:\Programme\ICQ\ICQLite.exe" -minimize
*UserFaultCheck=%systemroot%\system32\dumprep 0 -u
*Outpost Firewall=C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
*OutpostFeedBack=C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
*avast!=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll
»Files
»Autostart Folders
»Current User
*C:\Dokumente und Einstellungen\Maggo\Startmenü\Programme\Autostart\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Autostart\desktop.ini
»Local Machine
*C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
*C:\WINDOWS\System32\drivers\etc\hosts
-
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+580=\SystemRoot\System32\smss.exe
+636=\??\C:\WINDOWS\system32\csrss.exe
+672=\??\C:\WINDOWS\system32\winlogon.exe
+724=C:\WINDOWS\system32\services.exe
+736=C:\WINDOWS\system32\lsass.exe
+892=C:\WINDOWS\System32\Ati2evxx.exe
+932=C:\WINDOWS\system32\svchost.exe
+988=C:\WINDOWS\System32\svchost.exe
+1080=C:\WINDOWS\System32\svchost.exe
+1128=C:\WINDOWS\System32\svchost.exe
+1152=C:\WINDOWS\system32\Ati2evxx.exe
+1352=C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
+1404=C:\Programme\Alwil Software\Avast4\ashServ.exe
+1632=C:\WINDOWS\system32\spoolsv.exe
+1804=C:\WINDOWS\Explorer.EXE
+1936=C:\WINDOWS\System32\sstray.exe
+1952=C:\Programme\ICQ\ICQLite.exe
+1984=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
+2016=C:\Programme\Skype\Phone\Skype.exe
+264=C:\WINDOWS\System32\alg.exe
+388=C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
+532=E:\PostgreSQL\bin\pg_ctl.exe
+1332=E:\PostgreSQL\bin\postmaster.exe
+1204=C:\WINDOWS\System32\wdfmgr.exe
+2288=E:\PostgreSQL\bin\postgres.exe
+2324=E:\PostgreSQL\bin\postgres.exe
+2340=C:\Programme\Skype\Plugin Manager\skypePM.exe
+2624=C:\Programme\Alwil Software\Avast4\ashWebSv.exe
+2892=C:\Programme\Mozilla Firefox\firefox.exe
+3324=C:\WINDOWS\system32\NOTEPAD.EXE
+3992=D:\PartyPoker\PartyGaming.exe
+2252=<unkown>
+3076=C:\Dokumente und Einstellungen\Maggo\Desktop\startdreck217\StartDreck.exe
»NT Services
*Warndienst Alerter - on demand
*Gatewaydienst auf Anwendungsebene ALG running on demand
*Anwendungsverwaltung AppMgmt - on demand
*ASP.NET State Service aspnet_state - on demand
*avast! iAVS4 Control Service aswUpdSv running auto
*Ati HotKey Poller Ati HotKey Poller running auto
*ATI Smart ATI Smart - auto
*Windows Audio AudioSrv running auto
*avast! Antivirus avast! Antivirus running auto
*avast! Web Scanner avast! Web Scanner running on demand
*Intelligenter Hintergrundübertragungsdienst BITS running auto
*Computerbrowser Browser running auto
*Indexing Service cisvc - on demand
*Ablagemappe ClipSrv - on demand
*.NET Runtime Optimization Service v2.0.50727_X8 clr_optimization_v2. - on demand
`6
*COM+-Systemanwendung COMSysApp - on demand
*Kryptografiedienste CryptSvc running auto
*DHCP-Client Dhcp running auto
*Verwaltungsdienst für die Verwaltung logischer dmadmin - on demand
`Datenträger
*Verwaltung logischer Datenträger dmserver running auto
*DNS-Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Ereignisprotokoll Eventlog running auto
*COM+-Ereignissystem EventSystem running on demand
*Kompatibilität für schnelle Benutzerumschaltung FastUserSwitchingCom running on demand
*Hilfe und Support helpsvc running auto
*Eingabegerätezugang HidServ - disabled
*IMAPI-CD-Brenn-COM-Dienste ImapiService - on demand
*Server lanmanserver running auto
*Arbeitsstationsdienst lanmanworkstation running auto
*TCP/IP-NetBIOS-Hilfsprogramm LmHosts running auto
*Nachrichtendienst Messenger running auto
*NetMeeting-Remotedesktop-Freigabe mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Netzwerk-DDE-Dienst NetDDE - on demand
*Netzwerk-DDE-Serverdienst NetDDEdsdm - on demand
*Anmeldedienst Netlogon - on demand
*Netzwerkverbindungen Netman running on demand
*NLA (Network Location Awareness) Nla running on demand
*NT-LM-Sicherheitsdienst NtLmSsp - on demand
*Wechselmedien NtmsSvc - on demand
*Outpost Firewall Service OutpostFirewall running auto
*PostgreSQL Database Server 8.0 pgsql-8.0 running auto
*Plug & Play PlugPlay running auto
*IPSEC-Dienste PolicyAgent running auto
*Geschützter Speicher ProtectedStorage running auto
*Verwaltung für automatische RAS-Verbindung RasAuto running on demand
*RAS-Verbindungsverwaltung RasMan running on demand
*Sitzungs-Manager für Remotedesktophilfe RDSessMgr - on demand
*Routing und RAS RemoteAccess - disabled
*Remote-Registrierung RemoteRegistry running auto
*RPC-Locator RpcLocator - on demand
*Remoteprozeduraufruf (RPC) RpcSs running auto
*QoS-RSVP RSVP - on demand
*Sicherheitskontenverwaltung SamSs running auto
*Smartcard-Hilfsprogramm SCardDrv - on demand
*Smartcard SCardSvr - on demand
*Taskplaner Schedule running auto
*Sekundäre Anmeldung seclogon running auto
*Systemereignisbenachrichtigung SENS running auto
*Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung SharedAccess running auto
*Shellhardwareerkennung ShellHWDetection running auto
*Druckwarteschlange Spooler running auto
*Systemwiederherstellungsdienst srservice running auto
*SSDP-Suchdienst SSDPSRV running on demand
*Windows-Bilderfassung (WIA) stisvc - on demand
*MS Software Shadow Copy Provider SwPrv - on demand
*Leistungsdatenprotokolle und Warnungen SysmonLog - on demand
*Telefonie TapiSrv running on demand
*Terminaldienste TermService running on demand
*Designs Themes running auto
*Telnet TlntSvr - on demand
*Überwachung verteilter Verknüpfungen (Client) TrkWks running auto
*Windows User Mode Driver Framework UMWdf running auto
*Upload-Manager uploadmgr running auto
*Universeller Plug & Play-Gerätehost upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volumeschattenkopie VSS - on demand
*Windows-Zeitgeber W32Time running auto
*WebClient WebClient running auto
*Windows-Verwaltungsinstrumentation winmgmt running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*Treibererweiterungen für Windows-Verwaltungsinstrumentation Wmi - on demand
*WMI-Leistungsadapter WmiApSrv - on demand
*Automatische Updates wuauserv running auto
*Konfigurationsfreie drahtlose Verbindung WZCSVC running auto
»Application specific
-
Hi scubamaggo,
Do you understand how this is done? Look below, I have attached something like that there. Do the same with the StartDreck log in a similar way,
pol
-
Hi Pol, you are the expert on this (still reading)
*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll
this is the one to go
-
OK, like this?
-
Hi essexboy,
We do this together, one, two, three,
Let scubamaggo fire up StartDreck; inside there he must highlight by clicking on
the lines (these lines turn blue)
*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll
and then scubamaggo clicks Disable,
That's all there is folks,
pol
-
OK, I disabled the file and restarted my PC. It's still disabled in StartDreck, nevertheless I can't delete it through avast or manually. Avast is still giving me the warning. Should I press the delete button in StartDreck?
-
Hi scubamaggo,
Yes, you may do that now: delete, but only these two lines that essexboy spelled out for us,
*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll
I hope we don't have to use OTMoveIt2 for ati3duagv.dll, but it might work in one go,
push delete, and hope for the best. Keith, keep your fingers crossed,
pol
-
Hm.. it disappeared from the StartDreck log, but it's still on my computer and I still can't delete it manually
-
Hi scubamaggo,
Please download the OTMoveIt by OldTimer from: http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
* Save it to your desktop.
* Please double-click OTMoveIt2.exe to run it.
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll
C:\WINDOWS\System32\ati3duagv.dll
* Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
* Click the red Moveit! button.
* Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
* Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")
Click "Exit" to close OTMoveIt.
Now post a new HJT log attachment
polonus
-
Hi scubamaggo,
Also search for these files in system32, if any are found on your computer:
# 1 :%DESKTOP%\BIN_101.EXE
# 2 :%WINDIR%\SYSTEM32\3DRB.DLL
# 3 :%WINDIR%\SYSTEM32\A3DA.DLL
# 4 :%WINDIR%\SYSTEM32\AAAAMONAB.DLL
# 5 :%WINDIR%\SYSTEM32\ACLEDITV.DLL
# 6 :%WINDIR%\SYSTEM32\ADSNTV.DLL
# 7 :%WINDIR%\SYSTEM32\ADVAPI32VV.DLL
# 8 :%WINDIR%\SYSTEM32\AHQCPURESB.DLL
# 9 :%WINDIR%\SYSTEM32\APPMGRA.DLL
# 10:%WINDIR%\SYSTEM32\APPUPDATES.DLL
# 11:%WINDIR%\SYSTEM32\ATI3DUAGB.DLL
# 12:%WINDIR%\SYSTEM32\ATI3DUAGV.DLL
# 13:%WINDIR%\SYSTEM32\ATIOGLXXBS.DLL
# 14:%WINDIR%\SYSTEM32\ATIVVAXXV.DLL
# 15:%WINDIR%\SYSTEM32\ATLV.DLL
polonus
-
File/Folder *{ACE42F47-341D-427F-84BB-297751AA19CA} not found.
File/Folder `InprocServer32=C:\WINDOWS\System32\ati3duagv.dll not found.
File/Folder not found.
LoadLibrary failed for C:\WINDOWS\System32\ati3duagv.dll
C:\WINDOWS\System32\ati3duagv.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\ati3duagv.dll scheduled to be moved on reboot.
OTMoveIt2 v1.0.5 log created on 01082008_233030
-
# 12:%WINDIR%\SYSTEM32\ATI3DUAGV.DLL
found this on my computer
-
Download BruteForceUninstaller from here:
http://www.majorgeeks.com/downloadget.php?id=4714&file=10&evp=a8e58ad4eb27c21c7c352bc2253cf345
Save code below in Notepad as scubmaggo.bfu
FileDelete %WINDIR%\SYSTEM32\ATI3DUAGV.DLL
FileDelete C:\WINDOWS\system32\ati3duagv.dll
FileDelete C:\WINDOWS\system32\drivers\vkrukkpm.dat
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA}
Now run scubmaggo.bfu in BruteForceUninstaller: where it says "Scriptfile to execute", select it and then click Execute! After that the malware should be gone.
Start BFU again and try again. Nota Bene! I just cleansed the script.
polonus
-
did that and the file is still there :(
-
Hi Scubamaggo,
Did you once install Trustbar on your computer?
pol
-
If no success, give this a try:
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Don't run it yet
File::
C:\WINDOWS\System32\drivers\vkrukkpm.dat
C:\WINDOWS\System32\ati3duagv.dll
Driver::
caiplgdr
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
This will start ComboFix. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HJT log.
-
Yes, we follow this up, because the driver file puts it back all the time. Scub, follow oldman's advice,
polonus
-
Ooook, it seems it worked. The .dll file is now in C:\QooBox\Quarantine
Buuuut... now on startup a window pops up that says: Generic Host Process for Win32 Services. It wants me to send a logfile of this error message to Windows. Ah, and whenever I press Don't Send it pops up again.
-
Hi scubamaggo,
Boot into safe mode and back.
Info to be found here: http://www.bleepingcomputer.com/tutorials/tutorial61.html
If that does not stop it, then
Try this - Go to "Control Panel" - "System" - "Advanced" - "Error Reporting" - "Disable".
polonus
-
Wohooo, I love you guys. Thanks a lot for the help!
-
Hi scubamaggo,
OK, welcome to the forums, also on behalf of oldman and essexboy,
surf safe my friend and stay free of malware,
polonus aka Damian
-
scubamaggo
I think you should post the ComboFix log and the HJT log, as there may be more left.
-
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 7:59:18 PM, on 01/10/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Programme\ICQ\ICQLite.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Skype\Phone\Skype.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Maggo\Desktop\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQ\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQ\ICQLite.exe -trayboot
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyPoker\PartyPoker\RunApp.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196275538295
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - E:\PostgreSQL\bin\pg_ctl.exe
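The HJT log above, together with the `*{CLSID}` / `` `InprocServer32= `` pair that essexboy picked out of the StartDreck log earlier, is what the helpers read to spot the BHO. As an added example that is not part of this thread, of HijackThis or of StartDreck, here is a small Python triage script that parses the O2/O20/O23 lines of an HJT log and the CLSID/InprocServer32 pairs of a StartDreck log, and flags the pattern seen here: a BHO whose DLL loads straight from System32 under a driver-like name. The sample log lines are constructed from the entries in this thread (the O2 line for ati3duagv.dll is a reconstruction of what the BHO looked like before removal, using the CLSID and path StartDreck showed).

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the HijackThis log in this thread. The O2 line
# for ati3duagv.dll is a constructed reconstruction of the BHO before it was removed
# (CLSID and path as StartDreck showed them); the other lines mirror the posted log.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ACE42F47-341D-427F-84BB-297751AA19CA} - C:\WINDOWS\System32\ati3duagv.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# Constructed StartDreck excerpt: a '*{CLSID}' line followed by its '`InprocServer32=' line.
SAMPLE_STARTDRECK = r"""
*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll
"""

SYSTEM32 = r"c:\windows\system32"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")
SD_CLSID_RE = re.compile(r"^\*(\{[0-9A-Fa-f-]{36}\})$")
SD_SERVER_RE = re.compile(r"^`InprocServer32=(.+)$")


@dataclass
class Finding:
    section: str  # HijackThis section, e.g. "O2"
    clsid: str    # CLSID for BHO entries, "" for the rest
    path: str     # binary path exactly as the log shows it
    reason: str


def loads_from_system32(path: str) -> bool:
    """True when the binary sits directly in C:\\WINDOWS\\System32 (not a subfolder)."""
    return ntpath.dirname(path.strip('"').lower()) == SYSTEM32


def triage_hjt(log_text: str) -> list:
    """Return the HijackThis entries worth a second look, with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            # Legitimate BHOs normally live under a program directory; a DLL dropped
            # straight into System32 under a driver-like name is the pattern seen here.
            if loads_from_system32(m["path"]):
                findings.append(Finding("O2", m["clsid"], m["path"],
                                        "BHO DLL loads directly from System32"))
            if m["name"] == "(no name)":
                findings.append(Finding("O2", m["clsid"], m["path"],
                                        "BHO registered without a display name"))
        elif m := O20_RE.match(line):
            # AppInit_DLLs is loaded into every process that maps user32.dll; here it
            # belongs to the Outpost firewall, but it always deserves confirmation.
            findings.append(Finding("O20", "", m["path"],
                                    "AppInit_DLLs global injection; confirm the owner"))
        elif (m := O23_RE.match(line)) and "(file missing)" in m["path"]:
            findings.append(Finding("O23", "", m["path"],
                                    "service points at a binary HijackThis could not find"))
    return findings


def parse_startdreck_bhos(text: str) -> dict:
    """Map each '*{CLSID}' line to the '`InprocServer32=' path listed under it."""
    servers, clsid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SD_CLSID_RE.match(line):
            clsid = m.group(1)
        elif clsid and (m := SD_SERVER_RE.match(line)):
            servers[clsid] = m.group(1)
            clsid = None
    return servers


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.section} {f.clsid} {f.path}\n    -> {f.reason}")
    print(parse_startdreck_bhos(SAMPLE_STARTDRECK))
```

Run against the constructed sample it reports the System32 BHO twice (location and missing name), the AppInit_DLLs hook for confirmation, and the avast! service whose binary HijackThis could not find; the Adobe BHO under Program Files is not flagged.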
-
ComboFix:
ComboFix 08-01-07.5 - Maggo 2008-01-10 20:00:24.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1031.18.147 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Maggo\Desktop\ComboFix(2).exe
.
((((((((((((((((((((((( Dateien erstellt von 2007-12-10 bis 2008-01-10 ))))))))))))))))))))))))))))))
.
2008-01-08 20:17 . 2008-01-08 20:17 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-08 20:17 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 19:39 . 2001-08-18 13:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe.backup
2008-01-08 19:39 . 2001-08-18 13:00 13,312 --a------ C:\WINDOWS\system32\ctfmon.exe.backup
2008-01-08 19:10 . 2008-01-08 20:27 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-01-08 01:02 . 2008-01-08 01:03 <DIR> d-------- C:\Programme\weblin
2008-01-08 01:01 . 2008-01-08 01:03 <DIR> d-------- C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\zweitgeist
2008-01-08 00:30 . 2002-11-14 20:43 221,696 --a------ C:\WINDOWS\system32\srrstr.dll
2008-01-08 00:30 . 2002-11-14 20:43 221,696 --a--c--- C:\WINDOWS\system32\dllcache\srrstr.dll
2008-01-08 00:26 . 2008-01-08 00:34 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-01-08 00:26 . 2004-01-10 06:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-01-08 00:25 . 2008-01-08 00:25 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-01-06 15:16 . 2008-01-10 19:37 49 --a------ C:\WINDOWS\transp.gif
2008-01-06 14:40 . 2008-01-06 14:40 <DIR> d-------- C:\Programme\Alwil Software
2008-01-06 14:40 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-06 14:40 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-06 14:40 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-01-06 14:40 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-06 14:40 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-06 14:40 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-06 14:40 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-06 14:40 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-06 14:40 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-06 14:40 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-06 14:29 . 2008-01-10 19:37 150 --a------ C:\WINDOWS\ODBC.INI
2008-01-06 14:22 . 2008-01-06 14:22 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Agnitum Shared
2008-01-06 14:22 . 2008-01-06 14:22 <DIR> d-------- C:\Programme\Agnitum
2008-01-06 14:15 . 2008-01-09 17:23 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-12-27 16:12 . 2007-12-27 16:12 2,400 --a------ C:\WINDOWS\system32\wpa.bak
2007-12-27 06:31 . 2007-12-27 06:31 754 --a------ C:\WINDOWS\WORDPAD.INI
2007-12-27 02:39 . 2007-12-27 02:39 <DIR> d-------- C:\Temp
2007-12-22 22:25 . 2008-01-05 23:56 1,266 --a------ C:\WINDOWS\PartyGrabber.ini
2007-12-18 00:42 . 2004-02-25 18:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-12-18 00:39 . 2007-12-18 00:43 <DIR> d-------- C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\fretsonfire
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 18:54 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\Skype
2008-01-10 18:37 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\skypePM
2008-01-09 23:14 --------- d---a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-01-08 18:39 23,552 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-06 16:42 --------- d-----r C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\Brother
2007-12-06 00:28 --------- d--h--w C:\Programme\InstallShield Installation Information
2007-11-30 02:12 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2007-11-30 02:10 --------- d-----w C:\Programme\Skype
2007-11-30 02:10 --------- d-----w C:\Programme\Gemeinsame Dateien\Skype
2007-11-30 02:10 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype
2007-11-29 21:25 --------- d-----w C:\Programme\ICQ
2007-11-29 21:25 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\ICQLite
2007-11-29 20:38 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe
2007-11-28 23:23 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\DivX
2007-11-28 02:01 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\Winamp
2007-11-28 01:57 --------- d-----w C:\Programme\Winamp
2007-11-28 01:47 --------- d-----w C:\Programme\Gemeinsame Dateien\InstallShield
2007-11-28 01:38 --------- d-----w C:\Programme\DivX
2007-11-28 00:31 --------- d-----w C:\Programme\microsoft frontpage
2007-11-28 00:30 --------- d-----w C:\Programme\Online-Dienste
2007-11-28 00:29 --------- d-----w C:\Programme\Gemeinsame Dateien\MSSoap
2007-11-28 00:29 --------- d-----w C:\Programme\Gemeinsame Dateien\Dienste
2007-11-28 00:21 --------- d-----w C:\Programme\Gemeinsame Dateien\SpeechEngines
2007-11-28 00:21 --------- d-----w C:\Programme\Gemeinsame Dateien\ODBC
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-10-20 00:56 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-10-20 00:56 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
-
((((((((((((((((((((((((((((( snapshot@2008-01-08_20.19.24.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-01-09 16:23:37 86,016 ----a-w C:\WINDOWS\system32\AppCert\hb13a.dll
- 2007-12-02 14:00:06 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-02 18:21:36 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-12-01 14:27:42 70,580 ----a-w C:\WINDOWS\system32\perfc007.dat
+ 2008-01-08 19:29:37 70,580 ----a-w C:\WINDOWS\system32\perfc007.dat
- 2007-12-01 14:27:42 58,596 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-08 19:29:37 58,596 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-01 14:27:42 405,118 ----a-w C:\WINDOWS\system32\perfh007.dat
+ 2008-01-08 19:29:37 405,118 ----a-w C:\WINDOWS\system32\perfh007.dat
- 2007-12-01 14:27:42 392,296 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-08 19:29:37 392,296 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-10 18:36:49 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_584.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-11-12 15:48 21760296]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Programme\ICQ\ICQLite.exe" [2006-07-11 11:15 3144800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [2003-09-02 17:25 73728 C:\WINDOWS\system32\sstray.exe]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"ICQ Lite"="C:\Programme\ICQ\ICQLite.exe" [2006-07-11 11:15 3144800]
"Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [2006-03-30 10:51 91648]
"OutpostFeedBack"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe" [2006-05-11 12:05 356420]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-01-08 19:39 23552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2006-03-30 10:53]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [2006-03-30 10:53]
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ARP.DLL [2006-03-30 10:53]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [2006-03-30 10:53]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [2006-03-30 10:53]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [2006-03-30 10:53]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [2006-03-30 10:53]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [2006-03-30 10:53]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [2006-03-30 10:53]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [2006-03-30 10:53]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [2006-03-30 10:53]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [2006-03-30 10:53]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [2006-03-30 10:53]
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\SECRET.DLL [2006-03-30 10:53]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 20:01:13
Windows 5.1.2600 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
Zeit der Fertigstellung: 2008-01-10 20:01:42
ComboFix-quarantined-files.txt 2008-01-10 19:01:33
ComboFix2.txt 2008-01-08 23:51:37
ComboFix3.txt 2008-01-08 22:06:51
ComboFix4.txt 2008-01-08 21:38:36
ComboFix5.txt 2008-01-08 20:20:48
.
2008-01-09 16:25:30 --- E O F ---
-
Hi scubamaggo
Please submit the following files for analysis.
To submit a file to VirusTotal, please click on this link:
www.virustotal.com
Copy and paste the following into the "upload a file" box (one at a time if more than one file is listed):
C:\WINDOWS\system32\AppCert\hb13a.dll
Scroll down a bit and click "send file", wait for the results and post them in your next reply.
-
Hi "oldman" and scubamaggo,
The results for this file:
Service
Service load: 0% 100%
File: hb13a.dll
Status: OK
MD5: badeceb29d993be9e674c666597c2809
Packers detected: -
Bit9 reports: File not found
Scanner results
Scan taken on 14 Jan 2008 15:29:36 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
This just for the record,
polonus