Topic: mystery virus (Read 11213 times)
grue155
Global Moderator
Comodo's Hero
« Reply #15 on: December 09, 2007, 09:34:31 PM »

Your DSS log seems to be clean, and it also looks to be a fresh machine install (not activated yet). This is actually one of the cleanest logs I've seen in a while.

The chkdsk is obviously tripping over something. Running dban in the default mode will do a fast zero wipe, but not really work the disk. Select the 5200.1 wipe, and make the most of the options, like verify after each pass, and run all 7 passes. It'll take considerably longer than 30 minutes. The DoD 5200.1 wipe sequence is the most intensive disk exerciser I've encountered. If there's a problem, this will trip over it.

The more I'm thinking about it, the more it seems to be some kind of hardware problem. There is a site I've seen referenced a lot at http://www.pcpitstop.com/ that runs a hardware diagnostic check. It's a free registration, and may give some insight as to what's going on, if it's something more than a disk drive problem (e.g. flaky controller, or a motherboard problem).

Regarding seeing file extensions, that can vary all over the place, depending on what folder you're in, and how overall system options are set. If you go into Windows Explorer, the top line toolbar, click Tools, and select Folder Options, you can mix and match as you choose. I have my systems show all extensions, just in case something tries to hide a "thisfile.txt.exe" somewhere.
kesuki
Comodo Family Member
« Reply #16 on: December 11, 2007, 12:28:55 PM »

Well, since then I did find 2 things that concern me...

2 of the 'cd-r' files I have now contain _more sessions_ than I burned to them. One disc I burned 2 sessions to now contains a 'mysterious third session'; the actual cd-r with my 'drivers', which was supposed to contain 1 session, now contains '4 sessions'. So I did run DSS again on that computer... (actually I noticed all this when autorun got disabled right after I had patched the machine at my parents', after carefully removing their systems from the network etc.) Autorun actually worked for a few hours before it stopped working for no reason. The second DSS scan did find malware, but it had an uninstaller in the Windows menu... Not trusting malware uninstallers, I simply nuked the disk and activated Windows over the telephone...

Autorun should not be getting disabled for no apparent reason. IE shouldn't fail to load pages for various software removal tools. The chkdsk error could be an obscure Windows bug... The only common denominator is that all my machines are AMD processors... Does chkdsk not work right with AMD CPUs since SP2? It always worked in SP1....

BTW Deckard's crashes on my parents' computers, which are 'always' on the net, and numerous malicious software removal tool sites refuse to load in IE. Since I can't run any sophisticated malware scanners it's hard to tell what all might be on my parents' systems... Probably the only option would be to run some sort of scanner from, say, a Bart's PE disk...

I'm not even sure what programs I would put on a Bart's PE to detect, possibly clean, and what to load to protect them from getting software that prevents IE from loading sites and causes removal and scanning tools to crash.

I can download and burn from VMware, which seems to bypass whatever is causing trouble on my parents' machine. HijackThis does run, so here is a HJT log from my mom's PC.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:15 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\VMware\VMware Player\vmplayer.exe
C:\Program Files\VMware\VMware Player\bin\vmware-vmx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Dena or Roy')
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Dena or Roy')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: [ at ]xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412329203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{95A2B2F1-79A7-4950-86BA-0A760182C2F4}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB54918E-B24B-47A1-811D-AF6E6FA3F22D}: NameServer = 66.115.71.53,24.196.64.53
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 7475 bytes
grue155
Global Moderator
Comodo's Hero
« Reply #17 on: December 11, 2007, 08:15:26 PM »

And that log looks clean, so far as I can tell. Time to start suspecting there is a rootkit running around in the background, making things look nice.

Two things to try, if there is a rootkit. One is to rename the scanning programs to something else, like having HiJackThis.exe be called this.exe, and dss.exe as that.exe. If you have the earlier results and compare them to the scan done by a renamed program, and there is any difference that you can't otherwise explain, then there is very, very likely a rootkit.

The other is to run at least one rootkit detector. There's one at sysinternals.com. Another is F-Secure Blacklight (http://www.f-secure.com/security_center/), and another is GMER (http://www.gmer.net/index.php). Each of these looks for slightly different things, so running more than one would probably be a good idea. Download, then rename, and run.

Being unable to reach security sites, or download programs, is a typical defense tactic that malware uses. Check your machine's "host" file. On my machine that is c:\windows\system32\drivers\etc\host
Also, your DNS cache could be "preloaded", or the nameserver lookups could be getting diverted. A way to test that is to compare the results of a name lookup done by a known clean machine with what your machine(s) are giving as an answer.

An alternative to BartPE is to physically pull the disk drive out of your machine and install it as a slave drive in another machine. Then you run any and every scanner you can on that slave drive. If need be, you could zero-wipe the drive as a slave drive, then physically reinstall it into your machine, and then do a reinstall.

Seeing extra sessions on your cd-r's would seem to imply that those cd-r's are somehow infected. If that is the case, then any cd backups that you have may simply be re-seeding your machines.

And, I run AMD processor systems also. Not a problem, and none reported that I know of. Anything that would be a problem would be reported loudly and quickly, by Intel if nobody else.
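The "compare the renamed scan to the earlier one" check from the reply above, as an added example that is not code from this thread or from any of the tools named in it. It parses shortened copies of the two HijackThis logs posted in this thread (Reply #16, run as HijackThis.exe, and the later Reply #18, run renamed as Ryan.exe), folds Windows path case so a cosmetic difference is not mistaken for a real one, discounts the scanner's own process names, and reports what is left unexplained; the helper names and the SCAN_NOISE list are my own assumptions.

```python
"""Section-by-section diff of two HijackThis logs (added example, not a
tool from the thread). A rootkit that hides from a scanner it recognises
by file name may not hide from a renamed copy; unexplained differences
between the two runs are the warning sign."""
import re
from collections import defaultdict

# Shortened copy of the Reply #16 log (scanner run as HijackThis.exe).
LOG_NORMAL = r"""
Scan saved at 11:28:15 AM, on 12/11/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

# Shortened copy of the Reply #18 log (same scanner, renamed to Ryan.exe).
LOG_RENAMED = r"""
Scan saved at 6:14:20 PM, on 12/13/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ryan\Desktop\that.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

# Differences caused by the scan itself (assumed list): the scanner under
# either name and the renamed DSS copy (that.exe). Anything else needs a
# human explanation.
SCAN_NOISE = ("hijackthis.exe", "ryan.exe", "that.exe")

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")


def parse_hjt(text, case_sensitive=False):
    """Return {section: set(entries)}: 'processes' for the Running processes
    list, otherwise the HJT item code (R0, O4, O17, O23, ...)."""
    sections = defaultdict(set)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            key, value = "processes", line
        else:
            m = ENTRY_RE.match(line)
            if not m:
                continue                # header / trailer lines
            key, value = m.group("code"), m.group("body")
        # Windows paths are case-insensitive; fold case unless told otherwise
        sections[key].add(value if case_sensitive else value.lower())
    return sections


def diff_hjt(text_a, text_b, noise=(), case_sensitive=False):
    """{section: {"added": [...], "removed": [...]}} for entries present in
    only one log, skipping entries that mention a noise name."""
    a = parse_hjt(text_a, case_sensitive)
    b = parse_hjt(text_b, case_sensitive)
    noise = tuple(n.lower() for n in noise)

    def keep(entry):
        return not any(n in entry.lower() for n in noise)

    result = {}
    for section in sorted(set(a) | set(b)):
        added = sorted(e for e in b[section] - a[section] if keep(e))
        removed = sorted(e for e in a[section] - b[section] if keep(e))
        if added or removed:
            result[section] = {"added": added, "removed": removed}
    return result


def unexplained_count(text_a, text_b, noise=(), case_sensitive=False):
    """How many entries still differ once scan noise is discounted."""
    d = diff_hjt(text_a, text_b, noise, case_sensitive)
    return sum(len(v["added"]) + len(v["removed"]) for v in d.values())


if __name__ == "__main__":
    for section, change in diff_hjt(LOG_NORMAL, LOG_RENAMED, SCAN_NOISE).items():
        for e in change["removed"]:
            print(f"[{section}] only in normal run : {e}")
        for e in change["added"]:
            print(f"[{section}] only in renamed run: {e}")
    print("unexplained:", unexplained_count(LOG_NORMAL, LOG_RENAMED, SCAN_NOISE))
```

On these two excerpts the only unexplained entry is the open iexplore.exe (a browser left running during the second scan), which a human can account for; the O4 McUpdate line differs only in letter case and is correctly ignored unless case_sensitive=True is passed.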
kesuki
Comodo Family Member
« Reply #18 on: December 13, 2007, 07:13:33 PM »

Renaming 'Deckard's' allowed it to run; however, I didn't re-dl it (the file had been sitting there all this time), so I'm going to post what its results are and then try to re-dl Deckard's, rename it, and run it again.

Main.txt
Deckard's System Scanner v20071014.68
Run by Ryan on 2007-12-13 18:13:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
13: 2007-12-14 00:13:22 UTC - RP13 - Deckard's System Scanner Restore Point
12: 2007-12-13 13:15:41 UTC - RP12 - System Checkpoint
11: 2007-12-12 09:00:16 UTC - RP11 - Software Distribution Service 3.0
10: 2007-12-12 04:06:20 UTC - RP10 - System Checkpoint
9: 2007-12-11 03:26:19 UTC - RP9 - System Checkpoint


-- First Restore Point --
1: 2007-12-04 00:16:19 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 88% (more than 75%).


-- HijackThis (run as Ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:20 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\VMware\VMware Player\vmplayer.exe
C:\Program Files\VMware\VMware Player\bin\vmware-vmx.exe
C:\Documents and Settings\Ryan\Desktop\that.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Dena or Roy')
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Dena or Roy')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: [ at ]xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412329203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{95A2B2F1-79A7-4950-86BA-0A760182C2F4}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB54918E-B24B-47A1-811D-AF6E6FA3F22D}: NameServer = 66.115.71.53,24.196.64.53
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 7556 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1095&DEV_3112&SUBSYS_61121095&REV_02\4&3B1D9AB8&0&5840
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1095&DEV_3112&SUBSYS_61121095&REV_02\4&3B1D9AB8&0&5840
Service:


-- Scheduled Tasks -------------------------------------------------------------

2007-09-29 15:26:23       288 --ah----- C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job


-- Files created between 2007-11-13 and 2007-12-13 -----------------------------

2007-12-06 16:28:55         0 d-------- C:\Program Files\Trend Micro
2007-12-03 17:08:43         0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-25 20:39:48         0 d-------- C:\Program Files\Ubisoft
2007-11-25 18:07:41         0 d-------- C:\Program Files\3DO
2007-11-23 09:49:23       229 --a------ C:\WINDOWS\PowerReg.dat
2007-11-22 13:49:03         0 d-------- C:\Program Files\Hasbro Interactive
2007-11-22 13:48:57    299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-11-22 13:48:55         0 d-------- C:\Documents and Settings\Ryan\WINDOWS
2007-11-15 11:40:46         0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-11-13 05:24:11         0 d-------- C:\Documents and Settings\Dena or Roy\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2007-12-13 18:09:29         0 d-------- C:\Documents and Settings\Ryan\Application Data\VMware
2007-12-03 18:06:09         0 d-------- C:\Program Files\Winamp
2007-12-03 17:55:43         0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-12-03 17:53:28         0 d-------- C:\Program Files\Google
2007-11-25 20:39:47         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-22 10:19:09         0 d-------- C:\Documents and Settings\Ryan\Application Data\Google
2007-11-08 18:38:34         0 d-------- C:\Program Files\Java
2007-10-23 17:27:07         0 d-------- C:\Documents and Settings\Ryan\Application Data\Macromedia
2007-10-16 10:49:14         0 d-------- C:\Program Files\InfraRecorder
2007-10-16 10:36:47         0 d-------- C:\Documents and Settings\Ryan\Application Data\InfraRecorder
2007-10-16 09:06:03         0 d-------- C:\Documents and Settings\Ryan\Application Data\DMCache
2007-09-23 11:06:53    106525 --a------ C:\WINDOWS\War3Unin.dat
2007-09-23 10:46:53      2829 --a------ C:\WINDOWS\War3Unin.pif
2007-09-23 10:46:53    139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2007-09-23 09:20:15  21643294 --a------ C:\sdat5125.exe <Not Verified; McAfee, Inc.; McAfee Core Components>
2007-09-21 11:48:14         0 -rahs---- C:\MSDOS.SYS
2007-09-21 11:48:14         0 -rahs---- C:\IO.SYS
2007-09-21 11:48:14         0 --a------ C:\CONFIG.SYS
2007-09-21 11:48:14         0 --a------ C:\AUTOEXEC.BAT
2007-09-21 11:45:04     21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-09-21 06:36:34        62 --ahs---- C:\Documents and Settings\Ryan\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [09/21/2007 04:22 PM]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [08/21/2007 06:56 PM]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [06/03/2004 07:51 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/14/2007 04:22 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 05:29 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [01/11/2006 11:05 AM]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 05:18 PM]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/2005 11:49 AM]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/2005 09:02 PM]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [11/21/2006 04:09 PM]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [07/09/2001 04:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 06:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/15/2007 05:31 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 2:15:54 AM]




-- End of Deckard's System Scanner: finished at 2007-12-13 18:15:47 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) XP 2600+
Percentage of Memory in Use: 85%
Physical Memory (total/avail): 511.49 MiB / 71.88 MiB
Pagefile Memory (total/avail): 1248.76 MiB / 804.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.84 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 93.15 GiB total, 32.46 GiB free.
D: is CDROM (Unformatted)

\\.\PHYSICALDRIVE0 - ST3100011A - 93.16 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 93.15 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: COMODO Firewall Pro v2.3.035 (COMODO)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:[ at ]xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:[ at ]xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:[ at ]xpsp2res.dll,-22019"
"C:\\Program Files\\Cerberus\\Cerberus.exe"="C:\\Program Files\\Cerberus\\Cerberus.exe:*:Enabled:Cerberus FTP Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:[ at ]xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ryan\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NONE-D2B0CC9969
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ryan
LOGONSERVER=\\NONE-D2B0CC9969
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\GTK\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ryan\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ryan\LOCALS~1\Temp
USERDOMAIN=NONE-D2B0CC9969
USERNAME=Ryan
USERPROFILE=C:\Documents and Settings\Ryan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dena or Roy (admin)
Ryan (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL[ at ]16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Axis & Allies Iron Blitz --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hasbro Interactive\Axis & Allies Iron Blitz\Uninst.isu"
CDBurnerXP Pro 3 --> MsiExec.exe /I{896D642C-7125-44F0-AC49-A23ABF82209C}
Cerberus FTP Server --> MsiExec.exe /I{889BE503-D5B7-4670-9DA8-19720CA1DCAD}
COMODO Firewall Pro --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
eMusic - 50 Free MP3 offer --> "C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
GTK+ 2.10.13 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
Heroes of Might and Magic V - Tribes of the East --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66FF4C48-0083-4E60-8556-B883AB200092}\setup.exe" -l0x9
Heroes of Might and Magic® III --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\3DO\Heroes3\Uninst.isu" -c"C:\Program Files\3DO\Heroes3\uninst.dll
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
InfraRecorder --> C:\Program Files\InfraRecorder\uninstall.exe
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
McAfee SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=msc /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee VirusScan --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=vso /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
NVIDIA Drivers --> C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI
NvMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\Setup.exe"  -uninstall
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
The Game Of Life --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\The Game Of Life\DeIsL1.isu"  -c"C:\Program Files\Hasbro Interactive\The Game Of Life\_ISREG32.DLL"
The GIMP 2.2.17 --> "C:\Program Files\GIMP-2.0\unins000.exe"
VMware Player --> MsiExec.exe /I{A53A11EA-0095-493F-86FA-A15E8A86A405}
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type404 / Error
Event Submitted/Written: 12/13/2007 06:09:25 PM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx

Event Record #/Type396 / Error
Event Submitted/Written: 12/11/2007 11:38:56 AM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx

Event Record #/Type395 / Error
Event Submitted/Written: 12/11/2007 10:49:43 AM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx

Event Record #/Type394 / Error
Event Submitted/Written: 12/10/2007 10:16:16 AM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx

Event Record #/Type393 / Error
Event Submitted/Written: 12/10/2007 10:16:08 AM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2013 / Warning
Event Submitted/Written: 12/13/2007 05:46:21 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type1924 / Warning
Event Submitted/Written: 12/11/2007 01:36:27 PM
Event ID/Source: 1 / VMnetDHCP
Event Description:
dispatch: Timeout waiting for input data

Event Record #/Type1920 / Warning
Event Submitted/Written: 12/11/2007 10:55:20 AM
Event ID/Source: 1 / VMnetDHCP
Event Description:
dispatch: Timeout waiting for input data

Event Record #/Type1912 / Warning
Event Submitted/Written: 12/10/2007 10:19:53 AM
Event ID/Source: 1 / VMnetDHCP
Event Description:
dispatch: Timeout waiting for input data

Event Record #/Type1886 / Warning
Event Submitted/Written: 12/09/2007 03:54:18 PM / 12/09/2007 03:54:19 PM
Event ID/Source: 1 / VMnetDHCP
Event Description:
dispatch: Timeout waiting for input data



-- End of Deckard's System Scanner: finished at 2007-12-13 18:15:47 ------------

kesuki
Comodo Family Member
« Reply #19 on: December 13, 2007, 07:34:28 PM »

Weird. The Deckard's log is a different size _every_ time I run it. Here is the 'second' run.

Deckard's System Scanner v20071014.68
Run by Ryan on 2007-12-13 18:33:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 84% (more than 75%).


-- HijackThis (run as Ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:34 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\VMware\VMware Player\vmplayer.exe
C:\Program Files\VMware\VMware Player\bin\vmware-vmx.exe
C:\Documents and Settings\Ryan\Desktop\nyet.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Dena or Roy')
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Dena or Roy')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412329203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{95A2B2F1-79A7-4950-86BA-0A760182C2F4}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB54918E-B24B-47A1-811D-AF6E6FA3F22D}: NameServer = 66.115.71.53,24.196.64.53
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 7556 bytes

-- Files created between 2007-11-13 and 2007-12-13 -----------------------------

2007-12-06 16:28:55         0 d-------- C:\Program Files\Trend Micro
2007-12-03 17:08:43         0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-25 20:39:48         0 d-------- C:\Program Files\Ubisoft
2007-11-25 18:07:41         0 d-------- C:\Program Files\3DO
2007-11-23 09:49:23       229 --a------ C:\WINDOWS\PowerReg.dat
2007-11-22 13:49:03         0 d-------- C:\Program Files\Hasbro Interactive
2007-11-22 13:48:57    299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-11-22 13:48:55         0 d-------- C:\Documents and Settings\Ryan\WINDOWS
2007-11-15 11:40:46         0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-11-13 05:24:11         0 d-------- C:\Documents and Settings\Dena or Roy\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2007-12-13 18:09:29         0 d-------- C:\Documents and Settings\Ryan\Application Data\VMware
2007-12-03 18:06:09         0 d-------- C:\Program Files\Winamp
2007-12-03 17:55:43         0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-12-03 17:53:28         0 d-------- C:\Program Files\Google
2007-11-25 20:39:47         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-22 10:19:09         0 d-------- C:\Documents and Settings\Ryan\Application Data\Google
2007-11-08 18:38:34         0 d-------- C:\Program Files\Java
2007-10-23 17:27:07         0 d-------- C:\Documents and Settings\Ryan\Application Data\Macromedia
2007-10-16 10:49:14         0 d-------- C:\Program Files\InfraRecorder
2007-10-16 10:36:47         0 d-------- C:\Documents and Settings\Ryan\Application Data\InfraRecorder
2007-10-16 09:06:03         0 d-------- C:\Documents and Settings\Ryan\Application Data\DMCache
2007-09-23 11:06:53    106525 --a------ C:\WINDOWS\War3Unin.dat
2007-09-23 10:46:53      2829 --a------ C:\WINDOWS\War3Unin.pif
2007-09-23 10:46:53    139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2007-09-23 09:20:15  21643294 --a------ C:\sdat5125.exe <Not Verified; McAfee, Inc.; McAfee Core Components>
2007-09-21 11:48:14         0 -rahs---- C:\MSDOS.SYS
2007-09-21 11:48:14         0 -rahs---- C:\IO.SYS
2007-09-21 11:48:14         0 --a------ C:\CONFIG.SYS
2007-09-21 11:48:14         0 --a------ C:\AUTOEXEC.BAT
2007-09-21 11:45:04     21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-09-21 06:36:34        62 --ahs---- C:\Documents and Settings\Ryan\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [09/21/2007 04:22 PM]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [08/21/2007 06:56 PM]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [06/03/2004 07:51 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/14/2007 04:22 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 05:29 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [01/11/2006 11:05 AM]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 05:18 PM]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/2005 11:49 AM]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/2005 09:02 PM]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [11/21/2006 04:09 PM]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [07/09/2001 04:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 06:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/15/2007 05:31 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 2:15:54 AM]




-- End of Deckard's System Scanner: finished at 2007-12-13 18:34:07 ------------

kesuki
Comodo Family Member
« Reply #20 on: December 13, 2007, 07:59:34 PM »

Here is a complete list of 'symptoms' I've noticed.

1. autoplay disabled
2. 3-5 times a day the 'desktop' appears (while playing full-screen games)
3. certain websites are 'unavailable' in IE (sorta like a transparent proxy would do for sites the admin banned, EXCEPT it doesn't affect VMware (Linux)). I double-checked IE; no proxy is set in LAN settings.
4. recordable 'multi-session' CD-Rs add 'mysterious sessions'; 1 disc still loaded in Linux (only 1 extra session), the second disc was unreadable in Linux (3 extra sessions had been written to that 1)
5. extensions mysteriously became unhidden (I rarely change this on a test system; this was how I figured out that a CD-R I thought was clean actually had the virus on it)
6. on at least 1 system, built-in CD recording 'crashed' instead of opening an 'add files' window
7. screen saver/power management settings 'reset' to default Windows settings (10 min screen saver / 20 min monitor off) when certain applications launched (so far my list of applications that were affected includes DVD Shrink and Comodo A/V)
8. my dad's PC is running really slowly lately (he has the slowest system; the filesystem was just reinstalled a month ago so it's not fragmentation... I know the CPU was upgraded to try to keep the system from being slow, and it's almost as fast as the CPU in my mom's PC, but his runs wayyyyy slower). I was thinking it was because he 'upgraded' McAfee to their full 'suite' and only had 256 MB of RAM, but I test-ran his system with my 512 MB module and it was still slow.

grue155
Global Moderator
Comodo's Hero
« Reply #21 on: December 13, 2007, 08:46:10 PM »

The two DSS logs show the same content, so far as a diff can tell. Some report format differences, but nothing in terms of executables.

But, that it took renaming DSS to get a run is a very strong indication there is a rootkit installed. Another indication of a problem is this, from the log

Quote
-- System Event Log ------------------------------------------------------------

Event Record #/Type2013 / Warning
Event Submitted/Written: 12/13/2007 05:46:21 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

That would imply that something has taken over port 123/UDP, and is keeping the time service from doing its job. There are reports of malware doing just that. If you can get a clear system, and get Wireshark, or some other packet sniffer, and check port 123 traffic, you could confirm that guess.

And to confirm this entry:
Quote
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Cerberus\\Cerberus.exe"="C:\\Program Files\\Cerberus\\Cerberus.exe:*:Enabled:Cerberus FTP Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
That you do have an FTP server installed?

And your notation
Quote
3. certain websites are 'unavailable' in ie, (sorta like a transparent proxy would do for sites the admin banned, EXCEPT it doesnt affect vmware (linux)) i double checked ie, no proxy is set in lan settings.
is consistent with malware controlling your TCP/IP stack and DNS lookups.

The next step is getting a rootkit scan done. I'd suggest doing all three of the scanners listed in my earlier post. A rootkit problem with these kinds of symptoms is leading me to believe that the only certain cleanup is going to be a zero wipe of the disk, and a reinstall from vendor original media. We're not to that point yet, but it looks to be leading that way, as there still isn't an identification of what the thing is so as to be able to use the tools to get rid of it.

kesuki
Comodo Family Member
« Reply #22 on: December 16, 2007, 07:05:09 PM »

I installed Cerberus to transfer backup files from old Linux/BSD partitions using a VMware Linux program. Some of those HDs failed mid-process; it was far overdue to get my files onto backed-up media...

Okay, the 1st site (RootkitRevealer) was 'unable to start service' and failed to install. I'm doing the 2nd site now.

kesuki
Comodo Family Member
« Reply #23 on: December 16, 2007, 07:18:27 PM »

F-Secure 'failed to dl'; running GMER now. And yeah, the CD-R media was how my system that is at home was getting re-infected. Once I burned a 'clean' mobo driver disc from VMware (VMware busies the CD-R drive so Windows doesn't interrupt it) I was able to remove all symptoms from That PC.
So far GMER has found 2 'red' entries, and it said it found rootkit activity.
I can't paste the whole thing, so here is the 'red-flagged' listing; if you need more of it I can break it up.

---- Processes - GMER 1.0.13 ----

Library         C:\DOCUME~1\Ryan\LOCALS~1\Temp\CmdLineExt02.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1224]    0x011A0000
Library         C:\Documents (*** hidden *** ) @ C:\Documents [3936]                                                  0x00400000

---- EOF - GMER 1.0.13 ----

grue155
Global Moderator
Comodo's Hero

« Reply #24 on: December 16, 2007, 07:40:37 PM »

I'd like to eyeball the full report that gmer produces. You can attach it as a txt file to a posting here, or upload it to a file service. One such service that I've seen used in these kinds of situations is at savefile.com.  You would create a free account, upload your file up to 60meg, and post a link here. Either an attachment here, or a link, is your choice.

kesuki
Comodo Family Member
« Reply #25 on: December 16, 2007, 08:00:17 PM »

full log

kesuki
Comodo Family Member
« Reply #26 on: December 16, 2007, 08:35:38 PM »

Well, something is definitely wrong with the filesystem. I tried to boot an Ubuntu 7.10 CD (I burned it for my MP3-playing computer) and it kept giving this 'squashfs' error about a specific block on the filesystem. After about 20 minutes and 768 of the same errors I gave up on it and rebooted to Windows, so I am a bit worried about trying to scan the drive as a 'slave'; if the rootkit can spread by connecting the drive to another Windows machine, that would double my work. It took me quite a while to figure out how to get my system that is off the net to operate without getting reinfected.

Building a BartPE scanning media would be easier, since if the CD-R is finalized it doesn't matter if the virus tries to write itself to the end of the disc, because the original session is the only valid one when a disc is finalized. Plus I can burn to a blank DVD; since only my system has a DVD-RW drive and my parents only have DVD-ROM/CD-RW drives, that would be foolproof.

grue155
Global Moderator
Comodo's Hero

« Reply #27 on: December 16, 2007, 09:06:01 PM »

Got the log. Thank you.  I've been going thru it, but beyond those two processes you pointed out, I'm not seeing anything. The CmdLineExt02 seems to be related to gameplay. The C:\Documents is definitely out of place, and I'm suspecting it is a controller process. I suspect that it will re-seed itself as soon as it gets stopped. Before stopping it, I'd like to check the two more common ways of programs getting restarted: the Windows equivalent of a cron job, that Windows knows as a "Scheduled Task", and a background service.

Windows keeps scheduled tasks in C:\Windows\Tasks\. If there is a re-seed task here, it will likely be in one or more hidden files, and kick up every 5 or 10 minutes. Check the folder to see what's there, and show all file names, extensions, hidden & system files, the whole works. Either move files that look suspicious off to another directory (so you can restore them later, if need be), or rename them so the task scheduler can't find them. Moving is better than renaming.

Use the GMER "Services" tab to see what services are running. Order by "started" will make searching easier, to find Auto, Boot, and System services. Look at the path names, and see if there is anything unusual. Especially executables running out of \temp folders, or under the "documents and settings" tree.

The goal is to kill the C:\documents process, and its reseeder at the same time. Then it should be possible to get a good for-real DSS scan, and get this malware nailed down.
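
The checks grue155 lists in Reply #21 (per-adapter NameServer values, the XP firewall's AuthorizedApplications list) and Reply #27 (anything auto-started or running out of a Temp folder or the Documents and Settings tree, plus the entries GMER marks hidden) can be run mechanically over the pasted logs instead of by eye. The script below is an added example written for this page; it is not part of the thread and not code from DSS, HijackThis or GMER. Its sample input is constructed from fragments of the logs posted above, the "suspect location" roots are a heuristic of my own, and the set of expected DNS servers is an assumption to be filled in from the router or ISP configuration.

```python
"""Mechanical triage of pasted HijackThis / GMER / registry-export lines.

Added example for this page, not code from the thread, DSS, HijackThis or GMER.
It applies the checks grue155 describes by hand:
  * images started from a user profile or a Temp folder (running processes,
    Run entries, services), and modules GMER marks hidden;
  * per-adapter NameServer values that differ from the expected resolvers;
  * programs allowed through the XP SP2 firewall.
SAMPLE_LOG is constructed from fragments of the logs posted in the thread.
"""
import re

# Heuristic (assumption): legitimately auto-started code rarely lives here.
SUSPECT_ROOTS = ("c:\\documents and settings\\", "c:\\docume~1\\")
SUSPECT_PARTS = ("\\temp\\", "\\locals~1\\")

# First drive-rooted path ending in an executable-style extension.
IMAGE_RE = re.compile(r'([a-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|scr|pif|bat|cmd))\b', re.I)
# HijackThis O17 line: adapter GUID and its NameServer list.
O17_RE = re.compile(r'^O17 - .*\{([0-9A-F-]+)\}: NameServer = ([\d.,]+)', re.I)
# XP firewall AuthorizedApplications value: "path"="path:scope:Enabled:Name".
FW_RE = re.compile(r'^"([^"]+)"="[^"]*:\*:(Enabled|Disabled):(.*)"$', re.I)


def image_path(line):
    """Return the first image path found in a log line, or None."""
    m = IMAGE_RE.search(line)
    return m.group(1) if m else None


def is_suspect_location(path):
    """True when the image lives under a user profile or a Temp directory."""
    p = path.lower()
    return p.startswith(SUSPECT_ROOTS) or any(part in p for part in SUSPECT_PARTS)


def triage(text, expected_dns):
    """Walk the log once; return suspect images, odd DNS servers, firewall exceptions."""
    out = {"suspect_images": [], "unexpected_dns": [], "firewall_allowed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O17_RE.match(line)
        if m:
            bad = [s for s in m.group(2).split(",") if s not in expected_dns]
            if bad:
                out["unexpected_dns"].append((m.group(1), bad))
            continue
        m = FW_RE.match(line)
        if m:  # registry exports double the backslashes; undo that for display
            out["firewall_allowed"].append(
                (m.group(1).replace("\\\\", "\\"), m.group(2).lower() == "enabled", m.group(3).strip()))
            continue
        hidden = "*** hidden ***" in line
        path = image_path(line)
        if hidden and path is None:
            # GMER prints "Library <path> (*** hidden *** ) @ ..."; <path> may lack an extension
            path = line.split("(***", 1)[0].split(None, 1)[-1].strip()
        if path is None:
            continue
        if hidden:
            out["suspect_images"].append((path, "hidden"))
        elif is_suspect_location(path):
            out["suspect_images"].append((path, "location"))
    return out


# Constructed from fragments of the HijackThis, registry and GMER output above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Documents and Settings\Ryan\Desktop\nyet.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB54918E-B24B-47A1-811D-AF6E6FA3F22D}: NameServer = 66.115.71.53,24.196.64.53
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Cerberus\\Cerberus.exe"="C:\\Program Files\\Cerberus\\Cerberus.exe:*:Enabled:Cerberus FTP Server"
Library C:\DOCUME~1\Ryan\LOCALS~1\Temp\CmdLineExt02.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1224] 0x011A0000
Library C:\Documents (*** hidden *** ) @ C:\Documents [3936] 0x00400000
"""

if __name__ == "__main__":
    # expected_dns is an assumption: put the resolvers your router/ISP really hands out here.
    report = triage(SAMPLE_LOG, expected_dns={"66.82.4.8"})
    for path, why in report["suspect_images"]:
        print(f"[image]    {why:8} {path}")
    for adapter, servers in report["unexpected_dns"]:
        print(f"[dns]      {adapter}: {','.join(servers)}")
    for path, enabled, name in report["firewall_allowed"]:
        print(f"[firewall] {'ON ' if enabled else 'off'} {name}: {path}")
```

A "location" hit is a lead, not a verdict: a tool the user launched by hand from the Desktop lands in the same tree as a dropper would, so each hit still needs the hash or vendor check grue155 asks for. The "hidden" entries are the ones that matter most, since a user-mode or kernel hook is the only normal reason a loaded module is invisible to the usual APIs, and the second O17 adapter is reported only because its resolvers are not in the set passed in; whether those addresses are legitimate is something to confirm with the ISP, not something the script decides.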
kesuki
Comodo Family Member
« Reply #28 on: December 16, 2007, 09:11:08 PM »

Here's the thing... I don't own a copy of Unreal Tournament, much less play it. That was the first Google link for the file.

grue155
Global Moderator
Comodo's Hero
« Reply #29 on: December 16, 2007, 09:13:51 PM »

Quote
Building a BartPE scanning media would be easier, since if the CD-R is finalized it doesn't matter if the virus tries to write itself to the end of the disc, because the original session is the only valid one when a disc is finalized. Plus I can burn to a blank DVD; since only my system has a DVD-RW drive and my parents only have DVD-ROM/CD-RW drives, that would be foolproof.

Not knowing your hardware, I don't know if this would make sense. But would it be possible to move the CD-R burner to your working machine? Just for a while, to get a clean BartPE build.

Running a disk as a slave drive is a safe thing to do, so long as you are very very careful not to run anything from the slave drive itself. In a FreeBSD environment, the equivalent would be a "mount -o noexec". To my knowledge, Windows has no such equivalent, so it would mean running very carefully. The CD-R would be safer, if you can get one.