8 replies to this topic

[enf1945]

also wanted to mention to save time that Conbofix already
deleted a trojan from an entry windows notify registry.
by a rerun of combofix doesnt find anything anymore.
in the meantime that BHO enrty i put as disables in IE . i dont know if im protected by doing that.
still seems that hcuvcbb.dll still cant be deleted, although it doesnt
show as a loaded dll on my PC. it must be in use by IE .
here is new combofix log :

ComboFix 09-04-15.08 - bob 04/15/2009 16:20.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.586 [GMT -4:00]
Running from: c:\documents and settings\bob\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-15 19:16 . 2009-04-15 19:16 -------- d-----w c:\documents and settings\bob\Application Data\PKWARE
2009-04-15 19:16 . 2009-04-15 19:16 -------- d-----w c:\documents and settings\All Users\Application Data\PKWARE
2009-04-15 06:21 . 2009-04-15 06:21 9479 ----a-w C:\rollback.ini
2009-04-15 06:18 . 2009-04-15 08:04 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-15 06:18 . 2009-04-15 08:04 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-15 06:18 . 2009-04-15 08:04 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-15 06:18 . 2009-04-15 08:04 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-15 06:12 . 2009-04-15 06:12 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-15 06:03 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-15 05:43 . 2009-04-15 05:43 -------- d-----w c:\windows\system32\DRVSTORE
2009-04-15 05:43 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-15 05:41 . 2009-04-15 05:41 -------- d--h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-14 22:35 . 2009-04-14 22:36 -------- d-----w c:\documents and settings\bob\Local Settings\Application Data\ulutjskx
2009-04-14 22:35 . 2009-04-14 22:36 -------- d-----w c:\documents and settings\bob\Application Data\ulutjskx
2009-04-14 22:29 . 2009-04-14 22:29 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\ulutjskx
2009-04-14 22:29 . 2009-04-14 22:29 -------- d-----w c:\documents and settings\NetworkService\Application Data\ulutjskx
2009-04-14 20:00 . 2009-04-14 20:00 -------- d-----w c:\documents and settings\bob\Application Data\Malwarebytes
2009-04-14 19:59 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 19:59 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 19:59 . 2009-04-14 19:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-14 13:43 . 2009-04-14 13:43 -------- d-sh--w C:\FOUND.000
2009-04-04 18:37 . 2009-04-04 18:37 -------- d-----w c:\documents and settings\bob\Application Data\TradeStation Technologies
2009-03-24 01:13 . 2009-03-24 01:13 -------- d-----w C:\Right Web Monitor
2009-03-23 23:20 . 2009-03-23 23:20 0 ----a-w c:\windows\nsreg.dat
2009-03-23 23:20 . 2009-03-23 23:20 -------- d-----w c:\documents and settings\bob\Local Settings\Application Data\Mozilla
2009-03-20 17:08 . 2007-04-30 03:24 61440 ----a-w c:\windows\system32\digitbox.ocx
2009-03-20 00:25 . 2009-03-20 00:25 135 ----a-w c:\windows\REDEMUNINS.INI
2009-03-20 00:25 . 2009-03-20 00:25 -------- d-----w c:\documents and settings\bob\Application Data\Redemption

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 19:42 . 2009-04-15 06:24 2012 ----a-w C:\aaw7boot.log
2009-04-15 16:38 . 2004-08-27 19:40 104448 ----a-w c:\windows\system32\ceozgof.dll
2009-04-15 06:40 . 2009-04-15 06:40 -------- d-----w c:\program files\Trend Micro
2009-04-15 06:12 . 2006-08-17 04:48 45760 ----a-w c:\documents and settings\bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 06:12 . 2009-04-15 06:12 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-04-14 19:59 . 2009-04-14 19:59 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-14 16:02 . 2009-04-14 16:02 -------- d-----w c:\program files\Support Tools
2009-04-14 16:02 . 2004-08-27 19:51 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-14 15:28 . 2009-04-14 15:28 -------- d-----w c:\program files\Debugging Tools for Windows (x86)
2009-04-04 18:38 . 2009-04-04 18:38 -------- d-----w c:\program files\TradeStation 8.5 (Build 2289)
2009-03-24 00:59 . 2009-03-24 00:59 -------- d-----w c:\program files\WebMon
2009-03-20 17:08 . 2009-03-20 17:08 -------- d-----w c:\program files\Alarm
2009-03-17 14:20 . 2007-06-26 16:51 39156 ---ha-w c:\windows\system32\mlfcache.dat
2009-03-16 03:51 . 2009-03-16 03:51 -------- d-----w c:\program files\DIY DataRecovery DiskPatch
2009-03-12 22:54 . 2009-03-12 22:53 -------- d-----w c:\program files\Floppy Image
2009-03-12 19:32 . 2009-03-12 19:32 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-12 19:32 . 2009-03-12 19:32 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-09-25 15:16 . 2008-02-27 21:53 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2006-08-28 05:43 . 2006-08-28 05:43 126 ----a-w c:\documents and settings\bob\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0F96E09-F426-417A-9E3E-F2002FE9DA6B}]
2004-08-04 09:00 104448 ----a-w c:\windows\system32\hcuvcbb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Power2GoExpress"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"Guard"="c:\program files\Phoenix Technologies\Applications\Guard\Guard.exe" [2006-05-15 679936]
"Recover Pro"="c:\program files\Phoenix Technologies\Applications\RPro\XP\VBPTASK.EXE" [2006-05-25 131072]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2002-12-16 86102]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-11-14 16270848]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\bob\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-6-14 479232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.D263"= xl_x263dec.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"msacm.ac3filter"= ac3filter.acm
"msacm.imc"= imc32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\se32.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\MircRT\\MIRC32.EXE"=
"c:\\mircIP\\mirc32.exe"=
"c:\\mirc\\mirc32.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\Program Files\\AdSubtract\\adsub.exe"=
"c:\\Program Files\\limewire\\LimeWire.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\StubInstaller.exe"=
"c:\\MircRT\\mirc.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\mirc\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 EyelineService;Eyeline Service;c:\program files\NCH Software\Eyeline\eyeline.exe [2008-02-03 425988]
R3 huadio;huadio; [x]
S0 gkatjihp;gkatjihp;c:\windows\system32\drivers\gkatjihp.sys [2004-08-04 23424]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S0 ptpd;Disk Filter Driver;c:\windows\system32\drivers\ptpd.sys [2005-10-18 8320]
S1 DCDisk;DCDisk; [x]
S1 se32;EnTech softEngine;c:\windows\system32\Drivers\se32.sys [2007-05-03 12112]
S2 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2005-12-02 8832]
S2 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2003-08-13 2304]
S2 PhnxPsaService;Phoenix PSA Service;c:\windows\system32\PhxPsSvr.exe [2006-04-05 40960]
S2 PhnxVaultService;Phoenix Vault Service;c:\windows\system32\PhxVtSvr.exe [2005-12-14 53248]
S2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-07-15 27992]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\Drivers\PhnxVcd.sys [2006-03-21 47488]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fc941b2-325c-11db-b69b-00161777ace5}]
\Shell\AutoRun\command - E:\PC.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9667f638-14cf-11de-bbb9-00161777ace5}]
\Shell\AutoRun\command - E:\ONSPCLCK.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL =
uInternet Settings,ProxyOverride = 127.0.0.1
IE: {{0264505A-6793-44E0-AC75-9DCE3B13185C} - c:\program files\AT&T\WnClient\Programs\AnyWho.exe
Trusted Zone: ameritrade.com
Trusted Zone: datek.com\public.answerbox
Trusted Zone: etrade.com\us
Trusted Zone: financialchat.com\www
Trusted Zone: live365.com\www
Trusted Zone: londonstockexchange.com\www
Trusted Zone: noaa.gov\weather
Trusted Zone: nyc.gov\a836-acris
Trusted Zone: tdameritrade.com
Trusted Zone: thedaytradegroup.com
Trusted Zone: tnto.com\www
Trusted Zone: tradearca.com\datasvr
Trusted Zone: urbansherpany.com\www
Trusted Zone: usgs.gov\earthnow
Trusted Zone: weather.gov\radar
DPF: {065FD296-2A8A-48C3-9634-7E167BF2C6C2} - hxxp://www.terranovaonline.com/INVESTOR/TALTNInvestor.cab
DPF: {0FB028C2-2704-40F6-A983-2A2405027A19} - hxxps://epresent.sungard.com/ws/dropslot.cab
DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} - hxxp://www.tegosoft.com/ActiveX/TegoLoad.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k00719/sb02b.cab
FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\xlb3e9mq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 16:22
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\huadio]
"ImagePath"="\??\c:\huadio.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2523675433-3985973265-1301256737-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(140)
c:\windows\system32\nview.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-15 16:23
ComboFix-quarantined-files.txt 2009-04-15 20:23
ComboFix2.txt 2009-04-15 16:42

Pre-Run: 109,898,465,280 bytes free
Post-Run: 109,911,900,160 bytes free

210

[miekiemoes]

Hi,

Not sure if you have used latest malwarebytes database version, because it should detect and delete this one as well now. Anyway, do next please:

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

File::
c:\windows\system32\drivers\gkatjihp.sys
c:\windows\system32\hcuvcbb.dll
c:\windows\system32\ceozgof.dll
Driver::
gkatjihp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0F96E09-F426-417A-9E3E-F2002FE9DA6B}]

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

By the way, is there any reason why you don't have an Antivirus installed?

[enf1945]

miekiemoes, on Apr 15 2009, 07:48 PM, said:

Hi,

Not sure if you have used latest malwarebytes database version, because it should detect and delete this one as well now. Anyway, do next please:

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:



Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

By the way, is there any reason why you don't have an Antivirus installed?

I have etrust antivirus. i ahd it turned off for these repairs.

also i updated malwarebytes and it still wouldnt remove these entries

below is the Combofile log.
Combofile has trouble deleting those files. if i try to delete them manually it says they are in use.


ComboFix 09-04-15.08 - bob 04/15/2009 20:42.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.566 [GMT -4:00]
Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bob\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\ceozgof.dll
c:\windows\system32\drivers\gkatjihp.sys
c:\windows\system32\hcuvcbb.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ceozgof.dll . . . . failed to delete
c:\windows\system32\drivers\gkatjihp.sys . . . . failed to delete
c:\windows\system32\hcuvcbb.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GKATJIHP
-------\Service_gkatjihp


((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-15 19:16 . 2009-04-15 19:16 -------- d-----w c:\documents and settings\bob\Application Data\PKWARE
2009-04-15 19:16 . 2009-04-15 19:16 -------- d-----w c:\documents and settings\All Users\Application Data\PKWARE
2009-04-15 06:21 . 2009-04-15 06:21 9479 ----a-w C:\rollback.ini
2009-04-15 06:18 . 2009-04-16 00:21 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-15 06:18 . 2009-04-16 00:21 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-15 06:18 . 2009-04-16 00:21 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-15 06:18 . 2009-04-16 00:21 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-15 06:12 . 2009-04-15 06:12 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-15 06:03 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-15 05:43 . 2009-04-15 05:43 -------- d-----w c:\windows\system32\DRVSTORE
2009-04-15 05:43 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-15 05:41 . 2009-04-15 05:41 -------- d--h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-14 22:35 . 2009-04-14 22:36 -------- d-----w c:\documents and settings\bob\Local Settings\Application Data\ulutjskx
2009-04-14 22:35 . 2009-04-14 22:36 -------- d-----w c:\documents and settings\bob\Application Data\ulutjskx
2009-04-14 22:29 . 2009-04-14 22:29 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\ulutjskx
2009-04-14 22:29 . 2009-04-14 22:29 -------- d-----w c:\documents and settings\NetworkService\Application Data\ulutjskx
2009-04-14 20:00 . 2009-04-14 20:00 -------- d-----w c:\documents and settings\bob\Application Data\Malwarebytes
2009-04-14 19:59 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 19:59 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 19:59 . 2009-04-14 19:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-14 13:43 . 2009-04-14 13:43 -------- d-sh--w C:\FOUND.000
2009-04-04 18:37 . 2009-04-04 18:37 -------- d-----w c:\documents and settings\bob\Application Data\TradeStation Technologies
2009-03-24 01:13 . 2009-03-24 01:13 -------- d-----w C:\Right Web Monitor
2009-03-23 23:20 . 2009-03-23 23:20 0 ----a-w c:\windows\nsreg.dat
2009-03-23 23:20 . 2009-03-23 23:20 -------- d-----w c:\documents and settings\bob\Local Settings\Application Data\Mozilla
2009-03-20 17:08 . 2007-04-30 03:24 61440 ----a-w c:\windows\system32\digitbox.ocx
2009-03-20 00:25 . 2009-03-20 00:25 135 ----a-w c:\windows\REDEMUNINS.INI
2009-03-20 00:25 . 2009-03-20 00:25 -------- d-----w c:\documents and settings\bob\Application Data\Redemption

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 00:45 . 2009-04-15 06:24 2684 ----a-w C:\aaw7boot.log
2009-04-16 00:43 . 2004-08-27 19:40 23424 ----a-w c:\windows\system32\drivers\pgrvplcf.sys
2009-04-15 16:38 . 2004-08-27 19:40 104448 ----a-w c:\windows\system32\ceozgof.dll
2009-04-15 06:40 . 2009-04-15 06:40 -------- d-----w c:\program files\Trend Micro
2009-04-15 06:12 . 2006-08-17 04:48 45760 ----a-w c:\documents and settings\bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 06:12 . 2009-04-15 06:12 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-04-14 19:59 . 2009-04-14 19:59 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-14 16:02 . 2009-04-14 16:02 -------- d-----w c:\program files\Support Tools
2009-04-14 16:02 . 2004-08-27 19:51 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-14 15:28 . 2009-04-14 15:28 -------- d-----w c:\program files\Debugging Tools for Windows (x86)
2009-04-04 18:38 . 2009-04-04 18:38 -------- d-----w c:\program files\TradeStation 8.5 (Build 2289)
2009-03-24 00:59 . 2009-03-24 00:59 -------- d-----w c:\program files\WebMon
2009-03-20 17:08 . 2009-03-20 17:08 -------- d-----w c:\program files\Alarm
2009-03-17 14:20 . 2007-06-26 16:51 39156 ---ha-w c:\windows\system32\mlfcache.dat
2009-03-16 03:51 . 2009-03-16 03:51 -------- d-----w c:\program files\DIY DataRecovery DiskPatch
2009-03-12 22:54 . 2009-03-12 22:53 -------- d-----w c:\program files\Floppy Image
2009-03-12 19:32 . 2009-03-12 19:32 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-12 19:32 . 2009-03-12 19:32 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-09-25 15:16 . 2008-02-27 21:53 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2006-08-28 05:43 . 2006-08-28 05:43 126 ----a-w c:\documents and settings\bob\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-15_16.41.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-27 19:40 . 2004-08-04 09:00 23424 c:\windows\system32\drivers\pgrvplcf.sys
+ 2004-08-27 19:40 . 2009-04-16 00:43 23424 c:\windows\system32\drivers\pgrvplcf.sys
+ 2004-08-27 19:54 . 2009-04-15 20:33 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-27 19:54 . 2009-04-14 20:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-27 19:54 . 2009-04-14 16:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-27 19:54 . 2009-04-15 20:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-27 19:54 . 2009-04-15 20:33 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-27 19:54 . 2009-04-14 16:48 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-16 00:44 . 2005-10-21 00:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-15 16:39 . 2005-10-21 00:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0F96E09-F426-417A-9E3E-F2002FE9DA6B}]
2004-08-04 09:00 104448 ----a-w c:\windows\system32\hcuvcbb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Power2GoExpress"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"Guard"="c:\program files\Phoenix Technologies\Applications\Guard\Guard.exe" [2006-05-15 679936]
"Recover Pro"="c:\program files\Phoenix Technologies\Applications\RPro\XP\VBPTASK.EXE" [2006-05-25 131072]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2002-12-16 86102]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-11-14 16270848]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\bob\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-6-14 479232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.D263"= xl_x263dec.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"msacm.ac3filter"= ac3filter.acm
"msacm.imc"= imc32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\se32.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\MircRT\\MIRC32.EXE"=
"c:\\mircIP\\mirc32.exe"=
"c:\\mirc\\mirc32.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\Program Files\\AdSubtract\\adsub.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\StubInstaller.exe"=
"c:\\MircRT\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15513:TCP"= 15513:TCP:Emule
"12577:UDP"= 12577:UDP:Emule
"18774:UDP"= 18774:UDP:limewireUDP
"18774:TCP"= 18774:TCP:limewireTCP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 EyelineService;Eyeline Service;c:\program files\NCH Software\Eyeline\eyeline.exe [2008-02-03 425988]
R3 huadio;huadio; [x]
S0 gkatjihp;gkatjihp;c:\windows\system32\drivers\gkatjihp.sys [2004-08-04 23424]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S0 ptpd;Disk Filter Driver;c:\windows\system32\drivers\ptpd.sys [2005-10-18 8320]
S1 DCDisk;DCDisk; [x]
S1 se32;EnTech softEngine;c:\windows\system32\Drivers\se32.sys [2007-05-03 12112]
S2 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2005-12-02 8832]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2003-08-13 2304]
S2 PhnxPsaService;Phoenix PSA Service;c:\windows\system32\PhxPsSvr.exe [2006-04-05 40960]
S2 PhnxVaultService;Phoenix Vault Service;c:\windows\system32\PhxVtSvr.exe [2005-12-14 53248]
S2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-07-15 27992]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\Drivers\PhnxVcd.sys [2006-03-21 47488]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - GKATJIHP

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fc941b2-325c-11db-b69b-00161777ace5}]
\Shell\AutoRun\command - E:\PC.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9667f638-14cf-11de-bbb9-00161777ace5}]
\Shell\AutoRun\command - E:\ONSPCLCK.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL =
uInternet Settings,ProxyOverride = 127.0.0.1
IE: {{0264505A-6793-44E0-AC75-9DCE3B13185C} - c:\program files\AT&T\WnClient\Programs\AnyWho.exe
Trusted Zone: ameritrade.com
Trusted Zone: nyc.gov\a836-acris
Trusted Zone: tdameritrade.com
Trusted Zone: thedaytradegroup.com
Trusted Zone: tnto.com\www
Trusted Zone: tradearca.com\datasvr
Trusted Zone: urbansherpany.com\www
Trusted Zone: usgs.gov\earthnow
Trusted Zone: weather.gov\radar
DPF: {065FD296-2A8A-48C3-9634-7E167BF2C6C2} - hxxp://www.terranovaonline.com/INVESTOR/TALTNInvestor.cab
DPF: {0FB028C2-2704-40F6-A983-2A2405027A19} - hxxps://epresent.sungard.com/ws/dropslot.cab
DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} - hxxp://www.tegosoft.com/ActiveX/TegoLoad.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k00719/sb02b.cab
FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\xlb3e9mq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 20:46
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\huadio]
"ImagePath"="\??\c:\huadio.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2523675433-3985973265-1301256737-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\nview.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\APC\APC POWERCHUTE PERSONAL EDITION\MAINSERV.EXE
c:\program files\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\program files\CA\ETRUST ANTIVIRUS\INORPC.EXE
c:\program files\CA\ETRUST ANTIVIRUS\INORT.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\program files\CA\ETRUST ANTIVIRUS\INOTASK.EXE
c:\program files\LEXMARK X5100 SERIES\LXBABMON.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\CA\SHAREDCOMPONENTS\SCANENGINE\INODIST.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-04-16 20:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 00:48
ComboFix2.txt 2009-04-15 20:23
ComboFix3.txt 2009-04-15 16:42

Pre-Run: 109,675,642,880 bytes free
Post-Run: 109,755,531,264 bytes free

261

[miekiemoes]

Hi,

Quote

c:\windows\system32\ceozgof.dll . . . . failed to delete
c:\windows\system32\drivers\gkatjihp.sys . . . . failed to delete
c:\windows\system32\hcuvcbb.dll . . . . failed to delete

The malware isn't supposed to act like this. Do you have any file/folder lock programs installed? Does PKWare have this functionality? If so, then please uninstall it temporay. Could also because of the FAT32 here.

Can you also please also allow Combofix install the Recovery Console?

Then try again.. and create the following CFScript and drag it into Combofix:

File::
c:\windows\system32\drivers\gkatjihp.sys
c:\windows\system32\drivers\pgrvplcf.sys
c:\windows\system32\hcuvcbb.dll
c:\windows\system32\ceozgof.dll
Driver::
gkatjihp
pgrvplcf
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0F96E09-F426-417A-9E3E-F2002FE9DA6B}]

It may be better to do this from Windows safe mode.

[enf1945]

Hi,

i ran combofix again and it worked this time !

i would like to thanks you for your efforts . You guys are great .

i got this by being on a normal everyday site that asked me to update Adobe Flash.
i think the site was hacked.

btw before running this i was able
to change a reistry setting for the driver gkatjihp.sys to make it run inactive.

also for HBO's i suggest one go into explorer tools - manage add ons - enable or disable add ons -
look for the malware HBO and click disable.
do this until its deleted by malwarebytes or combofix or whatever .
note - this is not a fix. it will become enabled again.

i did ths to minimize damage before its fixed.

curious as to why booting into a DOS disk and deleting these files under DOS doesnt work.

thanks

miekiemoes, on Apr 16 2009, 01:40 AM, said:

Hi,



The malware isn't supposed to act like this. Do you have any file/folder lock programs installed? Does PKWare have this functionality? If so, then please uninstall it temporay. Could also because of the FAT32 here.

Can you also please also allow Combofix install the Recovery Console?

Then try again.. and create the following CFScript and drag it into Combofix:

File::
c:\windows\system32\drivers\gkatjihp.sys
c:\windows\system32\drivers\pgrvplcf.sys
c:\windows\system32\hcuvcbb.dll
c:\windows\system32\ceozgof.dll
Driver::
gkatjihp
pgrvplcf
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0F96E09-F426-417A-9E3E-F2002FE9DA6B}]

It may be better to do this from Windows safe mode.

[miekiemoes]

Hi,

Quote

btw before running this i was able
to change a reistry setting for the driver gkatjihp.sys to make it run inactive.

Well, whatever you did there failed, because the malware is still active and running... and I guess it's because of that that other tools can't deal with it either there. Not sure what you have done, but in case you have set permissions there, please undo this, because you're really making things worse and may explain why everything now fails.

Can you perform the steps with Combofix please?

Quote

curious as to why booting into a DOS disk and deleting these files under DOS doesnt work.

Yes, that should work without any problems, unless you broke something.

[enf1945]

i ran combofix and it cleared it. thanks.

yes gkatjihp was still loaded as a driver but at least it wasnt running to do damage. it was listed as a manual activation.
its just temporary till its deleted.
it still had to be deleted by combofix.


as far as deleting these files in a DOS disk, i didnt try it myself .
i guess i was concerned that windows wouldnt start if these files were deleted by a DOS disk
and the registry entries to get them started still wanted them to run.
is this a legitimate concern ?

anyway everything is cleared up. i ran your program and 0 malware found.
thanks.

miekiemoes, on Apr 16 2009, 11:43 AM, said:

Hi,

Well, whatever you did there failed, because the malware is still active and running... and I guess it's because of that that other tools can't deal with it either there. Not sure what you have done, but in case you have set permissions there, please undo this, because you're really making things worse and may explain why everything now fails.

Can you perform the steps with Combofix please?

Yes, that should work without any problems, unless you broke something.

[miekiemoes]

Hi,

Quote

i ran combofix and it cleared it. thanks.

Good to hear. So this time no "failed to delete" message in your log anymore? Anyway, you would notice the difference if it's gone or not though. Also, if still present, then the BHO would be still present and malwarebytes should detect it then.

Yes, you could actually do this via the Recovery Console (DOS Disk) as well. The registry keys attached to the files here are not really a concern, especially not the BHO. The driver registered in the registry shouldn't cause problems either if the file was deleted, however, for drivers/services, if you want to delete it via the Recovery Console commands, then it's a good idea to use the "disable servicename" first before you perform the del command for the file. So in this case it would be "disable gkatjihp" (as this was actually the one still active)


Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[miekiemoes]

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.