Tom's Guide | Tom's Hardware | Tom's Games
I got home today, turned on my PC and "VIOLA!" Windows tells me that there have been significant changes to my hardware since I activated and I need to reactivate within 3 days.
So, where to begin. No, I have not made any mods to my hardware lately. I have not added anything new. In fact, I haven't even opened the case to dust it in about a month and a half.
I started scouting around a little and found out there is a virus that asks you to reactivate using your CC. Mine does not request this. Additionally, the PC has just been acting screwy the past few days. Seems to be slowing down...like it's gasping or something.
I've run NOD32, which I have, nothing. I ran an online scan with Housecall (because Panda Activescan is apparently down), nothing. I ran TrojanHunter, nothing. I'm currently running RootkitRevealer, but that's not looking too promising either. Not sure where to go here.
I was training in Malware Detection with Castlecops up until a month ago when I backed out, so I have a pretty decent knowledge of HijackThis logs and what not. My log comes up clean. The only other thing I can think of is to maybe pull a SilentRunners log and scope it out.
Lian-Li PC61
ASUS A8N-SLI Deluxe
AMD Athlon 3700+ San Diego @ 2.6 GHz stock cooling
eVGA 7800GT
2GB G.SKILL DDR400
WD Caviar 300GB SATA 3.0Gb/s
Samsung 17" 740N Monitor
Dr. Peppe

While following jabuck's instructions, you might want to read about the Windows activation trojan known to Symantec as Trojan.Kardphisher. Symantec wrote this article last April to warn all internet users.
i_Xp/VistaUser

Thanks, XpUser. This doesn't follow those same patterns, so I don't believe this to be that trojan necessarily. Possibly a variation or something new (if it's even a trojan at all).
Jabuck,
Here you go...I couldn't find anything, maybe you can:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:46 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\CTHELPER.exe
C:\WINDOWS\system32\CTXFIHLP.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/h...
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://extranet.cps.ca.gov/rd/wfica.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/Onlin...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8850 bytes
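
The HijackThis log above is reviewed by eye in this thread. As an added example (the editor's code, not HijackThis or anything posted in the thread), here is a small triage script that parses the O4, O16, O20 and O23 line formats and applies the checks a reviewer runs in their head: Run entries that name a bare file (resolved through the search path), autostarts from user-writable folders, system binary names outside the Windows directory, services with no recorded owner, Winlogon Notify packages, and ActiveX controls fetched over plain HTTP. The sample lines are partly copied from the log above and partly constructed placeholders (the all-zero CLSID, `downloads.example.com`, the `exampleuser` Temp path); the heuristics are the editor's, not a published ruleset.

```python
"""Triage helper for HijackThis v2 log lines (editor's added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Entry:
    kind: str    # HijackThis section code: "O4", "O16", "O20" or "O23"
    name: str    # Run value name, CLSID, notify package or service name
    target: str  # command line, URL or file path the entry points at
    extra: str   # registry hive (O4), control description (O16) or owner (O23)


@dataclass
class Finding:
    entry: Entry
    reason: str


# Line grammar for the four sections this helper understands.
_PATTERNS = {
    "O4":  re.compile(r'^O4 - (?P<extra>HK\S+?)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<target>.*)$'),
    "O16": re.compile(r'^O16 - DPF: (?P<name>\{[^}]+\}) \((?P<extra>[^)]*)\) - (?P<target>\S+)$'),
    "O20": re.compile(r'^O20 - Winlogon Notify: (?P<name>.*?) - (?P<target>.*)$'),
    "O23": re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<extra>.*?) - (?P<target>.*)$'),
}

# Constructed sample: some lines copied from the log in the thread, some placeholders
# (all-zero CLSID, example.com URL, "exampleuser" Temp path) so every rule has input.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\exampleuser\Local Settings\Temp\svchost.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://extranet.cps.ca.gov/rd/wfica.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://downloads.example.com/control.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


def parse_log(text: str) -> List[Entry]:
    """Keep only the line types we triage; everything else (R0/R1, O2, O8, ...) is skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        for kind, pattern in _PATTERNS.items():
            m = pattern.match(line)
            if m:
                d = m.groupdict()
                entries.append(Entry(kind, d["name"], d["target"], d.get("extra") or ""))
                break
    return entries


_EXT = r'\.(?:exe|dll|cpl|scr|bat|cmd|com)'


def executable_of(command: str) -> str:
    """Return the program (or DLL) a Run-key command line launches. A quoted path wins;
    otherwise take the text up to the first known extension, so an unquoted path with
    spaces (C:\\Program Files\\...\\x.exe /flag) is not cut at its first space."""
    m = re.match(r'^"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r'^(.*?' + _EXT + r')(?=[\s,]|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


# Locations and names that deserve a second look when they appear in an autostart entry.
_USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\",
                  "\\application data\\", "\\local settings\\")
_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "explorer.exe"}


def review(entries: List[Entry]) -> List[Finding]:
    """Apply the heuristics; one entry can produce more than one finding."""
    findings: List[Finding] = []
    for e in entries:
        if e.kind == "O4":
            exe = executable_of(e.target)
            low = exe.lower()
            base = low.rsplit("\\", 1)[-1]
            if not re.match(r'^([a-z]:\\|\\\\)', low):
                findings.append(Finding(e, "bare file name resolved through the search path: "
                                           "confirm which file actually runs"))
            elif any(seg in low for seg in _USER_WRITABLE):
                findings.append(Finding(e, "autostart from a user-writable location"))
            if base in _SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
                findings.append(Finding(e, "Windows system binary name outside the Windows directory"))
        elif e.kind == "O23" and e.extra.lower() == "unknown owner":
            findings.append(Finding(e, "service has no publisher recorded: verify the binary's signature or hash"))
        elif e.kind == "O20":
            findings.append(Finding(e, "Winlogon Notify DLL is loaded by winlogon.exe at logon: verify its signer"))
        elif e.kind == "O16" and e.target.lower().startswith("http://"):
            findings.append(Finding(e, "ActiveX control fetched over plain HTTP: verify the source"))
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f.entry.kind} [{f.entry.name}] {f.entry.target}\n    -> {f.reason}")
```

Run against the sample, the script returns six findings: the bare `nwiz.exe`, two for the constructed Temp-folder `svchost.exe` (user-writable location and a system binary name outside the Windows directory), the plain-HTTP ActiveX control, the Winlogon Notify DLL and the `PnkBstrA` service with no owner. Every finding is a prompt to verify, not a verdict; the entries from the real log that it flags (`nwiz.exe`, `PnkBstrA`, `!SASWinLogon`) are all legitimate software here, which is exactly why a reviewer checks the binary's signer or hash before deciding.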

Looks clean to me.
Please download ComboFix to the desktop from this link: ComboFix
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

Here you go...nothing jumps out from the 3M or last 30 days. Looks clean also.
ComboFix 08-01-09.2 - Eric 2008-01-15 22:21:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1530 [GMT -8:00]
Running from: C:\Documents and Settings\Eric\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.
2008-01-15 22:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 16:52 . 2008-01-15 16:52 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\TrojanHunter
2008-01-15 16:14 . 2008-01-15 16:15 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-01-15 14:06 . 2008-01-15 14:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-15 01:23 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-15 01:09 . 2008-01-15 01:09 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-15 01:07 . 2008-01-15 01:26 <DIR> d-------- C:\Documents and Settings\Eric\.housecall6.6
2008-01-14 23:09 . 2007-02-22 08:05 90,112 --a------ C:\Progr_.dll
2008-01-12 00:20 . 2008-01-13 01:52 <DIR> d-------- C:\Program Files\Eidos
2008-01-11 22:13 . 2008-01-14 23:34 <DIR> d-------- C:\Program Files\Stardock
2008-01-11 22:13 . 2008-01-15 13:58 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-01-11 18:09 . 2008-01-11 18:09 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-08 21:45 . 2008-01-08 21:45 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Std
2008-01-08 21:26 . 2008-01-08 21:26 <DIR> d-------- C:\WINDOWS\system32\MSSecurityNS
2008-01-08 21:26 . 2008-01-08 21:26 <DIR> d-------- C:\WINDOWS\MSSecurityNi
2008-01-08 21:26 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-01-08 21:16 . 2008-01-08 21:16 <DIR> d-------- C:\Program Files\Alien Skin
2008-01-08 20:24 . 2008-01-09 18:18 <DIR> d-------- C:\Program Files\UltraISO
2008-01-08 20:24 . 2008-01-08 20:24 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2008-01-08 20:08 . 2008-01-09 18:15 <DIR> d-------- C:\Program Files\MagicISO
2008-01-07 15:23 . 2008-01-14 22:34 <DIR> d-------- C:\Program Files\Flagship Studios
2008-01-07 11:25 . 2008-01-07 11:25 <DIR> d-------- C:\Program Files\DVD Shrink
2008-01-07 11:25 . 2008-01-07 11:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-07 10:43 . 2008-01-07 10:43 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-01-06 12:43 . 2008-01-06 12:43 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-01-06 12:40 . 2008-01-06 12:40 <DIR> d-------- C:\Program Files\TurboTax
2008-01-06 12:40 . 2007-10-22 18:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll
2008-01-06 12:33 . 2008-01-08 21:38 38 --a------ C:\WINDOWS\AviSplitter.INI
2008-01-04 19:59 . 2008-01-04 20:01 <DIR> d-------- C:\Program Files\Microsoft Money 2007
2008-01-04 19:16 . 2008-01-04 19:16 <DIR> d-------- C:\Program Files\ZSoft
2008-01-04 18:02 . 2008-01-04 18:02 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-01-04 18:02 . 2008-01-06 12:50 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Intuit
2008-01-04 18:01 . 2006-04-12 10:11 1,933,312 --a------ C:\WINDOWS\system32\cdintf251.dll
2008-01-04 17:58 . 2008-01-04 19:22 <DIR> d-------- C:\Program Files\Intuit
2008-01-04 17:58 . 2008-01-06 12:40 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-01-04 17:58 . 2008-01-06 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-01-04 17:56 . 2008-01-04 17:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-04 17:56 . 2008-01-04 17:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-01-03 22:05 . 2008-01-03 22:05 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-03 19:04 . 2008-01-03 19:04 <DIR> d-------- C:\Program Files\Handbrake
2008-01-03 19:02 . 2008-01-03 19:02 <DIR> d-------- C:\Program Files\MSBuild
2008-01-03 18:59 . 2008-01-11 18:07 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-03 18:59 . 2008-01-03 18:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-01-03 18:59 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-03 18:55 . 2008-01-03 18:56 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-01-01 13:04 . 2008-01-01 13:04 <DIR> d-------- C:\Program Files\LimeWire
2008-01-01 13:04 . 2008-01-01 13:04 <DIR> d-------- C:\Documents and Settings\Eric\Incomplete
2008-01-01 13:04 . 2008-01-03 19:09 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\LimeWire
2008-01-01 12:59 . 2008-01-01 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-28 16:30 . 2007-12-28 16:30 <DIR> d-------- C:\Program Files\XP Codec Pack
2007-12-28 16:30 . 2007-12-28 16:30 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Media Player Classic
2007-12-28 16:30 . 2007-08-17 23:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2007-12-26 21:05 . 2007-12-27 14:51 <DIR> d-------- C:\Program Files\Steam
2007-12-25 23:40 . 2007-12-25 23:40 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-12-25 21:44 . 2007-12-25 21:44 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2007-12-24 12:22 . 2007-12-24 12:22 <DIR> d-------- C:\Program Files\Maxis
2007-12-24 12:22 . 2007-12-24 12:22 533 --a------ C:\WINDOWS\eReg.dat
2007-12-24 01:42 . 2007-12-24 01:42 <DIR> d-------- C:\WINDOWS\Sun
2007-12-24 01:42 . 2007-12-24 01:55 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-12-24 01:42 . 2007-12-24 01:42 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\SystemRequirementsLab
2007-12-24 01:41 . 2007-12-24 01:41 <DIR> d-------- C:\Program Files\Java
2007-12-24 01:41 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-24 01:40 . 2007-12-24 01:40 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-24 01:40 . 2007-12-24 01:41 671 --a------ C:\WINDOWS\mozver.dat
2007-12-23 13:47 . 2007-12-23 13:47 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Canon
2007-12-22 21:52 . 2007-12-22 22:11 <DIR> d-------- C:\Program Files\Xfire
2007-12-22 21:52 . 2008-01-13 00:16 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Xfire
2007-12-22 16:58 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-21 14:38 . 2008-01-09 18:14 <DIR> d-------- C:\Program Files\iTunes
2007-12-21 14:38 . 2007-12-21 14:38 <DIR> d-------- C:\Program Files\iPod
2007-12-21 14:37 . 2007-12-21 14:37 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-21 14:37 . 2007-12-21 14:37 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-21 14:37 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-21 14:30 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-21 14:30 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-19 16:12 . 2007-12-19 16:13 <DIR> d-------- C:\Program Files\Total Training
2007-12-19 16:06 . 2007-12-19 16:06 <DIR> d-------- C:\Program Files\QuickTime
2007-12-19 16:06 . 2007-12-19 16:06 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-19 16:06 . 2007-12-19 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-19 16:03 . 2007-12-27 19:22 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Apple Computer
2007-12-19 15:52 . 2008-01-15 19:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-19 15:52 . 2007-12-19 15:52 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 15:49 . 2007-12-21 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-19 14:26 . 2008-01-11 18:09 <DIR> d-------- C:\TEMP
2007-12-19 14:17 . 2007-12-19 14:17 408 --a------ C:\WINDOWS\PowerReg.dat
2007-12-19 14:16 . 2007-12-19 14:16 <DIR> d-------- C:\WINDOWS\Corel
2007-12-19 14:16 . 2007-12-19 14:18 <DIR> d-------- C:\Program Files\KnockOut 2
2007-12-19 01:31 . 2008-01-09 17:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-19 01:31 . 2008-01-09 17:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-19 01:31 . 2008-01-09 17:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-19 01:30 . 2008-01-09 18:23 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-19 01:27 . 2008-01-09 18:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-19 01:27 . 2007-12-19 01:27 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\SUPERAntiSpyware.com
2007-12-19 01:27 . 2007-12-19 01:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-19 01:26 . 2007-12-19 01:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-18 01:45 . 2007-12-18 01:45 <DIR> d-------- C:\Program Files\Winamp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 07:19 --------- d-----w C:\Documents and Settings\Eric\Application Data\uTorrent
2008-01-15 06:54 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-14 06:46 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-14 06:46 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-13 09:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 02:13 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-01-10 02:07 --------- d-----w C:\Program Files\Bonjour
2008-01-08 21:46 --------- d-----w C:\Program Files\Starcraft
2007-12-24 09:42 --------- d-----w C:\Documents and Settings\Eric\Application Data\IGN_DLM
2007-12-18 07:56 --------- d-----w C:\Documents and Settings\Eric\Application Data\foobar2000
2007-12-17 02:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-15 07:07 --------- d-----w C:\Documents and Settings\Eric\Application Data\Mp3tag
2007-12-15 07:06 --------- d-----w C:\Program Files\Mp3tag
2007-12-15 06:52 --------- d-----w C:\Program Files\foobar2000
2007-12-15 04:45 --------- d-----w C:\Program Files\Creative
2007-12-15 04:43 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-14 21:43 --------- d-----w C:\Program Files\America's Army Server Manager
2007-12-14 21:43 --------- d-----w C:\Program Files\America's Army
2007-12-14 15:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2007-12-14 15:29 --------- d-----w C:\Program Files\uTorrent
2007-12-14 07:07 --------- d-----w C:\Program Files\Citrix
2007-12-14 07:07 --------- d-----w C:\Documents and Settings\Eric\Application Data\ICAClient
2007-12-14 06:30 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-14 03:36 --------- d-----w C:\Program Files\SpeedFan
2007-12-14 03:07 --------- d-----w C:\Program Files\RegCleaner
2007-12-14 02:52 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-14 02:47 --------- d-----w C:\Program Files\Ahead
2007-12-14 02:45 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-13 23:52 70,656 ----a-w C:\WINDOWS\ScUnin.exe
2007-12-13 21:54 --------- d-----w C:\Documents and Settings\Eric\Application Data\ImgBurn
2007-12-13 21:53 --------- d-----w C:\Program Files\ImgBurn
2007-12-13 08:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-13 08:19 --------- d-----w C:\Program Files\2K Games
2007-12-13 08:19 --------- d-----w C:\Documents and Settings\Eric\Application Data\InstallShield
2007-12-13 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-13 00:26 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-13 00:23 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-13 00:23 --------- d--h--r C:\Documents and Settings\Eric\Application Data\SecuROM
2007-12-13 00:22 22,328 ----a-w C:\Documents and Settings\Eric\Application Data\PnkBstrK.sys
2007-12-13 00:15 --------- d-----w C:\Program Files\Activision
2007-12-12 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-12 17:53 --------- d-----w C:\Program Files\Microsoft Works
2007-12-12 17:38 --------- d-----w C:\Program Files\Common Files\Control Panels
2007-12-12 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2007-12-12 17:24 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-12 17:20 --------- d-----w C:\Program Files\Download Manager
2007-12-12 16:52 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-12 16:29 --------- d-----w C:\Program Files\Canon
2007-12-12 16:27 --------- d--h--w C:\Program Files\CanonBJ
2007-12-12 16:27 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2007-12-12 16:25 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-12-12 16:25 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-12-12 16:25 --------- d-----w C:\Documents and Settings\Eric\Application Data\Creative
2007-12-12 16:24 --------- d-----w C:\Program Files\CCleaner
2007-12-12 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2007-12-12 16:13 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-05 10:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.exe
2007-12-05 09:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 09:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 09:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 09:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 09:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 09:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 09:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 09:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 09:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 09:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 09:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 09:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 09:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 09:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 09:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 09:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 09:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 09:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 09:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 09:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 09:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 09:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 09:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 09:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 09:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 09:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 09:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 09:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 09:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 09:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 09:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 09:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 09:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 09:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 09:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 09:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 13:57 1103480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 15:05 1410304]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"CTHelper"="CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 17:30 1191936]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"UpdReg"="C:\WINDOWS\UpdReg.exe" [2000-05-11 01:00 90112]
"Outpost Firewall"="C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" [2007-04-05 16:56 94720]
"OutpostFeedBack"="C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" [2007-06-28 13:18 335872]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-14 15:06]
R1 SandBox;Outpost Firewall Sandbox Driver;C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS [2007-06-26 19:01]
R1 VFILT;Outpost Firewall Kernel Driver;C:\Program Files\Agnitum\Outpost Firewall\kernel\FILTNT.SYS [2007-04-05 16:56]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\ADBLOCK.DLL [2007-04-05 16:57]
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\ARP.DLL [2007-04-05 16:57]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\CONTENT.DLL [2007-04-05 16:57]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\DNSCACHE.DLL [2007-04-05 16:57]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\FTPFILT.DLL [2007-04-05 16:57]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\HTMLFILT.DLL [2007-04-05 16:57]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\HTTPFILT.DLL [2007-04-05 16:57]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\IMAPFILT.DLL [2007-04-05 16:57]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\MAILFILT.DLL [2007-04-05 16:57]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\NNTPFILT.DLL [2007-04-05 16:57]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\POP3FILT.DLL [2007-04-05 16:57]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\PROTECT.DLL [2007-04-05 16:57]
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\SECRET.DLL [2007-04-05 16:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dc32d41-a852-11dc-9320-806d6172696f}]
\Shell\AutoRun\command - D:\Msetup4.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 18:47:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 22:24:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 22:25:13
.
2008-01-10 01:18:05 --- E O F ---
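
The "Files Created" section of the ComboFix log above is a creation-time timeline, and the poster judged it by eye. As an added example (the editor's code, not ComboFix output or anything from the thread), the script below parses that line layout into records and flags the binaries a reviewer would verify first: new kernel drivers, executables dropped directly into the Windows directory rather than a program folder, files whose modification time predates their creation time by more than a month (a file that was copied in from somewhere else rather than written on this machine), and binaries carrying the hidden attribute. The sample lines are copied from the log above except for the last one, a constructed `placeholder.sys` entry added so the hidden-attribute rule has input; the thresholds and rules are the editor's assumptions.

```python
"""Timeline triage for the "Files Created" section of a ComboFix log (editor's added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Record:
    created: datetime    # first timestamp on the line
    modified: datetime   # second timestamp, after the " . " separator
    size: Optional[int]  # None for <DIR> entries
    attrs: str           # nine-character attribute field, e.g. "--ah-----"
    path: str


@dataclass
class Finding:
    path: str
    reason: str


_LINE = re.compile(r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. '
                   r'(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) '
                   r'(?P<size><DIR>|[\d,]+) (?P<attrs>\S{9}) (?P<path>.*)$')
_STAMP = "%Y-%m-%d %H:%M"
_BINARY = (".exe", ".dll", ".sys", ".cpl", ".scr", ".ocx", ".drv")

# Constructed sample: lines copied from the log in the thread plus one placeholder
# driver entry (placeholder.sys, hidden attribute set) so every rule has input.
SAMPLE_CREATED = r"""
.
2008-01-15 22:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 16:14 . 2008-01-15 16:15 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-01-15 01:23 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-08 21:26 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-01-06 12:40 . 2007-10-22 18:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll
2008-01-04 19:59 . 2008-01-04 20:01 <DIR> d-------- C:\Program Files\Microsoft Money 2007
2007-12-19 15:52 . 2008-01-15 19:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-09 03:12 . 2008-01-09 03:12 14,336 --ah----- C:\WINDOWS\system32\drivers\placeholder.sys
"""


def parse_created(text: str) -> List[Record]:
    """Parse the section into records, oldest creation first. Lines that do not match
    the layout (section banners, '.' spacer lines) are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        records.append(Record(datetime.strptime(m["created"], _STAMP),
                              datetime.strptime(m["modified"], _STAMP),
                              size, m["attrs"], m["path"]))
    return sorted(records, key=lambda r: r.created)


def triage(records: List[Record], stale_days: int = 30) -> List[Finding]:
    """Flag binaries worth verifying by hand (signer, hash, the package that installed them).
    Directories and non-executable files are ignored; one file can yield several findings."""
    findings: List[Finding] = []
    for r in records:
        low = r.path.lower()
        if r.size is None or not low.endswith(_BINARY):
            continue
        if low.endswith(".sys"):
            findings.append(Finding(r.path, "new kernel driver: confirm its signer and installing package"))
        if re.fullmatch(r'c:\\windows\\[^\\]+', low):
            findings.append(Finding(r.path, "executable placed directly in the Windows directory, "
                                            "not in a program folder"))
        age = (r.created - r.modified).days
        if age > stale_days:
            findings.append(Finding(r.path, f"modification time predates creation by {age} days: "
                                            "the file was copied in, not written here; trace its origin"))
        if "h" in r.attrs:
            findings.append(Finding(r.path, "hidden attribute set on a binary"))
    return findings


if __name__ == "__main__":
    recs = parse_created(SAMPLE_CREATED)
    for r in recs:  # chronological view of what appeared on disk
        print(f"{r.created:%Y-%m-%d %H:%M}  {'<DIR>' if r.size is None else r.size:>9}  {r.path}")
    for f in triage(recs):
        print(f"  ! {f.path}: {f.reason}")
```

On the sample this flags `NirCmd.exe` and `unvise32.exe` (dropped straight into `C:\WINDOWS`, and both far older than their creation date), `tmcomm.sys` (a new driver whose modification date is months before it appeared), `InetClnt.dll` (copied in) and the constructed `placeholder.sys` (hidden driver). As with the log above, the real files here have benign explanations (`NirCmd.exe` is dropped by ComboFix itself, `tmcomm.sys` by the Trend Micro scan, the others by installers), which is the point of the exercise: the timeline tells you what to go and verify, not what is malicious.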

Download SDFix to your desktop from the following link:
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt.

