WMD RTC32.DLL Cannot SAFE MODE

wirosari · April 9, 2007

Dear PC PITSTOP,

My PC infected by Rootkit or Adware.

PC status right now :

- Heavy NETWORK Traffic

- Cannot SAFE MODE

- Vshield Mc.Afee services DISABLED

Trusted Advisor urgent help needed

FZWG or Jacee please come around.

Thanks,

Wirosari

ADAWARE SE said :

Ad-Aware SE Build 1.05

Logfile Created on:Monday, April 09, 2007 3:53:21 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R164 02.04.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):10 total references

Other(TAC index:5):1 total references

Win32.Sality(TAC index:10):38 total references

Win32.TrojanProxy.Agent.dl(TAC index:7):1 total references

Win32.TrojanSpy.Goldun(TAC index:10):7 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

4-9-2007 3:53:21 PM - Scan started. (Full System Scan)

MRU List Object Recognized!

Location: : C:\Documents and Settings\TresnaTan\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

MRU List Object Recognized!

Location: : C:\Documents and Settings\TresnaTan\recent

Description : list of recently opened documents

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru

Description : list of recent documents opened by microsoft word

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru

Description : list of recent documents saved by microsoft word

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\office\10.0\excel\recent files

Description : list of recent files used by microsoft excel

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\search assistant\acmru

Description : list of recent search terms used with the search assistant

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\nico mak computing\winzip\filemenu

Description : winzip recently used archives

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 488

ThreadCreationTime : 4-9-2007 4:50:45 AM

BasePriority : Normal

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 544

ThreadCreationTime : 4-9-2007 4:50:48 AM

BasePriority : Normal

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 572

ThreadCreationTime : 4-9-2007 4:50:51 AM

BasePriority : High

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 616

ThreadCreationTime : 4-9-2007 4:50:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

OriginalFilename : services.exe

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 628

ThreadCreationTime : 4-9-2007 4:50:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

OriginalFilename : lsass.exe

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 812

ThreadCreationTime : 4-9-2007 4:50:57 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:7 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 880

ThreadCreationTime : 4-9-2007 4:50:57 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1012

ThreadCreationTime : 4-9-2007 4:50:58 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1040

ThreadCreationTime : 4-9-2007 4:50:58 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:10 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1212

ThreadCreationTime : 4-9-2007 4:50:59 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (XPClient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

OriginalFilename : spoolsv.exe

#:11 [cdantsrv.exe]

FilePath : C:\WINDOWS\System32\DRIVERS\

ProcessID : 1624

ThreadCreationTime : 4-9-2007 4:51:05 AM

BasePriority : Normal

FileVersion : 3.25.010

ProductVersion : 3.25.010 Windows NT 2002/01/07

ProductName : CD-Secure/CD-Compress Windows NT

CompanyName : C-Dilla Ltd

FileDescription : C-Dilla RTS Service

InternalName : CDANTSRV

OriginalFilename : CDANTSRV.EXE

Comments : StringFileInfo: U.S. English

#:12 [inetinfo.exe]

FilePath : C:\WINDOWS\System32\inetsrv\

ProcessID : 1664

ThreadCreationTime : 4-9-2007 4:51:05 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Internet Information Services

CompanyName : Microsoft Corporation

FileDescription : Internet Information Services

InternalName : INETINFO.EXE

OriginalFilename : INETINFO.EXE

#:13 [nvsvc32.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1688

ThreadCreationTime : 4-9-2007 4:51:06 AM

BasePriority : Normal

FileVersion : 6.13.10.3082

ProductVersion : 6.13.10.3082

ProductName : NVIDIA Driver Helper Service, Version 30.82

CompanyName : NVIDIA Corporation

FileDescription : NVIDIA Driver Helper Service, Version 30.82

InternalName : NVSVC

OriginalFilename : nvsvc32.exe

#:14 [tcpsvcs.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1720

ThreadCreationTime : 4-9-2007 4:51:06 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : TCP/IP Services Application

InternalName : TCPSVCS.EXE

OriginalFilename : TCPSVCS.EXE

#:15 [snmp.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1736

ThreadCreationTime : 4-9-2007 4:51:06 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : SNMP Service

InternalName : snmp.exe

OriginalFilename : snmp.exe

#:16 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1752

ThreadCreationTime : 4-9-2007 4:51:07 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:17 [acrotray.exe]

FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\

ProcessID : 840

ThreadCreationTime : 4-9-2007 4:51:16 AM

BasePriority : Normal

FileVersion : 5, 0, 0, 0

ProductVersion : 5, 0, 0, 0

ProductName : AcroTray - Adobe Acrobat Distiller helper application.

CompanyName : Adobe Systems Inc.

FileDescription : AcroTray

InternalName : AcroTray

OriginalFilename : AcroTray.exe

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\System32\

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

"C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe"Process terminated successfully

#:18 [soffice.exe]

FilePath : C:\Program Files\OpenOffice.org 2.0\program\

ProcessID : 1020

ThreadCreationTime : 4-9-2007 4:51:20 AM

BasePriority : Normal

FileVersion : 1.09.9069

ProductVersion : 1.09.9069

CompanyName : OpenOffice.org

FileDescription : OpenOffice.org 2.0

InternalName : SOFFICE

OriginalFilename : SOFFICE.EXE

#:19 [soffice.bin]

FilePath : C:\Program Files\OpenOffice.org 2.0\program\

ProcessID : 1052

ThreadCreationTime : 4-9-2007 4:51:21 AM

BasePriority : Normal

FileVersion : 1.09.9069

ProductVersion : 1.09.9069

CompanyName : OpenOffice.org

FileDescription : OpenOffice.org 2.0

InternalName : SOFFICE

OriginalFilename : SOFFICE.EXE

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\System32\

#:20 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1600

ThreadCreationTime : 4-9-2007 8:50:20 AM

BasePriority : Normal

FileVersion : 6.00.2600.0000 (xpclient.010817-1148)

ProductVersion : 6.00.2600.0000

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

OriginalFilename : EXPLORER.EXE

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\System32\

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

#:21 [ad-aware.exe]

FilePath : C:\ADAWARE\Ad-Aware SE Personal\

ProcessID : 1368

ThreadCreationTime : 4-9-2007 8:53:13 AM

BasePriority : Normal

FileVersion : 6.2.0.206

ProductVersion : VI.Second Edition

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

OriginalFilename : Ad-Aware.exe

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\System32\

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 18

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 18

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 18

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 18

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.TrojanProxy.Agent.dl Object Recognized!

Type : File

Data : winpidn.exe

Category : Malware

Comment :

Object : C:\Documents and Settings\TresnaTan\Local Settings\Temp\

Win32.TrojanSpy.Goldun Object Recognized!

Type : File

Data : A0372822.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP509\

Win32.Sality Object Recognized!

Type : File

Data : A0372850.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\

Win32.Sality Object Recognized!

Type : File

Data : MFEX-16.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

Win32.Sality Object Recognized!

Type : File

Data : MFEX-18.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

Win32.Sality Object Recognized!

Type : File

Data : MFEX-21.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

Win32.Sality Object Recognized!

Type : File

Data : MFEX-22.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

Win32.Sality Object Recognized!

Type : File

Data : MFEX-23.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

Win32.Sality Object Recognized!

Type : File

Data : MFEX-24.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

Win32.Sality Object Recognized!

Type : File

Data : A0372896.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\

Win32.Sality Object Recognized!

Type : File

Data : A0372897.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\

Win32.Sality Object Recognized!

Type : File

Data : MFEX-16.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

Win32.Sality Object Recognized!

Type : File

Data : MFEX-18.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

Win32.Sality Object Recognized!

Type : File

Data : MFEX-21.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

Win32.Sality Object Recognized!

Type : File

Data : MFEX-22.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

Win32.Sality Object Recognized!

Type : File

Data : MFEX-23.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

Win32.Sality Object Recognized!

Type : File

Data : MFEX-24.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

Win32.Sality Object Recognized!

Type : File

Data : A0372957.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

Win32.Sality Object Recognized!

Type : File

Data : A0373002.rbf

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

Win32.Sality Object Recognized!

Type : File

Data : A0373007.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

Win32.Sality Object Recognized!

Type : File

Data : A0373188.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

Win32.Sality Object Recognized!

Type : File

Data : A0373189.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

Win32.Sality Object Recognized!

Type : File

Data : A0373242.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP513\

Win32.Sality Object Recognized!

Type : File

Data : A0373243.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP513\

Win32.Sality Object Recognized!

Type : File

Data : A0373283.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!

Type : File

Data : A0373444.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!

Type : File

Data : A0373445.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!

Type : File

Data : A0373461.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!

Type : File

Data : A0373539.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!

Type : File

Data : A0373540.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!

Type : File

Data : A0373541.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!

Type : File

Data : A0373548.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!

Type : File

Data : A0373549.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!

Type : File

Data : A0373550.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.TrojanSpy.Goldun Object Recognized!

Type : File

Data : A0373655.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!

Type : File

Data : rgoqmn.sys

Category : Malware

Comment :

Object : C:\WINDOWS\system32\drivers\

Win32.TrojanSpy.Goldun Object Recognized!

Type : File

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\system32\

Win32.Sality Object Recognized!

Type : File

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 56

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 56

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 56

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 57

4:00:52 PM Scan Complete

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:07:30.953

Objects scanned:136392

Objects identified:39

Objects ignored:0

New critical objects:39

HIJACKTHIS 99 said :

ComboScan log is here :

ComboScan v20070226.18 run by Tres on 2007-04-09 at 09:25:08

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- HijackThis Clone -------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1

Scan saved at 2007-04-09 09:25:29

Platform: Windows XP (5.01.2600)

MSIE: Internet Explorer (6.0.2600.0000)

Running processes:

C:\WINDOWS\system32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDANTSRV.EXE

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.bin

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\inetsrv\davcdata.exe

C:\Documents and Settings\TresnaTan\Local Settings\Temp\winwtqgpw.exe

C:\ADAWARE\VirTools\comboscan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.5000.1021\en-us\msntb.dll

O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\ADAWARE\CounterSpy\SBRC.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12

O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL

O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll

O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL

O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService

O23 - Service: Application Management (AppMgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: AVSync Manager (AvSynMgr) - "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe"

O23 - Service: Background Intelligent Transfer Service (BITS) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Computer Browser (Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: C-DillaSrv - C:\WINDOWS\system32\drivers\CDANTSRV.EXE

O23 - Service: Indexing Service (cisvc) - C:\WINDOWS\system32\cisvc.exe

O23 - Service: ClipBook (ClipSrv) - C:\WINDOWS\system32\clipsrv.exe

O23 - Service: COM+ System Application (COMSysApp) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

O23 - Service: Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: DHCP Client (Dhcp) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - C:\WINDOWS\System32\dmadmin.exe /com

O23 - Service: Logical Disk Manager (dmserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: DNS Client (Dnscache) - C:\WINDOWS\System32\svchost.exe -k NetworkService

O23 - Service: Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Event Log (Eventlog) - C:\WINDOWS\system32\services.exe

O23 - Service: COM+ Event System (EventSystem) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Help and Support (helpsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Human Interface Device Access (HidServ) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: IIS Admin (IISADMIN) - C:\WINDOWS\system32\inetsrv\inetinfo.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - C:\WINDOWS\system32\imapi.exe

O23 - Service: Infrared Monitor (Irmon) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Server (lanmanserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Workstation (lanmanworkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - C:\WINDOWS\System32\svchost.exe -k LocalService

O23 - Service: Macromedia Licensing Service - "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"

O23 - Service: Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - C:\WINDOWS\system32\mnmsrvc.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - C:\WINDOWS\system32\msdtc.exe

O23 - Service: Windows Installer (MSIServer) - C:\WINDOWS\System32\msiexec.exe /V

O23 - Service: Network DDE (NetDDE) - C:\WINDOWS\system32\netdde.exe

O23 - Service: Network DDE DSDM (NetDDEdsdm) - C:\WINDOWS\system32\netdde.exe

O23 - Service: Net Logon (Netlogon) - C:\WINDOWS\system32\lsass.exe

O23 - Service: Network Connections (Netman) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Network Location Awareness (NLA) (Nla) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: NT LM Security Support Provider (NtLmSsp) - C:\WINDOWS\system32\lsass.exe

O23 - Service: Removable Storage (NtmsSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Client Service for NetWare (NWCWorkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Plug and Play (PlugPlay) - C:\WINDOWS\system32\services.exe

O23 - Service: IPSEC Services (PolicyAgent) - C:\WINDOWS\system32\lsass.exe

O23 - Service: Protected Storage (ProtectedStorage) - C:\WINDOWS\system32\lsass.exe

O23 - Service: Remote Access Auto Connection Manager (RasAuto) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Remote Access Connection Manager (RasMan) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - C:\WINDOWS\system32\sessmgr.exe

O23 - Service: Routing and Remote Access (RemoteAccess) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Remote Registry (RemoteRegistry) - C:\WINDOWS\system32\svchost.exe -k LocalService

O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - C:\WINDOWS\system32\locator.exe

O23 - Service: Remote Procedure Call (RPC) (RpcSs) - C:\WINDOWS\system32\svchost -k rpcss

O23 - Service: QoS RSVP (RSVP) - C:\WINDOWS\system32\rsvp.exe

O23 - Service: Security Accounts Manager (SamSs) - C:\WINDOWS\system32\lsass.exe

O23 - Service: Smart Card Helper (SCardDrv) - C:\WINDOWS\system32\scardsvr.exe

O23 - Service: Smart Card (SCardSvr) - C:\WINDOWS\system32\scardsvr.exe

O23 - Service: Task Scheduler (Schedule) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Secondary Logon (seclogon) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: System Event Notification (SENS) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: Shell Hardware Detection (ShellHWDetection) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Simple TCP/IP Services (SimpTcp) - C:\WINDOWS\system32\tcpsvcs.exe

O23 - Service: Simple Mail Transfer Protocol (SMTP) (SMTPSVC) - C:\WINDOWS\system32\inetsrv\inetinfo.exe

O23 - Service: SNMP Service (SNMP) - C:\WINDOWS\system32\snmp.exe

O23 - Service: SNMP Trap Service (SNMPTRAP) - C:\WINDOWS\system32\snmptrap.exe

O23 - Service: Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe

O23 - Service: System Restore Service (srservice) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: SSDP Discovery Service (SSDPSRV) - C:\WINDOWS\System32\svchost.exe -k LocalService

O23 - Service: Windows Image Acquisition (WIA) (stisvc) - C:\WINDOWS\System32\svchost.exe -k imgsvc

O23 - Service: MS Software Shadow Copy Provider (SwPrv) - C:\WINDOWS\System32\dllhost.exe /Processid:{A7A4442A-5FF2-4273-9D3D-A8DF8D6AC966}

O23 - Service: Performance Logs and Alerts (SysmonLog) - C:\WINDOWS\system32\smlogsvc.exe

O23 - Service: Telephony (TapiSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Terminal Services (TermService) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Telnet (TlntSvr) - C:\WINDOWS\system32\tlntsvr.exe

O23 - Service: Distributed Link Tracking Client (TrkWks) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: Upload Manager (uploadmgr) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Universal Plug and Play Device Host (upnphost) - C:\WINDOWS\System32\svchost.exe -k LocalService

O23 - Service: Uninterruptible Power Supply (UPS) - C:\WINDOWS\system32\ups.exe

O23 - Service: Volume Shadow Copy (VSS) - C:\WINDOWS\system32\vssvc.exe

O23 - Service: Windows Time (W32Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: World Wide Web Publishing (W3SVC) - C:\WINDOWS\system32\inetsrv\inetinfo.exe

O23 - Service: WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService

O23 - Service: Windows Management Instrumentation (winmgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: Portable Media Serial Number (WmdmPmSp) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: WMI Performance Adapter (WmiApSrv) - C:\WINDOWS\system32\wbem\wmiapsrv.exe

O23 - Service: Automatic Updates (wuauserv) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: Wireless Zero Configuration (WZCSVC) - C:\WINDOWS\System32\svchost.exe -k netsvcs

-- Files created between 2007-03-09 and 2007-04-09 ------------------------------

2007-04-09 09:19:22 81920 --a------ C:\WINDOWS\System32\wmdconf32.dll<WMDCON~1.DLL>

2007-04-05 16:41:26 1923046 --a------ C:\WINDOWS\System32\SBSP.dat

2007-04-05 16:41:24 5477 --a------ C:\WINDOWS\System32\drivers\rgoqmn.sys

2007-04-05 16:41:14 313 --a------ C:\WINDOWS\System32\SBRC.dat

2007-04-05 16:41:14 306 --a------ C:\WINDOWS\System32\SBFC.dat

2007-04-05 16:41:13 40960 --a------ C:\WINDOWS\System32\wmdrtc32.dll

2007-04-05 16:40:26 54200 --a------ C:\WINDOWS\System32\drivers\sbapifs.sys

2007-04-04 11:14:25 0 d-------- C:\Documents and Settings\TresnaTan\DoctorWeb<DOCTOR~1>

2007-04-04 09:50:54 0 d-------- c:\!KillBox

2007-03-21 08:08:01 0 d-------- C:\Program Files\Common Files\Nero

2007-03-21 08:07:36 241664 --a------ C:\WINDOWS\System32\mpg4dmod.dll

2007-03-21 08:07:36 384512 --a------ C:\WINDOWS\System32\mp4sdmod.dll

2007-03-21 08:07:36 316040 --a------ C:\WINDOWS\System32\mp43dmod.dll

2007-03-21 08:07:35 816264 --a------ C:\WINDOWS\System32\wmvdmod.dll

2007-03-21 08:07:35 486536 --a------ C:\WINDOWS\System32\wmspdmod.dll

2007-03-21 08:07:34 997888 --a------ C:\WINDOWS\System32\wmvdmoe2.dll

2007-03-21 08:07:34 892416 --a------ C:\WINDOWS\System32\wmspdmoe.dll

2007-03-21 08:07:34 1111040 --a------ C:\WINDOWS\System32\wmsdmoe2.dll

2007-03-21 08:07:34 760968 --a------ C:\WINDOWS\System32\wmsdmod.dll

2007-03-21 08:07:34 410248 --a------ C:\WINDOWS\System32\wmadmod.dll

2007-03-21 08:07:33 670208 --a------ C:\WINDOWS\System32\wmadmoe.dll

2007-03-21 08:07:33 241664 --a------ C:\WINDOWS\System32\qasf.dll

2007-03-21 08:07:33 6656 --a------ C:\WINDOWS\System32\laprxy.dll

2007-03-21 08:07:32 981504 --a------ C:\WINDOWS\System32\wmnetmgr.dll

2007-03-21 08:07:32 143360 --a------ C:\WINDOWS\System32\wmidx.dll

2007-03-21 08:07:32 81408 --a------ C:\WINDOWS\System32\logagent.exe

2007-03-21 08:07:31 2058888 --a------ C:\WINDOWS\System32\wmvcore.dll

2007-03-21 08:07:30 218112 --a------ C:\WINDOWS\System32\wmasf.dll

2007-03-21 08:07:28 253952 --a------ C:\WINDOWS\System32\msnetobj.dll

2007-03-21 08:07:28 232960 --a------ C:\WINDOWS\System32\blackbox.dll

2007-03-21 08:07:27 678912 --a------ C:\WINDOWS\System32\drmv2clt.dll

2007-03-21 08:07:27 82432 --a------ C:\WINDOWS\System32\drmstor.dll

2007-03-21 08:07:26 301712 --a------ C:\WINDOWS\System32\drmclien.dll

2007-03-21 08:06:12 106496 --a------ C:\WINDOWS\System32\TwnLib20.dll

2007-03-21 08:06:09 471040 -----n--- C:\WINDOWS\System32\ImagXRA7.dll

2007-03-21 08:06:08 262144 -----n--- C:\WINDOWS\System32\ImagXR7.dll

2007-03-21 08:06:08 476320 -----n--- C:\WINDOWS\System32\ImagXpr7.dll

2007-03-21 08:06:08 1568768 -----n--- C:\WINDOWS\System32\ImagX7.dll

2007-03-21 08:06:07 184320 --a------ C:\WINDOWS\System32\NeroCheck.exe<NEROCH~1.EXE>

2007-03-21 08:06:00 0 d-------- C:\Program Files\Common Files\Ahead

2007-03-13 17:57:51 0 d---s---- C:\Documents and Settings\TresnaTan\UserData

-- Find3M Report ----------------------------------------------------------------

2007-04-09 08:21:59 0 d-------- C:\Documents and Settings\TresnaTan\Application Data\OpenOffice.org2<OPENOF~1.ORG>

2007-03-30 08:37:39 0 d-------- C:\Documents and Settings\TresnaTan\Application Data\Identities<IDENTI~1>

2007-03-21 08:06:13 0 d-------- C:\Program Files\Ahead

2007-03-09 15:54:03 0 d-------- C:\Documents and Settings\TresnaTan\Application Data\Canon

-- Registry Dump ----------------------------------------------------------------

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"SBRegRebootCleaner"="C:\\ADAWARE\\CounterSpy\\SBRC.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="msmsgs"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="RUNDLL32"

"hkey"="HKLM"

"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="nwiz"

"hkey"="HKLM"

"command"="nwiz.exe /install"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="winampa"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Winamp3\\winampa.exe\""

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\

NetworkService REG_MULTI_SZ DnsCache\

rpcss REG_MULTI_SZ RpcSs\

imgsvc REG_MULTI_SZ StiSvc\

termsvcs REG_MULTI_SZ TermService\

-- End of ComboScan: finished at 2007-04-09 at 09:25:39 -------------------------

FZWG · April 9, 2007

Please download HaxFix.exe

Save it to the Desktop.

Double click on haxfix.exe to install.
Check: "Create a desktop icon"
Click: "Next"
When the installation is completed, make sure "Launch HaxFix" is checked.
Click "Finish"

A red "DOS window" opens with options:

1. Make logfile

2. Run auto fix

3. Run manual fix

E. Exit Haxfix

Select option Option 2, Run auto fix by typing 2 and then pressing Enter
Haxfix starts scanning the computer, and performs a reboot
When finished, a logfile opens: haxlog.txt
Please copy the contents of the logfile and provide them in your reply. (c:\haxfix.txt)

====

Next, download SuperAntiSpyware Home Edition Free Version

http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Install the program

Run SuperAntiSpyware and click: Check for updates

Once the update is finished, on the main screen, click: Scan your computer

Check: Perform Complete Scan

Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.

Make sure everything found has a check next to it, and press: Next

Click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:

Click: Preferences

Click the Statistics/Logs tab

Under Scanner Logs, double-click SuperAntiSpyware Scan Log

It opens in your default text editor (such as Notepad)

====

Please post the contents of C:\haxfix.txt, the SuperAntiSpyware log, and a new HijackThis log.

wirosari · April 10, 2007

Dear FZWG,

Hope you still here at these hours.

Here is the Log

(Sorry, other log while in progress...)

HAXFIX logfile - by Marckie

version 4.39

Tue 04/10/2007 9:47:16.34

--- Auto Haxdoorfix ---

searching for files:

no infections found

--- Goldunfix ---

searching for files:

wmdconf32.dll

checking iexplore.exe

iexplore.exe is not infected

searching for SSODLkeys:

no SSODLkeys found

searching for notifykeys:

no notifykeys found

searching for services:

no services found

.....rebooting the computer.....

searching for ssodlkeys

not needed

searching for notifykeys

not needed

searching for services

not needed

searching for safeboot services

not needed

searching for files

wmdconf32.dll exists

deleting wmdconf32.dll

wmdconf32.dll has been deleted

checking for other files

No other files found

checking for a3d files

no a3d files found

Finished

Thank you Mr. Advisor to support us!

Edited April 10, 2007 by wirosari

FZWG · April 10, 2007

HaxFix did its thing.

Next, post the SuperAntiSpyware log, and a new HijackThis log when you can.

By the way, you have some serious infections on that system as a result of not keeping Windows updated!! :nono:

The malware has exploited the security holes in an unpatched version of XP and may be impossible to fix permanently.

Please go to the Windows Update site and install Service Pack 1a followed by all available critical and security patches:

http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

Reboot after applying the update.

wirosari · April 10, 2007

Dear Sir,

This is the SuperAntiSpyware Log.

Thanks a lot for enlightment!

SUPERAntiSpyware Scan Log

Generated 04/10/2007 at 10:24 AM

Application Version : 3.6.1000

Core Rules Database Version : 3216

Trace Rules Database Version: 1226

Scan type : Complete Scan

Total Scan Time : 00:24:45

Memory items scanned : 376

Memory threats detected : 0

Registry items scanned : 4418

Registry threats detected : 0

File items scanned : 25360

File threats detected : 5

Trojan.Unknown Origin

C:\DOCUMENTS AND SETTINGS\TRESNATAN\LOCAL SETTINGS\TEMP\WINNHYMHK.EXE

C:\DOCUMENTS AND SETTINGS\TRESNATAN\LOCAL SETTINGS\TEMP\WINOVGAA.EXE

Spyware.PWS-Kuku/Resident

C:\SYSTEM VOLUME INFORMATION\_RESTORE{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\A0373911.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\A0374104.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\A0375311.DLL

Edited April 10, 2007 by wirosari

wirosari · April 10, 2007

Dear Advisor,

I try AVZ Anti Viral Toolkit by Oleg Zaytsev to Restore my Safe Mode.

The PC now can be in Safe Mode.

But the connection still busy/active!

The HJT Log looks like this :

Logfile of HijackThis v1.99.1

Scan saved at 11:06:32 AM, on 4/10/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\ADAWARE\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\ADAWARE\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\ADAWARE\CounterSpy\SBRC.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\ADAWARE\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12

O20 - Winlogon Notify: !SASWinLogon - C:\ADAWARE\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited April 10, 2007 by wirosari

wirosari · April 10, 2007

Dear advisor,

AVZ Anti viral seems clean it, and restore registry of Safe Mode.

These procedure has been done.

But Ad-aware still detected these 2 files.

The networks still heavy.

Please advice and thanks

FZWG · April 10, 2007

AdAware still detected these 2 files

Which files is it detecting???

Please run the AdAware program again, and post its Full System Scan results.

Also, you are still in the hole...you have not installed SP1.

If you do not, we are just doing this routine for exercise.

You will be infected again, and again, and again, and again, and again, and again...... Posted Image

Edited April 10, 2007 by FZWG

wirosari · April 11, 2007

Which files is it detecting???

Dear advisor,

the file is :

File : c:\windows\system32\WMDRTC32.DLL

File : c:\windows\system32\drivers\RGOQMN.SYS

I will update the hole, but since the traffic crowded, it is rather difficult

Thanks for support.

The Ad-Aware mention this :

Ad-Aware SE Build 1.05

Logfile Created on:Wednesday, April 11, 2007 9:59:20 AM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R164 02.04.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Sality(TAC index:10):8 total references

Win32.TrojanSpy.Goldun(TAC index:10):1 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

4-11-2007 9:59:20 AM - Scan started. (Full System Scan)

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 480

ThreadCreationTime : 4-11-2007 2:54:37 AM

BasePriority : Normal

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 536

ThreadCreationTime : 4-11-2007 2:54:39 AM

BasePriority : Normal

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 568

ThreadCreationTime : 4-11-2007 2:54:42 AM

BasePriority : High

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 616

ThreadCreationTime : 4-11-2007 2:54:43 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

OriginalFilename : services.exe

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 628

ThreadCreationTime : 4-11-2007 2:54:43 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

OriginalFilename : lsass.exe

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 796

ThreadCreationTime : 4-11-2007 2:54:43 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:7 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 864

ThreadCreationTime : 4-11-2007 2:54:43 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 996

ThreadCreationTime : 4-11-2007 2:54:44 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1112

ThreadCreationTime : 4-11-2007 2:54:48 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:10 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1248

ThreadCreationTime : 4-11-2007 2:54:49 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (XPClient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

OriginalFilename : spoolsv.exe

#:11 [cdantsrv.exe]

FilePath : C:\WINDOWS\System32\DRIVERS\

ProcessID : 1404

ThreadCreationTime : 4-11-2007 2:54:53 AM

BasePriority : Normal

FileVersion : 3.25.010

ProductVersion : 3.25.010 Windows NT 2002/01/07

ProductName : CD-Secure/CD-Compress Windows NT

CompanyName : C-Dilla Ltd

FileDescription : C-Dilla RTS Service

InternalName : CDANTSRV

OriginalFilename : CDANTSRV.EXE

Comments : StringFileInfo: U.S. English

#:12 [inetinfo.exe]

FilePath : C:\WINDOWS\System32\inetsrv\

ProcessID : 1436

ThreadCreationTime : 4-11-2007 2:54:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Internet Information Services

CompanyName : Microsoft Corporation

FileDescription : Internet Information Services

InternalName : INETINFO.EXE

OriginalFilename : INETINFO.EXE

#:13 [nvsvc32.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1468

ThreadCreationTime : 4-11-2007 2:54:53 AM

BasePriority : Normal

FileVersion : 6.13.10.3082

ProductVersion : 6.13.10.3082

ProductName : NVIDIA Driver Helper Service, Version 30.82

CompanyName : NVIDIA Corporation

FileDescription : NVIDIA Driver Helper Service, Version 30.82

InternalName : NVSVC

OriginalFilename : nvsvc32.exe

#:14 [tcpsvcs.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1508

ThreadCreationTime : 4-11-2007 2:54:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : TCP/IP Services Application

InternalName : TCPSVCS.EXE

OriginalFilename : TCPSVCS.EXE

#:15 [snmp.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1524

ThreadCreationTime : 4-11-2007 2:54:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : SNMP Service

InternalName : snmp.exe

OriginalFilename : snmp.exe

#:16 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1560

ThreadCreationTime : 4-11-2007 2:54:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:17 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 540

ThreadCreationTime : 4-11-2007 2:55:13 AM

BasePriority : High

FileVersion : 6.00.2600.0000 (xpclient.010817-1148)

ProductVersion : 6.00.2600.0000

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

OriginalFilename : EXPLORER.EXE

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

"C:\WINDOWS\Explorer.EXE"Process terminated successfully

#:18 [ad-aware.exe]

FilePath : C:\ADAWARE\Ad-Aware SE Personal\

ProcessID : 688

ThreadCreationTime : 4-11-2007 2:55:13 AM

BasePriority : Normal

FileVersion : 6.2.0.206

ProductVersion : VI.Second Edition

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

OriginalFilename : Ad-Aware.exe

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Sality Object Recognized!

Type : File

Data : temp.fr22C3

Category : Malware

Comment :

Object : C:\Documents and Settings\TresnaTan\Local Settings\Temp\

Win32.Sality Object Recognized!

Type : File

Data : temp.frA8D6

Category : Malware

Comment :

Object : C:\Documents and Settings\TresnaTan\Local Settings\Temp\

Win32.TrojanSpy.Goldun Object Recognized!

Type : File

Data : A0376288.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP515\

Win32.Sality Object Recognized!

Type : File

Data : A0376296.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP515\

Win32.Sality Object Recognized!

Type : File

Data : A0376297.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP515\

Win32.Sality Object Recognized!

Type : File

Data : rgoqmn.sys

Category : Malware

Comment :

Object : C:\WINDOWS\system32\drivers\

Win32.Sality Object Recognized!

Type : File

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 9

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 9

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 9

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 9

10:08:19 AM Scan Complete

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:08:58.937

Objects scanned:137676

Objects identified:7

Objects ignored:0

New critical objects:7

FZWG · April 11, 2007

Let's get rid of what is in this Temp folder:

C:\Documents and Settings\TresnaTan\Local Settings\Temp

Please launch Notepad, (Start > Run, type in: notepad)

Copy/paste the blue text below to it:

del %windir%\temp\*.* /f

del C:\Documents and Settings\*\local settings\temp\*.* /f

In Notepad, go to File (upper menu bar), and select: Save as

In the Save as prompt:

Save in: Desktop

File Name: clean.bat

Save as Type: All files

Click: Save

Exit out of Notepad.

Next, on the Desktop, double click on clean.bat

====

To remove the bogus driver and file:

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to the Desktop

2. Copy the blue text below by highlighting it and pressing (Ctrl+C):

Files to Delete

C:\WINDOWS\system32\wmdrtc32.dll

Drivers to delete

rgoqmn.sys

3. Now, start The Avenger program by clicking on its icon on the Desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which opens a new window titled "View/edit script"
Paste the blue text copied into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger automatically does the following:

It restarts the computer, and in cases where the code to execute contains Drivers to Unload, the Avenger actually restarts the system twice.
On reboot, it briefly opens a black command window on the Desktop, and this is normal.
After the restart, it creates and opens a log file with the results of Avenger’s actions. This log file is located at C:\avenger.txt
The Avenger also backs up all the files, etc., it deletes, and zips them and moves the zip archives to C:\avenger\backup.zip

Please provide the content of C:\avenger.txt in your reply along with a new HJT log .

wirosari · April 11, 2007

Dear advisor,

It seem that, even in the SAFE MODE.

the file WMDRTC32DLL still active!

The log is like this :

ÿþL o g f i l e o f T h e A v e n g e r v e r s i o n 1 , b y S w a n d o g 4 6

R u n n i n g f r o m r e g i s t r y k e y :

\ R e g i s t r y \ M a c h i n e \ S y s t e m \ C u r r e n t C o n t r o l S e t \ S e r v i c e s \ k l a n p s u g

* * * * * * * * * * * * * * * * * * *

S c r i p t f i l e l o c a t e d a t : \ ? ? \ C : \ W I N D O W S \ b x n w i o u m . t x t

S c r i p t f i l e o p e n e d s u c c e s s f u l l y .

S c r i p t f i l e r e a d s u c c e s s f u l l y

B a c k u p s d i r e c t o r y o p e n e d s u c c e s s f u l l y a t C : \ A v e n g e r

* * * * * * * * * * * * * * * * * * *

B e g i n n i n g t o p r o c e s s s c r i p t f i l e :

F i l e C : \ W I N D O W S \ s y s t e m 3 2 \ w m d r t c 3 2 . d l l d e l e t e d s u c c e s s f u l l y .

F i l e D r i v e r s t o d e l e t e : n o t f o u n d !

D e l e t i o n o f f i l e D r i v e r s t o d e l e t e : f a i l e d !

C o u l d n o t p r o c e s s l i n e :

D r i v e r s t o d e l e t e :

S t a t u s : 0 x c 0 0 0 0 0 3 4

F i l e C : \ W I N D O W S \ s y s t e m 3 2 \ d r i v e r s \ r g o q m n . s y s d e l e t e d s u c c e s s f u l l y .

C o m p l e t e d s c r i p t p r o c e s s i n g .

* * * * * * * * * * * * * * * * * * *

F i n i s h e d ! T e r m i n a t e .

the HJT log is :

Logfile of HijackThis v1.99.1

Scan saved at 4:26:06 PM, on 4/11/2007