This topic is locked.

#16 Buckeye_Sam (Malware Expert, 10,019 posts)
These folders are still present.

C:\Documents and Settings\sm\Application Data\SystemDoctor 2006 Free
C:\Program Files\SystemDoctor 2006 Free



Did you run Gmer yet?

#17 morlet (Topic Starter, 20 posts)
Hi

I am trying to download GMER but it keeps crashing all the time and I have to restart the computer. Pop-ups are worse now. While I was trying to download GMER there were 32 windows waiting in the bar at the bottom. Will keep trying.

#18 morlet (Topic Starter, 20 posts)
I am not able to download GMER at the moment. I have tried about 10 times and it is not happening. The icon that normally rotates in the top right-hand corner stops and nothing else happens. I will keep trying. Is it possible to download it onto a memory stick on another computer and then load it onto this one?

#19 Buckeye_Sam (Malware Expert, 10,019 posts)
Yes, you can download from another computer and move it over.

I don't know if it will make any difference, but here is another rootkit detector that you can try.

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the RootkitRevealer folder and double-click RootkitRevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go to File > Save. Choose to save the log to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
Please don't surf or do anything else during the scan with RootkitRevealer, or it may interfere with the results and show legitimate entries.


I'd still like to see a Gmer log though if at all possible.

#20 morlet (Topic Starter, 20 posts)
Still not able to download GMER.

Tried to download Rootkit Revealer. It says 'The feature you are trying to use is on a CD-ROM or other removable disk that is not available. Insert the Microsoft Office 2000 Premium disk and click OK.'

I tried with a blank CD and it says the Microsoft Office 2000 Premium is not a valid installation package for the product Microsoft Office 2000 Premium. Try to find the installation package 'DATA.MS1' in a folder from which you can install Microsoft Office 2000 Premium.

HELP!!

#21 Buckeye_Sam (Malware Expert, 10,019 posts)
I just sent you a PM.


Were you able to delete these folders for good yet?

C:\Documents and Settings\sm\Application Data\SystemDoctor 2006 Free
C:\Program Files\SystemDoctor 2006 Free



Give me an update on how your computer is working now.
It's unusual that you would not be able to download or run these tools. Are you having other problems besides the pop-ups?

#22 morlet (Topic Starter, 20 posts)
Hi Sam,

When I copy and paste the folders you say are still there in search my computer, it is telling me they are not found. Thank you for the GMER link. I hope I have done it right as I am not the most computer literate person.

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-25 16:10:46
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.10 ----

SSDT 814FD908 ZwConnectPort

---- Processes - GMER 1.0.10 ----

Process C:\winnt\system32\kafctmrd.exe (*** hidden *** ) 1192 <-- ROOTKIT !!!
Library C:\winnt\system32\kafctmrd.exe (*** hidden *** ) @ C:\winnt\system32\kafctmrd.exe [1192] 0x00400000 <-- ROOTKIT !!!

---- Registry - GMER 1.0.10 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected] c:\winnt\system32\kafctmrd.exe kafctmrd
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected] c:\winnt\system32\kafctmrd.exe kafctmrd

---- Files - GMER 1.0.10 ----

File C:\WINNT\system32\kafctmrd.exe
File C:\WINNT\system32\kafctmrd.dat
File C:\WINNT\system32\kafctmrd_navps.dat
File C:\WINNT\system32\kafctmrd_nav.dat

---- EOF - GMER 1.0.10 ----


You asked how the computer is running. It's much slower than normal and pop-ups continue. It also crashes quite a bit (if that is the right term); it just comes to a standstill, and that didn't happen before.

Many thanks for all your help.

#23 Buckeye_Sam (Malware Expert, 10,019 posts)
Let's try this the easy way first.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINNT\system32\kafctmrd.exe
    C:\WINNT\system32\kafctmrd.dat
    C:\WINNT\system32\kafctmrd_navps.dat
    C:\WINNT\system32\kafctmrd_nav.dat




  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.

==========


Please post a new log from Combofix.
That is where those folders will show up if they are still there.

#24 morlet (Topic Starter, 20 posts)
Hi

I have a problem downloading the Killbox link. It says check address, connection or firewall.

I have typed in the address that comes up when I try to download from the link on the internet and it says page not available.

If you can specify exactly which one I need I will try and download it from the internet.

Thanks

#25 morlet (Topic Starter, 20 posts)
It worked when I tried again. Here is the Killbox log.

Pocket Killbox version 2.0.0.648
Running on Windows 2000 as sm(Administrator)
was started @ Saturday, August 26, 2006, 12:15 PM

# 1 [Delete on Reboot]
Path = C:\WINNT\system32\kafctmrd.exe


# 2 [Delete on Reboot]
Path = C:\WINNT\system32\kafctmrd.dat


# 3 [Delete on Reboot]
Path = C:\WINNT\system32\kafctmrd_navps.dat


# 4 [Delete on Reboot]
Path = C:\WINNT\system32\kafctmrd_nav.dat


I Rebooted @ 12:19:36 PM
Pocket Killbox version 2.0.0.648
Running on Windows 2000 as sm(Administrator)
was started @ Saturday, August 26, 2006, 12:24 PM

Here is the ComboFix log.

sm - Sat 2006-08-26 12:29:51.40
ComboFix 06.08.24 - Running from: C:\Documents and Settings\sm\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-26 to 2006-08-26 ))))))))))))))))))))))))))))))))))


2006-08-13 16:57 1,060,864 --a------ C:\WINNT\system32\mfc71.dll
2006-08-11 18:06 82,432 --a------ C:\WINNT\system32\drmstor.dll
2006-08-11 18:06 301,712 --a------ C:\WINNT\system32\drmclien.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-20 13:10 -------- d-------- C:\Program Files\Hijackthis
2006-08-17 12:01 28672 --a------ C:\WINNT\system32\drivers\CO_Mon.sys
2006-08-14 12:27 -------- d-------- C:\Documents and Settings\sm\Application Data\SystemDoctor 2006 Free
2006-08-13 16:57 -------- d-------- C:\Program Files\SystemDoctor 2006 Free
2006-07-29 16:57 -------- d-------- C:\Program Files\Real
2006-07-29 16:56 -------- d-------- C:\Documents and Settings\sm\Application Data\Real
2006-07-25 06:08 840976 --a------ C:\WINNT\system32\mmcndmgr.dll
2006-07-21 16:08 72704 --a------ C:\WINNT\system32\hlink.dll
2006-07-06 12:45 96528 --a------ C:\WINNT\system32\dnsrslvr.dll
2006-07-06 11:52 613648 --a------ C:\WINNT\system32\mmc.exe
2006-06-16 08:05 1713536 --a------ C:\WINNT\system32\NTKRNLPA.EXE
2006-06-16 08:04 1690880 --a------ C:\WINNT\system32\NTOSKRNL.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"WinFaxAppPortStarter"="wfxsnt40.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\BTBROA~1\\HELP\\SMARTB~1\\BTHelpNotifier.exe"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 205 ADSL Router\\Adsl\\dslagent.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"projselector"="\"C:\\Program Files\\Common Files\\Roxio Shared\\Project Selector\\projselector.exe\" -r"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"SNPSTD2"="C:\\WINNT\\vsnpstd2.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"kafctmrd"="c:\\winnt\\system32\\kafctmrd.exe kafctmrd"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"DrvMon.exe"="C:\\WINNT\\system32\\DrvMon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.google.co...ges/t3h_en.gif"
"SubscribedURL"="http://www.google.co...ges/t3h_en.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,44,02,00,00,21,01,00,00,3c,00,00,00,0f,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,68,02,00,00,e7,00,00,00,99,02,00,00,27,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,99,00,00,00,21,01,00,00,99,02,00,00,0f,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,58,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"=""



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job
C:\WINNT\tasks\Symantec NetDetect.job

Completion time: Sat 2006-08-26 12:31:01.51
ComboFix2.txt
ComboFix.txt

Thanks

#26 Buckeye_Sam (Malware Expert, 10,019 posts)
Aha!

Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kafctmrd"=-

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.


=========


If you look at your Combofix log you can see where those folders are still present.

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-20 13:10 -------- d-------- C:\Program Files\Hijackthis
2006-08-17 12:01 28672 --a------ C:\WINNT\system32\drivers\CO_Mon.sys
2006-08-14 12:27 -------- d-------- C:\Documents and Settings\sm\Application Data\SystemDoctor 2006 Free
2006-08-13 16:57 -------- d-------- C:\Program Files\SystemDoctor 2006 Free
2006-07-29 16:57 -------- d-------- C:\Program Files\Real
2006-07-29 16:56 -------- d-------- C:\Documents and Settings\sm\Application Data\Real
2006-07-25 06:08 840976 --a------ C:\WINNT\system32\mmcndmgr.dll
2006-07-21 16:08 72704 --a------ C:\WINNT\system32\hlink.dll
2006-07-06 12:45 96528 --a------ C:\WINNT\system32\dnsrslvr.dll
2006-07-06 11:52 613648 --a------ C:\WINNT\system32\mmc.exe
2006-06-16 08:05 1713536 --a------ C:\WINNT\system32\NTKRNLPA.EXE
2006-06-16 08:04 1690880 --a------ C:\WINNT\system32\NTOSKRNL.EXE

Don't do a search for them, just navigate through My Computer to find them.


Reboot and post a new hijackthis log.
How are things working now? Any improvement?

Edited by Buckeye_Sam, 26 August 2006 - 06:16 AM.

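Sam's "Aha!" comes from matching the file GMER reported as a hidden process against the autostart values in ComboFix's Reg Loading Points section. As an added example (not from this thread, GMER or ComboFix), the Python below runs that cross-check over constructed, trimmed excerpts of the two logs posted above and writes the same kind of REGEDIT4 removal file; the log excerpts and function names are assumptions of this example.

```python
"""Cross-check GMER's hidden-file list against ComboFix's 'Reg Loading Points'
to find Run-key values that launch a hidden file, then emit a REGEDIT4 fix."""
import re

# Constructed, trimmed excerpts of the two logs posted in this thread.
GMER_LOG = r"""---- Processes - GMER 1.0.10 ----
Process C:\winnt\system32\kafctmrd.exe (*** hidden *** ) 1192 <-- ROOTKIT !!!
---- Files - GMER 1.0.10 ----
File C:\WINNT\system32\kafctmrd.exe
File C:\WINNT\system32\kafctmrd.dat
"""
COMBOFIX_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"kafctmrd"="c:\\winnt\\system32\\kafctmrd.exe kafctmrd"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\\WINNT\\system32\\DrvMon.exe"
"""

def gmer_hidden_files(log):
    """Lower-cased paths GMER listed under Files, plus any Process it marked hidden."""
    hidden = set()
    for line in log.splitlines():
        m = re.match(r"^(Process|File)\s+(\S+)", line)
        if m and (m.group(1) == "File" or "hidden" in line):
            hidden.add(m.group(2).lower())
    return hidden

def combofix_run_entries(log):
    """Yield (key, value_name, exe_path) for every value under a Run key,
    with REGEDIT escaping undone and quotes and command-line arguments dropped."""
    key = None
    for line in log.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if not (key and key.lower().endswith(r"\run")):
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if not m:
            continue
        raw = re.sub(r"\\(.)", r"\1", m.group(2))  # \\ -> \ and \" -> "
        exe = raw[1:].split('"', 1)[0] if raw.startswith('"') else raw.split(" ", 1)[0]
        yield key, m.group(1), exe

def suspicious_autostarts(gmer_log, combofix_log):
    """Run-key values whose target executable GMER reported as hidden."""
    hidden = gmer_hidden_files(gmer_log)
    return [e for e in combofix_run_entries(combofix_log) if e[2].lower() in hidden]

def removal_reg(entries):
    """REGEDIT4 text (the format Sam used) deleting only the flagged values;
    '"name"=-' removes a value and leaves the key itself intact."""
    by_key = {}
    for key, name, _ in entries:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines += [f"[{key}]"] + [f'"{n}"=-' for n in names] + [""]
    return "\n".join(lines)
```

Legitimate entries such as QuickTime and DrvMon fall through untouched because their targets never appear in GMER's hidden list; only the value that points at the hidden kafctmrd.exe is written into the removal file.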

#27 morlet (Topic Starter, 20 posts)
I need some guidance please through the last instruction.

I have copied the code into Notepad but I am not sure how to change Save As Type to All Files. Can you explain how I do this, please? Also I cannot find fixme.reg on my desktop.

Many thanks again

#28 Buckeye_Sam (Malware Expert, 10,019 posts)
When you save the file from notepad you'll have three boxes down at the bottom of that window and then a Save button and a Cancel button.

In the first box, enter in fixme.reg
In the next box, it will probably say Text Documents (*.txt). Click the down arrow to change it to "All Files".
The last box doesn't need to be changed at all and should read ANSI.

Click the Save button and you're done.

#29 morlet (Topic Starter, 20 posts)
I am having difficulty locating C/Documents+Settings/sm/application data/system doctor 2006 free. I have deleted lots from the C drive/sm folders but it still shows on the ComboFix log after rebooting. I cannot see an Application Data folder, only User Data. I am posting what it says they are, as you may be able to detect it.

<ROOTSTUB ASP.NET_SessionId="ASP.NET_SessionId=5imdbyekaiqkj355miuvsx45" />

<ROOTSTUB ASP.NET_SessionId="ASP.NET_SessionId=qvceyfeqcbb2hy55pygxep45" />

<ROOTSTUB width="220" />

<ROOTSTUB ASP.NET_SessionId="ASP.NET_SessionId=qvceyfeqcbb2hy55pygxep45" />

<ROOTSTUB ASP.NET_SessionId="ASP.NET_SessionId=mmwjve45hb5ygpijgqws4s2t" />

<ROOTSTUB ASP.NET_SessionId="ASP.NET_SessionId=5imdbyekaiqkj355miuvsx45" />

<ROOTSTUB ASP.NET_SessionId="ASP.NET_SessionId=qvceyfeqcbb2hy55pygxep45" />

<ROOTSTUB />

ROOTSTUB fc_prod_view_Merchant_ES___ES_Hotel_Silken_Puerta_De_Valencia_Localized_220905_Hotel___No_Promotion="true" />

<ROOTSTUB ASP.NET_SessionId="ASP.NET_SessionId=qvceyfeqcbb2hy55pygxep45" stream_od20700157-01_imagePath="http://sib1.od2.com/...ck.brandingimg" stream_od20700157-01_smartHelp="Added to Stream Player" stream_od20700157-01_cursor="hand" stream_od20700157-01_disabled="false" stream_od20700157-01="1" />

<ROOTSTUB ASP.NET_SessionId="ASP.NET_SessionId=mmwjve45hb5ygpijgqws4s2t" />

These are all in the user data folder in sm in Documents & Settings.

Shall I delete them all?

#30 Buckeye_Sam (Malware Expert, 10,019 posts)
I'm not sure what that is. Those aren't files. And we don't need to be in the User Data folder.


Click Start -> My Computer
Double click on Local Disk (C:)
Double click on Documents and Settings
Double click on SM

Now up at the top click Tools -> Folder options
Select the View tab.
Scroll down and select "Show hidden files and folders"
Click Apply and then Ok.


Now you should see the Application Data folder - double click on it.
Right click on SystemDoctor 2006 Free and select Delete.


Let me know how it goes.