Opaserv.A Worm/Phantom files


mklangelo
February 7th, 2004, 07:26 AM
Spyware Search and Destroy has detected it on my system. When I try to remove it with SSD, it says it can't because some part of it is in use. I'm running XP Pro SP1 and this worm does its thing on Win 9x and ME. XP isn't mentioned in anything I've read about it. I still want it gone. I disconnected from the net and tried it too, since I figured it wouldn't be "in use" that way. No help.

I downloaded the removal tool and it can detect nothing. Trial version of NOD 32 says I'm clean also. What's the deal?


MK

Pieter_Arntz
February 7th, 2004, 08:00 AM
Hi mklangelo,

Could you post the Spybot S&D log?

And have a look here: http://www.sophos.com/support/disinfection/w32opaserv.html

Regards,

Pieter

mklangelo
February 7th, 2004, 08:41 AM
Pieter,

I can find no log file. According to my settings, it should be named "checks.log". It is not in the SBSD directory or anywhere else for that matter.

Pieter_Arntz
February 7th, 2004, 08:48 AM
Could you post your HijackThis log? (http://www.tomcoyote.org/hjt/)
Download, unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don't fix anything yet. Most of what it finds is harmless.

Regards,

Pieter

mklangelo
February 7th, 2004, 08:54 AM
Pieter,

Here it is.

Logfile of HijackThis v1.97.7
Scan saved at 7:52:44 AM, on 2/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe
C:\Program Files\SpamPal\spampal.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Documents and Settings\Mike Burns\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [InteliSys] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [Ecuc] C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe
O4 - HKCU\..\Run: [FG1_00] C:\Program Files\Presorium\Frontgate MX\frntgate.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1DB3B8DD-5801-443F-B2D5-9BF8912B980E} (dmgrax2Ctrl Class) - http://www.lxsystems.com/downloads/Install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://download.yahoo.com/dl/sbcybeta/yinst.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C9D9B7B-6D58-4524-A9E2-BFF8C03AE7BB}: NameServer = 65.43.19.26 206.141.192.60

Pieter_Arntz
February 7th, 2004, 09:15 AM
Quite some adware, but no virus in sight.
Let's see if cleaning you out helps.

Before you start, please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

O4 - HKLM\..\Run: [InteliSys] C:\WINDOWS\smss.exe

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKCU\..\Run: [Ecuc] C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe

O4 - Startup: PowerReg Scheduler.exe

Then reboot and delete:
C:\WINDOWS\smss.exe
C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe

Regards,

Pieter
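
The two entries Pieter singles out share a pattern worth automating when reading a HijackThis log: a core Windows process name (smss.exe) launched from outside System32, and an executable with a random-looking name starting from the user's Application Data folder. The script below is an added example, not part of the thread or of HijackThis; it parses the v1.97-style "Running processes" and O4 Run lines from a constructed sample modelled on the log above and lists the entries that match either heuristic.

```python
import re

# Constructed sample in HijackThis v1.97 format, modelled on the log posted in
# the thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe

O4 - HKLM\..\Run: [InteliSys] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [Ecuc] C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe
"""

# Process names that belong in System32 on XP; a copy elsewhere is suspect.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe"}
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")
# Folders a limited user can write to; autostarts from here deserve a look.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')


def extract_path(command):
    """Return the executable path from a Run command line (quoted or not), args stripped."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: the executable ends at '.exe'; anything after whitespace is arguments.
    m = re.match(r'(?i)(.+?\.exe)(\s|$)', command)
    return m.group(1) if m else command.split()[0]


def classify(path):
    """Return the reasons a path looks suspicious; an empty list means it looks normal."""
    low = path.lower().replace('/', '\\')
    name = low.rsplit('\\', 1)[-1]
    reasons = []
    if name in SYSTEM_PROCESS_NAMES and not low.startswith(LEGIT_SYSTEM_DIRS):
        reasons.append("system process name outside System32")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("runs from a user-writable profile folder")
    return reasons


def triage(log_text):
    """Scan 'Running processes' lines and O4 Run entries; return [(source, path, reasons)]."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if not line:
            in_processes = False   # the process list ends at the first blank line
            continue
        if in_processes:
            reasons = classify(line)
            if reasons:
                findings.append(("process", line, reasons))
            continue
        m = O4_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            reasons = classify(path)
            if reasons:
                findings.append((f"O4 {m.group('hive')} [{m.group('name')}]", path, reasons))
    return findings


if __name__ == "__main__":
    for source, path, reasons in triage(SAMPLE_LOG):
        print(f"{source}: {path} -> {'; '.join(reasons)}")
```

A hit is a prompt to look closer (check the file's properties, signer and size against the known copy), not proof of infection: vendor tools also start from odd places, as the UpdReg entry in the same log shows.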

mklangelo
February 7th, 2004, 10:19 AM
Pieter,

I appreciate your time on this. This forum has been quite helpful to me.


Regards,

Mike

Pieter_Arntz
February 7th, 2004, 10:51 AM
My pleasure. :)

Pieter

mklangelo
February 8th, 2004, 08:09 AM
Pieter,

The same notification (OpaServ.A) shows up. Two of the files named to delete after final reboot did not exist:

C:\WINDOWS\smss.exe
C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe

Plus in the post you closed, I mentioned a new detection that showed up.

A quote from the closed thread is below:

"When I do run a full scan with TrojanHunter, NOD32 will notify on Stealth.Poly.Crypt.Tsr.Driver."

I might have been more clear in the post; I did mention two separate issues. My mistake!

Pieter_Arntz
February 8th, 2004, 10:39 AM
Hi mklangelo,

It would really help a lot if we knew where these files were found. (Full path and filename)
Make some screenshots if you can't find the logfiles.

Regards,

Pieter

Pieter_Arntz
February 8th, 2004, 11:04 AM
To get the log from Spybot S&D:
After the scan click Tools > View Report > View Report and copy & paste the content of the main screen into your post.

Regards,

Pieter

controler
February 8th, 2004, 11:26 AM
I see you are using NOD-32. Won't this detect it and remove it?

con

mklangelo
February 8th, 2004, 11:40 AM
controler wrote:
> I see you are using NOD-32. Won't this detect it and remove it?
>
> con

I don't think so if one is using the trial version.

mklangelo
February 8th, 2004, 11:47 AM
Here is the full information from SSD, TrojanHunter and NOD32:

--- Search result list ---

--- Spybot-S&D version: 1.2 ---
2004-01-22 Includes\Cookies.sbi
2004-01-22 Includes\Dialer.sbi
2004-01-31 Includes\Hijackers.sbi
2003-11-11 Includes\Keyloggers.sbi
2004-01-25 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2004-01-22 Includes\Security.sbi
2004-01-26 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2004-01-22 Includes\Tracks.uti
2004-01-25 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX: DirectX Update 819696
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 819639
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP2: Windows XP Hotfix - KB821557
/ Windows XP / SP2: Windows XP Hotfix - KB823182
/ Windows XP / SP2: Windows XP Hotfix - KB823559
/ Windows XP / SP2: Windows XP Hotfix - KB823980
/ Windows XP / SP2: Windows XP Hotfix - KB824105
/ Windows XP / SP2: Windows XP Hotfix - KB824141
/ Windows XP / SP2: Windows XP Hotfix - KB824146
/ Windows XP / SP2: Windows XP Hotfix - KB825119
/ Windows XP / SP2: Windows XP Hotfix - KB826939
/ Windows XP / SP2: Windows XP Hotfix - KB828039
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q322011
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q327979
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q328310
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329048 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329170
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329390 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329441
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329834 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q331953
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810565
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810577
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810833
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811493
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811630
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q814033
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q815021
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817287
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817606


--- Startup entries list ---
Spybot-S&D Startup list report, 2/8/2004 10:12:15 AM

Located: HK_CU:Run, RemoteCenter
file: C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
MD5: 06D83E9BBF14471EDB1572564B55C5EB

Located: HK_CU:Run, Creative Detector
file: C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

Located: HK_CU:Run, MtdAcq
file: C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s

Located: HK_CU:Run, Ccch
file: C:\Documents and Settings\Mike Burns\Application Data\aeca.exe
MD5: BE6356B5B707C366F4DD0ADBF0E72D38

Located: HK_LM:Run, SBDrvDet
file: C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

Located: HK_LM:Run, ATIPTA
file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MD5: 76E9ECD6253BD9D1549CBE32621AD897

Located: HK_LM:Run, IntelliType
file: "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

Located: HK_LM:Run, Zone Labs Client
file: C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
MD5: 9472F49967BD0FCF5AEB6C1497B9083A

Located: HK_LM:Run, USRpdA
file: C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

Located: HK_LM:Run, AsioReg
file: REGSVR32.EXE /S CTASIO.DLL

Located: HK_LM:Run, CTSysVol
file: C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
MD5: C88806E6C9AE0AD88D20E1BDA995355A

Located: HK_LM:Run, CTDVDDet
file: C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
MD5: 49530EA45EBD73E2C11C74DFEBC30D57

Located: HK_LM:Run, nod32kui
file: C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

Located: HK_LM:Run, THGuard
file: "C:\Program Files\TrojanHunter 3.8\THGuard.exe"

Located: HK_LM:Run, CTHelper
file: CTHELPER.EXE

Located: HK_LM:Run, NeroCheck (DISABLED)
file: C:\WINDOWS\System32\\NeroCheck.exe
MD5: 3E4C03CEFAD8DE135263236B61A49C90

Located: HK_LM:Run, C-Media Mixer (DISABLED)
file: Mixer.exe /startup



--- Browser helper object list ---
Spybot-S&D Browser helper object report, 2/8/2004 10:12:15 AM

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Class file: AcroIEHelper.dll
Attributes: archive
Date: 5/15/2003 12:47:54 AM
MD5: 0C0E1B2BCAED8DF401BE94D538BCB412
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
Short name: ACROIE~1.DLL
Size: 50376 bytes
Version: 0.6.0.0
Class name: AcroIEHlprObj Class
CLSID database: legitimate software
Description: Adobe Acrobat reader
Filename: ACROIEHELPER.OCX

{53707962-6F74-2D53-2644-206D7942484F}
Class file: SDHelper.dll
Attributes: archive
Date: 3/16/2003 1:02:00 AM
MD5: 423CBD3CFAEEB62C5C97A9449567B474
Path: C:\PROGRA~1\SPYBOT~1\
Short name:
Size: 711168 bytes
Version: 255.255.255.255
CLSID database: legitimate software
Description: Spybot-S&D IE Browser plugin
Filename: SDHelper.dll

{AA58ED58-01DD-4d91-8333-CF10577473F7}
Class file: googletoolbar_en_2.0.95-big.dll
Attributes: archive
Date: 8/4/2003 11:23:18 PM
MD5: 391C19C7EF7E9AF44CCEA95B5051508D
Path: c:\windows\
Short name: GOOGLE~1.DLL
Size: 741376 bytes
Version: 0.2.0.0
Class name: Google Toolbar Helper
CLSID database: open for discussion
Description: Google toolbar
Filename: Googletoolbar.dll


--- ActiveX list ---
Spybot-S&D ActiveX report, 2/8/2004 10:12:15 AM

DirectAnimation Java Classes
Name: DirectAnimation Java Classes
Version: 5,1,15,1014

Microsoft XML Parser for Java
Name: Microsoft XML Parser for Java
Version: 1,0,9,2

{0E5F0222-96B9-11D3-8997-00104BD12D94}
Class file: PCPITS~1.DLL
Attributes: archive
Date: 9/2/2003 10:52:30 AM
MD5: BCA44EAEFCEA0133B35551664570351F
Path: C:\WINDOWS\DOWNLO~1\
Short name: PCPITS~1.DLL
Size: 249856 bytes
Version: 0.1.0.0
Class name: PCPitstop Utility
CLSID database: unknown class
Description: Gateway tools
Filename: PCPITSTOP.DLL
Contains file: DiskFAU.dll
Attributes: archive
Date: 4/18/2003 1:59:44 PM
MD5: 5689C59C70EC84831FFFDAD1DAA8DA3A
Path: C:\WINDOWS\Downloaded Program Files\
Short name:
Size: 53248 bytes
Version: 0.1.0.0
Contains file: pcpbios.exe
Attributes: archive
Date: 3/14/2002 1:00:26 PM
MD5: 68C5BB8A734A1C6F38705E61923C3317
Path: C:\WINDOWS\System32\
Short name:
Size: 38567 bytes
Version: 255.255.255.255
Contains file: PCPitstop.dll
Attributes: archive
Date: 9/2/2003 10:52:30 AM
MD5: BCA44EAEFCEA0133B35551664570351F
Path: C:\WINDOWS\Downloaded Program Files\
Short name: PCPITS~1.DLL
Size: 249856 bytes
Version: 0.1.0.0
Contains file: sysres.dll
Attributes: archive
Date: 8/16/1998 6:00:00 AM
MD5: 4DB16572BB9FC4EC4840EF55FB91F375
Path: C:\WINDOWS\System32\
Short name:
Size: 4096 bytes
Version: 255.255.255.255
Download location: http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
Last modified: Tue, 02 Sep 2003 15:03:17 GMT
Version: 1,0,0,121

{1DB3B8DD-5801-443F-B2D5-9BF8912B980E}
Class file: dmgrax2.dll
Attributes: archive
Date: 9/12/2003 4:19:12 PM
MD5: E7C20C81DDB7C9DE2E59035BF6AAA82C
Path: C:\WINDOWS\Downloaded Program Files\
Short name:
Size: 167936 bytes
Version: 0.1.0.1
Class name: dmgrax2Ctrl Class
Contains file: dmgrax2.dll
Attributes: archive
Date: 9/12/2003 4:19:12 PM
MD5: E7C20C81DDB7C9DE2E59035BF6AAA82C
Path: C:\WINDOWS\Downloaded Program Files\
Short name:
Size: 167936 bytes
Version: 0.1.0.1
Download location: http://www.lxsystems.com/downloads/Install.cab
Last modified: Fri, 12 Sep 2003 21:20:17 GMT
Version: 1,1,1,4

{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
Class file: yinsthelper.dll
Attributes: archive
Date: 9/9/2003 5:39:42 PM
MD5: A74AB5DEF14CC298CC8821CE80A62405
Path: C:\WINDOWS\Downloaded Program Files\
Short name: YINSTH~1.DLL
Size: 124352 bytes
Version: 7.211.0.9
Class name: YInstStarter Class
Contains file: yinsthelper.dll
Attributes: archive
Date: 9/9/2003 5:39:42 PM
MD5: A74AB5DEF14CC298CC8821CE80A62405
Path: C:\Program Files\Yahoo!\common\
Short name: YINSTH~1.DLL
Size: 124352 bytes
Version: 7.211.0.9
Contains file: yinsthelper.dll
Attributes: archive
Date: 9/9/2003 5:39:42 PM
MD5: A74AB5DEF14CC298CC8821CE80A62405
Path: C:\WINDOWS\Downloaded Program Files\
Short name: YINSTH~1.DLL
Size: 124352 bytes
Version: 7.211.0.9
Download location: http://download.yahoo.com/dl/sbcybeta/yinst.cab
Last modified: Fri, 12 Sep 2003 22:08:18 GMT
Version: 2003,9,9,1

{38578BF0-0ABB-11D3-9330-0080C6F796A1}
Class file: AxCtp.dll
Attributes: archive
Date: 10/10/2003 12:34:22 PM
MD5: F55BCD60698CCD82317A554A57E0EA2A
Path: C:\WINDOWS\System32\
Short name:
Size: 1187840 bytes
Version: 0.3.0.1
Class name: Create & Print ActiveX Plug-in
Contains file: AxCtp.dll
Attributes: archive
Date: 10/10/2003 12:34:22 PM
MD5: F55BCD60698CCD82317A554A57E0EA2A
Path: C:\WINDOWS\System32\
Short name:
Size: 1187840 bytes
Version: 0.3.0.1
Download location: http://www.imgag.com/cp/install/AxCtp.cab
Last modified: Fri, 10 Oct 2003 20:31:03 GMT
Version: 3,1,0,0

{8AD9C840-044E-11D1-B3E9-00805F499D93}
Class file: npjpi140_01.dll
Attributes: archive
Date: 4/16/2002 2:28:48 PM
MD5: 5049C83AC4E513D0B0AC4FFEA6431162
Path: C:\Program Files\Java\j2re1.4.0_01\bin\
Short name: NPJPI1~1.DLL
Size: 86122 bytes
Version: 0.1.0.4
Class name: Java Plug-in 1.4.0_01
CLSID database: legitimate software
Description: Sun Java
Filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
Download location: http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
Name: Java Runtime Environment 1.4.0_01
Version: 1,4,0,1

{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}
Contains file: activate.dll
Attributes: archive
Date: 3/19/2003 4:39:08 PM
MD5: 4F159E0135ECA7EB948B66AC9910A7D5
Path: C:\WINDOWS\Downloaded Program Files\
Short name:
Size: 118784 bytes
Version: 255.255.255.255
Download location: http://toolbar.google.com/data/GoogleActivate.cab
Last modified: Fri, 21 Mar 2003 16:46:06 GMT
Version: 0,0,0,1

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
Class file: asinst.dll
Attributes: archive
Date: 8/7/2003 9:02:50 AM
MD5: BF100C75EBD536E45B2BE67A685DD39C
Path: C:\WINDOWS\Downloaded Program Files\
Short name:
Size: 110592 bytes
Version: 0.55.0.2
Class name: ActiveScan Installer Class
Contains file: asinst.dll
Attributes: archive
Date: 8/7/2003 9:02:50 AM
MD5: BF100C75EBD536E45B2BE67A685DD39C
Path: C:\WINDOWS\Downloaded Program Files\
Short name:
Size: 110592 bytes
Version: 0.55.0.2
Download location: http://www.pandasoftware.com/activescan/as5/asinst.cab
Last modified: Thu, 07 Aug 2003 07:11:58 GMT
Version: 55,2,0,0

{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}
Class file: npjpi140_01.dll
Attributes: archive
Date: 4/16/2002 2:28:48 PM
MD5: 5049C83AC4E513D0B0AC4FFEA6431162
Path: C:\Program Files\Java\j2re1.4.0_01\bin\
Short name: NPJPI1~1.DLL
Size: 86122 bytes
Version: 0.1.0.4
Class name: Java Plug-in 1.4.0_01
Download location: http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
Name: Java Runtime Environment 1.4.0_01
Version: 1,4,0,1

{D27CDB6E-AE6D-11CF-96B8-444553540000}
Class file: Flash.ocx
Attributes: archive
Date: 9/4/2003 2:17:58 PM
MD5: B414D4BA7BFB6218AE6B224B46C81D60
Path: C:\WINDOWS\System32\macromed\flash\
Short name:
Size: 917504 bytes
Version: 0.7.0.0
Class name: Shockwave Flash Object
CLSID database: legitimate software
Description: Macromedia Shockwave Flash Player
Download location: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Last modified: Fri, 05 Sep 2003 18:36:03 GMT
Version: 7,0,14,0


--- Process list ---
Spybot-S&D process list report, 2/8/2004 10:12:15 AM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 340 ( 4) \SystemRoot\System32\smss.exe
PID: 392 ( 340) \??\C:\WINDOWS\system32\csrss.exe
PID: 416 ( 340) \??\C:\WINDOWS\SYSTEM32\winlogon.exe
PID: 460 ( 416) C:\WINDOWS\system32\services.exe
PID: 472 ( 416) C:\WINDOWS\system32\lsass.exe
PID: 636 ( 460) C:\WINDOWS\System32\Ati2evxx.exe
PID: 660 ( 460) C:\WINDOWS\system32\svchost.exe
PID: 696 ( 460) C:\WINDOWS\System32\svchost.exe
PID: 828 ( 460) C:\WINDOWS\System32\svchost.exe
PID: 856 ( 460) C:\WINDOWS\System32\svchost.exe
PID: 968 (1400) C:\WINDOWS\System32\ZoneLabs\vsmon.exe
PID: 1044 ( 460) C:\WINDOWS\system32\spoolsv.exe
PID: 1124 ( 416) C:\WINDOWS\SYSTEM32\Ati2evxx.exe
PID: 1192 (1156) C:\WINDOWS\Explorer.EXE
PID: 1344 (1192) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PID: 1384 (1192) C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
PID: 1400 (1192) C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
PID: 1412 (1192) C:\WINDOWS\SYSTEM32\USRmlnkA.exe
PID: 1432 (1192) C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
PID: 1444 (1412) C:\WINDOWS\SYSTEM32\USRshutA.exe
PID: 1460 (1192) C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
PID: 1472 (1412) C:\WINDOWS\SYSTEM32\USRmlnkA.exe
PID: 1492 (1192) C:\Program Files\Eset\nod32kui.exe
PID: 1532 (1192) THGuard.exe
PID: 1540 (1192) C:\WINDOWS\System32\CTHELPER.EXE
PID: 1548 (1192) C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
PID: 1560 (1192) C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
PID: 1576 (1192) C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
PID: 1588 (1192) C:\Documents and Settings\Mike Burns\Application Data\aeca.exe
PID: 1776 (1192) C:\Program Files\SpamPal\spampal.exe
PID: 1888 ( 460) C:\WINDOWS\System32\CTSvcCDA.EXE
PID: 1940 ( 460) C:\Program Files\Eset\nod32krn.exe
PID: 2008 ( 460) C:\WINDOWS\System32\MsPMSPSv.exe
PID: 3432 (1192) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe


--- Browser start & search pages list ---
Spybot-S&D browser pages report, 2/8/2004 10:12:15 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://yahoo.sbc.com/dsl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://yahoo.sbc.com/dsl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://yahoo.sbc.com/dsl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Spybot-S&D winsock LSP report, 2/8/2004 10:12:15 AM

NS Provider ( 1) Tcpip ({22059D40-7E9E-11CF-AE5A-00AA00A7112B})
NS Provider ( 2) NTDS ({3B2637EE-E580-11CF-A555-00C04FD8D4AC})
NS Provider ( 3) Network Location Awareness (NLA) Namespace ({6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83})
Protocol ( 1) NOD32 protected [MSAFD Tcpip [TCP/IP]] ({8C397D36-8698-41E1-930A-1F2CA61B890E})
Protocol ( 2) NOD32 protected [MSAFD Tcpip [UDP/IP]] ({4B43688E-2A08-4941-96EF-B24E19ABD4CE})
Protocol ( 3) NOD32 protected [MSAFD Tcpip [RAW/IP]] ({E058E349-941C-4A01-B52A-4E1D68E8319C})
Protocol ( 4) NOD32 protected [RSVP UDP Service Provider] ({872EA8D1-31AC-4C26-A25A-CBBA92B81DA0})
Protocol ( 5) NOD32 protected [RSVP TCP Service Provider] ({64BFC2B7-E8D1-4F53-AB28-C0A9E8EC5089})
Protocol ( 6) MSAFD Tcpip [TCP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol ( 7) MSAFD Tcpip [UDP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol ( 8) MSAFD Tcpip [RAW/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol ( 9) RSVP UDP Service Provider ({9D60A9E0-337A-11D0-BD88-0000C082E69A})
Protocol (10) RSVP TCP Service Provider ({9D60A9E0-337A-11D0-BD88-0000C082E69A})
Protocol (11) MSAFD NetBIOS [\Device\NetBT_Tcpip_{0C49C7C9-9D4A-4E62-A3DD-F0D11128C575}] SEQPACKET 5 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (12) MSAFD NetBIOS [\Device\NetBT_Tcpip_{0C49C7C9-9D4A-4E62-A3DD-F0D11128C575}] DATAGRAM 5 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (13) MSAFD NetBIOS [\Device\NetBT_Tcpip_{D98BB06F-C94D-4375-9C54-DC345B186BA4}] SEQPACKET 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (14) MSAFD NetBIOS [\Device\NetBT_Tcpip_{D98BB06F-C94D-4375-9C54-DC345B186BA4}] DATAGRAM 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (15) MSAFD NetBIOS [\Device\NetBT_Tcpip_{59A396C1-9791-4ABE-A36A-D293008281D1}] SEQPACKET 1 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (16) MSAFD NetBIOS [\Device\NetBT_Tcpip_{59A396C1-9791-4ABE-A36A-D293008281D1}] DATAGRAM 1 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (17) MSAFD NetBIOS [\Device\NetBT_Tcpip_{39193C8B-A2A5-442E-9E6D-19E14F1FE41C}] SEQPACKET 2 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (18) MSAFD NetBIOS [\Device\NetBT_Tcpip_{39193C8B-A2A5-442E-9E6D-19E14F1FE41C}] DATAGRAM 2 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (19) MSAFD NetBIOS [\Device\NetBT_Tcpip_{C2D4AAAB-4724-4CA1-801B-8E33DFD96C0E}] SEQPACKET 3 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (20) MSAFD NetBIOS [\Device\NetBT_Tcpip_{C2D4AAAB-4724-4CA1-801B-8E33DFD96C0E}] DATAGRAM 3 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (21) MSAFD NetBIOS [\Device\NetBT_Tcpip_{9C9D9B7B-6D58-4524-A9E2-BFF8C03AE7BB}] SEQPACKET 4 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (22) MSAFD NetBIOS [\Device\NetBT_Tcpip_{9C9D9B7B-6D58-4524-A9E2-BFF8C03AE7BB}] DATAGRAM 4 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (23) NOD32 ({28A4D8DA-E908-4C6F-A926-A66CC7AD3224})


_________________________________________________________________________________________________



THIS IS INFO FROM TROJANHUNTER:

File scan
Warning: Unable to unpack UPX-packed file C:\System Volume Information\_restore{41F948C6-E5A2-444B-9F7E-0DC935BD5CB9}\RP365\A0303772.exe (Add to ignore list)
No trojan files found
_________________________________________________________________________________________________________________

This is the location of the offending files according to NOD32

Stealth.Poly.Crypt.Tsr.Driver is the alleged virus.
Time Module Object Name Virus Action User Info
2/8/2004 10:28:18 AM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\jN5Rd.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus AMERICAN-Q0JEHN\Mike Burns
2/8/2004 10:27:19 AM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\fcjOC3.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus AMERICAN-Q0JEHN\Mike Burns
2/7/2004 20:24:39 PM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\v5P.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus AMERICAN-Q0JEHN\Mike Burns
2/7/2004 20:24:36 PM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\Q64FV.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus error while deleting - error occured while quarantining the object - AMERICAN-Q0JEHN\Mike Burns
2/7/2004 12:20:44 PM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\zA1g6.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus AMERICAN-Q0JEHN\Mike Burns
2/7/2004 12:20:38 PM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\q79GlTU.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus error while deleting AMERICAN-Q0JEHN\Mike Burns
2/2/2004 20:57:22 PM AMON file C:\System Volume Information\_restore{41F948C6-E5A2-444B-9F7E-0DC935BD5CB9}\RP642\A0367029.exe Win32/TrojanDropper.Dater.A trojan renamed to C:\System Volume Information\_restore{41F948C6-E5A2-444B-9F7E-0DC935BD5CB9}\RP642\A0367029.Vexe NT AUTHORITY\SYSTEM





As earlier, I am having no symptoms. It was suggested that the Stealth virus is a false heuristic positive. I'll leave that to the resident experts.

EDIT: As for the Opaserv.A worm, am I correct in saying that it does not affect machines running WinXP?

Cheers,

MK

controler
February 8th, 2004, 12:49 PM
All the files NOD found are in your TEMP and System Restore.
There is no reason why you can't delete your TEMP files.
Appears those files were created by some install. Do those files look like something you installed? You can always submit those files to NOD or any other software vendors to make sure and wait for their response.
You can also send them to controler@usermail.com and I will check them for you.

con

Pieter_Arntz
February 8th, 2004, 04:50 PM
One thing that might come in handy:
The full path to that Temp folder
C:\DOCUMENTS AND SETTINGS\[owner]\LOCAL SETTINGS\Temp

The Local Settings folder is hidden by default.
Check here how to "unhide" those: http://www.tacktech.com/display.cfm?ttid=192

Regards,

Pieter

mklangelo
February 8th, 2004, 07:26 PM
controler wrote:
> All the files NOD found are in your TEMP and System Restore.
> There is no reason why you can't delete your TEMP files.
> Appears those files were created by some install. Do those files look like something you installed? You can always submit those files to NOD or any other software vendors to make sure and wait for their response.
> You can also send them to controler@usermail.com and I will check them for you.
>
> con

Hi con,

These files will not be deleted, renamed or cleaned. I was able to get two of the three to the bin. The third would not be moved since it is "in use". I rebooted and one more appeared. I rebooted yet again and there was a third. While in the process of taking the screenshot attached to this post, my machine locked up; I did a warm reboot and there was a FOURTH file. These files are not associated with the OpaServ.A worm. They are the three, excuse me, four bottom files pictured in the screenshot of the window and are the ones NOD32 IDs as the above mentioned Stealth.Poly.Crypt.Tsr.Driver virus (the four have identical properties). I am at a loss.


- Fixed quote tags and image width to help thread display - LWM

Randy_Bell
February 8th, 2004, 09:06 PM
These are the online scans I have bookmarked:

BitDefender scan (http://www.bitdefender.com/scan/Msie/index.php)
McAfee.com - FreeScan (http://www.mcafee.com/myapps/mfs/default.asp)
Panda ActiveScan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)
PC Pitstop scan (http://www.pcpitstop.com/antivirus/AV.asp)
RAV AntiVirus - Scan Online (http://www.ravantivirus.com/scan/)
Symantec Online Scan (http://security2.norton.com/ssc/lunavbrk.asp?scantype=2&langid=us&venid=sym&plfid=20&pkj=SUTRSJRFSKLUKUMXCCJ)
Trend Micro HouseCall (http://housecall.antivirus.com/)

and I recommend the Panda ActiveScan first, Trend HouseCall second .. as the two best online scans, in that order. HouseCall is faster but Panda is more thorough, imho. ;-)

mklangelo
February 9th, 2004, 07:12 AM
Randy,

I'll give two or three of these (online scans) a go this evening. I'm beginning to think I'm dealing with a false heuristic notification but I would still like to know the origin of these files.

MK

LowWaterMark
February 9th, 2004, 05:18 PM
Those ZLTxxxxx.TMP files belong to Zone Alarm. The one that is locked is the one in use at the moment when Zone Alarm is running. Every time ZA is restarted it creates a new one, which is why every reboot there is one with a different name there.

However, these files are deleted by ZA when it is shutdown cleanly. If you are getting left over ZLT files in your \Temp\ folder it is because ZA is not getting a chance to shutdown cleanly when you shutdown your system.

The only time I get left over ZLT files here is if my PC crashes, then obviously ZA was unable to close and delete the specific file it was using at that time.

You'll need to look at your shutdown... It would appear that it is happening too fast and ZA is not getting a chance to exit on its own and is just killed when the PC is shut down.

mklangelo
February 9th, 2004, 05:34 PM
Low,

I do get a lot of crashes/lockups. More by a factor of 20 than I ever got running Win98. I have looked high and low for a reason to no avail.

Thanks,

Mk