WORM/Drefir.J.3 & IrcBot.120 infections



#1 keenan (Member, 32 posts)
Hello folks -
Hope you can help.
I'm experiencing a lot of timeouts when linking to known available sites and I believe it's caused by accumulated infections of malware of one sort or another. You people have helped me before (i.e. Spy Sheriff, etc.) and I know the drill. I've run all the recommended programs before generating the HijackThis log. And it took hours to do, too.

Here are some results I got:
- while "taking action..." on WORM.Drefir.j, ewido anti-spyware 4.0 got an exception:
"Something bad happened in the application. Error diagnostic file saved to 'C:\program files\ewido anti-spyware 4.0\ewido.err'"

- while running Trojan Hunter 4.0 I got a msg from Avira Antivir:
"C:\Winnt\system32\Lavan\ddt.exe contains the signature of the dropper DR\Perl.BBXSP.B.1"

- while running Trojan Hunter 4.0 I got a msg from Avira Antivir:
"C:\Winnt\system32\Lavan\edit.BAT contains the signature of the batch virus BAT/Zapchast.AU.1"

- while running Trojan Hunter 4.0 I got about 30 msg from Avira Antivir all saying:
"C:\Documents and Settings\Administrator\Local Settings\temp\xxxxxxx.exe contains the signature of the worm WORM/Drefir.J.3"
where xxxxxxx was about 30 different names, some of which were 'K4qnRqv', 'VS3eu07', 'IxCujw4', 'Lm6M1Fi', 'c0IK36L'

- Trojan Hunter found IrcBat.120 trojan and it quarantined the file: C:\Winnt\system32\Lavan\devcheck.exe


Also, ewido terminated abnormally when it was trying to 'Apply all actions', so I was unable to get a report to save for you.

Also, during execution of Trend Housecall my Firefox browser terminated abnormally.

My HijackThis log follows:

Logfile of HijackThis v1.99.1
Scan saved at 7:47:43 PM, on 9/25/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape7%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\k6b8g8ux.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINNT\system32\UninstallXP.exe 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [OWS Setup CmdLine] "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" /r /pkg "Office 2000 Server Extensions" /q
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATIRmtWndr] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{217C6BFF-060B-4D77-9D14-C61D46A4835C}: NameServer = 209.87.239.20,204.187.144.34
O17 - HKLM\System\CS2\Services\Tcpip\..\{217C6BFF-060B-4D77-9D14-C61D46A4835C}: NameServer = 209.87.239.20,204.187.144.34
O17 - HKLM\System\CS3\Services\Tcpip\..\{217C6BFF-060B-4D77-9D14-C61D46A4835C}: NameServer = 209.87.239.20,204.187.144.34
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Office Server Extensions Notification Service (OWSTimer) - Unknown owner - C:\Program Files\Microsoft Office\O2KserverExtensions\Office\OWSTIMER.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Hope you can help me.

Nick
XXXXXXXXXXXX Email Add. edited from post

Edited by Trevuren, 25 September 2006 - 06:39 PM.


#2 Metallica (Spyware Veteran, GeekU Moderator, 32,896 posts)
Fix the following items using HijackThis:
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINNT\system32\UninstallXP.exe 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


Then before you reboot, first start Updating Java and Clearing Cache
  • Go to Start > Control Panel and double-click on the Java icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java, then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache. Leave ALL 3 checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Follow the instructions here: http://www.thespykil...x.php?topic=5.0 to upload a copy of:
C:\WINNT\system32\UninstallXP.exe
I really don't trust that one. Or do you know where that came from?

Then reboot and run a full system scan with Avira. It obviously is the only program that recognizes the infection.

Post what it finds and where please.

Regards,

#3 keenan (Topic Starter, Member, 32 posts)
Hi Metallica...

I've never used HijackThis to 'fix' anything, so I'm not sure what to do. I had a closer look at HJ and see it has many procedures, but I'm afraid I don't know which one(s) to use. Sorry about that. Please get back to me with a little more instruction.
Thanks for taking my case!
Nick Keenan

#4 Metallica (Spyware Veteran, GeekU Moderator, 32,896 posts)
Run HijackThis. Use the Scan only option.
Put a checkmark before the items I listed.

Then after checking you have all those and only those, click the Fix checked button.
After HijackThis has parsed the list, you may have to confirm some of the changes.
(I don't expect so in your case)

After that is done you can proceed with the rest.

#5 keenan (Topic Starter, Member, 32 posts)
Thanks Metallica..

I used HJT to 'fix' the items you listed, then followed the rest of your instructions.
1. Java didn't update automatically, so I updated it manually, and confirmed it is up to date.
2. Tried to upload c:\winnt\system32\UninstallXP.exe but it wasn't there anymore! Somewhere along the line it vanished.
3. Rebooted and ran full scan with Avira and it detected about 160 instances of WORM/Drefir.J.3, and ALL of them were in files with .rar extension curiously enough. Avira said it locked the detected files and would delete them on reboot and Avira encouraged me to waste no time rebooting so it could do so. Before rebooting I looked around myself but couldn't access them (locked by Avira I guess). Interesting that it would not let me keep them if I so chose. I rebooted but haven't run a full Avira scan nor Hijack This.
4. I was going to post Avira's last log for you, but I can't find it!?
5. I will post a HijackThis log.
6. Anything else I should do? Is my machine clean now?

Many thanks,
Nick Keenan

Logfile of HijackThis v1.99.1
Scan saved at 10:15:53 PM, on 10/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape7%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\k6b8g8ux.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [OWS Setup CmdLine] "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" /r /pkg "Office 2000 Server Extensions" /q
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ATIRmtWndr] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{217C6BFF-060B-4D77-9D14-C61D46A4835C}: NameServer = 209.87.239.20,204.187.144.34
O17 - HKLM\System\CS2\Services\Tcpip\..\{217C6BFF-060B-4D77-9D14-C61D46A4835C}: NameServer = 209.87.239.20,204.187.144.34
O17 - HKLM\System\CS3\Services\Tcpip\..\{217C6BFF-060B-4D77-9D14-C61D46A4835C}: NameServer = 209.87.239.20,204.187.144.34
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Office Server Extensions Notification Service (OWSTimer) - Unknown owner - C:\Program Files\Microsoft Office\O2KserverExtensions\Office\OWSTIMER.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
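A way to check the outcome of the 'Fix checked' round, added here as an example that is not part of this thread and not code from HijackThis: it parses the O4 autostart lines from the two logs posted above (25 Sep and 3 Oct), reports what disappeared, what is new and what changed, and then checks the list Metallica asked to fix against the newer log. The two log excerpts are copied from the thread and trimmed; the script only reads text and never touches the registry.

```python
import re

# Added example for this thread; it is not code from Geeks to Go or from
# HijackThis. It parses the "O4" autostart lines of two HijackThis 1.99.1 logs
# and reports what changed between them, which is the check to run after a
# "Fix checked" round: did the listed entries actually go, and did any come back?

O4_LINE = re.compile(r"^O4 - (?P<hive>[^:]+): (?P<body>.*)$")
RUN_VALUE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<target>.*)$")


def parse_o4(log_text):
    """Map (hive, entry name) -> launch target for every O4 line in a log."""
    entries = {}
    for raw in log_text.splitlines():
        m = O4_LINE.match(raw.strip())
        if not m:
            continue
        hive, body = m.group("hive"), m.group("body")
        run = RUN_VALUE.match(body)
        if run:                       # registry Run value: "[Name] command"
            entries[(hive, run.group("name"))] = run.group("target").strip()
        else:                         # startup folder item: "Name.lnk = path"
            name, _, target = body.partition(" = ")
            entries[(hive, name.strip())] = target.strip()
    return entries


def diff_o4(before_text, after_text):
    """Return (removed, added, changed) O4 entries between two logs."""
    before, after = parse_o4(before_text), parse_o4(after_text)
    removed = {k: before[k] for k in before.keys() - after.keys()}
    added = {k: after[k] for k in after.keys() - before.keys()}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return removed, added, changed


def unfixed(after_text, fix_lines):
    """Entries from a 'fix these' list that are still present in the newer log
    (the target may differ, e.g. a version bump, but the autostart is back)."""
    after = parse_o4(after_text)
    wanted = parse_o4("\n".join(fix_lines))
    return {k: after[k] for k in wanted if k in after}


# Constructed excerpts: O4 lines copied from the 25 Sep and 3 Oct logs in
# this thread, trimmed to the entries that matter for the comparison.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINNT\system32\UninstallXP.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
"""

# The entries the helper asked to fix (post #2), as pasted.
FIX_LIST = [
    r"O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe",
    r"O4 - HKLM\..\Run: [HGTXPEI] C:\WINNT\system32\UninstallXP.exe 1",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe",
    r"O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart",
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE",
]

if __name__ == "__main__":
    removed, added, changed = diff_o4(LOG_BEFORE, LOG_AFTER)
    for key, target in sorted(removed.items()):
        print("gone   :", key, "->", target)
    for key, target in sorted(added.items()):
        print("new    :", key, "->", target)
    for key, (old, new) in sorted(changed.items()):
        print("changed:", key, old, "->", new)
    for key, target in sorted(unfixed(LOG_AFTER, FIX_LIST).items()):
        print("STILL PRESENT:", key, "->", target)
```

On these excerpts the only entry flagged STILL PRESENT is SunJavaUpdateSched, which appears again in the 3 Oct log with the jre1.5.0_06 path after the Java update; that is a consequence of updating Java, not a sign the fix did not apply. Point the same functions at two full logs read from disk to compare any pair of scans.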

#6 keenan (Topic Starter, Member, 32 posts)
Metallica,

I found the missing AVIRA log after all. As you can see, every detection occurred in a RAR file. Some of the RAR files were created by myself, and the others were downloaded P2P (eMule).
Here's the AVIRA log:


AntiVir PersonalEdition Classic
Report file date: Tuesday, October 03, 2006 17:55

Scanning for 518624 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows 2000
Windows version: (Service Pack 4) [5.0.2195]
Username: Administrator
Computer name: NICK

Version information:
AVSCAN.EXE : 7.0.0.47 200744 8/21/2006 16:06:56
AVSCAN.DLL : 7.0.0.45 41000 9/7/2006 16:56:33
LUKE.DLL : 7.0.0.47 118824 9/7/2006 16:32:33
LUKERES.DLL : 7.0.0.47 9256 9/7/2006 16:56:33
ANTIVIR0.VDF : 6.35.0.1 7371264 5/31/2006 16:35:27
ANTIVIR1.VDF : 6.36.0.9 1424384 9/6/2006 13:12:24
ANTIVIR2.VDF : 6.36.0.88 360448 10/2/2006 03:29:45
ANTIVIR3.VDF : 6.36.0.89 4608 10/2/2006 03:29:45
AVEWIN32.DLL : 7.2.0.22 1860096 10/1/2006 03:30:01
AVPREF.DLL : 7.0.0.2 23592 7/24/2006 18:36:04
AVREP.DLL : 6.36.0.5 806952 9/25/2006 15:30:08
AVRPBASE.DLL : 7.0.0.0 2162728 3/30/2006 14:43:31
AVPACK32.DLL : 7.2.0.0 368680 7/21/2006 12:00:28
AVREG.DLL : 6.31.0.90 27688 7/28/2005 16:06:36
NETNT.DLL : 6.32.0.0 6696 9/27/2005 13:56:49
NETNW.DLL : 7.0.0.0 9768 7/24/2006 18:35:55
RCIMAGE.DLL : 7.0.0.74 1642536 8/1/2006 17:22:57
RCTEXT.DLL : 7.0.1.4 77864 9/27/2006 23:40:42

Configuration settings for the scan:
Jobname.......................: Local Drives
Configuration file............: C:\Program Files\AntiVir PersonalEdition Classic\alldrives.avp
Boot sectors..................: C,D,E,A,R,V
Scan memory...................: 1
Process scan..................: 1
Scan all files................: 2
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Macro heuristic...............: 1
File heuristic................: 0
Primary action................: 1
Secondary action..............: 0

Start of the scan: Tuesday, October 03, 2006 17:55


The scan of running processes will be started
19 Processes were scanned

Start scanning boot sectors:

Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!
Boot sector 'E:\'
[NOTE] No virus was found!
Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!

Starting to scan the registry.
The registry was scanned ( 21 files ).


Starting the file scan:

C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d39af347703c610cf019b783a5798170_25a3b082-6028-47ee-a3a6-55feb7026348
[WARNING] The file could not be opened!
C:\Program Files\eMule\Incoming\Adobe Creative Suite Premium\Adobe Creative Suite Premium FULL CS (photoshop cs, indesign cs, illustrator cs, golive cs, acrobat 6.0 pro) FIXED April2004.rar
[0] Archive type: RAR SFX (self extracting)
--> FWX7Xd5.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> h3B8Ei8.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> o5vE0U1.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> g6u21ss.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> m4OH5tT.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> gUBjlPd.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> o1YRY11.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> n167NP5.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16001
[WARNING] Failed!
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Data\master.mdf
[WARNING] The file could not be opened!
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Data\mastlog.ldf
[WARNING] The file could not be opened!
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Data\model.mdf
[WARNING] The file could not be opened!
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Data\modellog.ldf
[WARNING] The file could not be opened!
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Data\tempdb.mdf
[WARNING] The file could not be opened!
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Data\templog.ldf
[WARNING] The file could not be opened!
C:\WINNT\SoftwareDistribution\EventCache\{1DBB0A6C-C272-4533-9E05-130FAE1FD2D5}.bin
[WARNING] The file could not be opened!
C:\WINNT\system32\Perflib_Perfdata_31c.dat
[WARNING] The file could not be opened!
C:\WINNT\system32\Perflib_Perfdata_5bc.dat
[WARNING] The file could not be opened!
C:\WINNT\system32\config\default
[WARNING] The file could not be opened!
C:\WINNT\system32\config\default.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SAM
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SAM.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SECURITY
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\config\software
[WARNING] The file could not be opened!
C:\WINNT\system32\config\software.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\config\system
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SYSTEM.ALT
[WARNING] The file could not be opened!
C:\~BurnBucket\Cooking\KitchenOutput.rar
[0] Archive type: RAR
--> TJH061Y.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> kTwqPOK.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> ieGv7qB.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> FsPCUXr.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> w8WW07F.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> pN12173.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> hUhy304.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> j07e71G.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was deleted!
D:\Incoming\Movies\SingingDetectiveAccessories\Singing Detective Songs.rar
[0] Archive type: RAR
--> wU37BJU.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> Y3Vm2Ro.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> PMGM6Fg.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> Ug8mG5.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> iim0lJS.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> gup1meX.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> nfJ1680.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> tGUpu5j.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> dMF6sOP.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '4590ef74.qua'!
D:\Incoming\Movies\SingingDetectiveAccessories\The singing detective (1986 TV series).subs.EN.srt.rar
[0] Archive type: RAR
--> W3uw23c.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> PxDiyjj.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> s6DckYf.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> L86Jp6i.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> t35j7Ny.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> VS3eu07.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> IxCujw4.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> c0IK36L.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> Lm6M1Fi.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '4587efa1.qua'!
D:\Incoming\MP3 Albums\Julie London Sings Cole Porter(192kbs).rar
[0] Archive type: RAR
--> q6OPu51.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> B5XyjHe.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> m10vW4R.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> jt4h4UN.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> g7KPk7J.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> c2yqBi.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> QiRdD8k.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> l141tdq.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> X7jvsK.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> r6Mo0If.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> x6ywCE1.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> xOCd81W.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> S15QMQl.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> Qlhe6Tg.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> xGvoPnn.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> wSyqQ7C.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> q7P7XRI.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> gD4n4p8.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> fuDYne2.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '458eefd9.qua'!
D:\Incoming\WINDOWS\Acrobat\1\Adobe Acrobat 7.0 Prof Fr+ De+Eng + KG.rar
[0] Archive type: RAR
--> yH531Dm.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> TEB73BI.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> EQqfyCo.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> rTWHQf5.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> gfx0o0S.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> r1PxpcI.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> GYe75ei.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> Ij7WHG6.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> sHq2e40.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '4591f06d.qua'!
D:\Incoming\WINDOWS\Acrobat\4\adobe_acrobat_7.0_professional_incl_keygen-paradox.rar
[0] Archive type: RAR
--> fkb5QQ.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> k4qnRqV.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> to4s0qL.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> Isn4x3l.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> o0V3UXO.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> iOwNx14.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> j1H50l5.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> x5R7Pvl.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> Jf6cmRu.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '4591f0fb.qua'!
D:\Incoming\WINDOWS\DEVELOPER2000rar\Microsoft Office 2000 Premium Developer Edition.rar
[0] Archive type: RAR
--> Tkk12uD.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> vquy4dO.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> uf3H1tp.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> UHcIDdp.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> cugX3Up.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> gNI4k7U.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> o643USO.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> pgIFt2t.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> CUE0FVk.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '4585f2e4.qua'!
D:\Incoming\WINDOWS\DEVELOPER2000unzipped\DEVELOPER2000unzipped.rar
[0] Archive type: RAR
--> N3OfHGE.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> yQeqQ8d.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> NO01hWG.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> jm88B1T.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> lOG2dYG.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> X3syf60.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> IJ8m1wY.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> n1o5Vn2.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> lOof74S.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16001
[WARNING] Failed!
D:\Nick\BlackMarket\DVDstuff\- Dvd Decrypter - Anydvd - Clonedvd - Copytodvd - Dvd2One - Dvd Shrink.rar
[0] Archive type: RAR
--> ygbquie.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> Bd7y4Up.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> go5D7PR.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> o0e1VCF.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> q5MpVTo.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> RNW31TV.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> qHg80Ng.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> o1l188W.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> elrETX0.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '4566f890.qua'!
D:\Nick\BlackMarket\DVDstuff\AnyDVD 5.3.2.1 CloneDVD 2.8.5.1 CloneCD 5.2.6.1 CloneDVD v 2.7.5.1 DVD Decrypter 3 DVD Shrink 3 Virtual Clone Drive v 5.0.1.3 CRACKS!! ( Tout FR).rar.rar
[0] Archive type: RAR
--> i8nRy78.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> w4WvWDN.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> nj0Vkpu.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> r84vn1L.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> tiINfBu.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> t210Hev.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> d84WJDl.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> tiINfBu.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> pQfcdF1.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '459bf8ee.qua'!
D:\Nick\DVDDecrypter\DVD Utilities-Decrypter,Codecs,Cloner and Ripper.rar
[0] Archive type: RAR
--> uIWKXjx.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> Wjw1e5v.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> xxLocJ4.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> jWruO0d.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> jWc7fjP.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> mv84L0x.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> oRB4lN5.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> yxgLp88.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> m1KvVv5.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '4566f8f3.qua'!
D:\Nick\Images\Cooking\KitchenOutput.rar
[0] Archive type: RAR
--> TJH061Y.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> kTwqPOK.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> ieGv7qB.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> FsPCUXr.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> w8WW07F.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> pN12173.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> hUhy304.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> j07e71G.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '4596f919.qua'!
D:\NICKDEV\IEEEOTT\Branislav\NameTags\470NameTags.rar
[0] Archive type: RAR
--> fVvYtED.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> N41pYqg.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> nEReTTD.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> x6Wq04e.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> mxR84Xn.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> VKeIkBM.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> C56s7k0.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '4552f974.qua'!
D:\NICKDEV\IEEEOTT\Branislav\PipeToTab\PipeToTab.rar
[0] Archive type: RAR
--> rrL7Wms.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> gO5Ng10.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> vc3nCTj.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> d85y8fO.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> It88g6c.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> eI61K7e.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> nflveV2.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '4592f9ac.qua'!
D:\NickOnD\_Nick.rar
[0] Archive type: RAR
--> lbnlD0Q.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> PfGVi1b.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> k2i7tnV.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> wKnxwMo.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> Gu87d8Q.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> wi060Qc.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> eUc1ud5.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '458bf9c0.qua'!
D:\NickOnD\_Nick_LikeEudora\_BKUPthisFOL_Nick.rar
[0] Archive type: RAR
--> d4h6E8j.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> p2fx7Ob.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> gLknj16.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> jtOjD57.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> sn4y74O.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> d5w6VJp.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> qTUq03o.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '456df9cf.qua'!
E:\EudoraArchives\QualcommOrig\Eudora\_Nick\_BKUPthisFOL_Nick.rar
[0] Archive type: RAR
--> eBDs7V.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> v3qULSp.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> m5Bg3VY.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> qbSUM28.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> yqFH43.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> bde0xvS.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> L1BEN4.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> tJci0uV.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> GMO114h.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '456dfa28.qua'!
E:\Holding\MUSIC\Sheet\JAZZ - 15 REAL & FAKE BOOKS PDF [With MASTER INDEX].rar
[0] Archive type: RAR
--> NebcYO8.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> K8X3w5b.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> lmbS4W.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> pq27I2D.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> Qw5fVWi.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> nRuw01T.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> h38EwsI.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> ty4YSqQ.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> c1uts6i.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16001
[WARNING] Failed!
The path A:\ could not be found!
The device is not ready.

The path V:\ could not be found!
The device is not ready.



End of the scan: Tuesday, October 03, 2006 20:06
Used time: 2:11:05 min

The scan has been done completely.

10437 Scanning directories
675948 Files were scanned
170 viruses and/or unwanted programs were found
1 files were deleted
0 files were repaired
15 files were moved to quarantine
0 files were renamed
3515 Archives were scanned
28 Warnings
65 Notes

Nick Keenan
  • 0

#7
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 32,896 posts
Hi keenan,

I was unable to find any information about WORM/Drefir.J.3 but it is entirely possible that it replaces every file with the rar extension it finds with a copy of itself.

I'd feel better if you ran another scan to see if more files are found.

Also click Start > Run > cmd > OK
This will open a Command prompt.
Type this command;
assoc .rar <= note the space behind assoc

There will be an answer below the command similar to .rar=WINRAR
Let me know what your computer answers.
  • 0

#8
keenan

keenan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Pieter...

The assoc .rar command produces: .rar=WinRAR so
nothing suspect there. I should tell you that I download a
lot of P2P stuff via eMule, some of it as .rar archive files. And
I recall downloading the TV series called The Mechanical Universe,
a great PBS series on Physics. It came in 3 .rar files of 13 episodes
each, and when I inspected the archive I saw the 13 .avi files plus
several .exe files of the same length with names like K4qnRqv, VS3eu07, IxCujw4, etc.
At the time I thought they might be auxiliary programs associated
with the series so I left them there - but didn't run them, of course.
Now then, just days ago, when I spotted them again in the Mech Univ
archive I recognized them as instances of the Worm and deleted them
from all 3 archives. But how they got into .rar archives I myself created
I don't know. Here's what I'll do: I'll create another .rar archive myself
and point AVIRA at it and let you know what happens.

I ran another AVIRA overnight and got warnings only, no detections.
I've included the log below.

If you've got a minute, can you explain or point me to an
explanation of how a computer can be infected by:
1) an email without an attachment;
2) an email with Word.doc attachment having no macros;
3) any other non .exe, non .com, etc attachment.
I just don't understand how a foreign piece of executable code
can get itself dispatched by my operating system.

In any case, I sincerely appreciate your willing help
- you're providing a valuable, meaningful, human service
as are all your colleagues at GTG. Big, big thanks for that!

Nick



AntiVir PersonalEdition Classic
Report file date: Wednesday, October 04, 2006 03:29

Scanning for 518907 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows 2000
Windows version: (Service Pack 4) [5.0.2195]
Username: Administrator
Computer name: NICK

Version information:
AVSCAN.EXE : 7.0.0.47 200744 8/21/2006 16:06:56
AVSCAN.DLL : 7.0.0.45 41000 9/7/2006 16:56:33
LUKE.DLL : 7.0.0.47 118824 9/7/2006 16:32:33
LUKERES.DLL : 7.0.0.47 9256 9/7/2006 16:56:33
ANTIVIR0.VDF : 6.35.0.1 7371264 5/31/2006 16:35:27
ANTIVIR1.VDF : 6.36.0.89 1745920 10/2/2006 03:30:15
ANTIVIR2.VDF : 6.36.0.90 2048 10/2/2006 03:30:15
ANTIVIR3.VDF : 6.36.0.92 9216 10/3/2006 03:30:15
AVEWIN32.DLL : 7.2.0.22 1860096 10/1/2006 03:30:01
AVPREF.DLL : 7.0.0.2 23592 7/24/2006 18:36:04
AVREP.DLL : 6.36.0.5 806952 9/25/2006 15:30:08
AVRPBASE.DLL : 7.0.0.0 2162728 3/30/2006 14:43:31
AVPACK32.DLL : 7.2.0.0 368680 7/21/2006 12:00:28
AVREG.DLL : 6.31.0.90 27688 7/28/2005 16:06:36
NETNT.DLL : 6.32.0.0 6696 9/27/2005 13:56:49
NETNW.DLL : 7.0.0.0 9768 7/24/2006 18:35:55
RCIMAGE.DLL : 7.0.0.74 1642536 8/1/2006 17:22:57
RCTEXT.DLL : 7.0.1.4 77864 9/27/2006 23:40:42

Configuration settings for the scan:
Jobname.......................: Local Drives
Configuration file............: C:\Program Files\AntiVir PersonalEdition Classic\alldrives.avp
Boot sectors..................: C,D,E,A,R,V
Scan memory...................: 1
Process scan..................: 1
Scan all files................: 2
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Macro heuristic...............: 1
File heuristic................: 0
Primary action................: 1
Secondary action..............: 0

Start of the scan: Wednesday, October 04, 2006 03:30


The scan of running processes will be started
19 Processes were scanned

Start scanning boot sectors:

Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!
Boot sector 'E:\'
[NOTE] No virus was found!
Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!

Starting to scan the registry.
The registry was scanned ( 21 files ).


Starting the file scan:

C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d39af347703c610cf019b783a5798170_25a3b082-6028-47ee-a3a6-55feb7026348
[WARNING] The file could not be opened!
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Data\master.mdf
[WARNING] The file could not be opened!
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Data\mastlog.ldf
[WARNING] The file could not be opened!
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Data\model.mdf
[WARNING] The file could not be opened!
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Data\modellog.ldf
[WARNING] The file could not be opened!
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Data\tempdb.mdf
[WARNING] The file could not be opened!
C:\Program Files\Microsoft SQL Server\MSSQL$INSTANCEMIXED\Data\templog.ldf
[WARNING] The file could not be opened!
C:\WINNT\SoftwareDistribution\EventCache\{981A94C3-FF38-48A1-8F2B-FFB7BA824325}.bin
[WARNING] The file could not be opened!
C:\WINNT\system32\Perflib_Perfdata_2bc.dat
[WARNING] The file could not be opened!
C:\WINNT\system32\Perflib_Perfdata_520.dat
[WARNING] The file could not be opened!
C:\WINNT\system32\config\default
[WARNING] The file could not be opened!
C:\WINNT\system32\config\default.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SAM
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SAM.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SECURITY
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\config\software
[WARNING] The file could not be opened!
C:\WINNT\system32\config\software.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\config\system
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SYSTEM.ALT
[WARNING] The file could not be opened!
The path A:\ could not be found!
The device is not ready.



End of the scan: Wednesday, October 04, 2006 04:38
Used time: 1:08:54 min

The scan has been done completely.

10110 Scanning directories
404051 Files were scanned
0 viruses and/or unwanted programs were found
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1896 Archives were scanned
25 Warnings
5 Notes
  • 0
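The two AntiVir reports posted in this thread are long enough that reading them by eye is error-prone: the interesting facts are which archives carried flagged members, which member names recur across unrelated archives (the pattern Metallica suspects), and which detections ended in "ErrorID: 16001" instead of a move to quarantine. The parser below is an added example for this thread, not code from the original posts or from Avira; it groups report lines by the scanned file exactly as the quoted format lays them out. The sample report embedded in it is constructed to mirror that format (made-up paths, member names and quarantine ids), not an excerpt of the posted log.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the AntiVir report format quoted in this thread;
# the paths, member names and quarantine ids are made up for the demo.
SAMPLE_REPORT = """\
Starting the file scan:

C:\\pagefile.sys
[WARNING] The file could not be opened!
D:\\Incoming\\Sample\\album.rar
[0] Archive type: RAR
--> W3uw23c.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> PxDiyjj.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[INFO] The file was moved to '4587efa1.qua'!
D:\\Incoming\\Sample\\backup.rar
[0] Archive type: RAR
--> N3OfHGE.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
--> W3uw23c.exe
[DETECTION] Contains signature of the worm WORM/Drefir.J.3
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16001
[WARNING] Failed!
D:\\Incoming\\Sample\\photos.rar
[0] Archive type: RAR
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")       # a scanned file begins with its full path
MEMBER_RE = re.compile(r"^--> (.+)$")       # a member inside an archive
DETECT_RE = re.compile(r"^\[DETECTION\] Contains signature of (.+)$")
QUAR_RE = re.compile(r"^\[INFO\] The file was moved to '([^']+)'!$")
ERR_RE = re.compile(r"^\[WARNING\] .*ErrorID: (\d+)$")
UNREADABLE = "[WARNING] The file could not be opened!"

@dataclass
class ScannedFile:
    path: str
    detections: list = field(default_factory=list)  # (member or None, signature)
    quarantine_id: str = None
    error_id: int = None
    unreadable: bool = False

def parse_report(text):
    """Group the report's lines by the scanned file they belong to."""
    files, current, member = [], None, None
    for line in text.splitlines():
        if PATH_RE.match(line):
            current = ScannedFile(path=line.strip())
            member = None                      # members belong to this archive only
            files.append(current)
        elif current is None:
            continue                           # header lines before the first path
        elif (m := MEMBER_RE.match(line)):
            member = m.group(1)
        elif (m := DETECT_RE.match(line)):
            current.detections.append((member, m.group(1)))
        elif (m := QUAR_RE.match(line)):
            current.quarantine_id = m.group(1)
        elif (m := ERR_RE.match(line)):
            current.error_id = int(m.group(1))
        elif line == UNREADABLE:
            current.unreadable = True
    return files

def unresolved(files):
    """Flagged but not quarantined: still on disk and needs manual follow-up."""
    return [f for f in files if f.detections and f.quarantine_id is None]

def member_occurrences(files):
    """Number of archives each flagged member name appears in (counted once per archive)."""
    counts = Counter()
    for f in files:
        for member, _sig in set(f.detections):
            if member is not None:
                counts[member] += 1
    return counts

def summary(files):
    return {
        "scanned": len(files),
        "infected": sum(1 for f in files if f.detections),
        "quarantined": sum(1 for f in files if f.quarantine_id is not None),
        "unresolved": [f.path for f in unresolved(files)],
        "unreadable": sum(1 for f in files if f.unreadable),
    }

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(summary(parsed))
    print(member_occurrences(parsed).most_common())
```

Run against a saved report, `unresolved()` lists exactly the archives the posted log marks with "ErrorID: 16001" and "[WARNING] Failed!", which the scanner left in place and which therefore still need to be dealt with by hand, while `member_occurrences()` makes a recurring member name across otherwise unrelated archives visible without scrolling through hundreds of lines.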

#9
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 32,896 posts
A bit outdated because .jpg should no longer be on the list of safe extensions, but you'll get the drift:
http://www.novatone....mag/mailsec.htm

If you have HTML enabled in your email-client you are running the same risks looking at your email as you are browsing the web. HTML pages are in fact tiny programs that are run on your computer.
There are some restrictions to what they can do, but that fact remains.

So there are options for those spreading malware and they keep finding new options (exploits, security flaws or plain dumb oversights).

Myself I use TheBat with preview and HTML disabled and all mail is scanned by AVG and my provider.
Still, on average 1 in every 200 mails contains a virus that could infect my computer if I was curious enough to open it. (About 120 in every 200 emails get deleted by me without spending one look at them)
And if I didn't have an interest in viruses and phishing that would probably be more.

Let me know what Avira has to say about your experiment.

Regards,
  • 0

#10
keenan

keenan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Thanks for the link Pieter - very informative (and Canadian too, eh?)
I take it JPG is associated with pgm(s) that could execute malware code?

The experiment produced no surprises - WinRAR compressed and
uncompressed a set of JPGs the way it was supposed to.

As another experiment, I *may* try to download one of the Mech Univ
archives using eMule, which is where I picked up the malware originally.
I'm curious, and if I do try it, I'll report my findings to you - with pleasure.

I'm using Thunderbird for email but I couldn't find a way to explicitly
disable HTML mode (it always asks me if I want to send in HTML or not
and I always just use plain text).

Well, I guess I've got a pretty clean machine now, with appreciative thanks to you
and GTG in general - keep up the good fight!

All the best,
Nick
  • 0

#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 32,896 posts
According to: http://kb.mozillazin...l_(Thunderbird)

Click "Tools -> Options -> Privacy -> General".
Check the first box, "Block loading..." and uncheck the other two, "Allow remote images..." and "Enable JavaScript...".
Still in the "Options" dialog, click "Display -> Formatting" and then uncheck "Display emoticons as graphics". Traditionally, plain text uses "Fixed width font", but it's not necessary.
To block fonts: click "Fonts" tab and then the "Fonts..." button. Uncheck "Allow messages to use other fonts". Advanced users might want to disable "Character encodings".
Click "OK" to close the "Options" dialog.
Click "View" then "Message Body As" then "Plain Text". Thunderbird should now display a dot next to "Plain Text".
Click "View" then "Display Attachments Inline". That option should now be unchecked (disabled).

Let me know if you find out anything about the infection.

Regards,
  • 0

#12
keenan

keenan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Thanks Pieter for the Thunderbird tips -
I applied them all and I no longer get
asked whether to send in plain, or HTML,
or both.

I run a full AVIRA scan overnight every night
so I'll catch any nastiness promptly.

The p2p download of Mech Univ rar is chugging
along. Will keep you posted.

/nick
  • 0

#13
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 32,896 posts
Glad I was able to at least help a bit. :whistling:
  • 0

#14
keenan

keenan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Hello Metallica /Pieter!!

It's been several weeks since last we wrote, and as I promised
I would keep you posted on my experiment to download via P2P
a rar archive of Mechanical Universe to see if it contained any trace
of Worm/Drefir executables.
Well, the archive arrived and it was perfectly clean - no strange
looking exe files. I didn't have much hope anyway, but it's always
worth a try - sometimes you get a hit!
Otherwise, my PC under Win2K is behaving reasonably well, and
no trouble so far. I run a full Avira scan every 24 hours and it has
detected nothing except some warnings.

I think I will make a list of all the running processes (as reported
by Task Manager) and then try to find out exactly what each one is, who
owns it, what it is supposed to do. There are the obvious ones, but
there are lots of others I haven't a clue about... and I'm tired of not
knowing what's going on in real time on my machine. When I worked
on mainframes I knew everything that was going on, right down to
the metal - seriously!

Anyway, nice talking to you. Hope the world is treating you right!

/nick
  • 0





