sulimo.dat infection (Trojan.Smitfraud Variant/AIS)[CLOSED]


  • This topic is locked

#1
gilliganmn
    Member, 15 posts

Hey guys,

I've picked up a virus that avast and superantispyware can't remove. It's
Trojan.Smitfraud Variant/AIS and is in the sulimo.dat file. Here's my superantispyware log. Following that is my hijackthis log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/14/2008 at 12:15 PM

Application Version : 3.9.1008

Core Rules Database Version : 3402
Trace Rules Database Version: 1394

Scan type : Quick Scan
Total Scan Time : 03:08:30

Memory items scanned : 579
Memory threats detected : 0
Registry items scanned : 1134
Registry threats detected : 0
File items scanned : 97280
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Dad\Cookies\dad@revsci[2].txt
C:\Documents and Settings\Dad\Cookies\dad@atdmt[2].txt
C:\Documents and Settings\Dad\Cookies\[email protected][1].txt

Trojan.Smitfraud Variant/AIS
C:\WINDOWS\SYSTEM32\SULIMO.DAT


The hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:31 AM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\AIM95\aim.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.97.0\GoogleUpdate.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\I7W64EOS\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google Desktop - {A472C4DE-F280-4842-B6BC-9B4E0002871E} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopDeskbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AIM] C:\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [pcdlib32] C:\WINDOWS\System32\pcdlib32.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.97.0\GoogleUpdate.exe"
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildt...lim/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185736413671
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LogCrypt - C:\WINDOWS\SYSTEM32\LogCrypt.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleCSService - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8728 bytes

Any help you guys can give me would be much appreciated. Thanks in advance!

Jay

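Reading the log above the way a responder would, three lines stand out before anything else: the O20 AppInit_DLLs entry (sulimo.dat is loaded by user32.dll into every process that loads user32, and the .dat extension hides that it is a DLL), the O20 Winlogon Notify entry for LogCrypt.dll sitting bare in SYSTEM32 (notify packages run inside winlogon.exe as SYSTEM), and the O7 DisableRegedit policy that blocks the user's own cleanup tooling. The script below is an added example, not code from this thread and not part of Trend Micro's HijackThis; it applies exactly those rules to lines copied from the posted log. The severity rules are the editor's heuristics and are marked as such in the comments; on real logs the Winlogon Notify and HKCU Run checks would need a vendor allowlist, since they flag entries for identification rather than declare them malicious.

```python
"""Triage of HijackThis v2.0.2 log lines for the persistence entries that matter most.

Added example: not code from this thread and not part of Trend Micro's HijackThis.
The sample lines are copied from the log posted in reply #1; the severity rules
are the editor's heuristics (labelled as such below), not HijackThis's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = identify the file before acting
    line: str
    reason: str


# Constructed sample: a subset of the O4/O7/O10/O20 lines from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [pcdlib32] C:\WINDOWS\System32\pcdlib32.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LogCrypt - C:\WINDOWS\SYSTEM32\LogCrypt.dll
"""

_HJT_LINE = re.compile(r"^(?P<sec>[ORF]\d+) - (?P<body>.+)$")
_RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def exe_path(cmd: str) -> str:
    """Return the program path of a Run command: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Apply the editor's heuristics to each HijackThis line and collect findings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = _HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded by user32.dll into every process that maps it.
            value = body.split(":", 1)[1].strip()
            if value:
                reason = "AppInit_DLLs entry: loaded into every process that loads user32.dll"
                if not value.lower().endswith(".dll"):
                    reason += "; non-.dll extension disguises a DLL"
                findings.append(Finding("high", raw, reason))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            # Notify packages run inside winlogon.exe as SYSTEM. Heuristic (editor's): an
            # installed product's DLL lives under Program Files; a bare system32 DLL needs checking.
            path = body.split(" - ", 1)[1].strip()
            if "\\program files\\" not in path.lower():
                findings.append(Finding("review", raw, "Winlogon Notify DLL outside Program Files: identify the publisher"))
        elif sec == "O7":
            findings.append(Finding("high", raw, "HKLM policy restriction blocks the user's own tooling (here regedit)"))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append(Finding("review", raw, "LSP not recognised by HijackThis; an LSP sees all socket traffic"))
        elif sec == "O4":
            r = _RUN.match(body)
            # Heuristic (editor's): a per-user Run entry whose target sits in the Windows
            # directory is unusual for installed software and worth a publisher check.
            if r and r.group("hive") == "HKCU" and "\\windows\\" in exe_path(r.group("cmd")).lower():
                findings.append(Finding("review", raw, "HKCU Run entry launching from the Windows directory"))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

Run as-is it prints the two "high" findings (sulimo.dat and the O7 policy) followed by the "review" ones; the avast! and Google Talk entries produce nothing, and the HKLM Run key is deliberately not subjected to the Windows-directory heuristic because vendor drivers (NvCpl, nwiz) legitimately start from there.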
#2
RatHat
    Ex Malware Expert, 7,829 posts

Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please post me an Uninstall List from HijackThis:
  • Re-Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download SmitfraudFix (by S!Ri) to your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please read this Combofix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

When asked to "Save As" save Combofix.exe as Combo-Fix.exe
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your reply, please post the following:
  • The HijackThis uninstall list
  • The contents of rapport.txt
  • The contents of Combofix.txt
  • A fresh HijackThis log, taken after completing the above

Regards,
RatHat

#3
gilliganmn
    Topic Starter, Member, 15 posts

Hey RatHat,

I did everything exactly as you said and it appears that the virus(es) are gone, thanks so much. I've attached the logs you asked for so as not to clutter up this post.

Let me know what to do next boss.

Thanks,
Jay

Attached Files



#4
RatHat
    Ex Malware Expert, 7,829 posts

Hi Jay,

I would much prefer if you could post the contents of any logs as it makes it much easier to read.

Your version of Java is out of date. Please update to the latest version here (Java Runtime Environment (JRE) 6 Update 4). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java ™ 6 Update 4
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, you are looking in much better shape now, but lets make sure:

Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.

Regards,
RatHat

#5
gilliganmn
    Topic Starter, Member, 15 posts

Hey RatHat,

Unfortunately the results of the Kaspersky scan weren't clean. I missed what you said about Java before running Kaspersky, but I did, as a general cleanup, remove all old Java versions except 1.4. Anyway, the result of the scan follows:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 17, 2008 4:26:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/02/2008
Kaspersky Anti-Virus database records: 570059
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Z:\

Scan Statistics:
Total number of scanned objects: 225541
Number of viruses found: 13
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 05:02:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\CyberLink\PowerDVD\HTML\help\[X]l0v3ly.x Infected: Backdoor.IRC.Zapchast skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Dad\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Dad\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dad\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dad\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dad\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\uploads.db Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\MSHist012008021720080218\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\Perflib_Perfdata_dd4.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hex.exe/island.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\hex.exe/v1rg1n.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\hex.exe/[i]v1rg1n.x Infected: Net-Worm.Win32.Randon skipped
C:\hex.exe/[X]l0v3ly.x Infected: Backdoor.IRC.Zapchast skipped
C:\hex.exe Instyler: infected - 4 skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\QooBox\Quarantine\catchme2008-02-15_214131.64.zip/Rwc83.sys Infected: Email-Worm.Win32.Agent.e skipped
C:\QooBox\Quarantine\catchme2008-02-15_214131.64.zip ZIP: infected - 1 skipped
C:\smitfraudfix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1910\A0098872.dll Infected: Trojan.Win32.Agent.eub skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1910\A0098902.dll Infected: Trojan.Win32.Agent.eub skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1911\A0098986.exe Infected: Trojan-Downloader.Win32.Wixud.i skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1912\A0099307.dll Infected: Email-Worm.Win32.Agent.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1912\A0099316.sys Infected: Email-Worm.Win32.Agent.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1912\A0099323.dll Infected: Email-Worm.Win32.Agent.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1912\A0099327.dll Infected: Email-Worm.Win32.Agent.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1912\A0099336.sys Infected: Email-Worm.Win32.Agent.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1913\A0099425.dll Infected: Email-Worm.Win32.Agent.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1913\A0099434.sys Infected: Email-Worm.Win32.Agent.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1913\A0099608.dll Infected: Email-Worm.Win32.Agent.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1913\A0099619.sys Infected: Email-Worm.Win32.Agent.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1914\A0099733.dll Infected: Email-Worm.Win32.Agent.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1914\A0099753.sys Infected: Email-Worm.Win32.Agent.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1915\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\expacc.exe Infected: Trojan-Downloader.Win32.Diehard.ef skipped
C:\WINDOWS\Internet Logs\DBR4K321.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\pss\autorun.exeCommon Startup Infected: not-virus:Hoax.Win32.Renos.qx skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6759CFFE-6BA9-4EC6-B4EB-511811FD9D1E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\Ejn40.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogCrypt.dll Infected: Trojan.Win32.Agent.eub skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WLCtrl32.dll Infected: Email-Worm.Win32.Agent.e skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6e8.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT04e80.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT05f6f.TMP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\xz.bat Infected: Trojan.BAT.KillProc.a skipped
E:\WINDOWS\TEMP\ccu\comet.cab/cseng.dll Infected: not-a-virus:AdWare.Win32.Comet.w skipped
E:\WINDOWS\TEMP\ccu\comet.cab CAB: infected - 1 skipped
E:\TEMP\pk263wsp.exe/TSADBOT.EXE Infected: not-a-virus:AdWare.Win32.TimeSink skipped
E:\TEMP\pk263wsp.exe ZIP: infected - 1 skipped

Scan process completed.

Thanks,
Jay

#6
RatHat
    Ex Malware Expert, 7,829 posts

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\All Users\Application Data\CyberLink\PowerDVD\HTML\help\[X]l0v3ly.x
C:\hex.exe
C:\WINDOWS\expacc.exe
C:\WINDOWS\pss\autorun.exe
C:\WINDOWS\SYSTEM32\LogCrypt.dll
C:\WINDOWS\SYSTEM32\WLCtrl32.dll
C:\xz.bat


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's reset and re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected, but that's good news.)

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please go HERE to run Panda's TotalScan
  • Select the radio button for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report in your next reply along with the contents of OTM.txt and a fresh HijackThis log.
Also, let me know how your computer is behaving now.

Regards,
RatHat

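The OTMoveIt list in the reply above is the result of a triage pass over the Kaspersky report in reply #5: "Object is locked" lines are in-use system files, not detections; copies under System Volume Information are handled by the restore-point reset rather than by deleting files; items under QooBox are already in ComboFix's quarantine; SmitfraudFix's own Reboot.exe carries Kaspersky's "not-a-virus:" riskware prefix and is the tool, not the infection; and archive members reported as container/member collapse to the container on disk. The script below is an added example, not code from this thread, from Kaspersky or from the helper; it does that pass over lines copied from the posted report, with the bucketing rules being the editor's. Two details it surfaces: the verdict on the pss item is "not-virus:Hoax.Win32.Renos.qx", which does not carry the "not-a-virus:" prefix and so stays in the malware bucket, matching the helper's decision; and the report's file name is the whole string before "Infected:", that is "autorun.exeCommon Startup", consistent with how msconfig stores a disabled startup item under pss, which is why the shortened "C:\WINDOWS\pss\autorun.exe" in the list is what OTMoveIt reports as not found in reply #7.

```python
"""Bucket the detections in a Kaspersky Online Scanner report into actionable groups.

Added example: not part of the thread, and not Kaspersky's or the helper's code.
The sample lines are copied from the report posted in reply #5; the bucketing
rules are the editor's, chosen to reproduce the file list posted in reply #6.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: a subset of the posted report (every line type occurs at least once).
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\CyberLink\PowerDVD\HTML\help\[X]l0v3ly.x Infected: Backdoor.IRC.Zapchast skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\Dad\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dad\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dad\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\hex.exe/island.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\hex.exe/[i]v1rg1n.x Infected: Net-Worm.Win32.Randon skipped
C:\hex.exe Instyler: infected - 4 skipped
C:\QooBox\Quarantine\catchme2008-02-15_214131.64.zip/Rwc83.sys Infected: Email-Worm.Win32.Agent.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1910\A0098872.dll Infected: Trojan.Win32.Agent.eub skipped
C:\WINDOWS\expacc.exe Infected: Trojan-Downloader.Win32.Diehard.ef skipped
C:\WINDOWS\pss\autorun.exeCommon Startup Infected: not-virus:Hoax.Win32.Renos.qx skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\LogCrypt.dll Infected: Trojan.Win32.Agent.eub skipped
C:\WINDOWS\SYSTEM32\WLCtrl32.dll Infected: Email-Worm.Win32.Agent.e skipped
C:\xz.bat Infected: Trojan.BAT.KillProc.a skipped
E:\TEMP\pk263wsp.exe/TSADBOT.EXE Infected: not-a-virus:AdWare.Win32.TimeSink skipped
E:\TEMP\pk263wsp.exe ZIP: infected - 1 skipped
"""

_INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
_LOCKED = re.compile(r"^.+ Object is locked skipped$")
_CONTAINER = re.compile(r"^.+ \S+: infected - \d+ skipped$")


def container_of(path: str) -> str:
    """Archive members are reported as container/member; the object on disk is the container."""
    return path.split("/", 1)[0]


def classify(path: str, verdict: str) -> str:
    """Editor's buckets: where the object lives decides first, then the verdict prefix."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"  # cleared by resetting System Restore, not by deleting files
    if "\\qoobox\\quarantine\\" in low:
        return "quarantine"     # ComboFix already moved it; nothing left to remove
    if verdict.startswith("not-a-virus:"):
        return "riskware"       # Kaspersky's prefix for tools/adware; includes SmitfraudFix's own Reboot.exe
    return "malware"


def triage(report: str) -> tuple[dict[str, list[str]], int]:
    """Return {bucket: sorted container paths} plus the count of locked objects skipped."""
    buckets: dict[str, set[str]] = defaultdict(set)
    locked = 0
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if _LOCKED.match(line):
            locked += 1         # in-use system files, not detections
            continue
        if _CONTAINER.match(line):
            continue            # summary line; the member lines carry the verdicts
        m = _INFECTED.match(line)
        if not m:
            continue
        path = m.group("path")
        buckets[classify(path, m.group("verdict"))].add(container_of(path))
    # A container with one malicious member is malware, whatever else it holds.
    buckets["riskware"] -= buckets["malware"]
    return {k: sorted(v) for k, v in buckets.items() if v}, locked


if __name__ == "__main__":
    groups, locked = triage(SAMPLE_REPORT)
    print(f"{locked} locked objects skipped")
    for bucket in ("malware", "riskware", "quarantine", "restore_point"):
        for p in groups.get(bucket, []):
            print(f"{bucket:14} {p}")
```

The malware bucket comes out as the same seven objects the helper listed, with hex.exe kept as one entry even though two of its members are only riskware, and the E:\TEMP adware archive and the SmitfraudFix files land in riskware where a responder can decide about them separately.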
#7
gilliganmn
    Topic Starter, Member, 15 posts

Hey RatHat,

Unfortunately the PC is barely usable now; the CPU quickly gets pegged at 100%. The cleaning seems to have awoken some latent viruses. I'm including the results of the OTM.txt file, the Panda scan (took me a few tries to complete) and the latest HijackThis log file. There are about 20 iexplore.exe processes in my Windows processes list, but they are not visible IE browsers.

OTM.txt:

C:\Documents and Settings\All Users\Application Data\CyberLink\PowerDVD\HTML\help\[X]l0v3ly.x moved successfully.
C:\hex.exe moved successfully.
C:\WINDOWS\expacc.exe moved successfully.
File/Folder C:\WINDOWS\pss\autorun.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\LogCrypt.dll
C:\WINDOWS\SYSTEM32\LogCrypt.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\LogCrypt.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\WLCtrl32.dll
C:\WINDOWS\SYSTEM32\WLCtrl32.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\WLCtrl32.dll moved successfully.
C:\xz.bat moved successfully.

OTMoveIt2 v1.0.20 log created on 02182008_173915


Panda scan:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-02-19 13:30:48
PROTECTIONS: 1
MALWARE: 62
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.7.1098 [VPS 080218-0] 4.7.1098 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00000431 adware/ist.istbar Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42b8-B3F7-832E75EDD959}
00000431 adware/ist.istbar Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{386A771C-E96A-421F-8BA7-32F1B706892F}
00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0878B424-1F95-4e26-B5AB-F0D349D89650}
00029434 spyware/virtumonde Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A}
00029434 spyware/virtumonde Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
00034463 adware/wupd Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
00034463 adware/wupd Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
00040415 adware/wintools Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E955-11D0-A707-000000521958}
00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E585-11D0-A707-000000521958}
00055986 adware/consumeralertsystem Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4208FB4D-4E53-4F5A-BF7A-3E047DDB5281}
00091942 adware/favoriteman Adware No 0 Yes No c:\windows\downloaded program files\atpartners.inf
00122828 Bck/IRC.Mirc.Based Virus/Trojan No 0 Yes No C:\Documents and Settings\All Users\Application Data\CyberLink\PowerDVD\HTML\help\v1rg1n.dll
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.trafficmp.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Cookies\dad@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.doubleclick.net/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Cookies\dad@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.atdmt.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\smitfraudfix\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Dad\Desktop\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 No No C:\temp\VirtumundoBeGone.exe[²₧Ç]
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\SYSTEM32\Process.exe
00145439 Cookie/Santa Monica networks inc TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@smni[1].txt
00145439 Cookie/Santa Monica networks inc TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@smni[2].txt
00145439 Cookie/Santa Monica networks inc TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@smni[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.mediaplex.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.mediaplex.com/]
00145786 Cookie/LinkExchange TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@linkexchange[2].txt
00145786 Cookie/LinkExchange TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@linkexchange[1].txt
00145786 Cookie/LinkExchange TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@linkexchange[4].txt
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.linksynergy.com/]
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.linksynergy.com/]
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.anm.co.uk/]
00148925 Cookie/Preferences TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@preferences[3].txt
00148925 Cookie/Preferences TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\[email protected]
00148925 Cookie/Preferences TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@preferences[1].txt
00148925 Cookie/Preferences TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@preferences[2].txt
00148925 Cookie/Preferences TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@preferences[2].txt
00148925 Cookie/Preferences TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@preferences[5].txt
00148925 Cookie/Preferences TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@preferences[1].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\[email protected][1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@com[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@com[2].txt
00167744 Cookie/GoStats TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@gostats[1].txt
00167774 Cookie/web-stat TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\[email protected][1].txt
00167774 Cookie/web-stat TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\[email protected][1].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.perf.overture.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.apmebf.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.apmebf.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.burstnet.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.bs.serving-sys.com/]
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[www.burstbeacon.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[stat.onestat.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[stat.onestat.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Cookies\dad@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.advertising.com/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[statse.webtrendslive.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@overture[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@realmedia[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@realmedia[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@realmedia[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@questionmarket[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@questionmarket[3].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@questionmarket[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@questionmarket[4].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@questionmarket[3].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@questionmarket[5].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@questionmarket[4].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@questionmarket[5].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.zedo.com/]
00172825 Joke/Stress Jokes No 0 Yes No E:\test\stressre.exe
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.bluestreak.com/]
00182104 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.phg.hitbox.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.adrevolver.com/]
00186189 Cookie/LinkExchange TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@linkexchange[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@go[4].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@go[8].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@go[7].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@go[3].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@go[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@go(1).txt
00194327 Cookie/Go TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@go[5].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@go[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@go[3].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\anyuser@go[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@go[6].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No E:\WINDOWS\Cookies\jayallen@go[4].txt
00220869 Trj/ProcKill.K Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\02182008_173915\xz.bat
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.atwola.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Cookies\dad@atwola[1].txt
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ehg-dig.hitbox.com/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v674gy2g.default\cookies-1.txt[.ads.addynamix.com/]
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\Dad\Desktop\SmitfraudFix\restart.exe
00517584 Application/SuperFast HackTools No 0 Yes No C:\smitfraudfix\SmitfraudFix\restart.exe
00816208 Adware/eZula Adware No 0 Yes No E:\WINDOWS\SYSTEM\MACROMED\Shockwave 8\Xtras\download\TheGrooveAlliance\3DGrooveXtrav18\Groove.x32
01260840 Trj/Downloader.PME Virus/Trojan No 1 Yes No C:\Documents and Settings\Dad\Local Settings\Application Data\Wildtangent\Cdacache\00\02\36.dat
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Dad\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Dad\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
02056589 Spyware/Conducent-Timesink Spyware No 1 Yes No E:\TEMP\pk263wsp.exe[TSADBOT.EXE]
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\smitfraudfix\SmitfraudFix\Reboot.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Dad\Desktop\SmitfraudFix\Reboot.exe
02657327 Adware/WinAntiVirus2007 Adware No 0 Yes No C:\WINDOWS\pss\autorun.exeCommon Startup
02895262 W32/PatchLog.P Virus No 0 Yes No C:\WINDOWS\UPDREG.EXE
02895262 W32/PatchLog.P Virus Yes 0 Yes No C:\PROGRAM FILES\COMMON FILES\DELL\EUSW\SUPPORT.EXE
02895262 W32/PatchLog.P Virus No 0 Yes No C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE
02895262 W32/PatchLog.P Virus Yes 0 Yes No C:\AIM95\AIM.EXE
02895262 W32/PatchLog.P Virus Yes 0 Yes No C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
02895262 W32/PatchLog.P Virus Yes 0 Yes No C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE
02895262 W32/PatchLog.P Virus No 0 Yes No C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
02895534 Bck/Lanman.CA Virus/Trojan Yes 1 Yes No C:\WINDOWS\SYSTEM32\LANMANWRK.EXE
02895536 Rootkit/Lanman.CB HackTools No 0 Yes No C:\WINDOWS\SYSTEM32\lanmandrv.sys
02900272 Trj/Agent.IAB Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\02182008_173915\WINDOWS\SYSTEM32\LogCrypt.dll
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:46 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKCU\..\Run: [AIM] C:\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [pcdlib32] C:\WINDOWS\System32\pcdlib32.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3\GoogleUpdate.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildt...lim/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185736413671
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleCSService - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: Viewpoint Manager Service - Viewpoint
  • 0

#8
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
It looks like you have a Trojan.Agent.aia rootkit infection, so let's see if we can remove it!

Now we are about to use an extremely powerful program, so PRINT OUT these instructions and follow them closely. If you are not sure of something, ask first.

Please download and unzip Icesword to its own folder.

If you get a lot of "red entries" in an IceSword log, don't worry, most of them will be legitimate.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.

Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.

Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.

Now post all of the data collected under the headings for:
  • Processes
  • Win32 Services
  • Startup
  • SSDT
  • Message Hooks


Regards,
RatHat
  • 0

#9
gilliganmn

gilliganmn

    Member

  • Topic Starter
  • Member
  • 15 posts
Hey RatHat,

I was afraid it was a rootkit from the non-deterministic behavior.

I had no red processes, services, or startup. There were two red SSDT entries and I've listed them below under the SSDT red entries.

Process:

System Idle Process
System
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\ituneshelper.exe
C:\icesword\IceSword122en\IceSword.exe
C:\Program Files\Common Files\Dell\EUSW\support.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3\GoogleUpdate.exe
C:\WINDOWS\SYSTEM32\cmd.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\smss.exe


Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:Apple Mobile Device Display Name:Apple Mobile Device
Service Name:aswUpdSv Display Name:avast! iAVS4 Control Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:avast! Antivirus Display Name:avast! Antivirus
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:Browser Display Name:Computer Browser
Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:iPod Service Display Name:iPod Service
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LexBceS Display Name:LexBce Server
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:NwSapAgent Display Name:SAP Agent
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:Viewpoint Manager Service Display Name:Viewpoint Manager Service
Service Name:vsmon Display Name:TrueVector Internet Monitor
Service Name:w32time Display Name:Windows Time
Service Name:WANMiniportService Display Name:WAN Miniport (ATW) Service
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:WMDM PMSP Service Display Name:WMDM PMSP Service
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration


Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdReg
C:\WINDOWS\UpdReg.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DwlClient
C:\Program Files\Common Files\Dell\EUSW\Support.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast!
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EarthLink Installer
" /C

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Lexmark X74-X75
"C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iTunesHelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Photo Downloader
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ZoneAlarm Client
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lanmanwrk.exe
C:\WINDOWS\System32\lanmanwrk.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
AIM
C:\AIM95\aim.exe -cnetwait.odl

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Works Update Detection
C:\Program Files\Microsoft Works\WkDetect.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
pcdlib32
C:\WINDOWS\System32\pcdlib32.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
googletalk
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Google Update
"C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3\GoogleUpdate.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
DESKTOP.INI


C:\Documents and Settings\Dad\Start Menu\Programs\Startup
DESKTOP.INI


C:\Documents and Settings\Dad\Start Menu\Programs\Startup
YouTube Uploader.lnk
C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (Remark:)


SSDT red entries:

\Systemroot\system32\vsdatant.sys
\??\c:\windows\system32\lanmandrv.sys

Message hooks with WH_KEYBOARD type:

c:\program files\internet explorer\iexplore.exe
c:\windows\explorer.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\alwils~1\avast4\ashdisp.exe
c:\program files\common files\Dell\EUSW\support.exe
c:\windows\system32\cfmon.exe
c:\document and settings\Dad\local settings\application data\google\update\1.0.103.3\googleupdate.exe
c:\program files\itunes\ituneshelper.exe
c:\program files\zone labs\zonealarm\zclient.exe

Thanks,
Jay
  • 0

#10
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now for the fix. Close all windows and disconnect from the Internet. Run IceSword.exe. Do not restart your PC until the very end, to ensure the fix works.


Step 1 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) in bold and delete them.

C:\WINDOWS\System32\lanmanwrk.exe
C:\WINDOWS\System32\pcdlib32.exe
c:\windows\system32\lanmandrv.sys
C:\WINDOWS\SYSTEM32\DRIVERS\Ejn40.sys


Step 2 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold(if present) and delete them.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ejn40

Then navigate to the following registry keys and delete the values in bold

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lanmanwrk.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
pcdlib32

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Re-open HijackThis and scan. Check the box next to the entry listed below.

O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Then reboot your PC and run IceSword again. Save new logs from the "Processes", "Win32 Services", and "Startup" functions, taking note of any red entries from them and from the SSDT tab.

Regards,
RatHat
  • 0
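The entries RatHat singles out above (a Winlogon Notify DLL reported as "(file missing)", Run-key values pointing at executables dropped into System32) can be pulled out of a HijackThis log mechanically. The block below is an added example, not code from this thread or from HijackThis: it reads a constructed excerpt of the log posted earlier in the thread and flags O4, O20 and O23 lines that reference a missing file, list a Winlogon Notify DLL by bare name instead of a full path, or carry a file name that this thread has already called out. The regexes, the `INDICATORS` set and the function names are my own assumptions.

```python
import re

# Constructed excerpt of the HijackThis log posted in this thread, limited to
# the line types the triage reads: O4 Run keys, O20 Winlogon Notify, O23 services.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKCU\..\Run: [pcdlib32] C:\WINDOWS\System32\pcdlib32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\AIM95\aim.exe -cnetwait.odl
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# File names named as malicious or suspect in this thread (page data only,
# not a general signature list; assumption for the example).
INDICATORS = {"sulimo.dat", "lanmanwrk.exe", "lanmandrv.sys", "pcdlib32.exe",
              "logcrypt.dll", "wlctrl32.dll", "ejn40.sys"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
MISSING = "(file missing)"


def image_path(cmd):
    """Return the executable part of a Run-key command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted command: cut at the first " /flag" or " -flag" argument.
    return re.split(r" [/-]", cmd, maxsplit=1)[0]


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def triage(log_text):
    """Return a list of findings: {"line", "file", "reasons"} for entries worth a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line) or O20_RE.match(line) or O23_RE.match(line)
        if not m:
            continue  # other HijackThis sections are ignored here
        raw = m.group("cmd") if "cmd" in m.groupdict() else m.group("path")
        missing = MISSING in raw
        path = raw.replace(MISSING, "").strip()
        if "cmd" in m.groupdict():
            path = image_path(path)
        reasons = []
        if missing:
            reasons.append("referenced file is missing (dead persistence entry)")
        if basename(path) in INDICATORS:
            reasons.append("file name matches an indicator from this thread")
        if line.startswith("O20") and "\\" not in path:
            reasons.append("Winlogon Notify DLL listed by bare name, not full path")
        if reasons:
            findings.append({"line": line, "file": basename(path), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   -", r)
```

Running it against the excerpt flags the two Run-key values RatHat asks to delete, both Winlogon Notify entries, and the MySQL service. The service finding carries only the "missing" reason: a path that reads `C:\Program.exe` is usually an unquoted ImagePath containing spaces that HijackThis truncated at the first space, which is a configuration weakness worth fixing but not the infection this thread is chasing.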


#11
gilliganmn

gilliganmn

    Member

  • Topic Starter
  • Member
  • 15 posts
Hey RatHat,

I was able to delete everything except the following files and registry keys, as they weren't there in IceSword:

C:\WINDOWS\System32\lanmanwrk.exe
C:\WINDOWS\System32\pcdlib32.exe
c:\windows\system32\lanmandrv.sys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
pcdlib32

Unfortunately the PC is still infected as all the iexplore.exe processes are started at startup and the PC is pegged at near 100% CPU quickly after start. I have noticed if I stop avast on access protection the CPU usage is much lower, almost like that's what the virus wants done.

Here are the logs from IceSword:

Process:

System Idle Process
System
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Dell\EUSW\support.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe
C:\Program Files\iTunes\ituneshelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\AIM95\aim.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3\GoogleUpdate.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\WINDOWS\SYSTEM32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\cmd.exe
C:\icesword\IceSword122en\IceSword.exe

Services:

Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:Apple Mobile Device Display Name:Apple Mobile Device
Service Name:aswUpdSv Display Name:avast! iAVS4 Control Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:avast! Antivirus Display Name:avast! Antivirus
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:Browser Display Name:Computer Browser
Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:iPod Service Display Name:iPod Service
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LexBceS Display Name:LexBce Server
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:NwSapAgent Display Name:SAP Agent
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:Viewpoint Manager Service Display Name:Viewpoint Manager Service
Service Name:vsmon Display Name:TrueVector Internet Monitor
Service Name:w32time Display Name:Windows Time
Service Name:WANMiniportService Display Name:WAN Miniport (ATW) Service
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:WMDM PMSP Service Display Name:WMDM PMSP Service
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdReg
C:\WINDOWS\UpdReg.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DwlClient
C:\Program Files\Common Files\Dell\EUSW\Support.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast!
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EarthLink Installer
" /C

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Lexmark X74-X75
"C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iTunesHelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Photo Downloader
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ZoneAlarm Client
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
AIM
C:\AIM95\aim.exe -cnetwait.odl

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Works Update Detection
C:\Program Files\Microsoft Works\WkDetect.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
pcdlib32
C:\WINDOWS\System32\pcdlib32.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
googletalk
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Google Update
"C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3\GoogleUpdate.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
DESKTOP.INI


C:\Documents and Settings\Dad\Start Menu\Programs\Startup
DESKTOP.INI


C:\Documents and Settings\Dad\Start Menu\Programs\Startup
YouTube Uploader.lnk
C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (Remark:)

SSDT red entries:

\Systemroot\system32\vsdatant.sys


Thanks for your help,
Jay
  • 0
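The two IceSword Startup dumps in this thread (post #9 before the fix, post #11 after it) are the evidence of whether the fix took: diffing them shows that the `lanmanwrk.exe` value is gone from HKLM\...\Run while `pcdlib32` is still present under HKCU\...\Run, which is exactly what Jay reports. The block below is an added example, not code from the thread or from IceSword: it parses the three-line blocks of an IceSword Startup log (location, value name, command) from constructed excerpts of both dumps, diffs them, and checks which of the values RatHat asked to delete survive. The parser, the function names and the `EXPECTED_GONE` list are my own assumptions.

```python
import re

# Constructed excerpt of the IceSword Startup dump from before the fix (post #9).
BEFORE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast!
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lanmanwrk.exe
C:\WINDOWS\System32\lanmanwrk.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
pcdlib32
C:\WINDOWS\System32\pcdlib32.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Dad\Start Menu\Programs\Startup
DESKTOP.INI
"""

# Constructed excerpt of the dump from after the fix (post #11): lanmanwrk.exe is gone.
AFTER = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast!
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
pcdlib32
C:\WINDOWS\System32\pcdlib32.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Dad\Start Menu\Programs\Startup
DESKTOP.INI
"""

# Value names the fix instructions in post #10 asked to delete.
EXPECTED_GONE = ["lanmanwrk.exe", "pcdlib32"]


def parse_startup(text):
    """Map (location, value name) -> command for each blank-line-separated block.

    Blocks with only two lines (e.g. a Startup folder holding DESKTOP.INI)
    get an empty command string.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue
        location, name = lines[0], lines[1]
        command = lines[2] if len(lines) > 2 else ""
        entries[(location, name)] = command
    return entries


def compare(before_text, after_text):
    """Diff two dumps: entries removed, added, or whose command changed."""
    before, after = parse_startup(before_text), parse_startup(after_text)
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def still_present(after_text, expected_gone):
    """Which of the value names a fix was supposed to remove are still in the post-fix dump."""
    names = {name.lower() for (_, name) in parse_startup(after_text)}
    return sorted(n for n in expected_gone if n.lower() in names)


if __name__ == "__main__":
    diff = compare(BEFORE, AFTER)
    for key in diff["removed"]:
        print("removed:", key)
    print("still present after fix:", still_present(AFTER, EXPECTED_GONE))
```

Keying the diff on (location, value name) rather than on the command string means a value that was renamed or re-pointed shows up as removed plus added, which is the pattern to look for when a persistence entry is recreated under a new name after a reboot.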

#12
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Let's go about this a different way, and then come back to IceSword if we need to:

Download Sophos Anti-Rootkit and save it to your desktop after filling out the questionnaire and reading the EULA.

Note: You will need to enter your name, e-mail address and location in order to access the download page.
  • Double-click sarsfx.exe to extract the files.
  • Click the Accept button at the EULA, then Install to the default directory
  • At the next prompt, click Yes to start the program
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click the "Start Scan" button.
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)
    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
  • When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Regards,
RatHat

#13
gilliganmn
    Member
  • Topic Starter
  • 15 posts
Hey RatHat,

I ran Sophos Anti-Rootkit but no green boxes were checked. Here are the results of the MBAM and the latest HijackThis log. The computer is still infected, same symptoms.


Malwarebytes' Anti-Malware 1.05
Database version: 390

Scan type: Quick Scan
Objects scanned: 29451
Time elapsed: 9 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\SYSTEM32\WLCtrl32.dll (Trojan.Downloader) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlctrl32 (Trojan.Downloader) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\WLCtrl32.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\SYSTEM32\WLCtrl32.dl_ (Trojan.Downloader) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:28 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKCU\..\Run: [AIM] C:\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [pcdlib32] C:\WINDOWS\System32\pcdlib32.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3\GoogleUpdate.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildt...lim/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185736413671
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleCSService - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8430 bytes


Thanks,
Jay
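The MBAM and HijackThis logs above both point at the same persistence spot: an O20 Winlogon Notify DLL and two O4 Run entries loading from System32 under names a clean XP install does not have. As an added example (not part of this thread, and not code from HijackThis, MBAM or any other tool mentioned here), the script below parses those O4 and O20 lines and flags System32 autostarts absent from a known-clean baseline; the sample lines are copied from the log above and the allowlist is a constructed, hypothetical one.

```python
import re
import ntpath

# Constructed sample in HijackThis v2.0.2 log format, taken from this thread's
# log; the O20 WLCtrl32 line is the entry MBAM reported as Trojan.Downloader.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [lanmanwrk.exe] C:\\WINDOWS\\System32\\lanmanwrk.exe
O4 - HKCU\\..\\Run: [pcdlib32] C:\\WINDOWS\\System32\\pcdlib32.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: WLCtrl32 - C:\\WINDOWS\\SYSTEM32\\WLCtrl32.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Hypothetical allowlist of basenames a clean XP baseline is expected to
# autostart from System32. Build it from a known-clean machine, never from the infected one.
KNOWN_GOOD_SYSTEM32 = {"ctfmon.exe", "nvcpl.dll"}


def image_path(cmd):
    """Pull the image path out of an O4 command line (quoted, bare, or 'file.dll,Entry')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0].split(",", 1)[0]


def parse_hjt(text):
    """Yield (kind, name, path) for every O4 Run and O20 Winlogon Notify line."""
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            yield ("O4", m["name"], image_path(m["cmd"]))
            continue
        m = O20_RE.match(line)
        if m:
            yield ("O20", m["name"], m["path"].strip())


def triage(text, allowlist=KNOWN_GOOD_SYSTEM32):
    """Return autostart entries loading from System32 that are not on the baseline allowlist."""
    flagged = []
    for kind, name, path in parse_hjt(text):
        base = ntpath.basename(path).lower()
        if "\\system32\\" in path.lower() and base not in allowlist:
            flagged.append((kind, name, path))
    return flagged
```

A hit here is a triage lead, not a conviction: legitimate software also registers Winlogon Notify DLLs, so each flagged file still needs a hash or signature check against a clean reference.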

#14
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
This is one difficult bugger to get rid of!

Please delete the version of Combofix that you have, then download a new version from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

When asked to "Save As", save Combofix.exe as Combo-Fix.exe.
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35u.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the box that says Include MD5
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Check the Radio button under Rootkit Search for Yes
  • Under Additional Scans check the following:
    • Reg - Security Settings
    • Reg - Session Manager Settings
    • Reg - Shell Spawning
    • Reg - Software Policy Settings
    • Reg - Tcpip Persistant Routes
    • File - Additional Folder Scans
    • Evnt - EventViewer Errors/Warnings (last 7 days)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

If the log is too large to post, please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


Regards,
RatHat

#15
gilliganmn
    Member
  • Topic Starter
  • 15 posts
Hey RatHat,

I ran the latest Combofix but it didn't save a log file this time and my clock is still in 24 hour time. I don't think it completed correctly after it rebooted Windows. The virus symptoms are all still apparent.

I'm attaching the WinPFind35u scan.

Thanks,
Jay
