[Referred] Malware bomb

#1 Xian2186 (New Member, 2 posts)

It seems I recently made the mistake of not reading the fine print in the installer of a program I downloaded, as it turned out to be a mass malware installer. So far, I've identified Nail.exe, ABetterInternet, Aurora, and VX2 (though Ad-Aware doesn't seem to show the "ABetterInternet", only SB:S&D). Included below is my Ad-Aware log file, and any help would really be appreciated.


Ad-Aware SE Build 1.05
Logfile Created on:Friday, May 13, 2005 8:07:50 PM
Using definitions file:SE1R45 13.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):8 total references
Windows(TAC index:3):1 total references
VX2(TAC index:10):19 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R45 13.05.2005
Internal build : 53
File location : C:\PROGRA~1\PROTEC~1\Lavasoft\AD-AWA~1\defs.ref
File size : 473168 Bytes
Total size : 1430575 Bytes
Signature data size : 1399518 Bytes
Reference data size : 30545 Bytes
Signatures total : 39932
Fingerprints total : 881
Fingerprints size : 30173 Bytes
Target categories : 15
Target families : 672


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:83 %
Total physical memory:2096624 kb
Available physical memory:1723036 kb
Total page file size:4034808 kb
Available on page file:3804856 kb
Total virtual memory:2097024 kb
Available virtual memory:2035324 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Move deleted files to Recycle Bin
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block pop-ups aggressively
Set : Automatically select problematic objects in results lists
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects


5-13-2005 8:07:50 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Adam J. Berman\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-861567501-1788223648-839522115-1003\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-861567501-1788223648-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-861567501-1788223648-839522115-1003\software\smartftp\connection data
Description : list of recently accessed servers using smartftp


MRU List Object Recognized!
Location: : S-1-5-21-861567501-1788223648-839522115-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 476
ThreadCreationTime : 5-14-2005 12:07:32 AM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 532
ThreadCreationTime : 5-14-2005 12:07:36 AM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 556
ThreadCreationTime : 5-14-2005 12:07:38 AM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 600
ThreadCreationTime : 5-14-2005 12:07:38 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 612
ThreadCreationTime : 5-14-2005 12:07:38 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 772
ThreadCreationTime : 5-14-2005 12:07:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 828
ThreadCreationTime : 5-14-2005 12:07:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 892
ThreadCreationTime : 5-14-2005 12:07:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k NetworkService
ProcessID : 940
ThreadCreationTime : 5-14-2005 12:07:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessID : 996
ThreadCreationTime : 5-14-2005 12:07:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [wbload.exe]
ModuleName : C:\Program Files\Themes\WindowBlinds\wbload.exe
Command Line : smartload
ProcessID : 1200
ThreadCreationTime : 5-14-2005 12:07:40 AM
BasePriority : Normal
FileVersion : 4.4
ProductVersion : 4.4
ProductName : WindowBlinds - http://www.windowblinds.net
CompanyName : Stardock Systems, Inc
FileDescription : WindowBlinds
InternalName : WindowBlinds
LegalCopyright : Copyright © 1997-2004 Neil Banfield, © 1998-2004 Stardock.Net, Inc
OriginalFilename : WindowBlinds
Comments : This is the WindowBlinds launcher app. Please do not delete this file. If you want to uninstall WindowBlinds, then use the uninstaller!

#:12 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1280
ThreadCreationTime : 5-14-2005 12:07:40 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [userinit.exe]
ModuleName : C:\WINDOWS\system32\userinit.exe
Command Line : C:\WINDOWS\system32\userinit.exe
ProcessID : 1480
ThreadCreationTime : 5-14-2005 12:07:43 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Userinit Logon Application
InternalName : userinit
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : USERINIT.EXE

#:14 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.exe
Command Line : Explorer.exe C:\WINDOWS\Nail.exe
ProcessID : 1500
ThreadCreationTime : 5-14-2005 12:07:43 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:15 [razertra.exe]
ModuleName : C:\Program Files\Razer\razertra.exe
Command Line : "C:\Program Files\Razer\razertra.exe"
ProcessID : 1628
ThreadCreationTime : 5-14-2005 12:07:44 AM
BasePriority : Normal
FileVersion : 4.0.0.3
ProductVersion : 4.0.0.3
ProductName : Razer Customizer Tray Application
CompanyName : Razer Inc.
FileDescription : Razer Customizer Tray Application
InternalName : razertra
LegalCopyright : Copyright © 2004 Razer Inc.
OriginalFilename : razertra.exe

#:16 [hpwuschd2.exe]
ModuleName : C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Command Line : "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
ProcessID : 1656
ThreadCreationTime : 5-14-2005 12:07:44 AM
BasePriority : Normal
FileVersion : 2, 0, 39, 0
ProductVersion : 2, 0, 39, 0
ProductName : Hewlett-Packard hpwuSchd
CompanyName : Hewlett-Packard Company
FileDescription : hpwuSchd
InternalName : hpwuSchd
LegalCopyright : Copyright © 2003
OriginalFilename : hpwuSchd2.exe

#:17 [hpcmpmgr.exe]
ModuleName : C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
Command Line : "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
ProcessID : 1664
ThreadCreationTime : 5-14-2005 12:07:44 AM
BasePriority : Normal
FileVersion : 2.1.1.0
ProductVersion : 2.1.5
ProductName : hp coretech (COmponent REuse TECHnology)
CompanyName : Hewlett-Packard Company
FileDescription : HP Framework Component Manager Service
InternalName : HPComponentManagerService module
LegalCopyright : Copyright © Hewlett-Packard. 2002-2004
OriginalFilename : HpCmpMgr.exe

#:18 [vrmonnt.exe]
ModuleName : C:\Program Files\Protection\ViRobotXP\vrmonnt.exe
Command Line : "C:\Program Files\Protection\ViRobotXP\vrmonnt.exe" Main
ProcessID : 1680
ThreadCreationTime : 5-14-2005 12:07:44 AM
BasePriority : Normal
FileVersion : 2004, 9, 6, 1
ProductVersion : 2004, 9, 6, 1
ProductName : vrmonnt application
CompanyName : HAURI
FileDescription : vrmonnt application
InternalName : vrsvcexe
LegalCopyright : Copyright © 1998, 2002
OriginalFilename : vrmonnt application
Comments : Sunny Kim

#:19 [vrres.exe]
ModuleName : C:\Program Files\Protection\ViRobotXP\Vrres.exe
Command Line : "C:\Program Files\Protection\ViRobotXP\Vrres.exe"
ProcessID : 1688
ThreadCreationTime : 5-14-2005 12:07:44 AM
BasePriority : Normal
FileVersion : 2002, 10, 5, 1
ProductVersion : 2002, 10, 5, 1
ProductName : VrRes Application.
CompanyName : ©HAURI
InternalName : VrRes
LegalCopyright : Copyright © 1998 - 2000
OriginalFilename : VrRes.EXE

#:20 [firewall.exe]
ModuleName : C:\Program Files\Protection\The Shield Firewall\FireWall.exe
Command Line : "C:\PROGRAM FILES\PROTECTION\THE SHIELD FIREWALL\FIREWALL.EXE"
ProcessID : 1712
ThreadCreationTime : 5-14-2005 12:07:44 AM
BasePriority : Normal
FileVersion : 2, 1, 0, 0
ProductVersion : 3, 1, 0, 0
ProductName : Shield Firewall
CompanyName : NextAisle
FileDescription : Firewall
InternalName : Firewall
LegalCopyright : CopyRigth © 2003
OriginalFilename : Firewall
Comments : CopyRight

#:21 [regmech.exe]
ModuleName : C:\Program Files\Protection\Registry Mechanic\RegMech.exe
Command Line : "C:\Program Files\Protection\Registry Mechanic\RegMech.exe" /QS
ProcessID : 1728
ThreadCreationTime : 5-14-2005 12:07:44 AM
BasePriority : Normal
FileVersion : 4.00.0101
ProductVersion : 4.00.0101
ProductName : Registry Mechanic
CompanyName : PCTools
FileDescription : Registry Mechanic 4.0
InternalName : RegMech
LegalCopyright : Copyright © 2004. Distributed by PC Tools Pty Ltd
OriginalFilename : RegMech.exe

#:22 [ctsysvol.exe]
ModuleName : C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
Command Line : "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe"
ProcessID : 1756
ThreadCreationTime : 5-14-2005 12:07:44 AM
BasePriority : Normal
FileVersion : 1.1.3.0
ProductVersion : 1.0.0.0
ProductName : Creative Volume Control
CompanyName : Creative Technology Ltd
FileDescription : CTSysVol.exe
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : CTSysVol.exe

#:23 [ctdvddet.exe]
ModuleName : C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
Command Line : "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE"
ProcessID : 1764
ThreadCreationTime : 5-14-2005 12:07:45 AM
BasePriority : Normal
FileVersion : 1.0.2.0
ProductVersion : 1.0.2.0
ProductName : CTDVDDET
CompanyName : Creative Technology Ltd
FileDescription : CTDVDDET
InternalName : CTDVDDET
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : CTDVDDET.EXE

#:24 [cthelper.exe]
ModuleName : C:\WINDOWS\system32\CTHELPER.EXE
Command Line : "C:\WINDOWS\system32\CTHELPER.EXE"
ProcessID : 1772
ThreadCreationTime : 5-14-2005 12:07:45 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 11
ProductVersion : 1, 0, 0, 11
ProductName : CtHelper Application
CompanyName : Creative Technology Ltd
FileDescription : CtHelper MFC Application
InternalName : CtHelper
LegalCopyright : Copyright © 2002
OriginalFilename : CtHelper.EXE

#:25 [sbdrvdet.exe]
ModuleName : C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe
Command Line : "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
ProcessID : 1808
ThreadCreationTime : 5-14-2005 12:07:45 AM
BasePriority : Normal
FileVersion : 1.0.3.0
ProductVersion : 1.0.0.0
ProductName : Creative Sound Blaster Drive Detector
CompanyName : Creative Technology Ltd
FileDescription : SBDrvDet.exe
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : SBDrvDet.exe

#:26 [ad-aware.exe]
ModuleName : C:\Program Files\Protection\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe
Command Line : "C:\Program Files\Protection\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" +c
ProcessID : 1880
ThreadCreationTime : 5-14-2005 12:07:46 AM
BasePriority : Normal
FileVersion : 6.2.0.207
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:27 [aim.exe]
ModuleName : C:\PROGRA~1\AIM\aim.exe
Command Line : "C:\PROGRA~1\AIM\aim.exe" -cnetwait.odl
ProcessID : 1952
ThreadCreationTime : 5-14-2005 12:07:46 AM
BasePriority : Normal
FileVersion : 5.9.3702
ProductVersion : 5.9.3702
ProductName : AOL Instant Messenger
CompanyName : America Online, Inc.
FileDescription : AOL Instant Messenger
InternalName : AIM
LegalCopyright : Copyright © 1996-2004 America Online, Inc.
OriginalFilename : AIM.EXE

#:28 [cursorxp.exe]
ModuleName : C:\Program Files\Themes\CursorXP\CursorXP.exe
Command Line : "C:\Program Files\Themes\CursorXP\CursorXP.exe"
ProcessID : 1960
ThreadCreationTime : 5-14-2005 12:07:46 AM
BasePriority : High


#:29 [cteaxspl.exe]
ModuleName : C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE
Command Line : "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
ProcessID : 1988
ThreadCreationTime : 5-14-2005 12:07:47 AM
BasePriority : Normal
FileVersion : 1, 1, 0, 4
ProductVersion : 1, 1, 0, 4
ProductName : CTEaxSpl
CompanyName : Creative Technology Ltd.
FileDescription : Startup Splash
InternalName : CTEaxSpl
LegalCopyright : Copyright © Creative Technology Ltd. 2001
OriginalFilename : CTEaxSpl.EXE
Comments : Startup Splash

#:30 [hposm.exe]
ModuleName : C:\Program Files\HP\hpcoretech\soln\HPOSM.exe
Command Line : "C:\Program Files\HP\hpcoretech\soln\HPOSM.exe" -Embedding
ProcessID : 2028
ThreadCreationTime : 5-14-2005 12:07:47 AM
BasePriority : Normal
FileVersion : 2.1.5
ProductVersion :
ProductName : hp coretech (COmponent REuse TECHnology)
CompanyName : Hewlett-Packard Company
FileDescription : HP Solution Manager Module
InternalName : HP Solution Manager Module
LegalCopyright : Copyright © Hewlett-Packard. 2002-2004
OriginalFilename : HPOSM.exe

#:31 [hptskmgr.exe]
ModuleName : C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
Command Line : "C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe" -Embedding
ProcessID : 224
ThreadCreationTime : 5-14-2005 12:07:47 AM
BasePriority : Normal
FileVersion : 2.1.5
ProductVersion : 2.1.5
ProductName : hp coretech (COmponent REuse TECHnology)
CompanyName : Hewlett-Packard Company
FileDescription : HP Task Management Component
InternalName : HP Task Management Component
LegalCopyright : Copyright © Hewlett-Packard. 2002-2004
OriginalFilename : HPTskMgr.exe

#:32 [ctsvccda.exe]
ModuleName : C:\WINDOWS\system32\CTsvcCDA.exe
Command Line : C:\WINDOWS\system32\CTsvcCDA.exe
ProcessID : 524
ThreadCreationTime : 5-14-2005 12:07:50 AM
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : Creative Service for CDROM Access
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.
OriginalFilename : CTsvcCDA.EXE

#:33 [ewidoctrl.exe]
ModuleName : C:\Program Files\Protection\ewido\security suite\ewidoctrl.exe
Command Line : "C:\Program Files\Protection\ewido\security suite\ewidoctrl.exe"
ProcessID : 148
ThreadCreationTime : 5-14-2005 12:07:50 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:34 [ewidoguard.exe]
ModuleName : C:\Program Files\Protection\ewido\security suite\ewidoguard.exe
Command Line : n/a
ProcessID : 756
ThreadCreationTime : 5-14-2005 12:07:50 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : guard
CompanyName : ewido networks
FileDescription : guard
InternalName : guard
LegalCopyright : Copyright © 2004
OriginalFilename : guard.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 8


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUI3d5OfSInst

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUC3n5trMsgSDisp

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUI3n5ProgSLstest

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\windows\nail.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\windows\nail.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 19
Objects found so far: 27


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 27




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 28

8:12:46 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:04:55.532
Objects scanned:118152
Objects identified:20
Objects ignored:0
New critical objects:20

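A parser for the Ad-Aware SE log layout shown in the post above, added here as an example (it is not the poster's log, nor Lavasoft code): it turns each "Object Recognized!" block into a record and pulls out whatever the Winlogon Shell value launches besides explorer.exe, which is the entry that explains why Nail.exe keeps returning after its file is deleted. The embedded log excerpt is constructed from three of the records in the post.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the Ad-Aware SE log layout used in the post above
# (not the poster's full log): two VX2 registry hits and the Winlogon Shell
# warning. Raw string, so the registry paths keep their single backslashes.
SAMPLE_LOG = r"""
VX2 Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-1788223648-839522115-1003\software\aurora
Value : AUI3d5OfSInst

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\windows\nail.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\windows\nail.exe
"""

# "VX2 Object Recognized!" / "Windows Object Recognized!" opens a record.
HEADER = re.compile(r"^(?P<family>.+?) Object Recognized!$")
# "Key : value" lines. The MRU section writes "Location: : value", so the
# first colon is optional.
FIELD = re.compile(r"^(?P<key>[A-Za-z]+):? : ?(?P<val>.*)$")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split an Ad-Aware SE log into one dict per 'Object Recognized!' block.

    A blank line closes a block. When a key repeats inside a block (the Shell
    record lists 'Data' twice) the last value wins.
    """
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"family": m.group("family")}
            records.append(current)
            continue
        if current is None:
            continue
        if not line:
            current = None
            continue
        f = FIELD.match(line)
        if f:
            current[f.group("key")] = f.group("val")
    return records


def winlogon_shell_extras(records: List[Dict[str, str]]) -> List[str]:
    """Return every program the Winlogon Shell value launches besides explorer.exe.

    On a clean Windows XP machine that value is exactly 'explorer.exe'. Anything
    appended to it is started by Winlogon at every logon, which is how the
    c:\windows\nail.exe entry survived having its file removed.
    """
    extras: List[str] = []
    for r in records:
        # Object is the key path relative to Rootkey, e.g. software\...\winlogon
        if (r.get("Object", "").lower().endswith("\\winlogon")
                and r.get("Value", "").lower() == "shell"):
            for token in r.get("Data", "").split():
                if token.lower() != "explorer.exe":
                    extras.append(token)
    return extras


def count_by_family(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Reproduce the per-family totals Ad-Aware prints in its reference summary."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r["family"]] = counts.get(r["family"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(count_by_family(recs))        # {'VX2': 2, 'Windows': 1}
    print(winlogon_shell_extras(recs))  # ['c:\\windows\\nail.exe']
```

Run it against a full Ad-Aware SE log file to get the same family counts the log's own summary reports, plus a flat list of whatever the Shell value would launch at the next logon.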


#2 Mannen (Ad-Aware Expert, 110 posts)

Greetings!

Ad-Aware can't delete this infection yet, so I will move you to the HijackThis forum. Please read below how to proceed.

Cheers
Mannen

#3 Mannen (Ad-Aware Expert, 110 posts)

Please follow the instructions located in Step Five: Posting a Hijack This Log. Post your HJT log as a reply to this thread, which has been relocated to the Malware Removal Forum for providing you with further assistance.

Kindly note that it is very busy in the Malware Removal Forum, so there may be a delay in receiving a reply. Please also note that HJT logfiles are reviewed on a first come/first served basis.

#4 Xian2186 (Topic Starter, New Member, 2 posts)

Well, I'm 90% sure I managed to fix the problem after using a combination of about 7 spyware removal programs and diving into regedit. I'll post my HijackThis log anyway, just to be on the safe side.

Logfile of HijackThis v1.99.1
Scan saved at 1:47:24 AM, on 5/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Themes\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\razertra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Protection\ViRobotXP\vrmonnt.exe
C:\Program Files\Protection\ViRobotXP\Vrres.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Themes\CursorXP\CursorXP.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Protection\ewido\security suite\ewidoctrl.exe
C:\Program Files\Protection\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Protection\ViRobotXP\vrmonsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Protection\The Shield Firewall\FireWall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Games\Deus Ex - Invisible War\Community texturepack\IBDpatcher\ibd_patcher.exe
C:\Documents and Settings\Adam J. Berman\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: EyeOnIE Class - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PROTEC~1\THESHI~1\IrlOnIE.dll
O2 - BHO: PopupBlocker Class - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PROTEC~1\THESHI~1\FARPOP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - blank (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\Protection\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\Protection\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\Protection\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Protection\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\Themes\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Ad-Aware] "C:\Program Files\Protection\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" +c
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Themes\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\RunOnce: [a_usdll] cmd /C "del C:\WINDOWS\system32\Macromed\Download\Download.dll"
O4 - HKLM\..\RunOnce: [b_usexe] cmd /C "del C:\WINDOWS\system32\Macromed\Download\Download.exe"
O4 - HKLM\..\RunOnce: [c_usdir] cmd /C "rmdir /Q C:\WINDOWS\system32\Macromed\Download"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\Themes\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ScanSpyware] "C:\Program Files\ScanSpyware v3.8.0.4\Scanner.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...34/sdcregie.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Themes\WINDOW~1\fastload.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Protection\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Protection\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\Protection\ViRobotXP\vrmonsvc.exe