
Posted

I was infected with a virus last night (avpe32.dll). AVG won't remove it.

 

I've scanned with Spy Sweeper (it found it but wouldn't delete it, as it's a trial version), ewido, Spybot, Ad-Aware, Microsoft AntiSpyware, and Panda ActiveScan. Ewido repeatedly pops up the Backdoor.Haxdoor.dw infection. I can't manually delete the file from c:\WINDOWS\system32, because it isn't showing up there.

 

I'm posting because someone else had a similar problem and you guys were able to help him. I've booted to safe mode and used apropos.exe as well. I've posted an HJT log as well as the log file from apropos.exe.

 

 

---------------------

 

Log of AproposFix v1

 

************

 

Running from directory:

C:\Documents and Settings\Sean{y}\Desktop\aproposfix

 

************

 

Registry entries found:

 

 

************

 

No service found!

 

Removing hidden folder:

No folder found!

 

Deleting files:

 

 

Backing up files:

Done!

 

Removing registry entries:

 

REGEDIT4

 

 

Done!

 

Finished!

 

 

-------------------

 

 

Logfile of HijackThis v1.99.1

Scan saved at 12:53:41 PM, on 1/2/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\System32\alg.exe

C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\ICQ\ICQ.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\Netropa\Onscreen Display\OSD.exe

C:\WINDOWS\system32\CTSVCCDA.EXE

C:\Program Files\MessengerPlus! 3\MsgPlus.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\hijackthis\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

 

 

 

--------------------

 

The O20 entry, which is the file, just keeps coming back!
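The O20 line is the part of this log that matters. A DLL registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify is loaded by winlogon.exe itself, which runs as SYSTEM and starts before any user session, so a user-mode scanner that deletes the file at runtime is always one reboot behind. As an added example (not code from the original thread or from HijackThis), the following Python script pulls the O20, O23 and O4 lines out of a HijackThis 1.99 log and flags the three things a responder would check first: Notify DLLs outside a known-good set, services listed with "Unknown owner", and Run-key entries that give a bare filename instead of a full path. The two bare names flagged here, CTHELPER.EXE and Logi_MwX.Exe, are legitimate Creative and Logitech components, which is the point: "flagged" means "resolve it on disk", not "malicious". The allowlist KNOWN_NOTIFY_DLLS is an assumption built only from the Winlogon\Notify dump that appears later in this thread plus the ATI and Webroot entries, and the sample log lines are excerpts of the two HijackThis logs posted in this thread; notify_diff shows what changed between them.

```python
"""Triage a HijackThis v1.99 log for boot/logon persistence (added example, not HijackThis code).

Flags O20 Winlogon Notify DLLs outside KNOWN_NOTIFY_DLLS, O23 services with
"Unknown owner" as vendor, and O4 Run entries that name a bare executable.
"""
import re

# ASSUMPTION: allowlist built from this thread only (the XP SP2 Notify DLLs in
# the l2mfix dump, plus ATI's Ati2evxx.dll and Webroot's WRLogonNTF.dll).
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll",
    "ati2evxx.dll", "wrlogonntf.dll",
}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Executable at the start of a command line, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|bat|scr|dll))"?(?:\s|$)', re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Return the program a Run-key command line starts, without quotes or arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip().strip('"').split(" ")[0]


def triage(log_text: str) -> dict:
    """Return the entries in one HijackThis log that deserve a closer look."""
    found = {"notify_unknown": [], "service_no_vendor": [], "run_bare_name": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O20_RE.match(line):
            dll = m.group("path").rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                found["notify_unknown"].append((m.group("name"), m.group("path")))
        elif m := O23_RE.match(line):
            if m.group("vendor").strip().lower() == "unknown owner":
                found["service_no_vendor"].append((m.group("name"), m.group("path")))
        elif m := O4_RE.match(line):
            exe = executable_of(m.group("cmd"))
            if "\\" not in exe:  # bare name: resolve it on disk before trusting it
                found["run_bare_name"].append((m.group("hive"), m.group("name"), exe))
    return found


def notify_diff(before: str, after: str) -> tuple:
    """(removed, added) Winlogon Notify entries between two logs of the same machine."""
    def entries(text):
        return {(m.group("name"), m.group("path").lower())
                for m in (O20_RE.match(l.strip()) for l in text.splitlines()) if m}
    b, a = entries(before), entries(after)
    return b - a, a - b


# Excerpt of the first HijackThis log in this thread (infected state).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
"""
# Excerpt of the second log, after cleanup: the Notify entry is now Spy Sweeper's.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
"""

if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(f"== {label} ==")
        for category, hits in triage(log).items():
            for hit in hits:
                print(f"  {category}: {hit}")
    removed, added = notify_diff(LOG_BEFORE, LOG_AFTER)
    print("Notify entries removed:", removed)
    print("Notify entries added:  ", added)
```

Run against the two excerpts, the "before" log flags avpe32 as the only unknown Notify DLL, and the diff shows it replaced by Spy Sweeper's WRNotifier, which is the change the second log in this thread actually shows.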

Posted

Also, here is a rootkitrevealer log. I noticed in the other thread that a user named Dak mentioned that the new haxdoor viruses have keyword loggers. Thunderbird tried to send an email with a bunch of passwords of mine to some random email address (but failed). It didn't send my online banking one, but it'd be nice to get rid of this soon!

 

I was going to post the revealer, but it:

 

Gets stuck on HKLM\SYSTEM\WPA\StartHash-XT33R8KXVF2JY7

 

Been like that for 10 minutes.

Posted

I've deleted all the associated files, run ewido etc. in safe mode. Everything is gone except a set of registry entries that Spy Sweeper is picking up. They are:

 

HKLM\system\currentcontrolset\control\safeboot\minimal\avpe32.sys\ (1 subtrace)

HKLM\system\currentcontrolset\control\safeboot\minimal\avpe64.sys\ (1 subtrace)

HKLM\system\currentcontrolset\control\safeboot\network\avpe32.sys\ (1 subtrace)

HKLM\system\currentcontrolset\control\safeboot\network\avpe64.sys\ (1 subtrace)

HKLM\system\currentcontrolset\services\avpe32\ (12 subtraces)

HKLM\system\currentcontrolset\services\avpe64\ (12 subtraces)

 

Can I delete them?

 

Also, at 5:24 pm, I got two 'mail returned to sender' emails with a bunch of my passwords that were going to some IP address.

 

This is the AVG E-mail Scanner program.

 

I'm sorry to have to inform you that the message returned

below could not be delivered to one or more destinations.

 

-------------------------------------------------------------------

Cannot open smtp connection to '192.168.1.100'

Connect: No connection could be made because the target machine actively refused it. (10061)

 

-------------------------------------------------------------------

 

Your e-mail message is being returned to you in the next part of this

message. Try to send the message again.

 

Should you need assistance, please contact your administrator or your

Internet service provider.

 

If there are only registry files left, how can I still be sending emails out with my passwords?

Posted

Rootkit revealer also tries to start a windows service when I open it:

 

A Windows service is a program that can run automatically if enabled. This change generally occurs when software is installed. You can allow this change if it is recognized and expected.

 

Name: Sysinternals Rootkitrevealer

Publisher: Sysinternals - http://www.sysinternals.com

Path: C:\DOCUME~1\Sean{y}\LOCALS~1\Temp\KNHBWQXPINSZOERGTS.exe

 

Is that ok?

Posted

Where are you guys getting all these haxdoors from?

 

Rootkit revealer is supposed to start a service like that.

 

Download and Save

F-Secure Blacklight to your desktop.

 

Double-click blbeta.exe then accept the agreement.

 

Click Scan, then Next.

 

After the scan has completed, don't click on 'Next', because legitimate items can also be present there...

 

Blacklight should have made a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)

 

Post the contents of the log in your next reply along with a fresh HijackThis log please.

Posted

> I've deleted all the associated files, run ewido etc. in safe mode. Everything is gone except a set of registry entries that Spy Sweeper is picking up. They are:
>
> HKLM\system\currentcontrolset\control\safeboot\minimal\avpe32.sys\ (1 subtrace)
> HKLM\system\currentcontrolset\control\safeboot\minimal\avpe64.sys\ (1 subtrace)
> HKLM\system\currentcontrolset\control\safeboot\network\avpe32.sys\ (1 subtrace)
> HKLM\system\currentcontrolset\control\safeboot\network\avpe64.sys\ (1 subtrace)
> HKLM\system\currentcontrolset\services\avpe32\ (12 subtraces)
> HKLM\system\currentcontrolset\services\avpe64\ (12 subtraces)
>
> Can I delete them?

Yep...

Posted

I'm pretty sure the haxdoor came in with a crack I was using... though I didn't notice it had downloaded two executables, and only bothered to check one of them for viruses before I ran it (I'm an idiot).

 

Here's the information you wanted. I finally got a version of spy sweeper that does more than just scan (for 14 days anyway), so I removed those instances in the registry. I don't know if anything is still here... hopefully someone here can answer!!

 

----------------------------

 

01/02/06 23:15:53 [info]: BlackLight Engine 1.0.30 initialized

01/02/06 23:15:53 [info]: OS: 5.1 build 2600 (Service Pack 2)

01/02/06 23:15:53 [Note]: 7019 4

01/02/06 23:15:53 [Note]: 7005 0

01/02/06 23:15:55 [Note]: 7006 0

01/02/06 23:15:56 [Note]: 7011 1428

01/02/06 23:15:56 [Note]: FSRAW library version 1.7.1014

01/02/06 23:16:03 [Note]: 7007 0

 

------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 11:17:15 PM, on 1/2/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\CTSVCCDA.EXE

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\MessengerPlus! 3\MsgPlus.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\PROGRA~1\ICQ\ICQ.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe

C:\Program Files\Netropa\Onscreen Display\OSD.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\BitComet\BitComet.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\hijackthis\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

 

--------------------------

 

That O20 is back though, except with a different file name... ahhhh!

Posted

That O20 belongs to spysweeper; also, the blackice log indicates that the haxdoor rootkit is no longer present.

 

To make sure, and to fix the damage that haxdoor may have done:

 

Could you post up a rootkit revealer log if it will work now (scan, and then go to file > save to generate a log file).

 

Also, download l2mfix

 

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

 

If, while running option #1, you receive an error similar to: "C:\windows\system32\cmd.exe - C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application." ...then use option 5 to solve this error condition.

 

And go to http://virusscan.jotti.org/ and upload the file C:\Program Files\Internet Explorer\iexplore, then copy/paste the results into this thread.

Posted

RootkitRevealer still locks up here: HKLM\SYSTEM\WPA\StartHash-XT33R8KXVF2JY7

I'm going to leave it running overnight and see what comes of it.

 

Here are the results from the l2mfix:

 

L2MFIX find log 122705

These are the registry keys present

**********************************************************************************

Winlogon/notify:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

"Asynchronous"=dword:00000000

"DllName"="WRLogonNTF.dll"

"Impersonate"=dword:00000001

"Lock"="WRLock"

"StartScreenSaver"="WRStartScreenSaver"

"StartShell"="WRStartShell"

"Startup"="WRStartup"

"StopScreenSaver"="WRStopScreenSaver"

"Unlock"="WRUnlock"

"Shutdown"="WRShutdown"

"Logoff"="WRLogoff"

"Logon"="WRLogon"

 

**********************************************************************************

useragent:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

 

**********************************************************************************

Shell Extension key:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"

"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"

"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"

"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"

"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"="UnlockerShellExtension"

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"

"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"

"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

 

**********************************************************************************

HKEY ROOT CLASSIDS:

**********************************************************************************

Files Found are not all bad files:

 

C:\WINDOWS\SYSTEM32\

spmsg.dll Wed Oct 12 2005 6:12:26p ..... 14,048 13.72 K

hashlib.dll Tue Nov 15 2005 12:12:08p A.... 117,976 115.21 K

gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K

browseui.dll Wed Nov 23 2005 8:06:34p A.... 1,022,464 998.50 K

axaltocm.dll Fri Oct 28 2005 11:49:40p ..... 133,120 130.00 K

sirenacm.dll Wed Oct 12 2005 5:11:06p A.... 118,784 116.00 K

wrlzma.dll Wed Dec 14 2005 7:17:16p A.... 17,920 17.50 K

gcunco~1.dll Tue Nov 15 2005 12:12:06p A.... 95,448 93.21 K

gccoll~1.dll Tue Nov 15 2005 12:12:08p A.... 126,680 123.71 K

mshtmled.dll Thu Oct 20 2005 10:39:30p A.... 448,512 438.00 K

basecsp.dll Fri Oct 28 2005 4:40:16p ..... 96,792 94.52 K

bcsprsrc.dll Fri Oct 28 2005 11:49:40p ..... 25,600 25.00 K

ifxcardm.dll Fri Oct 28 2005 11:49:40p ..... 151,552 148.00 K

esent.dll Thu Oct 20 2005 5:20:04p A.... 1,082,368 1.03 M

wininet.dll Thu Oct 20 2005 10:39:30p A.... 658,432 643.00 K

urlmon.dll Fri Nov 4 2005 10:16:28p A.... 609,280 595.00 K

shlwapi.dll Thu Oct 20 2005 10:39:30p A.... 473,600 462.50 K

shdocvw.dll Wed Nov 30 2005 10:59:30p A.... 1,492,480 1.42 M

pngfilt.dll Thu Oct 20 2005 10:39:30p A.... 39,424 38.50 K

mstime.dll Thu Oct 20 2005 10:39:30p A.... 530,944 518.50 K

msrating.dll Thu Oct 20 2005 10:39:30p A.... 146,432 143.00 K

mshtml.dll Wed Nov 23 2005 8:06:34p A.... 3,015,680 2.88 M

inseng.dll Thu Oct 20 2005 10:39:28p A.... 96,256 94.00 K

iepeers.dll Thu Oct 20 2005 10:39:28p A.... 251,392 245.50 K

dxtrans.dll Thu Oct 20 2005 10:39:28p A.... 205,312 200.50 K

danim.dll Fri Nov 4 2005 10:16:24p A.... 1,054,208 1.00 M

cdfview.dll Thu Oct 20 2005 10:39:26p A.... 151,040 147.50 K

extmgr.dll Thu Oct 20 2005 10:39:28p ..... 55,808 54.50 K

msgplu~1.dll Wed Oct 12 2005 8:48:22a A.... 45,640 44.57 K

wrlogo~1.dll Wed Dec 14 2005 7:17:20p A.... 492,544 481.00 K

 

30 items found: 30 files, 0 directories.

Total of file sizes: 13,049,800 bytes 12.44 M

Locate .tmp files:

 

No matches found.

**********************************************************************************

Directory Listing of system files:

Volume in drive C has no label.

Volume Serial Number is 1F60-12D5

 

Directory of C:\WINDOWS\System32

 

02/20/2004 12:27 PM <DIR> Microsoft

02/20/2004 11:08 AM <DIR> dllcache

0 File(s) 0 bytes

2 Dir(s) 48,757,702,656 bytes free

 

------------------------

 

And the results from jotti.org. There were two sections. I think the 2nd section does not pertain to me, but I pasted it just in case.

 


File: iexplore.exe

Status:

OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5 e7484514c0464642be7b4dc2689354c8

Packers detected:

-

Scanner results

AntiVir

Found nothing

ArcaVir

Found nothing

Avast

Found nothing

AVG Antivirus

Found nothing

BitDefender

Found nothing

ClamAV

Found nothing

Dr.Web

Found nothing

F-Prot Antivirus

Found nothing

Fortinet

Found nothing

Kaspersky Anti-Virus

Found nothing

NOD32

Found nothing

Norman Virus Control

Found nothing

UNA

Found nothing

VBA32

Found nothing

 

 

PART TWO:

 

Last file scanned at least one scanner reported something about: CRAGGLE_SEARCH[10].rar, detected by:

 

Scanner Malware name

AntiVir Adware-Spyware/Craagle.18 adware

ArcaVir X

Avast X

AVG Antivirus Generic.GMX

BitDefender X

ClamAV X

Dr.Web X

F-Prot Antivirus X

Fortinet X

Kaspersky Anti-Virus not-a-virus:AdWare.Win32.Craagle.18

NOD32 X

Norman Virus Control X

UNA Adware.Craagle.18

VBA32 AdWare.Win32.Craagle.18

 

 

You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives

We are not affiliated with any third parties that conduct tests using this service.

 

Thanks so much, you guys are super helpful!
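The Winlogon/notify section in the l2mfix output above is a REGEDIT 5.00 export, and the hex(2) values in it are REG_EXPAND_SZ strings written out as UTF-16LE bytes, which is why crypt32chain's DllName reads "63,00,72,00,..." rather than "crypt32.dll". As an added example (not part of l2mfix or the original post), here is a Python parser for that format: it joins the backslash-continued lines, decodes string, dword and hex(2) values, and summarises every Notify subkey with the DLL it loads, whether its handlers run impersonating the logged-on user (Impersonate=1) or in winlogon's own SYSTEM context, and which logon events it hooks, flagging any DLL outside a known-good set. The sample input is an excerpt of the dump above plus a constructed avpe32 subkey; only its DllName, avpe32.dll, is known from this thread (via the earlier O20 line), nothing else about that key is. The allowlist is an assumption built from this thread only.

```python
"""Parse a Winlogon\\Notify export in REGEDIT 5.00 (.reg) format, as in the
'Winlogon/notify' section of the l2mfix log, and list what each Notify subkey
loads into winlogon.exe. Added example for this thread, not l2mfix code.
hex(2) values are REG_EXPAND_SZ strings stored as UTF-16LE bytes.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-f]+)\))?:(?P<bytes>.*)$", re.IGNORECASE)
NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")
# Values that configure the package rather than hook a winlogon event.
CONFIG_VALUES = {"dllname", "impersonate", "asynchronous", "enabled", "safe", "maxwait"}
# ASSUMPTION: allowlist built from this thread only (XP SP2 Notify DLLs plus
# ATI's Ati2evxx.dll and Webroot's WRLogonNTF.dll).
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll",
    "ati2evxx.dll", "wrlogonntf.dll",
}


def logical_lines(text):
    """Yield .reg lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        elif buf or line:
            yield buf + line
            buf = ""


def decode_value(value):
    """Decode one .reg value: "string", dword:hex, or hex/hex(n) byte list."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    if m := HEX_RE.match(value):
        data = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
        if m.group("type") in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return value


def parse_reg(text):
    """Map each [key path] to a dict of its decoded values."""
    keys, current = {}, None
    for line in logical_lines(text):
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group("key"), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group("name")] = decode_value(m.group("value"))
    return keys


def notify_entries(text):
    """One record per Notify subkey: DLL, security context, hooked events, allowlist status."""
    records = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        vals = {k.lower(): v for k, v in values.items()}  # value names are case-insensitive
        dll = str(vals.get("dllname", ""))
        records.append({
            "subkey": key[len(NOTIFY_PREFIX):],
            "dll": dll,
            # Impersonate=1: handlers run as the logged-on user; 0: as winlogon (SYSTEM).
            "impersonate": vals.get("impersonate", 0),
            "asynchronous": vals.get("asynchronous", 0),
            "hooks": sorted(k for k in values if k.lower() not in CONFIG_VALUES),
            "known": dll.lower() in KNOWN_NOTIFY_DLLS,
        })
    return records


# Excerpt of the dump posted above, plus a CONSTRUCTED avpe32 subkey: only its
# DllName is known from this thread (the earlier O20 line), nothing else.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Logon"="WRLogon"
"Logoff"="WRLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpe32]
"DllName"="avpe32.dll"
"""

if __name__ == "__main__":
    for rec in notify_entries(SAMPLE_REG):
        ctx = "user" if rec["impersonate"] else "SYSTEM"
        flag = "" if rec["known"] else "  <-- not in allowlist"
        print(f"{rec['subkey']:<14} {rec['dll']:<16} ctx={ctx:<6} hooks={','.join(rec['hooks'])}{flag}")
```

Decoding the hex(2) values is what makes the allowlist comparison reliable; compared as the raw comma-separated bytes, crypt32.dll and a look-alike DLL would be indistinguishable at a glance, and an unknown entry such as the constructed avpe32 key stands out only once every DllName is in the same form.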

Posted

Cool, winlogon/notify and iexplore.exe seem to be intact.

 

Don't bother with the RootkitRevealer log if it's playing up.

 

To finish up cleaning

 

Delete any of the following files, if present:

 

C:\Windows\System32\avpu32.dll

C:\Windows\System32\avpu64.sys

C:\Windows\System32\klgcptini.dat

C:\Windows\System32\qz.dll

C:\Windows\System32\qz.sys

C:\Windows\System32\stt82.ini

 

 

 

 

also:

 

 

 

1) Update and scan with AVG

 

2) Flushing system restore

 

To remove infected files that have been backed up by Windows: the files in System Restore are protected to prevent any program from changing them, so this is the only way to clean them. (You will lose all previous restore points, which are likely to be infected.)

 

a. Turn off System Restore.

 

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

 

b. Reboot.

 

c. Turn ON System Restore.

 

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

 

-----------

 

3) Cleaning temp files

 

...in case some malicious files are hiding there.

 

Download and install CCleaner.

 

Double click the CCleaner icon, and make sure only the following are checked under the "windows" tab:

 

temporary internet files

 

empty recycle bin

 

temporary files

 

old prefetch data

 

Then click the 'Applications' tab, and uncheck everything apart from temporary files under Firefox.

 

 

Now, click on "analyse" and then "run cleaner"

 

-----------

 

4) Get rid of tools

 

You may as well delete l2mfix, blacklight and rootkitrevealer, unless you want to keep them for any reason.

 

 

-----------

 

5) Get a firewall

 

Download and install either ZoneAlarm or Sunbelt-Kerio.

 

----------

 

6) Change all of your online passwords

 

due to haxdoor's keylogger. Also, if you have used your credit card online lately, I'd cancel it and get a new one.

 

----------

 

7) Let the moral of the story be this: avoid cracks, because they have a tendency to infect your computer.

Posted

I left RootkitRevealer running all night; it turned up nothing (and finished properly!).

 

About the credit card 'lately', do you mean within the time that I was infected? I can see the passwords that it attempted to send to some IP address... none of them are important.

 

By the way, thanks for all your help!

 

Also, when I ran F-secure again, I got this:

 

01/03/06 00:47:48 [info]: BlackLight Engine 1.0.30 initialized

01/03/06 00:47:48 [info]: OS: 5.1 build 2600 (Service Pack 2)

01/03/06 00:47:48 [Note]: 7019 4

01/03/06 00:47:48 [Note]: 7005 0

01/03/06 00:47:51 [Error]: 6024 4

01/03/06 00:47:51 [Error]: 6024 4

01/03/06 00:47:51 [Note]: 7006 0

01/03/06 00:47:51 [Note]: 7011 1468

01/03/06 00:47:51 [Error]: 6024 4

01/03/06 00:47:51 [Error]: 6024 4

01/03/06 00:47:51 [Note]: 7018 2280

01/03/06 00:47:51 [Error]: 6024 4

01/03/06 00:47:52 [Note]: FSRAW library version 1.7.1014

01/03/06 00:49:46 [Note]: 7007 0

 

Then I ran it again this morning, and got this:

 

01/03/06 07:45:07 [info]: BlackLight Engine 1.0.30 initialized

01/03/06 07:45:07 [info]: OS: 5.1 build 2600 (Service Pack 2)

01/03/06 07:45:07 [Note]: 7019 4

01/03/06 07:45:07 [Note]: 7005 0

01/03/06 07:45:08 [Note]: 7006 0

01/03/06 07:45:08 [Note]: 7011 1460

01/03/06 07:45:08 [Note]: FSRAW library version 1.7.1014

01/03/06 07:45:24 [Note]: 7007 0

 

 

Why the difference??

 

 

------------

 

And one more. Are you familiar with Spy Sweeper? My log came up clean, but the session log has some weird 'cannot open file' lines... some of which look important.

 

********

12:27 AM: | Start of Session, Tuesday, January 03, 2006 |

12:27 AM: Spy Sweeper started

12:27 AM: Sweep initiated using definitions version 594

12:27 AM: Starting Memory Sweep

12:29 AM: Memory Sweep Complete, Elapsed Time: 00:02:03

12:29 AM: Starting Registry Sweep

12:29 AM: Registry Sweep Complete, Elapsed Time:00:00:05

12:29 AM: Starting Cookie Sweep

12:29 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00

12:29 AM: Starting File Sweep

12:29 AM: Warning: Failed to open file "c:\pagefile.sys". Access is denied

12:30 AM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process

12:30 AM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process

12:30 AM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process

12:30 AM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process

12:30 AM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process

12:30 AM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process

12:30 AM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process

12:30 AM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process

12:30 AM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process

12:30 AM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process

12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\datastore.edb". The process cannot access the file because it is being used by another process

12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\logs\edb.log". The process cannot access the file because it is being used by another process

12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\logs\tmp.edb". The process cannot access the file because it is being used by another process

12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process

12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process

12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process

12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process

12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process

12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process

12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process

12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process


12:35 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\ntuser.dat". The process cannot access the file because it is being used by another process

12:35 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\ntuser.dat.log". The process cannot access the file because it is being used by another process

12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process

12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process

12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\temp\~dfbd4b.tmp". The process cannot access the file because it is being used by another process

12:46 AM: File Sweep Complete, Elapsed Time: 00:17:32

12:46 AM: Full Sweep has completed. Elapsed time 00:19:42

12:46 AM: Traces Found: 0

 

Mostly the system32/config errors scare me. What if I ran it in safe mode?? I checked the files with unlocker; the system32/config files seem to be used by each other (SAM with SAM.log, SYSTEM with SYSTEM.log, etc.). Is that normal?

Posted

RE: credit cards, yes, if you've used your credit card online since getting infected you should definitely cancel it. Part of Haxdoor's function is to look out for and steal credit card info.

RE: BlackLight, looks like it glitched the first time and ran properly the second. Other than that, your guess is as good as mine.

RE: Spy Sweeper, it's fine. The only file that looks like it could be dodgy is c:\documents and settings\sean{y}\local settings\temp\~dfbd4b.tmp, but it's more than likely OK. If you're concerned, run CCleaner again to clean out your temp files, and then run MS AntiSpyware and AVG to make sure your PC is clean.

By the way, thanks for all your help!

No problem :)

Posted

Hey Dak,

A few more things (I want to be absolutely sure).

I'm going to cancel my CC anyway, since that's easy to do. I have (obviously) avoided doing any online banking since I got this (for fear of problems). I accessed Amazon (the only place I do online shopping on my credit card), but did not actually do any purchasing. I assume that would be reason enough to cancel it?

Also, of the two firewalls, which would you recommend the most? I currently use the XP firewall. I have used ZoneAlarm in the past, but haven't in a while; it caused massive problems uninstalling because I neglected to read the proper uninstallation procedures.

I re-ran BlackLight and it ran 'properly'.

I ran ScanSpyware, and it picked up Haxdoor-BC (log is below). I've deleted everything in the log, and running it twice more turns up nothing.

-------

Application Information
=======================
Application Version: ScanSpyware v3.8 build 3.8.0.4
Original Database: pests12-09-05.db
Updated Database: ssdb010206.db
Current Date: Tuesday, January 03, 2006 10:21:23 AM
__________________________________________________

Directories recognized:
=======================
__________________________________________________

Files recognized:
=================
[HAXDOOR-BC]
C:\WINDOWS\system32\ps.a3d
[spytech shadow]
C:\WINDOWS\unvise32.exe
[Visual Zip Password Recovery Processor]
C:\WINDOWS\UnGins.exe
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Services\_common\country_icons.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Services\_gspyder\stg_legend.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\pw32.dll
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Profiles\countries.ini
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\gsg_radar.avi
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_checkbox.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_chicklets.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_icons.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_icons_sm.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\service_menu_bg.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\service_tab+.tga
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\stg_border_main.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\halflife\cstrike\mod_cs.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\halflife\tfc\mod_tfc.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\quake3\excessive\mod_excessive.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\quake3\osp\mod_osp.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\quake3\q3f\mod_q3f.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\quake3\rocketarena3\mod_ra3.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\quake3\wfa\mod_wfa.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\ut\Swat\mod_swat.psd
__________________________________________________

Registry keys recognized:
=========================
[GAIN]
HKEY_USERS\.default\software\microsoft\systemcertificates\trustedpublisher\ctls
[GAIN]
HKEY_USERS\.default\software\microsoft\systemcertificates\trustedpublisher\crls
__________________________________________________

Registry values recognized:
===========================
__________________________________________________

Cookies recognized:
===================
[VX2]
c:\documents and settings\sean{y}\cookies\sean{y}@serviceswitching[1].txt
[Tracking Cookies]
c:\documents and settings\sean{y}\cookies\sean{y}@img.wmp10.elsitiodc[1].txt
__________________________________________________

----------


Ewido is running again, and it picked up some cookies and Backdoor.Haxdoor.dw (do these things multiply?!) EDIT: It found this yesterday... today it only picked up cookies. I overreacted! (thank god)

SpyBouncer picked up 3 things (I cleaned them all out: locate.com in system32, bpmnt.dll in windows, and some file called ncase.zip in docsandsettings/allusers/apps/spybot/recovery... I cleaned out the whole folder).

I guess my question is: without completely formatting, is it possible to know when I'll be clean?

Posted
Hey Dak,

I'm going to cancel my CC anyway, since that's easy to do. I have (obviously) avoided doing any online banking since I got this (for fear of problems). I accessed Amazon (the only place I do online shopping on my credit card), but did not actually do any purchasing. I assume that would be reason enough to cancel it?


I'm not sure how Haxdoor's CC-stealing function works, and I don't use Amazon, so I'm not sure whether it could have stolen your details just from you accessing the site... if in doubt, it's better to cancel it, I suppose.

Also, of the two firewalls, which would you recommend the most? I currently use the XP firewall. I have used ZoneAlarm in the past, but haven't in a while; it caused massive problems uninstalling because I neglected to read the proper uninstallation procedures.

ZoneAlarm. Windows Firewall is one-way, which means if a trojan gets on your computer, there's nothing to stop it 'calling home' and downloading lots of crap onto your computer.

ZoneAlarm is a two-way firewall, which gives you extra protection against trojans.

If you install ZoneAlarm, make sure to turn Windows Firewall off to avoid conflicts. (Start > Settings > Control Panel > Windows Firewall)

I wouldn't particularly recommend ScanSpyware or SpyBouncer, as they are both on this list


I guess my question is: without completely formatting, is it possible to know when I'll be clean?

I guess you can't be 100% sure, especially after getting a rootkit; however, it's quite common, after shifting an infection, to pick up residual bits of infections (left-over files, registry entries etc.) that by themselves are harmless.

The HijackThis log shows no active malware, and none of the infections in your last ScanSpyware/SpyBouncer log can run in a way that won't show up in a HJT log, so I presume that they were inactive/left-over bits; especially as none of the registry entries found match up to the files.


To be sure, if you update and scan with all of the following programs:

SpySweeper
Microsoft Anti-spyware
Ewido
AVG

As you have scanned with these already, they should already have found and removed everything that they're going to find. If they find anything again, it's a good indication that the files are being put back by some active malware.

A good online anti-virus scanner is

http://www.kaspersky.com/virusscanner

so if you want to double-check, you could do that scan. It won't delete any files, but it will tell you if any are infected.
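Dak's rule of thumb above (a detection that comes back after removal points to something active putting it back, while a leftover with no matching registry entry is probably inert) can be checked mechanically. The script below is an added example, not code from the thread or from any tool named in it: it parses the ScanSpyware log layout quoted earlier and compares two runs; both sample logs are constructed, reusing paths from the thread, and the section names and the "cookies don't count" rule are assumptions for illustration.

```python
"""Compare two ScanSpyware-style logs and flag detections that come back.

Added example, not from the thread or any tool in it; sample logs are constructed.
"""
import re

SECTION_RE = re.compile(r"^(\w[\w ]*?) recognized:$")
CATEGORY_RE = re.compile(r"^\[(.+)\]$")

# Constructed first run, in the layout of the ScanSpyware log quoted above.
RUN_BEFORE_CLEANUP = r"""
Files recognized:
=================
[HAXDOOR-BC]
C:\WINDOWS\system32\ps.a3d
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\pw32.dll
__________________________________________________
Registry keys recognized:
=========================
[GAIN]
HKEY_USERS\.default\software\microsoft\systemcertificates\trustedpublisher\ctls
__________________________________________________
Cookies recognized:
===================
[VX2]
c:\documents and settings\sean{y}\cookies\sean{y}@serviceswitching[1].txt
__________________________________________________
"""

# Constructed second run, after the user deleted everything from the first.
RUN_AFTER_CLEANUP = r"""
Files recognized:
=================
__________________________________________________
Registry keys recognized:
=========================
__________________________________________________
Cookies recognized:
===================
[Tracking Cookies]
c:\documents and settings\sean{y}\cookies\sean{y}@img.wmp10.elsitiodc[1].txt
[VX2]
c:\documents and settings\sean{y}\cookies\sean{y}@serviceswitching[1].txt
__________________________________________________
"""


def parse_scanspyware_log(text):
    """Return (section, category, item) tuples.

    A section starts with "<name> recognized:" and an '=' underline, holds
    "[Category]" / item line pairs and ends with an underscore ruler. Items are
    lower-cased since Windows paths and registry keys are case-insensitive.
    """
    entries, section, category = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set("=_-"):
            continue  # blank lines and rulers carry no data
        if m := SECTION_RE.match(line):
            section, category = m.group(1).lower(), None
        elif m := CATEGORY_RE.match(line):
            category = m.group(1)
        elif section and category:
            entries.append((section, category, line.lower()))
    return entries


def recurring_detections(previous, current):
    """Entries of the current run already reported (and removed) in the previous one."""
    seen = {(section, item) for section, _category, item in previous}
    return [e for e in current if (e[0], e[2]) in seen]


def needs_attention(recurring):
    """Recurring file or registry hits; cookies simply come back with browsing."""
    return [e for e in recurring if e[0] in ("files", "registry keys")]


def categories_in_files_and_registry(entries):
    """Categories with both a file and a registry-key hit (a sign of a working install)."""
    by_section = {}
    for section, category, _item in entries:
        by_section.setdefault(section, set()).add(category)
    return by_section.get("files", set()) & by_section.get("registry keys", set())


if __name__ == "__main__":
    before = parse_scanspyware_log(RUN_BEFORE_CLEANUP)
    after = parse_scanspyware_log(RUN_AFTER_CLEANUP)
    back = recurring_detections(before, after)
    for section, category, item in back:
        print(f"came back: [{category}] {item} ({section})")
    if needs_attention(back):
        print("file/registry hits are being put back: suspect active malware")
    else:
        print("only cookies recurred: consistent with leftover bits, not a live infection")
```

On the constructed pair of runs only the VX2 cookie recurs and no category has both a file and a registry hit, which is the "inactive leftovers" reading Dak gives above.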

Posted

Hey Dak,

Thanks again for the help.

I more so meant the difference between ZoneAlarm and the other one you offered, but since I have some experience with ZoneAlarm, I will stick with that one.

I've also uninstalled those two spyware programs you mentioned... I had already done SpyBouncer, as Spy Sweeper turned up Virtual Bouncer, and I assumed they were linked.

Trend Micro Anti-Spyware picked up some registry keys, but no trojans or active problems, so things are looking up.

I'm going to run Kaspersky, post an HJT log, and then install ZoneAlarm and hopefully be finished with problems!

Posted

Okay, this makes me quite happy:

 

-------------------------------------------------------------------------------

KASPERSKY ON-LINE SCANNER REPORT

Tuesday, January 03, 2006 14:49:42

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky On-line Scanner version: 5.0.67.0

Kaspersky Anti-Virus database last update: 3/01/2006

Kaspersky Anti-Virus database records: 158615

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: standard

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

 

Scan Statistics:

Total number of scanned objects: 127933

Number of viruses found: 7

Number of infected objects: 47

Number of suspicious objects: 0

Duration of the scan process: 4101 sec

 

Infected Object Name - Virus Name

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text/[From eBay <supprefnum644565637137@ebay.com>][Date Sun, 24 Jul 2005 22:55:35 -0600]/html Infected: Trojan-Spy.HTML.Bayfraud.hn

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text/[From eBay Inc <identdep_op9@ebay.com>][Date Wed, 03 Aug 2005 23:24:06 -0500]/html Infected: Trojan-Spy.HTML.Bayfraud.hn

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text/[From "Lillie C. Kaufman" <l_kaufman@look.ca>][Date Sun, 28 Aug 2005 17:46:56 +0100]/text/[From eBay Inc <custservice_72@ebay.com>][Date Wed, 31 Aug 2005 19:33:37 +0500]/html Infected: Trojan-Spy.HTML.Bayfraud.hn

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text/[From "Lillie C. Kaufman" <l_kaufman@look.ca>][Date Sun, 28 Aug 2005 17:46:56 +0100]/text Infected: Trojan-Spy.HTML.Bayfraud.hn

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text Infected: Trojan-Spy.HTML.Bayfraud.hn

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text Infected: Trojan-Spy.HTML.Bayfraud.hn

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk Infected: Trojan-Spy.HTML.Bayfraud.hn

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Trash/[From eBay Inc <custservice_72@ebay.com>][Date Wed, 31 Aug 2005 19:33:37 +0500]/html Infected: Trojan-Spy.HTML.Bayfraud.hn

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Trash Infected: Trojan-Spy.HTML.Bayfraud.hn

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:0 ... . ... /[From Seanvdb <seanvdb@iaehv.nl>][Date Mon, 12 Sep 2005 20:35:45 + ... /price.cpl Infected: Email-Worm.Win32.Bagle.ct

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:0 ... . ... /[From Seanvdb <seanvdb@iaehv.nl>][Date Mon, 12 Sep 2005 20:35:45 +0200]/price.zip Infected: Email-Worm.Win32.Bagle.ct

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:0 ... ... /[From marybeth@payments.certapay.com][Date Sun, 17 Apr 2005 21:28:06 -0600]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:0 ... /[From don reddick <donreddick@cogeco.ca>][Date Wed, 27 Oct 2004 21:46:31 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:03 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text Infected: Email-Worm.Win32.Bagle.ct

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox Infected: Email-Worm.Win32.Bagle.ct

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From update@paypal.com <service@paypal.com>][Date Wed, 5 Oct 2005 23:30:20 -0700 (PDT)]/html Infected: Trojan-Spy.HTML.Paylap.cd

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From update@paypal.com <service@paypal.com>][Date Thu, 6 Oct 2005 04:14:37 -0700 (PDT)]/html Infected: Trojan-Spy.HTML.Paylap.cd

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From update@paypal.com<service@paypal.com>][Date Fri, 14 Oct 2005 16:06:54 +0800 (CST)]/html Infected: Trojan-Spy.HTML.Paylap.cd

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "info@paypal.com" <info@paypal.com>][Date Thu, 03 Nov 2005 12:48:32 -0700]/html Infected: Trojan-Spy.HTML.Paylap.ad

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "info@paypal.com" <info@paypal.com>][Date Thu, 17 Nov 2005 01:10:33 -0500]/html Infected: Trojan-Spy.HTML.Paylap.ad

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Bank of the West® Online Banking" <eTimeBanker@bankofthewest.com>][Date Tue, 29 Nov 2005 05:59:11 -0300]/html Infected: Trojan-Spy.HTML.Paylap.ad

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "info@paypal.com" <info@paypal.com>][Date Tue, 29 Nov 2005 23:33:14 -0600]/html Infected: Trojan-Spy.HTML.Paylap.ad

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Paypal" <service@paypal.com>][Date Thu, 1 Dec 2005 07:14:44 +0500 (YEKT)]/text/[spam]Dear Infected: Trojan-Spy.HTML.Paylap.gj

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Paypal" <service@paypal.com>][Date Thu, 1 Dec 2005 07:14:44 +0500 (YEKT)]/text Infected: Trojan-Spy.HTML.Paylap.gj

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "info@paypal.com" <info@paypal.com>][Date Sun, 04 Dec 2005 04:18:54 -0200]/html Infected: Trojan-Spy.HTML.Paylap.ad

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "update@paypal.com" <service@email.paypal.com>][Date Mon, 05 Dec 2005 19:20:49 -0700]/html Infected: Trojan-Spy.HTML.Paylap.cd

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "paypal" <paypal@service.com>][Date Fri, 09 Dec 2005 09:20:26 +0300]/html Infected: Trojan-Spy.HTML.Paylap.gl

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "service@email.paypal.com" <service@paypal.com>][Date Sat, 10 Dec 2005 23:24:27 +0500]/html Infected: Trojan-Spy.HTML.Paylap.cd

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 D ... /[From S ... /[From "PayPal" <service@paypal.com>][Date Sat, 17 Dec 2005 12:52:02 +0000 (UTC)]/html Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 D ... /[From Stylish replica watches from famous brands][Date Sat, 17 Dec 2005 10:15:40 -0500 (EST)]/html Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec . ... /[From " ... /[From "Kiara" <alex1ag@ezweb.ne.jp>][Date Sat, 17 Dec 2005 15:08:53 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec . ... /[From "iw6dq" <hxfnqycfcyr@hotmail.com>][Date Sat, 17 Dec 2005 08:03:31 -0500 (EST)]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec . ... /[From "Kevin Tovar" <lea.washington74g@gmail.com>][Date Sat, 17 Dec 2005 04:21:47 -0800]/text Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec . ... /[From "trfscu" <dyucoholtbe@hotmail.com>][Date Sat, 17 Dec 2005 06:21:19 -0500 (EST)]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec ... /[From "hiea70es" <zexadfsjgst@hotmail.com>][Date Sat, 17 Dec 2005 04:58:46 -0500 (EST)]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec 2005 03:15:25 ... /[From "Jacki" <hiergo@ebina-cash.com>][Date Sat, 17 Dec 2005 09:03:15 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec 2005 03:15:25 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "PayPal" <service@paypal.com>][Date Sat, 17 Dec 2005 18:54:21 -0800]/html Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv

C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk Infected: Trojan-Spy.HTML.Paylap.gv

 

Scan process completed.

 

 

Mostly because I don't open attachments, and most of it is marked as junk. The problem? The Junk.sbd folders are completely empty. Couldn't I just delete everything via Thunderbird instead?

 

Also, here's my last HJT log before I install zonealarm.

 

 

-------------

 

Logfile of HijackThis v1.99.1

Scan saved at 2:53:41 PM, on 1/3/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\PROGRA~1\ICQ\ICQ.exe

C:\Program Files\MessengerPlus! 3\MsgPlus.exe

C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\Netropa\Onscreen Display\OSD.exe

C:\WINDOWS\system32\CTSVCCDA.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\hijackthis\HijackThis.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab

O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

 

----
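An added example, not from the poster or from HijackThis itself: a small Python pass over lines in the format of the log above that pulls out the entries a helper reviews first. The sample lines are copied from the log in this post; the flags are review hints, not verdicts. The heuristics are the ones a practitioner applies by hand: a Run value with no drive-letter path (resolved through the PATH search order, so a same-named binary earlier in PATH wins), a service whose binary carries no company name ("Unknown owner"), a load point whose target is gone ("(file missing)"), and any O20 Winlogon Notify DLL, which is loaded into winlogon.exe and runs as SYSTEM. The reason-code names and the `triage` function are this example's own.

```python
import re

# Sample lines copied from the HijackThis v1.99.1 log above (one O2, four O4,
# one O18, one O20, two O23 entries). Nothing here is a verdict on the poster's
# machine; the flags are review hints a helper would check first.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# Reason codes for findings (names chosen for this example).
FILE_MISSING = "file-missing"          # registered load point whose target no longer exists
RELATIVE_PATH = "relative-path"        # Run value without a drive-letter path: resolved via PATH search order
UNKNOWN_OWNER = "unknown-owner"        # service binary with no company name in its version resource
WINLOGON_NOTIFY = "winlogon-notify"    # O20 DLLs load into winlogon.exe and run as SYSTEM

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_VALUE_RE = re.compile(r"\[(.+?)\]\s*(.*)$")
DRIVE_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, ignoring non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def has_absolute_path(command):
    """True when the command starts with an (optionally quoted) drive-letter path."""
    return bool(DRIVE_PATH_RE.match(command.strip()))


def triage(text):
    """Return (section, reason, subject) tuples for entries worth a closer look."""
    findings = []
    for section, body in parse_hjt(text):
        if "(file missing)" in body:
            findings.append((section, FILE_MISSING, body.split(" - ")[0]))
        if section == "O4":
            m = RUN_VALUE_RE.search(body)  # Global Startup lines have no [name]; skipped
            if m and not has_absolute_path(m.group(2)):
                findings.append((section, RELATIVE_PATH, m.group(1)))
        elif section == "O20":
            findings.append((section, WINLOGON_NOTIFY, body.split(" - ")[0]))
        elif section == "O23":
            parts = body.split(" - ")
            if len(parts) >= 3 and parts[1].strip() == "Unknown owner":
                findings.append((section, UNKNOWN_OWNER, parts[0]))
    return findings


if __name__ == "__main__":
    for section, reason, subject in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:16} {subject}")
```

Run against the sample it flags CTHelper and Logitech Utility (relative paths), the msnim protocol handler (file missing), the WRNotifier Winlogon DLL, and the nhksrv service (Unknown owner); the AVG entries and the Global Startup shortcut pass. Each flag still needs a human to confirm the file's origin; several of the flagged items here belong to legitimate hardware and security software.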

Posted

I ran Kaspersky again after deleting my junk folders, and it did nothing.

 

It found some new stuff in some exe files, but I've deleted those.

 

One that threw me off was this one:

 

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614

 

I've had this version of IRC since I bought this computer... I can't see how it's a virus now and not 2 years ago (or during the 1st scan).

Posted

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614

 

It's considered 'riskware', in that it can be an infection vector -- I wouldn't worry about it though.

 

Are any scans still finding things?

Posted

Hey Dak,

 

Everything is coming up clean.

 

One thing though. Zone Alarm keeps blocking "Generic Host Process (Win32 Services)" from accepting connections from the internet at IP addresses:

 

24.200.241.37 : DNS

24.200.243.189 : DNS

24.201.245.77 : DNS

 

What does this mean (i.e. is it bad? I tried connecting to them and couldn't do so via my browser.)
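An added example, not part of the thread. On Windows XP the DNS Client service runs inside a svchost.exe instance, which is what ZoneAlarm labels "Generic Host Process (Win32 Services)", so the first check a practitioner makes on an alert like the one above is whether the blocked "DNS" sources are the resolvers listed by `ipconfig /all`: a packet from remote port 53/UDP to a dynamic local port has the shape of a reply to the host's own query, and a personal firewall that has already forgotten the outbound query logs the late reply as an unsolicited inbound connection. The `ipconfig /all` excerpt, the resolver list and the blocked events below are constructed for this example; the three addresses from the post are placed in the constructed resolver list as an assumption, not as a fact about the poster's network. The labels are heuristics, and `parse_ipconfig_dns`, `classify` and `summarize` are this example's own functions.

```python
import ipaddress

# Constructed `ipconfig /all` excerpt in Windows XP's layout. The three
# resolver addresses are the ones the post lists, placed here as an assumption
# about what the poster's adapter would show, not as a fact from the thread.
IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.net
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 24.200.241.37
                                            24.200.243.189
                                            24.201.245.77
        Lease Obtained. . . . . . . . . . : Monday, January 02, 2006 9:01:12 AM
"""

# Constructed blocked-inbound events as a personal firewall would log them:
# (remote address, remote port, protocol, local port). The first three mirror
# the post; the rest are invented contrasts using documentation address ranges.
BLOCKED = [
    ("24.200.241.37", 53, "UDP", 1042),
    ("24.200.243.189", 53, "UDP", 1043),
    ("24.201.245.77", 53, "UDP", 1044),
    ("203.0.113.9", 53, "UDP", 1045),
    ("198.51.100.7", 445, "TCP", 445),
    ("192.0.2.5", 4000, "TCP", 2301),
]

EPHEMERAL_MIN = 1024  # XP's DNS Client sends queries from a dynamic port above this


def parse_ipconfig_dns(text):
    """Collect the DNS Servers list, including the unlabeled continuation lines."""
    servers = []
    collecting = False
    for line in text.splitlines():
        stripped = line.strip()
        if "DNS Servers" in line:
            candidate = line.split(":", 1)[1].strip()
            collecting = True
        elif collecting and stripped and ":" not in stripped:
            candidate = stripped  # continuation line: value only, no label
        else:
            collecting = False
            continue
        try:
            servers.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass  # blank or non-address text
    return servers


def classify(event, resolvers):
    """Label one blocked inbound event by how it relates to the host's own DNS traffic."""
    remote_ip, remote_port, proto, local_port = event
    if proto == "UDP" and remote_port == 53 and local_port >= EPHEMERAL_MIN:
        # Source port 53 to a dynamic local port is the shape of a DNS reply;
        # a stateful firewall that already timed out the query logs it as unsolicited.
        if remote_ip in resolvers:
            return "dns-reply-from-configured-resolver"
        return "dns-reply-from-unconfigured-server"  # check whether DNS settings changed
    if local_port < EPHEMERAL_MIN:
        return "inbound-probe-to-service-port"
    return "unsolicited-inbound"


def summarize(events, resolvers):
    """Count events per label so the alert volume can be read at a glance."""
    counts = {}
    for event in events:
        label = classify(event, resolvers)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    resolvers = parse_ipconfig_dns(IPCONFIG)
    for event in BLOCKED:
        print(f"{event[0]:>15}:{event[1]:<5} {event[2]} -> {classify(event, resolvers)}")
    print(summarize(BLOCKED, resolvers))
```

Replies from a server that is not in the configured resolver list deserve a look (a changed DNS setting is one thing malware does), while replies from the configured resolvers blocked by a personal firewall are usually noise from the firewall's own state table; inbound traffic to a service port such as 445 is a probe regardless of the firewall's process attribution. Since the three addresses in the post are "DNS" sources with svchost as the target, comparing them against the adapter's resolver list is the check this question calls for.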
