seanvdb Posted January 2, 2006

I was infected with a virus last night (avpe32.dll). AVG won't remove it. I've scanned with Spy Sweeper (found it but wouldn't delete, as it's a trial version), ewido, Spybot, Ad-Aware, Microsoft AntiSpyware, and Panda ActiveScan. Ewido repeatedly pops up the Backdoor.Haxdoor.dw infection. I can't manually delete the file from c:\WINDOWS\system32, because it isn't showing up there. I'm posting because someone else had a similar problem and you guys were able to help him. I've booted to safe mode and used apropos.exe as well. I've posted an HJT log as well as the log file from apropos.exe.

---------------------
Log of AproposFix v1
************
Running from directory:
C:\Documents and Settings\Sean{y}\Desktop\aproposfix
************
Registry entries found:
************
No service found!
Removing hidden folder:
No folder found!
Deleting files:
Backing up files:
Done!
Removing registry entries:
REGEDIT4
Done!
Finished!
-------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:53:41 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
--------------------

The O20, which is the file, just keeps coming back!
doG Posted January 2, 2006

See http://castlecops.com/p678952-Need_help_avpe64_sys_avpe32_dll.html
seanvdb (Author) Posted January 2, 2006

Also, here is a RootkitRevealer log. I noticed in the other thread that a user named Dak mentioned that the new Haxdoor viruses have keyword loggers. Thunderbird tried to send an email with a bunch of passwords of mine to some random email address (but failed). It didn't send my online banking one, but it'd be nice to get rid of this soon! I was going to post the revealer log, but it gets stuck on HKLM\SYSTEM\WPA\StartHash-XT33R8KXVF2JY7. It's been like that for 10 minutes.
seanvdb (Author) Posted January 2, 2006

I've deleted all the associated files, run ewido etc. in safe mode. Everything is gone except a set of registry files that Spy Sweeper is picking up. They are:

HKLM\system\currentcontrolset\control\safeboot\minimal\avpe32.sys\ (1 subtrace)
HKLM\system\currentcontrolset\control\safeboot\minimal\avpe64.sys\ (1 subtrace)
HKLM\system\currentcontrolset\control\safeboot\network\avpe32.sys\ (1 subtrace)
HKLM\system\currentcontrolset\control\safeboot\network\avpe64.sys\ (1 subtrace)
HKLM\system\currentcontrolset\services\avpe32\ (12 subtraces)
HKLM\system\currentcontrolset\services\avpe64\ (12 subtraces)

Can I delete them?

Also, at 5:24pm, I got two 'mail returned to sender' emails with a bunch of my passwords that were going to some IP address.

This is the AVG E-mail Scanner program.
I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations.
-------------------------------------------------------------------
Cannot open smtp connection to '192.168.1.100'
Connect: No connection could be made because the target machine actively refused it. (10061)
-------------------------------------------------------------------
Your e-mail message is being returned to you in the next part of this message. Try to send the message again. Should you need assistance, please contact your administrator or your Internet service provider.

If there are only registry files left, how can I still be sending emails out with my passwords?
seanvdb (Author) Posted January 2, 2006

RootkitRevealer also tries to start a Windows service when I open it:

A Windows service is a program that can run automatically if enabled. This change generally occurs when software is installed. You can allow this change if it is recognized and expected.
Name: Sysinternals Rootkitrevealer
Publisher: Sysinternals - http://www.sysinternals.com
Path: C:\DOCUME~1\Sean{y}\LOCALS~1\Temp\KNHBWQXPINSZOERGTS.exe

Is that ok?
Dak Posted January 3, 2006

Where are you guys getting all these haxdoors from?

RootkitRevealer is supposed to start a service like that.

Download and save F-Secure BlackLight to your desktop. Double-click blbeta.exe, then accept the agreement. Click Scan, then Next. After the scan has completed, don't click on Next, because legit items can also be present there...

BlackLight should have made a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers). Post the contents of the log in your next reply, along with a fresh HijackThis log please.
doG Posted January 3, 2006

> I've deleted all the associated files, run ewido etc. in safe mode. Everything is gone except a set of registry files that Spy Sweeper is picking up. They are:
> HKLM\system\currentcontrolset\control\safeboot\minimal\avpe32.sys\ (1 subtrace)
> HKLM\system\currentcontrolset\control\safeboot\minimal\avpe64.sys\ (1 subtrace)
> HKLM\system\currentcontrolset\control\safeboot\network\avpe32.sys\ (1 subtrace)
> HKLM\system\currentcontrolset\control\safeboot\network\avpe64.sys\ (1 subtrace)
> HKLM\system\currentcontrolset\services\avpe32\ (12 subtraces)
> HKLM\system\currentcontrolset\services\avpe64\ (12 subtraces)
> Can I delete them?

Yep...
seanvdb (Author) Posted January 3, 2006

I'm pretty sure the Haxdoor came in with a crack I was using... though I didn't notice it had downloaded two executables, and only bothered to check one of them for viruses before I ran it (I'm an idiot). Here's the information you wanted. I finally got a version of Spy Sweeper that does more than just scan (for 14 days anyway), so I removed those instances in the registry. I don't know if anything is still here... hopefully someone here can answer!!

----------------------------
01/02/06 23:15:53 [info]: BlackLight Engine 1.0.30 initialized
01/02/06 23:15:53 [info]: OS: 5.1 build 2600 (Service Pack 2)
01/02/06 23:15:53 [Note]: 7019 4
01/02/06 23:15:53 [Note]: 7005 0
01/02/06 23:15:55 [Note]: 7006 0
01/02/06 23:15:56 [Note]: 7011 1428
01/02/06 23:15:56 [Note]: FSRAW library version 1.7.1014
01/02/06 23:16:03 [Note]: 7007 0
------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:17:15 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
--------------------------

That O20 is back though, except with a different file name... ahhhh!
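The two HijackThis logs in this thread were compared by eye to spot that the O20 entry had changed. The script below is an added example, not code from the thread or from HijackThis: it groups a log into its sections (the process list and each Oxx class) and diffs two of them, so a rescan shows "avpe32 removed, WRNotifier added" under O20 instead of two walls of text. The two logs embedded in it are constructed excerpts of the logs posted above with most lines dropped, so they are samples rather than the full logs.

```python
"""Diff two HijackThis logs section by section.

Added example, not part of the thread or of HijackThis. The embedded logs
are cut-down copies of the two logs posted in the thread: the O2/O20/O23
lines and a few process lines were kept, everything else was dropped.
"""
import re

# Matches lines such as "O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll"
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")

BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:53:41 PM, on 1/2/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:17:15 PM, on 1/2/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""


def parse_hjt(text: str) -> dict:
    """Group a HijackThis log into {section: set(entries)}.

    Lines after "Running processes:" up to the first Oxx entry go under
    "Processes"; every "Oxx - ..." line goes under its own section number.
    Header lines (Logfile of..., Scan saved..., Platform...) are ignored.
    """
    sections, in_procs = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            sections.setdefault(m.group(1), set()).add(m.group(2))
        elif in_procs:
            sections.setdefault("Processes", set()).add(line)
    return sections


def _section_order(name: str):
    # Processes first, then O1, O2, ... O23 in numeric rather than string order.
    return (0, 0) if name == "Processes" else (1, int(name[1:]))


def diff_hjt(before: str, after: str) -> dict:
    """Return {section: {"added": [...], "removed": [...]}} for changed sections only."""
    old, new = parse_hjt(before), parse_hjt(after)
    report = {}
    for sec in sorted(set(old) | set(new), key=_section_order):
        added = sorted(new.get(sec, set()) - old.get(sec, set()))
        removed = sorted(old.get(sec, set()) - new.get(sec, set()))
        if added or removed:
            report[sec] = {"added": added, "removed": removed}
    return report


if __name__ == "__main__":
    for sec, change in diff_hjt(BEFORE_LOG, AFTER_LOG).items():
        for entry in change["removed"]:
            print(f"- [{sec}] {entry}")
        for entry in change["added"]:
            print(f"+ [{sec}] {entry}")
```

Entries are compared as whole strings, so a renamed DLL or a changed path shows up as a removal plus an addition, which is exactly the signal a helper wants when the same O-class reappears under a different name. Unchanged sections (O2 and O23 in the samples) are left out of the report.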
Dak Posted January 3, 2006

That O20 belongs to Spy Sweeper; also, the blackice log indicates that the Haxdoor rootkit is no longer present.

To make sure/fix the damage that Haxdoor may have done:

Could you post up a RootkitRevealer log if it will work now (scan, and then go to File > Save to generate a log file).

Also, download l2mfix. Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

If you receive, while running option #1, an error similar to "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application..", then use option 5 to solve this error condition.

And go to http://virusscan.jotti.org/ and upload the file C:\Program Files\Internet Explorer\iexplore and copy/paste the results into this thread.
seanvdb (Author) Posted January 3, 2006

RootkitRevealer still locks up here: HKLM\SYSTEM\WPA\StartHash-XT33R8KXVF2JY7. I'm going to leave it running overnight and see what comes of it.

Here are the results from the l2mfix:

L2MFIX find log 122705
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"="UnlockerShellExtension"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
spmsg.dll      Wed Oct 12 2005  6:12:26p  .....      14,048   13.72 K
hashlib.dll    Tue Nov 15 2005 12:12:08p  A....     117,976  115.21 K
gdi32.dll      Wed Oct  5 2005 10:09:36p  A....     280,064  273.50 K
browseui.dll   Wed Nov 23 2005  8:06:34p  A....   1,022,464  998.50 K
axaltocm.dll   Fri Oct 28 2005 11:49:40p  .....     133,120  130.00 K
sirenacm.dll   Wed Oct 12 2005  5:11:06p  A....     118,784  116.00 K
wrlzma.dll     Wed Dec 14 2005  7:17:16p  A....      17,920   17.50 K
gcunco~1.dll   Tue Nov 15 2005 12:12:06p  A....      95,448   93.21 K
gccoll~1.dll   Tue Nov 15 2005 12:12:08p  A....     126,680  123.71 K
mshtmled.dll   Thu Oct 20 2005 10:39:30p  A....     448,512  438.00 K
basecsp.dll    Fri Oct 28 2005  4:40:16p  .....      96,792   94.52 K
bcsprsrc.dll   Fri Oct 28 2005 11:49:40p  .....      25,600   25.00 K
ifxcardm.dll   Fri Oct 28 2005 11:49:40p  .....     151,552  148.00 K
esent.dll      Thu Oct 20 2005  5:20:04p  A....   1,082,368    1.03 M
wininet.dll    Thu Oct 20 2005 10:39:30p  A....     658,432  643.00 K
urlmon.dll     Fri Nov  4 2005 10:16:28p  A....     609,280  595.00 K
shlwapi.dll    Thu Oct 20 2005 10:39:30p  A....     473,600  462.50 K
shdocvw.dll    Wed Nov 30 2005 10:59:30p  A....   1,492,480    1.42 M
pngfilt.dll    Thu Oct 20 2005 10:39:30p  A....      39,424   38.50 K
mstime.dll     Thu Oct 20 2005 10:39:30p  A....     530,944  518.50 K
msrating.dll   Thu Oct 20 2005 10:39:30p  A....     146,432  143.00 K
mshtml.dll     Wed Nov 23 2005  8:06:34p  A....   3,015,680    2.88 M
inseng.dll     Thu Oct 20 2005 10:39:28p  A....      96,256   94.00 K
iepeers.dll    Thu Oct 20 2005 10:39:28p  A....     251,392  245.50 K
dxtrans.dll    Thu Oct 20 2005 10:39:28p  A....     205,312  200.50 K
danim.dll      Fri Nov  4 2005 10:16:24p  A....   1,054,208    1.00 M
cdfview.dll    Thu Oct 20 2005 10:39:26p  A....     151,040  147.50 K
extmgr.dll     Thu Oct 20 2005 10:39:28p  .....      55,808   54.50 K
msgplu~1.dll   Wed Oct 12 2005  8:48:22a  A....      45,640   44.57 K
wrlogo~1.dll   Wed Dec 14 2005  7:17:20p  A....     492,544  481.00 K

30 items found: 30 files, 0 directories.
Total of file sizes: 13,049,800 bytes 12.44 M

Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 1F60-12D5

Directory of C:\WINDOWS\System32

02/20/2004 12:27 PM <DIR> Microsoft
02/20/2004 11:08 AM <DIR> dllcache
0 File(s) 0 bytes
2 Dir(s) 48,757,702,656 bytes free
------------------------

And the results from jotti.org. There were two sections. I think the 2nd section does not pertain to me, but I pasted it just in case.

Service load: 0% 100%
File: iexplore.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 e7484514c0464642be7b4dc2689354c8
Packers detected: -

Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

PART TWO:
Last file scanned at least one scanner reported something about: CRAGGLE_SEARCH[10].rar, detected by:
Scanner Malware name
AntiVir Adware-Spyware/Craagle.18 adware
ArcaVir X
Avast X
AVG Antivirus Generic.GMX
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus not-a-virus:AdWare.Win32.Craagle.18
NOD32 X
Norman Virus Control X
UNA Adware.Craagle.18
VBA32 AdWare.Win32.Craagle.18

You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives. We are not affiliated with any third parties that conduct tests using this service.

Thanks so much, you guys are super helpful!
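The l2mfix output above is the same Winlogon\Notify key that HijackThis reports as O20, exported as .reg text, and it is where the avpe32 entry from the first post lived: a DLL registered there is loaded into winlogon.exe, which runs as SYSTEM, at every logon. The script below is an added example, not code from the thread, from l2mfix or from any other tool named in it. It parses that .reg text, decodes DllName whether it is a plain string or the hex(2) form (REG_EXPAND_SZ written as little-endian UTF-16 bytes, continued across lines with a trailing backslash), and flags any package whose DLL is not on a baseline. The baseline is an assumption taken from the clean export above (stock XP SP2 plus the ATI and Webroot packages); the sample export is constructed from three trimmed entries in the thread plus an avpe32 entry modelled on the O20 line in the first post, with made-up value names.

```python
"""Triage a Winlogon\\Notify .reg export for notification DLLs not on a baseline.

Added example, not part of the thread or of any tool it mentions. The
baseline and the sample export are assumptions described in the comments.
"""
import re

# Assumed baseline: lower-cased file names of the notify DLLs present in the
# clean l2mfix export above (Windows XP SP2 plus the ATI and Webroot packages).
BASELINE_DLLS = {
    "ati2evxx.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "wrlogonntf.dll",
}

SUBKEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample: three entries trimmed from the thread's export, plus an
# avpe32 entry modelled on the O20 line in the first post (value names invented).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Logon"="AtiLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpe32]
"DllName"="avpe32.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Startup"="WinLogonStartup"
"""


def _decode_hex2(payload: str) -> str:
    """'63,00,72,00,...' -> 'cr...': UTF-16LE bytes, trailing NUL terminator dropped."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_notify_export(text: str) -> dict:
    """Return {package: {value_name: decoded_value}} for each Notify subkey."""
    # A trailing backslash in a .reg file means the byte list continues on the next line.
    text = re.sub(r",\\[ \t]*\r?\n[ \t]*", ",", text)
    packages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SUBKEY_RE.match(line)
            current = m.group(1) if m else None  # keys outside Notify are skipped
            if current:
                packages[current] = {}
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith("hex(2):"):
            value = _decode_hex2(value[len("hex(2):"):])
        elif value.startswith("dword:"):
            value = int(value[len("dword:"):], 16)
        else:
            # REG_SZ: quoted, with embedded quotes and backslashes escaped
            value = value.strip('"').replace('\\"', '"').replace("\\\\", "\\")
        packages[current][name] = value
    return packages


def suspicious_packages(packages: dict) -> list:
    """(package, reason) for every package whose DLL is missing or not on the baseline."""
    findings = []
    for pkg, values in packages.items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if not dll:
            findings.append((pkg, "no DllName value"))
            continue
        base = str(dll).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base not in BASELINE_DLLS:
            findings.append((pkg, f"unknown notify DLL {dll}"))
    return findings


if __name__ == "__main__":
    for pkg, reason in suspicious_packages(parse_notify_export(SAMPLE_EXPORT)):
        print(f"{pkg}: {reason}")
```

A name-based baseline is only a first pass: an unknown name is worth a look, but a known name proves nothing, since a DLL can be dropped under a legitimate file name. Follow up any hit by hashing the file on disk and checking its digital signature, and remember that a rootkit which hides its file from Explorer, as happened in this thread, can also hide it from a user-mode script.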
Dak Posted January 3, 2006

Cool, winlogon/notify and iexplore.exe seem to be intact. Don't bother with the RootkitRevealer log if it's playing up.

To finish up cleaning, delete any of the following files, if present:

C:\Windows\System32\avpu32.dll
C:\Windows\System32\avpu64.sys
C:\Windows\System32\klgcptini.dat
C:\Windows\System32\qz.dll
C:\Windows\System32\qz.sys
C:\Windows\System32\stt82.ini

Also:

1) Update and scan with AVG.

2) Flushing System Restore
To remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):
a. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
b. Reboot.
c. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-check *Turn off System Restore*. Click Apply, and then click OK.
-----------

3) Cleaning temp files, in case some malicious files are hiding there.
Download and install CCleaner. Double-click the CCleaner icon, and make sure only the following are checked under the "Windows" tab:
temporary internet files
empty recycle bin
temporary files
old prefetch data
Then click the "Applications" tab, and uncheck everything apart from temporary files under Firefox. Now click on "Analyse" and then "Run Cleaner".
-----------

4) Get rid of tools
You may as well delete l2mfix, BlackLight and RootkitRevealer, unless you want to keep them for any reason.
-----------

5) Get a firewall
Download and install either ZoneAlarm or Sunbelt-Kerio.
----------

6) Change all of your online passwords, due to Haxdoor's keylogger. Also, if you have used your credit card online lately, I'd cancel it and get a new one.
----------

7) Let the moral of the story be this: avoid cracks, because they have a tendency to infect your computer.
seanvdb (Author) Posted January 3, 2006

I left RootkitRevealer running all night; it turned up nothing (and finished properly!). About the credit card 'lately', do you mean within the time that I was infected? I can see the passwords that were attempted to be sent to some IP address... none of them are important. By the way, thanks for all your help!

Also, when I ran F-Secure again, I got this:

01/03/06 00:47:48 [info]: BlackLight Engine 1.0.30 initialized
01/03/06 00:47:48 [info]: OS: 5.1 build 2600 (Service Pack 2)
01/03/06 00:47:48 [Note]: 7019 4
01/03/06 00:47:48 [Note]: 7005 0
01/03/06 00:47:51 [Error]: 6024 4
01/03/06 00:47:51 [Error]: 6024 4
01/03/06 00:47:51 [Note]: 7006 0
01/03/06 00:47:51 [Note]: 7011 1468
01/03/06 00:47:51 [Error]: 6024 4
01/03/06 00:47:51 [Error]: 6024 4
01/03/06 00:47:51 [Note]: 7018 2280
01/03/06 00:47:51 [Error]: 6024 4
01/03/06 00:47:52 [Note]: FSRAW library version 1.7.1014
01/03/06 00:49:46 [Note]: 7007 0

Then I ran it again this morning, and got this:

01/03/06 07:45:07 [info]: BlackLight Engine 1.0.30 initialized
01/03/06 07:45:07 [info]: OS: 5.1 build 2600 (Service Pack 2)
01/03/06 07:45:07 [Note]: 7019 4
01/03/06 07:45:07 [Note]: 7005 0
01/03/06 07:45:08 [Note]: 7006 0
01/03/06 07:45:08 [Note]: 7011 1460
01/03/06 07:45:08 [Note]: FSRAW library version 1.7.1014
01/03/06 07:45:24 [Note]: 7007 0

Why the difference??
------------

And one more. Are you familiar with Spy Sweeper? My log came up clean, but the session log has some weird 'cannot open file' lines, some of which look important.
********
12:27 AM: | Start of Session, Tuesday, January 03, 2006 |
12:27 AM: Spy Sweeper started
12:27 AM: Sweep initiated using definitions version 594
12:27 AM: Starting Memory Sweep
12:29 AM: Memory Sweep Complete, Elapsed Time: 00:02:03
12:29 AM: Starting Registry Sweep
12:29 AM: Registry Sweep Complete, Elapsed Time: 00:00:05
12:29 AM: Starting Cookie Sweep
12:29 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:29 AM: Starting File Sweep
12:29 AM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\software".
The process cannot access the file because it is being used by another process 12:30 AM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process 12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\datastore.edb". The process cannot access the file because it is being used by another process 12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\logs\edb.log". The process cannot access the file because it is being used by another process 12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\logs\tmp.edb". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa04611cd-51b9-4e0e-b5ad-d6850e5ca7c1.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6d1617da-7500-4190-aa49-1056e8ced64f.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs07c96578-cde1-4e37-9a3e-67243c115089.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse6f826d8-65d6-46a4-b8aa-a61dbfb4ef18.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs525be769-7bfd-4ecb-ab75-4304424ab1c5.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs85cfbe53-a9fe-409e-a244-d785f1045768.tmp". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9e09d479-aec1-42b2-b3c5-28cb5b24159d.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscscba2abfd-9f26-4432-b583-514617dc3132.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3e255f07-391a-4fdb-930c-5a502f5d2145.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4ecdf5c5-0383-4b95-beea-8656e8491cf1.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8bb97229-0bfc-4fc4-a804-b0480137fa0c.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse2053657-99a5-41fa-bd8e-43ba5decd8de.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5cab9924-08f9-4d06-bfb6-04e75bd69d97.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9e3c49a3-f1ea-4ae0-830e-95eaf5ccbb38.tmp". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd52da5d2-e6b2-496c-b1dc-441e6a4533af.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd2717140-6547-4f87-8187-e2705138c8ab.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5995cf24-070f-4dbe-91f8-7963e39162f0.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb0efdadc-dbb0-4b9f-979d-20b01269aed0.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0f36c81c-24ec-4e8c-9b90-adef1450ce6f.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse84a3fea-a8ea-4443-897f-9e74b141bc40.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb74e340f-2fbd-4d39-8664-01444efda0b9.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd69f9a45-4436-4099-ad9e-aa3e788d6a8a.tmp". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs22f45b9a-594e-4ade-9b1d-0aef09d78d5c.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs520db8d2-69cf-424f-8487-651536829d9d.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9fb53135-3726-425e-9d4b-e2ea6a3c0cf9.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs18e22a39-68e9-4e69-9d44-67e2de4b7b29.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs80f4ac60-7c81-4255-8ff3-a0ea8fbb3470.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0874bbc4-3e99-4da1-b649-337bf146ed8e.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5a7359f3-cf20-4496-8afc-15df8917c610.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4a9def0a-038f-4c5b-aff6-a17d8e604761.tmp". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5413472f-6dee-4abf-8605-87911d18cdd7.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdb83788e-1afb-4fb1-a616-733761c91a13.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs56a55bfa-27c2-4924-972d-306efe931e53.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc7598b86-d95d-41d9-adc1-ab7faf9fde06.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse25ae2a4-c393-4491-8120-b0e2c62b8019.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs71ef6db1-d0ef-4bbf-b850-a1fcd6fa132c.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs349e39d5-26a0-44c3-b543-25e759764ef2.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1d6fe8da-6389-4360-9e44-69f6d05e6c2a.tmp". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs34cee29b-c709-43d2-ba37-8692232e13d6.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf35fbdc7-3cec-4904-9589-00748cded26a.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9595c62d-d43d-4682-9915-03dfaaeea1c0.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs23c577ee-a781-4fb9-a101-bbb2f03f81fa.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs931a7c27-b062-4538-9590-6231623133ce.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscscf0b2117-670d-4bb3-9696-8d48ccc9b9ad.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc0a92b9f-abdb-4490-ad21-33d3e42af2c3.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs42fd231e-7432-4a03-81f7-4cbc06db512b.tmp". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb78850ff-6663-4894-b7e6-2814deb9fe22.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs464a5efc-c519-422b-8784-e599dd9aae39.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7a4c43cb-b641-4ed3-9405-7c06af8be29d.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs37195f61-630e-40e1-bacc-0d2488c0a332.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5e57ed0b-bbd2-4ab8-b56e-f5e93d041246.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscseb7a8dc8-470c-4dbc-b3dd-d025e68de323.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5eb6fa97-232d-4c5f-8c04-9e6008622ecd.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs95d0d3c4-69c8-44e4-9bbe-8acc68c573d1.tmp". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs27be3179-321c-4b87-8340-d7792e42479b.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc97ae475-15bc-479a-b907-445fa1bd2050.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs56e515cf-2705-421d-96f5-efc8eed245d4.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs268fa4ed-3c2f-4f35-bfc8-485d20d6120e.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8a36bf97-15fb-45d5-9502-c97e6105c831.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4e00c349-099f-45ff-83da-2ff238899e2f.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4ce61656-5030-4064-b9e3-32ab1ea0b950.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3e61758a-5676-409e-84a1-155bfe5612cf.tmp". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdc575891-3dd4-4d7a-87ff-0054ff4d2f94.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfc7b6b57-4e80-439e-a632-63638eb14b3b.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1fbc2e1c-423e-4d26-a195-4b6238995c5c.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs405c527a-2e64-4a8a-93be-3e530f408ddc.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9ab45659-3562-4608-8865-020847b3f89a.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1bda4722-762b-4160-b9b0-603d7e5c5bbd.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs864c9de5-64d2-440d-9887-f2fbb5aa5b08.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfc539b49-f7a0-46ad-9818-ce7f6c155866.tmp". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs52246228-35e4-4d0d-8433-d7a2df03a433.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb46bcce5-e075-44ef-abaf-0fcb218ff370.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3f499987-0a4f-488a-86b5-59e6598f825a.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs085ee804-25f8-41a9-abc0-4ad5a351a534.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc8675eda-db55-423b-851d-907bf6f46cc4.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6919210d-8b36-4b1c-a24c-48e5f463f053.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7a8131d4-90a0-4c5b-bdc7-1779ce9ceb03.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9a4fee37-b814-4aaa-90e2-9e0996cf8897.tmp". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa7076c26-e6c3-4604-a9f9-b54c7e32c8e4.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfefabc05-dcf2-46c7-9817-d3a29a22b683.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs778d93e4-773f-4e4e-ad80-0624da758879.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6f90e108-c4f2-446d-b3d9-034cd6227909.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6c5161e4-fabf-4287-8286-61c4176736ff.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3d3535ff-c6ab-4676-8e41-f344c9b8bf02.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsea2ee99e-02ba-4016-a5c6-13717d68e8f5.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3ee2e3a5-358d-4f04-938c-45eb1ceabf1f.tmp". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb5e0ba62-81bd-4bbf-8453-fa0c434cfdd2.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc3a19561-e3a3-4af8-812f-4bf9bbe60622.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf0ae2cf1-e37a-41de-876d-6db7776e1071.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdd1a6913-c5ab-49cf-8da0-70945fb5540b.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs38218858-55ca-4682-9c25-12d50d1173dc.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5d2c61ce-7393-442e-b419-d08ec85e7be7.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2dbe2914-c73a-4d63-81e0-bbbdc5c02cd5.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2f941ed9-f9bd-4af9-9877-ba6fc47d825a.tmp". 
The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs58c02038-2d73-4b60-ad8e-a336872eef85.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs01482778-8b7a-443f-a703-89d3bdaf5cca.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs73c7fb77-39a2-4bd3-93c7-68ac507fae4f.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5467a04f-7af2-436c-b054-b61c9534695b.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5985e3f0-00a9-488b-a701-1c730eabd89c.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs37056552-7429-4ce5-85cb-f0e4a45a8510.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs75a95e14-e548-4310-b881-6f4ba3c47f75.tmp". The process cannot access the file because it is being used by another process 12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa00c8857-cf20-472b-8878-b2cdd3d39239.tmp". 
The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa380a375-5446-48eb-a51e-d4a2a177e5dd.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc968be48-da0f-4673-a43a-e1ea7d61cbf3.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\ntuser.dat". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\temp\~dfbd4b.tmp". The process cannot access the file because it is being used by another process
12:46 AM: File Sweep Complete, Elapsed Time: 00:17:32
12:46 AM: Full Sweep has completed. Elapsed time 00:19:42
12:46 AM: Traces Found: 0

Mostly the system32/config errors scare me. What if I ran it in safe mode?? I checked the files with Unlocker; the system32/config files seem to be used by each other (SAM with SAM.log, SYSTEM with SYSTEM.log, etc.). Is that normal?
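The "cannot open file" warnings in the post above are the kind of noise a practitioner triages with a short script rather than by eye. What follows is an added example, not code from this thread or from Webroot: the line format (time, "Warning: Failed to open file", quoted path, reason) is copied from the session log above, the sample log lines are constructed, and the list of locations treated as "always locked" is this example's own assumption. The registry hives in system32\config, their .log transaction files, the page file and each profile's NTUSER.DAT are held open exclusively by Windows for as long as it is running, so every file-level scanner reports them as unreadable; the script sets those aside and leaves only paths that actually merit a second look, such as the ~dfbd4b.tmp entry in the user's own temp directory.

```python
"""Triage the "Failed to open file" warnings in a Spy Sweeper session log.

Added example for this thread; it is not code from the thread or from
Webroot. The line format is copied from the session log posted above.
The sample log is constructed, and EXPECTED_LOCKED is this example's
assumption about what Windows XP holds open while it runs, not anything
the scanner itself reports.
"""
import re
from typing import Dict, List, Tuple

# Files Windows keeps open exclusively while running: the registry hives in
# system32\config and their .log transaction files, the page file, each
# profile's NTUSER.DAT/UsrClass.dat, the Windows Update datastore, and the
# scanner's own temp files. A "being used by another process" warning on
# these is expected and says nothing about hidden files. (Assumed list.)
EXPECTED_LOCKED = (
    r"^c:\\pagefile\.sys$",
    r"^c:\\windows\\system32\\config\\(sam|security|system|software|default)(\.log)?$",
    r"^c:\\windows\\softwaredistribution\\datastore\\(logs\\)?[^\\]+\.(edb|log)$",
    r"^c:\\documents and settings\\[^\\]+\\ntuser\.dat(\.log)?$",
    r"^c:\\documents and settings\\[^\\]+\\local settings\\application data"
    r"\\microsoft\\windows\\usrclass\.dat(\.log)?$",
    r"^c:\\documents and settings\\[^\\]+\\application data\\webroot"
    r"\\spy sweeper\\temp\\sscs[0-9a-f-]+\.tmp$",
)

WARNING_RE = re.compile(
    r'^(?P<time>\d{1,2}:\d{2} [AP]M): Warning: Failed to open file '
    r'"(?P<path>[^"]+)"\. (?P<reason>.+)$'
)

# Constructed sample in the same format as the posted log (not the full log).
SAMPLE_LOG = """\
12:29 AM: Starting File Sweep
12:29 AM: Warning: Failed to open file "c:\\pagefile.sys". Access is denied
12:30 AM: Warning: Failed to open file "c:\\windows\\system32\\config\\sam". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\\documents and settings\\localservice\\application data\\webroot\\spy sweeper\\temp\\sscsa04611cd-51b9-4e0e-b5ad-d6850e5ca7c1.tmp". The process cannot access the file because it is being used by another process
12:37 AM: Warning: Failed to open file "c:\\documents and settings\\sean{y}\\local settings\\temp\\~dfbd4b.tmp". The process cannot access the file because it is being used by another process
12:46 AM: Traces Found: 0
"""


def parse_warnings(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (time, lower-cased path, reason) for each unreadable-file warning."""
    found = []
    for line in log_text.splitlines():
        m = WARNING_RE.match(line.strip())
        if m:
            found.append((m.group("time"), m.group("path").lower(), m.group("reason")))
    return found


def classify(path: str) -> str:
    """'expected' for a known always-locked file, 'review' for anything else."""
    return "expected" if any(re.match(p, path) for p in EXPECTED_LOCKED) else "review"


def triage(log_text: str) -> Dict[str, List[str]]:
    """Split a session log's unreadable files into expected and review buckets."""
    buckets: Dict[str, List[str]] = {"expected": [], "review": []}
    for _, path, _ in parse_warnings(log_text):
        buckets[classify(path)].append(path)
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['expected'])} expected locked file(s)")
    for path in result["review"]:
        print("review:", path)
```

Run it against a saved session log (read the file and pass its text to triage) and only the "review" bucket needs a human; on the constructed sample that bucket contains just the temp-directory entry. Anything the allow-list does not cover is reported rather than silently dropped, so a locked file in system32 that is not a hive would surface here.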
Dak Posted January 3, 2006

RE: credit cards, yes, if you've used your credit card online since getting infected you should definitely cancel it. Part of haxdoor's function is to look out for and steal credit card info.

RE: blacklight, looks like it glitched the first time and ran properly the second. Other than that, your guess is as good as mine.

RE: spysweeper, it's fine. The only file that looks like it could be dodgy is c:\documents and settings\sean{y}\local settings\temp\~dfbd4b.tmp, but it's more than likely ok. If you're concerned, run CCleaner again to clean out your temp files, and then run ms-antispyware and AVG to make sure your PC is clean.

"By the way, thanks for all your help!"
No problem
seanvdb (Author) Posted January 3, 2006

Hey Dak,

A few more things (I want to be absolutely sure). I'm going to cancel my CC anyway, since that's easy to do. I have (obviously) avoided doing any online banking since I got this (for fear of problems). I accessed Amazon (the only place I do online shopping on my credit card), but did not actually do any purchasing. I assume that would be reason enough to cancel it?

Also, of the two firewalls, which would you recommend the most? I currently use the XP firewall. I have used ZoneAlarm in the past, but haven't in a while; it caused massive problems uninstalling because I neglected to read the proper uninstallation procedures.

I re-ran Blacklight and it ran 'properly'. I ran ScanSpyware, and it picked up Haxdoor-BC (log is below). I've deleted everything in the log, and running it twice more turns up nothing.

-------
Application Information
=======================
Application Version: ScanSpyware v3.8 build 3.8.0.4
Original Database: pests12-09-05.db
Updated Database: ssdb010206.db
Current Date: Tuesday, January 03, 2006 10:21:23 AM
__________________________________________________
Directories recognized:
=======================
__________________________________________________
Files recognized:
=================
[HAXDOOR-BC] C:\WINDOWS\system32\ps.a3d
[spytech shadow] C:\WINDOWS\unvise32.exe
[Visual Zip Password Recovery Processor] C:\WINDOWS\UnGins.exe
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Services\_common\country_icons.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Services\_gspyder\stg_legend.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\pw32.dll
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Profiles\countries.ini
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\gsg_radar.avi
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_checkbox.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_chicklets.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_icons.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_icons_sm.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\service_menu_bg.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\service_tab+.tga
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\stg_border_main.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\halflife\cstrike\mod_cs.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\halflife\tfc\mod_tfc.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\quake3\excessive\mod_excessive.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\quake3\osp\mod_osp.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\quake3\q3f\mod_q3f.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\quake3\rocketarena3\mod_ra3.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\quake3\wfa\mod_wfa.psd
[GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\ut\Swat\mod_swat.psd
__________________________________________________
Registry keys recognized:
=========================
[GAIN] HKEY_USERS\.default\software\microsoft\systemcertificates\trustedpublisher\ctls
[GAIN] HKEY_USERS\.default\software\microsoft\systemcertificates\trustedpublisher\crls
__________________________________________________
Registry values recognized:
===========================
__________________________________________________
Cookies recognized:
===================
[VX2] c:\documents and settings\sean{y}\cookies\sean{y}@serviceswitching[1].txt
[Tracking Cookies] c:\documents and settings\sean{y}\cookies\sean{y}@img.wmp10.elsitiodc[1].txt
__________________________________________________
----------

Ewido is running again, and it picked up some cookies and Backdoor.Haxdoor.dw (do these things multiply?!)

EDIT: It found this yesterday... today it only picked up cookies. I overreacted! (thank God)

Spybouncer picked up 3 things (I cleaned them all out: locate.com in system32, bpmnt.dll in windows, and some file called ncase.zip in docsandsettings/allusers/apps/spybot/recovery... I cleaned out the whole folder).

I guess my question is: without completely formatting, is it possible to know when I'll be clean?
Dak Posted January 3, 2006

> Hey Dak, I'm going to cancel my CC anyway, since that's easy to do. I have (obviously) avoided doing any online banking since I got this (for fear of problems). I accessed Amazon (the only place I do online shopping on my credit card), but did not actually do any purchasing. I assume that would be reason enough to cancel it?

I'm not sure how Haxdoor's CC-stealing function works, and I don't use Amazon, so I'm not sure whether it could have stolen your details just from you accessing the site... if in doubt, it's better to cancel it, I suppose.

> Also, of the two firewalls, which would you recommend the most? I currently use the XP firewall. I have used ZoneAlarm in the past, but haven't in a while; it caused massive problems uninstalling because I neglected to read the proper uninstallation procedures.

ZoneAlarm. Windows Firewall is one-way, which means if a trojan gets on your computer, there's nothing to stop it 'calling home' and downloading lots of crap onto your computer. ZoneAlarm is a two-way firewall, which gives you extra protection against trojans. If you install ZoneAlarm, make sure to turn Windows Firewall off to avoid conflicts (start > settings > control panel > windows firewall).

I wouldn't particularly recommend ScanSpyware or Spybouncer, as they are both on this list.

> I guess my question is: without completely formatting, is it possible to know when I'll be clean?

I guess you can't be 100% sure, especially after getting a rootkit; however, it's quite common, after shifting an infection, to pick up residual bits of infections (left-over files, registry entries etc.) that by themselves are harmless. The HijackThis log shows no active malware, and none of the infections in your last ScanSpyware/Spybouncer log can run in a way that won't show up in a HJT log, so I presume that they were inactive/left-over bits; especially as none of the registry entries found match up to the files.

To be sure, update and scan with all of the following programs:
SpySweeper
Microsoft Anti-spyware
Ewido
AVG
As you have scanned with these already, they should already have found and removed everything that they're going to find. If they find anything again, it's a good indication that the files are being put back by some active malware. A good online anti-virus scanner is http://www.kaspersky.com/virusscanner so if you want to double-check, you could do that scan. It won't delete any files, but it will tell you if any are infected.
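Dak's test above (does any file the other scanners flagged appear in a HijackThis autostart entry?) as an added example, not code from the thread or from HijackThis; the log lines and flagged paths are constructed from the ones posted, the example_flagged.dll entry is invented to exercise the "referenced" case, and the parsing rules are a simplification of the HJT log format.

```python
"""Cross-check files flagged by a scanner against HijackThis autostart entries.

Added example (not code from the thread or from HijackThis): it mechanises
the reasoning that a flagged file which no O2/O3/O4/O20/O23 entry references
has no autostart hook and is most likely a left-over, not an active infection.
"""
import ntpath
import re
from typing import Dict, List

# HJT sections that record something loaded at boot/logon (BHOs, toolbars,
# Run keys, Winlogon notify DLLs, services). O8/O9/O16/O18 are ignored here.
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O20", "O23"}

_SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
_O4_CMD_RE = re.compile(r"^.*?:\s*\[[^\]]*\]\s*(.*)$")
_EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|cpl|bat|cmd|pif))(?=\s|$)", re.IGNORECASE)
# Last " - <drive path>" field, tolerating quotes and a trailing "(file missing)".
_DRIVE_PATH_RE = re.compile(r' - "?([A-Za-z]:\\.*?)"?(?:\s*\(file missing\))?$')

# Constructed sample: entries in the format seen in the thread's logs, plus one
# invented O20 entry (example_flagged.dll) so the "referenced" branch is exercised.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: example - C:\WINDOWS\system32\example_flagged.dll
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
"""

# Files the other scanners in the thread flagged, plus the invented one.
FLAGGED_FILES = [
    r"C:\WINDOWS\system32\ps.a3d",
    r"C:\WINDOWS\bpmnt.dll",
    r"C:\WINDOWS\system32\locate.com",
    r"C:\WINDOWS\system32\example_flagged.dll",  # constructed for this example
]


def _command_path(cmd: str) -> str:
    """Extract the executable from an O4 command line (quoted or bare, with args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXT_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def parse_hjt(log: str) -> List[Dict[str, str]]:
    """Return the autostart entries of an HJT log as {section, path, line} dicts."""
    entries: List[Dict[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if not m or m.group(1) not in AUTOSTART_SECTIONS:
            continue
        section, body = m.groups()
        if section == "O4":
            m4 = _O4_CMD_RE.match(body)
            if m4:
                path = _command_path(m4.group(1))
            else:  # "Global Startup: name.lnk = target" form
                path = _command_path(body.split(" = ", 1)[-1])
        else:
            pm = _DRIVE_PATH_RE.search(body)
            path = pm.group(1) if pm else body.rsplit(" - ", 1)[-1].strip()
        entries.append({"section": section, "path": path, "line": line})
    return entries


def autostart_index(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map lower-cased file basename -> HJT sections that reference it.

    Basenames are compared rather than full paths because O4 entries may give a
    bare name (CTHELPER.EXE) or an 8.3 short path (PROGRA~1); erring toward
    "referenced" is the safer direction for a cleanup decision.
    """
    index: Dict[str, List[str]] = {}
    for e in entries:
        name = ntpath.basename(e["path"]).lower()
        if name:
            index.setdefault(name, []).append(e["section"])
    return index


def classify_flagged(flagged: List[str], entries: List[Dict[str, str]]) -> Dict[str, str]:
    """Label each flagged file as referenced by an autostart entry or not."""
    index = autostart_index(entries)
    verdicts: Dict[str, str] = {}
    for path in flagged:
        hits = index.get(ntpath.basename(path).lower())
        if hits:
            verdicts[path] = "referenced by %s: treat as active" % ", ".join(sorted(set(hits)))
        else:
            verdicts[path] = "not referenced by any autostart entry: likely left-over"
    return verdicts


if __name__ == "__main__":
    for flagged_path, verdict in classify_flagged(FLAGGED_FILES, parse_hjt(SAMPLE_HJT_LOG)).items():
        print(f"{flagged_path}: {verdict}")
```

A file with no autostart reference can still be loaded by another running program, so this is a triage aid for deciding what to look at first, not proof that the file is harmless.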
seanvdb (Author) Posted January 3, 2006

Hey Dak,

Thanks again for the help. I more so meant the difference between ZoneAlarm and the other one you offered, but since I have some experience with ZoneAlarm, I will stick with that one. I've also uninstalled those two spyware programs you mentioned... I had already done Spybouncer, as Spy Sweeper turned up Virtual Bouncer, and I assumed they were linked. Trend Micro Anti-Spyware has picked up some registry keys, but no trojans or active problems, so things are looking up. I'm going to run Kaspersky, post an HJT log, and then install ZoneAlarm and hopefully be finished with problems!
seanvdb (Author) Posted January 3, 2006

Okay, this makes me quite happy:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 03, 2006 14:49:42
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 3/01/2006
Kaspersky Anti-Virus database records: 158615
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 127933
Number of viruses found: 7
Number of infected objects: 47
Number of suspicious objects: 0
Duration of the scan process: 4101 sec
Infected Object Name - Virus Name
[47 entries omitted: all inside the Thunderbird mail folders (Junk, Trash, Inbox), detected as Trojan-Spy.HTML.Bayfraud.hn, Email-Worm.Win32.Bagle.ct and Trojan-Spy.HTML.Paylap variants]
Scan process completed.

Mostly because I don't open attachments, and most of it is marked as junk. The problem? The Junk.sbd folders are completely empty. Couldn't I just delete everything via Thunderbird instead?

Also, here's my last HJT log before I install ZoneAlarm.

-------------
Logfile of HijackThis v1.99.1
Scan saved at 2:53:41 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
----
seanvdb (Author) Posted January 3, 2006

I ran Kaspersky again after deleting my junk folders, and it did nothing. It found some new stuff in some exe files, but I've deleted those. One that threw me off was this one:

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614

I've had this version of IRC since I bought this computer... I can't see how it's a virus now and not 2 years ago (or during the 1st scan).
Dak Posted January 4, 2006

> C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614

It's considered 'riskware', in that it can be an infection vector; I wouldn't worry about it though. Are any scans still finding things?
evolution Posted January 4, 2006

Hello, does anybody know how to create an enzyme that kills viruses?
seanvdb (Author) Posted January 5, 2006

Hey Dak,

Everything is coming up clean. One thing though. ZoneAlarm keeps blocking "Generic Host Process (Win32 Services)" from accepting connections from the internet at IP addresses:
24.200.241.37 : DNS
24.200.243.189 : DNS
24.201.245.77 : DNS
What does this mean (i.e. is it bad? I tried connecting to them and couldn't do so via my browser.)