Full Version: I think I'm Clean, But Not Sure (Lots of Info! Should be fun!)
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
Alerion
Hey everyone, sorry for bothering you. Generally I can fix most problems by doing a search and typing in the problem I'm having. It seems like nothing is ever new =D

http://www.lavasoftsupport.com/index.php?s...timate+Defender

This link was very useful in trying to get rid of my problem with the rogue spyware app "Ultimate Defender", which has been spawning pop ups on my system. The instructions given to Joe from CalamityJane (<3) were helpful, however, I didn't find the file "f820b3f4.exe" and therefore couldn't remove it. SmitFraudFix was run in safe mode and completed successfully. After rebooting I still had pop ups @.@;;

I killed some suspicious processes (I've come to know what ought to be in there generally well) and all seems to be well since. (I should've written down which processes I killed... but I didn't.) I've restarted my machine, and don't see them.

After all this I just want to make sure everything is solid. I've run both LavaSoft Adaware latest version, latest definition (all clean!), as well as SpyBot S&D (all clean!). They were all clean before also, so I just want some expert to take a look at my log and make sure that everything is right.

And now for the main event:
==================
Logfile of HijackThis v1.99.1
Scan saved at 3:25:05 PM, on 6/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Security\uptimer4.exe
C:\WINDOWS\system32\b49f8453.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\DOCUME~1\Howard\MYDOCU~1\RACLE~1\TTRIB~1.EXE
C:\WINDOWS\system32\DOBE~1\wuauboot.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Howard\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mozilla.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [Uptimer4] C:\Program Files\Security\uptimer4.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [b49f8453.exe] C:\WINDOWS\system32\b49f8453.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Mawgh] C:\DOCUME~1\Howard\MYDOCU~1\RACLE~1\TTRIB~1.EXE
O4 - HKCU\..\Run: [b49f8453.exe] C:\Documents and Settings\Howard\Local Settings\Application Data\b49f8453.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\system32\DOBE~1\wuauboot.exe" -vt tzt
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - Startup: Quick'n Easy FTP Server.lnk = ftpserver2\FTPServer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O20 - AppInit_DLLs: C:\WINDOWS\system32\services.dll
O20 - Winlogon Notify: winxmb32 - C:\WINDOWS\SYSTEM32\winxmb32.dll
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

============
You can disregard this if you don't need it, but I figure all the information I can provide may be of some help. Here are some things in the log that concern me:

C:\DOCUME~1\Howard\MYDOCU~1\RACLE~1\TTRIB~1.EXE
(Dunno what this is)

C:\WINDOWS\system32\b49f8453.exe
(This looks suspiciously like the file that CalamityJane asked Joe to remove)

C:\WINDOWS\system32\DOBE~1\wuauboot.exe
(This was one of the processes I killed when I "fixed" the pop up problem)

O4 - HKCU\..\Run: [Mawgh] C:\DOCUME~1\Howard\MYDOCU~1\RACLE~1\TTRIB~1.EXE
(See item #1; seems to be the registry entry for it?)
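As an added illustration (this is not code from the thread or from the HijackThis tool), the Python below parses HijackThis report lines and flags the kinds of autorun entries that get singled out later in this thread: random 8-hex-character filenames, a double dot in the filename, executables launched from a user profile or from an odd 8.3-style subfolder of system32, orphaned O2/O3 registrations, and any O20 hook. The heuristics and the review wording are assumptions of mine; the sample lines are copied from the log above, with two known-good entries (iTunesHelper, Spybot TeaTimer) added for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log in this post, plus
# two known-good entries (iTunesHelper, Spybot TeaTimer) for contrast.
SAMPLE_LINES = [
    "O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)",
    'O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"',
    "O4 - HKLM\\..\\Run: [b49f8453.exe] C:\\WINDOWS\\system32\\b49f8453.exe",
    "O4 - HKLM\\..\\Run: [startkey] C:\\WINDOWS\\system32\\explorer..exe",
    "O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe",
    "O4 - HKCU\\..\\Run: [Mawgh] C:\\DOCUME~1\\Howard\\MYDOCU~1\\RACLE~1\\TTRIB~1.EXE",
    "O4 - HKCU\\..\\Run: [b49f8453.exe] C:\\Documents and Settings\\Howard\\Local Settings\\Application Data\\b49f8453.exe",
    'O4 - HKCU\\..\\Run: [Ncao] "C:\\WINDOWS\\system32\\DOBE~1\\wuauboot.exe" -vt tzt',
    "O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\services.dll",
    "O20 - Winlogon Notify: winxmb32 - C:\\WINDOWS\\SYSTEM32\\winxmb32.dll",
]


@dataclass
class Entry:
    section: str                 # HijackThis section tag, e.g. "O4" or "O20"
    path: str                    # executable/DLL path; "" when the line says "(no file)"
    raw: str
    reasons: list = field(default_factory=list)


# First drive-letter path ending in .exe/.dll; quotes and trailing args are left out.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll))', re.I)
# Hypothetical heuristics built from the indicators discussed in this thread.
_HEX_NAME = re.compile(r"^[0-9a-f]{8}\.(?:exe|dll)$", re.I)
_USER_PROFILE = re.compile(r"\\(?:Documents and Settings|DOCUME~1)\\", re.I)
_SHORT_SUBDIR_IN_SYS32 = re.compile(r"\\system32\\[^\\]*~\d+\\", re.I)


def parse_line(line: str) -> Entry:
    """Split a HijackThis report line into its section tag and file path."""
    section = line.split(" - ", 1)[0].strip()
    m = _PATH_RE.search(line)
    return Entry(section, m.group(1) if m else "", line)


def flag(entry: Entry) -> Entry:
    """Attach human-readable review reasons to an entry (none means nothing odd)."""
    name = entry.path.rsplit("\\", 1)[-1]
    if entry.section in ("O2", "O3") and "(no file)" in entry.raw:
        entry.reasons.append("orphaned BHO/toolbar CLSID with no backing file")
    if _HEX_NAME.match(name):
        entry.reasons.append("random 8-hex-digit filename")
    if ".." in name:
        entry.reasons.append("double dot in filename (imitates a system binary)")
    if _USER_PROFILE.search(entry.path):
        entry.reasons.append("autorun executable stored under a user profile")
    if _SHORT_SUBDIR_IN_SYS32.search(entry.path):
        entry.reasons.append("executable in an unexpected subfolder of system32")
    if entry.section == "O20":
        entry.reasons.append("AppInit_DLLs / Winlogon Notify hook: confirm publisher")
    return entry


def triage(lines):
    """Map each flagged entry (by path, or raw line when there is none) to its reasons."""
    flagged = {}
    for line in lines:
        entry = flag(parse_line(line))
        if entry.reasons:
            flagged[entry.path or entry.raw] = entry.reasons
    return flagged


if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_LINES).items():
        print(target)
        for reason in reasons:
            print("   -", reason)
```

Run it directly to print the flagged entries. The reasons are review hints, not verdicts: a Program Files path proves nothing by itself, and the O20 hooks are reported for publisher confirmation rather than declared malicious, because AppInit_DLLs and Winlogon Notify are loaded into every process or into winlogon and deserve a look whenever they are non-empty.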
LS CalamityJane
Hi Alerion, and welcome!

I'm going over your logs and info now. Good job on providing some good feedback and findings :)

That random named file is different for each victim and it takes some special steps to remove, but I'm sure we can fix you up.

I'll be back with steps for you to follow as soon as I analyze all of this info and can write it up. :)
LS CalamityJane
This is very interesting.

Open HijackThis and instead of scan, please choose *Open Misc Tools Section*

Then choose *Open Uninstall Manager*

A list will be made of installed programs.

Choose *Save List*.

Copy the results back here please.
..................
Next:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe

2. Double click on combofix.exe & follow the prompts.

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)
Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)


Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you. Post that log in your next reply
Alerion
CalamityJane! Woo!

Results from the fix, seems it didn't find anything:
===============================
Start Time= Wed 06/28/2006 16:33:25.26
Running from: C:\Documents and Settings\Howard\Desktop\Downloads

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-28 12:14:14 2 ( A.... ) "C:\WINDOWS\system32\wcpsvtr.exe"
2006-06-28 12:14:12 ( .D... ) "C:\Documents and Settings\Howard\Application Data\?ystem32"
2006-06-27 04:36:42 ( .D... ) "C:\Program Files\madCollection"
2006-06-26 13:34:26 ( .D... ) "C:\Documents and Settings\Howard\Application Data\vlc"
2006-06-26 13:33:34 ( .D... ) "C:\Program Files\VideoLAN"
2006-06-26 12:03:26 ( .D... ) "C:\Documents and Settings\Howard\Application Data\Azureus"
2006-06-26 12:03:20 ( .D... ) "C:\Documents and Settings\Howard\Application Data\Sun"
2006-06-26 12:02:26 ( .D... ) "C:\Program Files\Java"
2006-06-26 12:02:12 ( .D... ) "C:\Program Files\Common Files\Java"
2006-06-26 12:00:56 ( .D... ) "C:\Program Files\Azureus"
2006-06-25 02:06:00 93662 ( A.SH. ) "C:\Program Files\Common Files\Y1123OU.exe"
2006-06-25 02:05:58 81920 ( A.... ) "C:\WINDOWS\system32\services.dll"
2006-06-25 02:05:48 13312 ( A.... ) "C:\WINDOWS\system32\b49f8453.exe"
2006-06-25 02:05:40 18432 ( A.... ) "C:\WINDOWS\system32\winxmb32.dll"
2006-06-01 12:55:42 155648 ( ..SH. ) "C:\Program Files\Common Files\Y1123OA.exe"
2006-05-20 00:32:36 1096988 ( A.... ) "C:\WINDOWS\w1ldh4xx0r.exe"
2006-05-20 00:32:36 1096988 ( A.... ) "C:\WINDOWS\system32\explorer..exe"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"
2006-04-29 01:35:34 36864 ( A.... ) "C:\WINDOWS\system32\frapsvid.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Uptimer4"="C:\\Program Files\\Security\\uptimer4.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"b49f8453.exe"="C:\\WINDOWS\\system32\\b49f8453.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"startkey"="C:\\WINDOWS\\system32\\explorer..exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"Mawgh"="C:\\DOCUME~1\\Howard\\MYDOCU~1\\RACLE~1\\TTRIB~1.EXE"
"b49f8453.exe"="C:\\Documents and Settings\\Howard\\Local Settings\\Application Data\\b49f8453.exe"
"Ncao"="\"C:\\WINDOWS\\system32\\DOBE~1\\wuauboot.exe\" -vt tzt"
"startkey"="C:\\WINDOWS\\system32\\explorer..exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"b49f8453.exe"="C:\\Documents and Settings\\Howard\\Local Settings\\Application Data\\b49f8453.exe"
"Mawgh"="C:\\DOCUME~1\\Howard\\MYDOCU~1\\RACLE~1\\TTRIB~1.EXE"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e4,00,00,00,00,00,00,00,9c,03,00,00,30,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nTrayFw"
"hkey"="HKLM"
"command"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nTrayFw.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVMixerTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="G:\\Program Files\\Valve\\Steam\\Steam.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"b49f8453.exe"="C:\\WINDOWS\\system32\\b49f8453.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"


Contents of the 'Scheduled Tasks' folder

Completion time: Wed 06/28/2006 16:33:58.35
ComboFix ver 06.06.26 - This logfile is located at C:\ComboFix.txt


And here is the uninstall list from HijackThis.
============================
Ad-Aware SE Personal
Age of Empires III
AOL Instant Messenger
AOL Toolbar 2.0
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Azureus
DAEMON Tools
dBpowerAMP WMA V9 Codec
Doom 3
FEAR
FINAL FANTASY XI
FINAL FANTASY XI: Chains of Promathia
FINAL FANTASY XI: Rise of the Zilart
FINAL FANTASY XI: Treasures of Aht Urhgan
GuildFTPd FTP Deamon
HijackThis 1.99.1
iPod for Windows 2005-03-23
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 7
madshi's madCollection
Messenger-Control plug-in for Ad-Aware SE
Microsoft .NET Framework 1.1
Mozilla Firefox (1.0.7)
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
NvMixer
Oblivion
Oblivion - Construction Set
OE/W Messengerctrl plug-in for Ad-Aware SE
Orca
PlayOnline Viewer and Tetra Master
QuickTime
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Steam
Update for Windows XP (KB898461)
Version 6.7.1
VideoLAN VLC media player 0.8.5
Viewpoint Media Player
VX2 Cleaner plug-in for Ad-Aware SE
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
WinRAR archiver
Yazzle by OIN

It's funny, but you know I just realized I have an ATI card, not NVIDIA. Why do I have NVIDIA drivers... Iono >.<;;

Otherwise, the only thing on the list I don't know about are the things listed under Winamp (Except for WinRAR).

I really appreciate you going through the trouble to help me out! I'm glad to know I'm in such competent hands ^^;
LS CalamityJane
Hi, just now getting to your logs. It'll take me a little bit to get through them and write up some steps to take.

The Combofix isn't for this infection you have, but the 3M log it makes at the end helps me identify what it is I AM looking for :) Some of those files are legit, so don't touch anything until I can write this up.
LS CalamityJane
Review all of these steps first to familiarize yourself with the process. Then make a copy to have handy because the later steps need to be performed in safe mode with browsers closed so you won't be looking at this window.

1. Look in your Control Panel in *Add/Remove Programs* for the following

Yazzle by OIN <--- Click on it to Highlight it and then press *remove*

Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

2. Please download the Killbox by Option^Explicit.
http://www.downloads.subratam.org/KillBox.zip

Unzip/Extract the contents to your desktop
How to extract (decompress) zipped or compressed files
http://www.lvsonline.com/compresstut/index.shtml
(We aren't going to use this yet, but will later in SAFE MODE)

3. Reboot into Safe Mode
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

4. Once in Safe mode, open HijackThis. Do a *Scan Only*. Checkmark these items in the list and then press the *fix checked* button. (If some are not found, don't worry about it, just go on to the next item listed)

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O4 - HKLM\..\Run: [b49f8453.exe] C:\WINDOWS\system32\b49f8453.exe

O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe

O4 - HKCU\..\Run: [Mawgh] C:\DOCUME~1\Howard\MYDOCU~1\RACLE~1\TTRIB~1.EXE

O4 - HKCU\..\Run: [b49f8453.exe] C:\Documents and Settings\Howard\Local Settings\Application Data\b49f8453.exe

O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\system32\DOBE~1\wuauboot.exe" -vt tzt

O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe

O20 - AppInit_DLLs: C:\WINDOWS\system32\services.dll

O20 - Winlogon Notify: winxmb32 - C:\WINDOWS\SYSTEM32\winxmb32.dll

Delete these folders:

C:\DOCUMENTS AND SETTINGS\Howard\MYDOCUMENTS\RACLE... (Folder name is longer but starts with those letters)

C:\WINDOWS\system32\DOBE (Folder name is longer but starts with those letters)

C:\Documents and Settings\Howard\Application Data\?ystem32 (the question mark is a wildcard, it could be any letter... but probably an S if I had to guess, to make it look like System32; however, the valid System32 folder is not located in the Application Data directory)

Stay in safe mode to perform the following and be ready for a reboot at the end. (You'll be rebooted back into normal mode)

1. Open Killbox by clicking on Killbox.exe

2. Select *Delete on Reboot* in the first column



3. Press the *All Files* button on the lower right. IMPORTANT STEP!



4. Copy the following text shown in bold below to the clipboard by highlighting the bold text and pressing Control + C

C:\WINDOWS\system32\b49f8453.exe
C:\Documents and Settings\Howard\Local Settings\Application Data\b49f8453.exe
C:\WINDOWS\system32\explorer..exe
C:\WINDOWS\system32\services.dll
C:\WINDOWS\SYSTEM32\winxmb32.dll
C:\Program Files\Common Files\Y1123OU.exe
C:\Program Files\Common Files\Y1123OA.exe
C:\WINDOWS\w1ldh4xx0r.exe


5. In Killbox, select the "File" tab at the top

6. Choose "Paste from Clipboard" in the drop down menu

7. Press the red button with the white x in it.

8. You will receive a prompt stating that files will be deleted on next reboot. Do you want to reboot now?

(Choose yes, if ready to reboot or no, if you need to close some other open items first.)

9. You can close all programs and any open windows.

10. Reboot your computer back into normal mode.

Note: Backups will be stored in the following directory created on the Hard-drive (usually C):
C:\!KillBox

11. Navigate to the Killbox backup folder:
C:\!KillBox

a. Right-click the file or folder

b. Point to Send To

c. Then click Compressed (zipped) Folder

This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed.
C:\!KillBox.zip

12. Go here to upload the files as attachments
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from Alerion at LS ),
fill in a short message & then press the browse button and then navigate to & select these files on your computer, then press the *Post* button to upload the files

Files to upload:

C:\!KillBox.zip

You DO NOT need to be a member to upload, anybody can upload the files.

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect it from there and will reply back here in THIS topic :)
Alerion
You're incredible @.@;;

I guess I didn't fix everything =D

I'm on it now, thanks again, I'll report back when I complete your instructions.
Alerion
All done! Here is the post you asked for:

http://www.thespykiller.co.uk/forum/index.php?topic=1987.0


PS. Do you have a program or something that generates these instructions, or do you manually type them out for each person @.@;; seems like a lot of typing, and it appears pretty standardized as well. Just curious.
LS CalamityJane
Thanks, Alerion,

I got the files and most were as expected, variants of PurityScan and Smitfraud, however, two of those files (identical copies of each other) were running a backdoor trojan on your computer since May 20. Your PC has been compromised by a remote attacker and I'm still gathering info on this particular one. So far, I have this much to give you about it. I've submitted the files for further analysis and will report back with any further info I may receive.

O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe

There were the two files, both identical MD5, first appeared on the PC:
2006-05-20 00:32:36 1096988 ( A.... ) "C:\WINDOWS\w1ldh4xx0r.exe"
2006-05-20 00:32:36 1096988 ( A.... ) "C:\WINDOWS\system32\explorer..exe"

Complete scanning result of "explorer..exe", received in VirusTotal at 06.29.2006, 13:37:35 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.19 06.29.2006 BDS/Bifrose.RR
Authentium 4.93.8 06.29.2006 no virus found
Avast 4.7.844.0 06.28.2006 no virus found
AVG 386 06.28.2006 BackDoor.Generic2.ZDS
BitDefender 7.2 06.29.2006 no virus found
CAT-QuickHeal 8.00 06.28.2006 no virus found
ClamAV devel-20060426 06.29.2006 no virus found
DrWeb 4.33 06.29.2006 no virus found
eTrust-InoculateIT 23.72.52 06.29.2006 no virus found
eTrust-Vet 12.6.2282 06.29.2006 no virus found
Ewido 3.5 06.29.2006 Backdoor.Bifrose.rr
Fortinet 2.77.0.0 06.29.2006 W32/Bifrose.RR!tr.bdr
F-Prot 3.16f 06.29.2006 no virus found
Ikarus 0.2.65.0 06.29.2006 no virus found
Kaspersky 4.0.2.24 06.29.2006 Backdoor.Win32.Bifrose.rr
McAfee 4795 06.28.2006 no virus found
Microsoft 1.1481 06.29.2006 no virus found
NOD32v2 1.1632 06.29.2006 Win32/Bifrose.RR
Norman 5.90.21 06.29.2006 W32/Bifrose.BWZ
Panda 9.0.0.4 06.29.2006 Bck/Bifrose.MR
Sophos 4.07.0 06.29.2006 no virus found
Symantec 8.0 06.29.2006 no virus found
TheHacker 5.9.8.166 06.28.2006 Backdoor/Bifrose.rr
UNA 1.83 06.28.2006 Backdoor.Bifrose
VBA32 3.11.0 06.28.2006 Backdoor.Win32.Bifrose.rr
VirusBuster 4.3.7:9 06.28.2006 no virus found

Aditional Information
File size: 1096988 bytes
MD5: 5975b068ccd70550ad85620592c16397
SHA1: 37d8a835f6c7ab1989ae12eb99cfaae8614b5b89
........................
Complete scanning result of "w1ldh4xx0r.exe", received in VirusTotal at 06.29.2006, 13:41:27 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.19 06.29.2006 BDS/Bifrose.RR
Authentium 4.93.8 06.29.2006 no virus found
Avast 4.7.844.0 06.28.2006 no virus found
AVG 386 06.28.2006 BackDoor.Generic2.ZDS
BitDefender 7.2 06.29.2006 no virus found
CAT-QuickHeal 8.00 06.28.2006 no virus found
ClamAV devel-20060426 06.29.2006 no virus found
DrWeb 4.33 06.29.2006 no virus found
eTrust-InoculateIT 23.72.52 06.29.2006 no virus found
eTrust-Vet 12.6.2282 06.29.2006 no virus found
Ewido 3.5 06.29.2006 Backdoor.Bifrose.rr
Fortinet 2.77.0.0 06.29.2006 W32/Bifrose.RR!tr.bdr
F-Prot 3.16f 06.29.2006 no virus found
Ikarus 0.2.65.0 06.29.2006 no virus found
Kaspersky 4.0.2.24 06.29.2006 Backdoor.Win32.Bifrose.rr
McAfee 4795 06.28.2006 no virus found
Microsoft 1.1481 06.29.2006 no virus found
NOD32v2 1.1632 06.29.2006 Win32/Bifrose.RR
Norman 5.90.21 06.29.2006 W32/Bifrose.BWZ
Panda 9.0.0.4 06.29.2006 Bck/Bifrose.MR
Sophos 4.07.0 06.29.2006 no virus found
Symantec 8.0 06.29.2006 no virus found
TheHacker 5.9.8.166 06.28.2006 Backdoor/Bifrose.rr
UNA 1.83 06.28.2006 Backdoor.Bifrose
VBA32 3.11.0 06.28.2006 Backdoor.Win32.Bifrose.rr
VirusBuster 4.3.7:9 06.28.2006 no virus found

Aditional Information
File size: 1096988 bytes
MD5: 5975b068ccd70550ad85620592c16397
SHA1: 37d8a835f6c7ab1989ae12eb99cfaae8614b5b89
..........................................................
This is a generic writeup of this family of trojans to give you an idea of what it does, but I expect to get more on the particular variant you had and will post back when I do:

Backdoor.Bifrose
http://www.sarc.com/avcenter/venc/data/backdoor.bifrose.html

Here is an example of a more recent variant, although not this particular one on your computer:
http://www.symantec.com/avcenter/venc/data....bifrose.e.html

What you need to be aware of is that this trojan connects to a remote attacker to steal confidential information, possibly log keystrokes, download and execute files, among other things.

If this were my PC, I would consider a reformat/reinstall since there is no way to tell what has been done to your computer while compromised for such a long period of time. Some articles you need to read and be aware of:

1. What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/...o/virusrat.mspx

2. When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

3. How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451


Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you.

IMHO, you need to disconnect this PC from the internet and from your network if it is on a network. Then, access this information from a non-compromised computer to follow the steps needed.

Are you running an FTP server off this computer?
O4 - Startup: Quick'n Easy FTP Server.lnk = ftpserver2\FTPServer.exe
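As an added example (mine, not CalamityJane's or VirusTotal's code), here is the triage performed in the post above expressed in Python: the plain-text engine results are parsed into a detection ratio and the family name most engines agree on, and files are grouped by MD5 so identical copies under different names show up together, which is how explorer..exe and w1ldh4xx0r.exe were recognised as one binary. The result block is copied from the explorer..exe scan above; the file contents in SAMPLE_FILES are constructed bytes, not the real samples, and the GENERIC word list is my assumption.

```python
import hashlib
import re
from collections import Counter

# Result block copied from the VirusTotal output for explorer..exe posted above
# (the "Antivirus Version Update Result" header line left out).
SCAN_RESULT = """\
AntiVir 6.35.0.19 06.29.2006 BDS/Bifrose.RR
Authentium 4.93.8 06.29.2006 no virus found
Avast 4.7.844.0 06.28.2006 no virus found
AVG 386 06.28.2006 BackDoor.Generic2.ZDS
BitDefender 7.2 06.29.2006 no virus found
CAT-QuickHeal 8.00 06.28.2006 no virus found
ClamAV devel-20060426 06.29.2006 no virus found
DrWeb 4.33 06.29.2006 no virus found
eTrust-InoculateIT 23.72.52 06.29.2006 no virus found
eTrust-Vet 12.6.2282 06.29.2006 no virus found
Ewido 3.5 06.29.2006 Backdoor.Bifrose.rr
Fortinet 2.77.0.0 06.29.2006 W32/Bifrose.RR!tr.bdr
F-Prot 3.16f 06.29.2006 no virus found
Ikarus 0.2.65.0 06.29.2006 no virus found
Kaspersky 4.0.2.24 06.29.2006 Backdoor.Win32.Bifrose.rr
McAfee 4795 06.28.2006 no virus found
Microsoft 1.1481 06.29.2006 no virus found
NOD32v2 1.1632 06.29.2006 Win32/Bifrose.RR
Norman 5.90.21 06.29.2006 W32/Bifrose.BWZ
Panda 9.0.0.4 06.29.2006 Bck/Bifrose.MR
Sophos 4.07.0 06.29.2006 no virus found
Symantec 8.0 06.29.2006 no virus found
TheHacker 5.9.8.166 06.28.2006 Backdoor/Bifrose.rr
UNA 1.83 06.28.2006 Backdoor.Bifrose
VBA32 3.11.0 06.28.2006 Backdoor.Win32.Bifrose.rr
VirusBuster 4.3.7:9 06.28.2006 no virus found
"""

CLEAN_MARKER = "no virus found"
# Assumed list of words that name a threat class rather than a family.
GENERIC = {"backdoor", "generic", "trojan", "virus", "worm"}


def parse_results(text):
    """Yield (engine, result) from 'Engine Version Update Result' lines."""
    for line in text.strip().splitlines():
        parts = line.split(None, 3)      # the result field may itself contain spaces
        if len(parts) == 4:
            yield parts[0], parts[3]


def family_tokens(result):
    """Lower-cased alphabetic pieces (4+ letters) of a detection name, minus generic words."""
    return {t.lower() for t in re.findall(r"[A-Za-z]{4,}", result)} - GENERIC


def summarize(text):
    """Return (detections, engines, consensus family, engines naming that family)."""
    engines = detections = 0
    families = Counter()
    for _engine, result in parse_results(text):
        engines += 1
        if result.strip().lower() == CLEAN_MARKER:
            continue
        detections += 1
        families.update(family_tokens(result))
    family, votes = families.most_common(1)[0] if families else ("", 0)
    return detections, engines, family, votes


def md5_groups(files):
    """Group {name: bytes} by MD5 so identical copies under different names show together."""
    groups = {}
    for name, data in files.items():
        groups.setdefault(hashlib.md5(data).hexdigest(), []).append(name)
    return {digest: sorted(names) for digest, names in groups.items() if len(names) > 1}


# Constructed stand-ins for the two files found to share one MD5; the bytes are
# made up for this example and are not the real samples.
SAMPLE_FILES = {
    r"C:\WINDOWS\w1ldh4xx0r.exe": b"MZ" + b"\x90" * 62 + b"constructed-sample",
    r"C:\WINDOWS\system32\explorer..exe": b"MZ" + b"\x90" * 62 + b"constructed-sample",
    r"C:\WINDOWS\system32\javaw.exe": b"MZ" + b"\x00" * 62 + b"unrelated-content",
}


if __name__ == "__main__":
    hits, total, family, votes = summarize(SCAN_RESULT)
    print(f"{hits}/{total} engines detect; {votes} of them name the family '{family}'")
    for digest, names in md5_groups(SAMPLE_FILES).items():
        print(digest, "shared by:", *names)
```

The detection ratio on its own is the less useful number; what matters is that independent engines agree on a family name, because that is what lets you look up a vendor writeup the way the post goes on to do. On a real host you would feed md5_groups the bytes read from disk rather than constructed content.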
Alerion
Oh boy :huh:

Luckily this computer was running on a network that is connected to only computers running various free Linux and unix OSs. The laptop I'm posting on now is on a completely different wireless network, using a different connection. I have disconnected the machine.

I'm not terribly worried about what information has been collected from my machine, unless hackers enjoy logging the various hours of gaming I do on my only windows PC. I'm sure it proved for hours of entertainment :rolleyes:

I have been running a small personal FTP and HTTP server, but it was localized, me being the only user. I was using it just to practice programming PHP, stuff like that. Data was always sent to the machine, I did my programming on it, and only viewed the creations on it. Luckily I never had cause to take any information off (except for my iPod).

Now, there are a few things I want to ask before I get to formatting:

a) Are game save files ok to backup and reinstall?

b) Should I also reformat other drives on the machine? I assume I do. And if so, is this information backup-able? Or should I just delete everything.

Nothing is irreplaceable, but it could prove to be a giant headache if I couldn't keep some files. I have 9 years of programming work archived on my external hard drive, which is currently attached to the machine. Losing that would be painful. Not to mention the decade or so of mp3s I've ripped off my CD collection. Rebuilding this (especially since I lost more CDs in the past year than I care to count) would be near impossible.

In any case, what needs to be done, needs to be done. Once again, thanks for the heads up, I had no idea I had the pleasure of lodging such a malicious ######.

...

One can only guess what's on my laptop o.o;;
LS CalamityJane
I'm glad to hear there isn't anything confidential or sensitive on there, as that is always my worry in these cases :) Well, that plus Lord only knows what has been done to the computer, and there is no way the changes are tracked that you could know.

I don't believe you can back up installed programs; you would need to reinstall those either from media or fresh download. Save any and all license data so you can reinstall easily later. Data can certainly be backed up; just be sure that you scan anything you plan to put back on the clean computer with a good reliable AV (I would pick one that detects this nasty in particular, from the list I posted above). For instance, AntiVir detects it, Kaspersky, some others. The external hard drive archive you should be able to scan as well.

Kaspersky is probably the very best and they do have a 30-day (fully functional) free trial of the KAV Antivirus 6.0 just released. I would try that one.

One thing I noticed about this trojan is some variants are programmed to steal game keys, so that may have been what they were after.

I sent the sample to about 50 different security software vendors and some are responding back as they add detection. I haven't gotten one writeup on it yet, but I expect Sophos will as they usually do add the writeup in their database. When I get that from them I can tell you more about what this particular one does exactly.