Followed your instructions exactly.
Below is the Ewido file:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 03:05:54 PM, 18/07/2005
+ Report-Checksum: 156B885B
+ Scan result:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\S-1-5-21-1993962763-616249376-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000020DD-C72E-4113-AF77-DD56626C6C42} -> Spyware.TwainTech : Cleaned with backup
HKU\S-1-5-21-1993962763-616249376-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0000607D-D204-42C7-8E46-216055BF9918} -> Spyware.TwainTech : Cleaned with backup
HKU\S-1-5-21-1993962763-616249376-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{002EB272-2590-4693-B166-FBD5D9B6FEA6} -> Spyware.MultiMPP : Cleaned with backup
HKU\S-1-5-21-1993962763-616249376-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00D6A7E7-4A97-456F-848A-3B75BF7554D7} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-1993962763-616249376-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{086CEFD5-A88D-4981-8915-D51F04360ED1} -> Spyware.TrafficHog : Cleaned with backup
C:\Documents and Settings\mmahmoud.ACTS\Cookies\mmahmoud@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\mmahmoud.ACTS\Cookies\mmahmoud@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
D:\Download\NIS 2005\Norton.Internet.Security.2005.Pro.Incl.Keygen-SSG.rar/kgnis.exe -> TrojanDropper.Delf.fd : Error during cleaning
D:\Download\NIS 2005\Setup\KEY GENERATOR.EXE -> TrojanDropper.Delf.fd : Cleaned with backup
D:\Download\NIS 2005\Cracks\Symantec Norton 2005 Key Generators ( antivirus, ghost, internet security, partitionmagic, systemworks ).rar/Symantec Norton 2005 Key Generators ( antivirus, ghost, internet security, partitionmagic, systemworks )\Symantec Norton Internet Security 2005 Key Generator\KEY GENERATOR.EXE -> TrojanDropper.Delf.fd : Error during cleaning
D:\Download\NIS 2005\Cracks\Symantec Norton 2005 Key Generators ( antivirus, ghost, internet security, partitionmagic, systemworks )\Symantec Norton Internet Security 2005 Key Generator\KEY GENERATOR.EXE -> TrojanDropper.Delf.fd : Cleaned with backup
D:\Download\NSW 2005\NORTON 2005 - SystemWorks + Internet Security + Ghost 9.0 + GoBack + ALL KEYGENS.rar/NORTON 2005 - SystemWorks + Internet Security + Ghost 9.0 + GoBack + ALL KEYGENS\Norton Internet Security 2005\KEY-GENERATOR NIS 2005\NIS 2005 - Keygen SSG.exe -> TrojanDropper.Delf.fd : Error during cleaning
D:\Download\NSW 2005\NORTON 2005 - SystemWorks + Internet Security + Ghost 9.0 + GoBack + ALL KEYGENS.rar/NORTON 2005 - SystemWorks + Internet Security + Ghost 9.0 + GoBack + ALL KEYGENS\NORTON KEY-GENERATORS\KeyGens Norton 2005\NIS 2005 - Keygen SSG.exe -> TrojanDropper.Delf.fd : Error during cleaning
D:\Hana Backup\Program Files\Altnet\Download Manager\asm.exe -> Spyware.Altnet : Cleaned with backup
D:\Hana Backup\Program Files\Altnet\Download Manager\altnetuninstall.exe -> Spyware.Altnet : Cleaned with backup
D:\Hana Backup\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL -> Spyware.MyWebSearch : Cleaned with backup
D:\Hana Backup\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL -> Spyware.MyWebSearch : Cleaned with backup
D:\Hana Backup\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE -> Spyware.MyWebSearch : Cleaned with backup
D:\Hana Backup\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL -> Spyware.MyWebSearch : Cleaned with backup
D:\Download DXB\Visio\KeyGen\VISIO 2002 KEY GENERATOR.exe -> Trojan.Agent.a : Cleaned with backup
::Report End
And StartDreck Log:
StartDreck (build 2.1.7 public stable) - 2005-07-18 @ 15:21:29 (GMT +03:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as mmahmoud at MAMOUN
Registry
Run Keys
Current User
Run
*CTFMON.EXE=C:\WINDOWS\system32\ctfmon.exe
RunOnce
Default User
Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
RunOnce
*Printing Migration=rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters
Local Machine
Run
*SystemTray=SysTray.Exe
*IgfxTray=C:\WINDOWS\System32\igfxtray.exe
*HotKeysCmds=C:\WINDOWS\System32\hkcmd.exe
*Opware12="C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*RoxioEngineUtility="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
*dla=C:\WINDOWS\system32\dla\tfswctrl.exe
*UpdateManager="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
*SunJavaUpdateSched=C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.usr" /startintray
*DiskeeperSystray="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
RunOnce
RunServices
RunServicesOnce
RunOnceEx
RunServicesOnceEx
File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*AutoCADScriptFile="C:\WINDOWS\notepad.exe" "%1"
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
*Msie2gr.bho2gr.1/{31FF080D-12A3-439A-A2EF-4BA95A3148E8}
`InprocServer32=C:\Program Files\GetRight\xx2gr.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
*DriveLetterAccess/{5CA3D70E-1895-11CF-8E15-001234567890}
`InprocServer32=C:\WINDOWS\system32\dla\tfswshx.dll
*Nisbho.CNisExtBho.1/{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
`InprocServer32=C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
Files
Autostart Folders
Current User
*C:\Documents and Settings\mmahmoud.ACTS\Start Menu\Programs\Startup\desktop.ini
Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
INI-Files
WIN.INI\[windows]
*LOAD=
*RUN=
SYSTEM.INI\[boot]
*SHELL=Explorer.exe
Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\system32\config.nt
*C:\WINDOWS\wininit.ini
*C:\WINDOWS\winstart.bat
*C:\WINDOWS\system32\drivers\etc\hosts
System/Drivers
Running Processes
+0=<idle>
+4=<system>
+412=\SystemRoot\System32\smss.exe
+568=\??\C:\WINDOWS\system32\csrss.exe
+592=\??\C:\WINDOWS\system32\winlogon.exe
+636=C:\WINDOWS\system32\services.exe
+648=C:\WINDOWS\system32\lsass.exe
+816=C:\WINDOWS\system32\svchost.exe
+884=C:\WINDOWS\system32\svchost.exe
+948=C:\WINDOWS\System32\svchost.exe
+1020=C:\WINDOWS\System32\svchost.exe
+1096=C:\WINDOWS\System32\svchost.exe
+1684=C:\WINDOWS\Explorer.EXE
+1864=C:\WINDOWS\system32\spoolsv.exe
+164=C:\WINDOWS\system32\drivers\CDAC11BA.EXE
+192=C:\Program Files\Executive Software\Diskeeper\DkService.exe
+212=C:\Program Files\ewido\security suite\ewidoctrl.exe
+232=C:\Program Files\ewido\security suite\ewidoguard.exe
+444=C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
+1220=C:\WINDOWS\System32\svchost.exe
+1264=C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
+1676=C:\WINDOWS\system32\wdfmgr.exe
+1696=C:\WINDOWS\system32\MsPMSPSv.exe
+1596=C:\WINDOWS\System32\hkcmd.exe
+1396=C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
+968=C:\WINDOWS\System32\alg.exe
+1976=C:\WINDOWS\system32\dla\tfswctrl.exe
+2100=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
+2184=C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
+2480=C:\WINDOWS\system32\ctfmon.exe
+2624=C:\WINDOWS\System32\svchost.exe
+3016=C:\WINDOWS\system32\wuauclt.exe
+3772=C:\PROGRA~1\MICROS~1\OFFICE\EXCEL.EXE
+3816=C:\Downloads\AdWare All\Start\StartDreck.exe
NT Services
*Alerter Alerter - disabled
*Application Layer Gateway Service ALG running on demand
*Application Management AppMgmt running on demand
*ASP.NET State Service aspnet_state - on demand
*Windows Audio AudioSrv running auto
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser running auto
*C-DillaCdaC11BA C-DillaCdaC11BA running auto
*Symantec Event Manager ccEvtMgr - auto
*Symantec Network Proxy ccProxy - auto
*Symantec Password Validation ccPwdSvc - on demand
*Symantec Settings Manager ccSetMgr - auto
*Indexing Service CiSvc - on demand
*ClipBook ClipSrv - disabled
*COM+ System Application COMSysApp - on demand
*Cryptographic Services CryptSvc running auto
*DCOM Server Process Launcher DcomLaunch running auto
*DHCP Client Dhcp running auto
*Diskeeper Diskeeper running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver running auto
*DNS Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*ewido security suite control ewido security suite running auto
*ewido security suite guard ewido security suite running auto
*Fast User Switching Compatibility FastUserSwitchingCom - on demand
*Fax Fax - auto
*Help and Support helpsvc running auto
*Human Interface Device Access HidServ - disabled
*HTTP SSL HTTPFilter running on demand
*IMAPI CD-Burning COM Service ImapiService - on demand
*Infrared Monitor Irmon running auto
*ISSVC ISSVC - auto
*Server LanmanServer running auto
*Workstation LanmanWorkstation running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*Messenger Messenger - disabled
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Norton AntiVirus Auto-Protect Service navapsvc running auto
*Network DDE NetDDE - disabled
*Network DDE DSDM NetDDEdsdm - disabled
*Net Logon Netlogon running auto
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*Office Source Engine ose - on demand
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Registry RemoteRegistry running auto
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*SAVScan SAVScan - on demand
*ScriptBlocking Service SBService - auto
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Windows Firewall/Internet Connection Sharing (I SharedAccess running auto
`CS)
*Shell Hardware Detection ShellHWDetection running auto
*Symantec Network Drivers Service SNDSrvc - auto
*Symantec SPBBCSvc SPBBCSvc - auto
*Print Spooler Spooler running auto
*System Restore Service srservice - auto
*SSDP Discovery Service SSDPSRV running on demand
*Windows Image Acquisition (WIA) stisvc running auto
*Webroot Spy Sweeper Engine svcWRSSSDK running auto
*MS Software Shadow Copy Provider SwPrv - on demand
*Symantec Core LC Symantec Core LC - auto
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Telnet TlntSvr - disabled
*Distributed Link Tracking Client TrkWks running auto
*Windows User Mode Driver Framework UMWdf running auto
*Universal Plug and Play Device Host upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time W32Time running auto
*WebClient WebClient running auto
*Windows Management Instrumentation winmgmt running auto
*WMDM PMSP Service WMDM PMSP Service running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*Windows Management Instrumentation Driver Exten Wmi - on demand
`sions
*WMI Performance Adapter WmiApSrv - on demand
*Security Center wscsvc - auto
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
*Network Provisioning Service xmlprov - on demand
Application specific