Old 10-18-2005, 04:26 AM   #9 (permalink)
B.S.Blues
Join Date: Oct 2005
Posts: 18
OS: XP


Ad-Aware and Norton logs

Here's what I found in the Ad-Aware and Norton logs this morning (the Ad-Aware scan is incomplete; I stopped it as soon as it had detected the two registry keys).
Norton's logs go on forever; since most entries are alike, I just cut and pasted this morning's activity to give you an idea of what it's doing.

Ad-Aware SE Build 1.06r1
Logfile Created on:October 18, 2005 5:49:29 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R70 12.10.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):5 total references
Virtumonde(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R70 12.10.2005
Internal build : 82
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 532922 Bytes
Total size : 1597866 Bytes
Signature data size : 1564479 Bytes
Reference data size : 32875 Bytes
Signatures total : 44398
CSI Fingerprints total : 1051
CSI data size : 37487 Bytes
Target categories : 15
Target families : 759


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:55 %
Total physical memory:522032 kb
Available physical memory:283768 kb
Total page file size:1276672 kb
Available on page file:1051364 kb
Total virtual memory:2097024 kb
Available virtual memory:2041332 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


18-10-2005 5:49:29 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Richard Beales\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-48506347-2237029002-1904607352-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-48506347-2237029002-1904607352-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-48506347-2237029002-1904607352-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 568
ThreadCreationTime : 18-10-2005 9:46:02 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 632
ThreadCreationTime : 18-10-2005 9:46:05 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 656
ThreadCreationTime : 18-10-2005 9:46:06 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 700
ThreadCreationTime : 18-10-2005 9:46:06 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 712
ThreadCreationTime : 18-10-2005 9:46:06 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 872
ThreadCreationTime : 18-10-2005 9:46:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 928
ThreadCreationTime : 18-10-2005 9:46:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1020
ThreadCreationTime : 18-10-2005 9:46:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1120
ThreadCreationTime : 18-10-2005 9:46:08 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1268
ThreadCreationTime : 18-10-2005 9:46:08 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1336
ThreadCreationTime : 18-10-2005 9:46:08 AM
BasePriority : Normal
FileVersion : 103.0.5.2
ProductVersion : 103.0.5.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:12 [spbbcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\
ProcessID : 1368
ThreadCreationTime : 18-10-2005 9:46:10 AM
BasePriority : Normal
FileVersion : 1,0,1,47
ProductVersion : 1,0,1,47
ProductName : SPBBC
CompanyName : Symantec Corporation
FileDescription : SPBBC Service
InternalName : SPBBCSvc
LegalCopyright : Copyright (c) 2004 Symantec Corporation. All rights reserved.
OriginalFilename : SPBBCSvc.exe

#:13 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1824
ThreadCreationTime : 18-10-2005 9:46:11 AM
BasePriority : Normal
FileVersion : 103.0.5.2
ProductVersion : 103.0.5.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:14 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1948
ThreadCreationTime : 18-10-2005 9:46:13 AM
BasePriority : Normal
FileVersion : 8.29
ProductVersion : 8.29
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:15 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1976
ThreadCreationTime : 18-10-2005 9:46:13 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:16 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1984
ThreadCreationTime : 18-10-2005 9:46:13 AM
BasePriority : Normal
FileVersion : 8.29
ProductVersion : 8.29
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:17 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 216
ThreadCreationTime : 18-10-2005 9:46:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe

#:18 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 284
ThreadCreationTime : 18-10-2005 9:46:22 AM
BasePriority : Normal
FileVersion : 11.0.9.16
ProductVersion : 11.0.9
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:19 [npfmntor.exe]
FilePath : C:\Program Files\Norton AntiVirus\IWP\
ProcessID : 428
ThreadCreationTime : 18-10-2005 9:46:25 AM
BasePriority : Normal
FileVersion : 11.0.9.16
ProductVersion : 11.0.9
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Firewall Install Monitor
InternalName : NPFMonitor
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NPFMonitor.EXE

#:20 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 588
ThreadCreationTime : 18-10-2005 9:46:26 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:21 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
ProcessID : 616
ThreadCreationTime : 18-10-2005 9:46:26 AM
BasePriority : Normal
FileVersion : 1, 8, 54, 534
ProductVersion : 1, 8, 54, 534
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright (C) 2003
OriginalFilename : symlcsvc.exe

#:22 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 900
ThreadCreationTime : 18-10-2005 9:46:27 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:23 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1456
ThreadCreationTime : 18-10-2005 9:46:32 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:24 [pronomgr.exe]
FilePath : C:\Program Files\Intel\NCS\PROSet\
ProcessID : 1640
ThreadCreationTime : 18-10-2005 9:46:37 AM
BasePriority : Normal
FileVersion : 6.1.42.0
ProductVersion : 6.1.42.0
ProductName : Intel(R) Network Configuration Services
CompanyName : Intel(R) Corporation
FileDescription : PRONotifyMgr Module
InternalName : PRONotifyMgr
LegalCopyright : Copyright(C) 2001-2002 Intel Corporation
OriginalFilename : PRONoMgr.exe

#:25 [igfxtray.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1652
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 3,0,0,1918
ProductVersion : 7,0,0,1918
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : IGFXTRAY.EXE

#:26 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1664
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 3,0,0,1918
ProductVersion : 7,0,0,1918
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : HKCMD.EXE

#:27 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 1672
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 5.1.00
ProductVersion : 5.1.00
ProductName : Realtek Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2003 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek AC97 Audio Sound Manager

#:28 [lxbkbmgr.exe]
FilePath : C:\Program Files\Lexmark X1100 Series\
ProcessID : 1688
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
ProductName : Button Manager Executable
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark X1100 Series Button Manager
InternalName : lxbkbmgr.exe
LegalCopyright : (C) 2002 Lexmark International, Inc.
OriginalFilename : lxbkbmgr.exe

#:29 [wkufind.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\
ProcessID : 1704
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 7.00.0716.0
ProductVersion : 7.00.0716.0
ProductName : Update Detection Module
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Update Detection
InternalName : WkUFind
LegalCopyright : Copyright © 1987-2002 Microsoft Corporation.
OriginalFilename : WkUFind.exe

#:30 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 1720
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:31 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_04\bin\
ProcessID : 1732
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal


#:32 [lxbkbmon.exe]
FilePath : C:\Program Files\Lexmark X1100 Series\
ProcessID : 1736
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
ProductName : Button Monitor Executable
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark X1100 Series Button Monitor
InternalName : lxbkbmon.exe
LegalCopyright : (C) 2002 Lexmark International, Inc.
OriginalFilename : lxbkbmon.exe

#:33 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1752
ThreadCreationTime : 18-10-2005 9:46:39 AM
BasePriority : Normal
FileVersion : 6.4
ProductVersion : QuickTime 6.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2003
OriginalFilename : QTTask.exe

#:34 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1780
ThreadCreationTime : 18-10-2005 9:46:41 AM
BasePriority : Normal
FileVersion : 103.0.5.2
ProductVersion : 103.0.5.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:35 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 404
ThreadCreationTime : 18-10-2005 9:46:55 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:36 [mdgnotify.exe]
FilePath : C:\WINDOWS\MDG\
ProcessID : 1324
ThreadCreationTime : 18-10-2005 9:47:04 AM
BasePriority : Normal
FileVersion : 1.00
ProductVersion : 1.00
ProductName : shellnotify
CompanyName : MDG Computers Inc
InternalName : MDGnotify
OriginalFilename : MDGnotify.exe

#:37 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2256
ThreadCreationTime : 18-10-2005 9:47:31 AM
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:38 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 2664
ThreadCreationTime : 18-10-2005 9:48:12 AM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 2004
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:39 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3132
ThreadCreationTime : 18-10-2005 9:49:16 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Virtumonde Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : atlevents.atlevents

Virtumonde Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : atlevents.atlevents.1

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 7


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
<STOP>
5:49:55 AM Scan stopped by user

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:00:26.141
Objects scanned:54541
Objects identified:2
Objects ignored:0
New critical objects:2

Excerpted from Norton's activity log:
Source: C:\WINDOWS\TEMP\BEWKSID.DAT
Source: C:\WINDOWS\TEMP\BEWKSID.DAT
Source: C:\WINDOWS\TEMP\BEWKSID.DAT
Source: C:\WINDOWS\TEMP\BEWKSID.DAT

Excerpted from Norton's Alerts log:
SymProtect Event Details:
Time: 18/10/2005 5:49:39 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:39 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:37 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:37 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Norton AntiVirus\navapsvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Norton AntiVirus\navapsvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
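Editor's note on the two logs above, with an added example that is not part of B.S.Blues's post. Every SymProtect alert names Ad-Aware.exe with PID=3132 as the actor, the same PID Ad-Aware's own process listing gives for itself (#:39), and the alerts are stamped 5:49:36 to 5:49:39, seconds after the 5:49:29 scan start. With "Scan active processes" and "Unload recognized processes & modules during scan" enabled, that reads as the scanner opening the Symantec processes and Symantec's tamper protection refusing, not as a third program attacking Norton. The script below is editor's code in Python, not Lavasoft's or Symantec's: it parses both log formats from constructed excerpts of the post's own lines (the Ad-Aware process list is trimmed to two entries, so the ccApp target deliberately shows up as not listed), pulls out the objects rated TAC 10, and makes the PID, image-name and timing checks explicit. It says nothing about the Virtumonde keys beyond listing them.

```python
# Added example (editor's code, not from the post): parse an Ad-Aware SE scan log and a
# Norton SymProtect alert excerpt, then check each alert's actor PID against the scanner's
# own process listing.  Both samples are constructed excerpts in the post's formats.
import ntpath
import re
from datetime import datetime

ADAWARE_LOG = r"""18-10-2005 5:49:29 AM - Scan started. (Full System Scan)

#:18 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 284
CompanyName : Symantec Corporation

#:39 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3132
CompanyName : Lavasoft Sweden

Virtumonde Object Recognized!
TAC Rating : 10
Rootkey : HKEY_CLASSES_ROOT
Object : atlevents.atlevents

Virtumonde Object Recognized!
TAC Rating : 10
Rootkey : HKEY_CLASSES_ROOT
Object : atlevents.atlevents.1
"""

SYMPROTECT_LOG = r"""SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Norton AntiVirus\navapsvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:39 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
"""

EVENT_RE = re.compile(
    r"Time: (?P<time>.+)\nActor: (?P<actor>.+) \(PID=(?P<pid>\d+)\)\n"
    r"Target: (?P<target>.+)\nAction: (?P<action>.+)\nReaction: (?P<reaction>.+)")

def parse_adaware(text):
    """Return (scan_start, {pid: fields}, [detections]); entries are blank-line separated."""
    scan_start, processes, detections = None, {}, []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, *rest = block.splitlines()
        fields = {}
        for line in rest:  # 'Key : value' lines (MRU entries use 'Location: : value')
            key, sep, val = line.partition(" :")
            if sep:
                fields[key.strip().rstrip(":")] = val.strip()
        if m := re.match(r"(.+ [AP]M) - Scan started", head):
            scan_start = datetime.strptime(m.group(1), "%d-%m-%Y %I:%M:%S %p")
        elif m := re.match(r"#:\d+ \[(.+)\]", head):
            processes[int(fields["ProcessID"])] = {"name": m.group(1).lower(), **fields}
        elif m := re.match(r"(.+) Object Recognized!", head):
            detections.append({"family": m.group(1), **fields})
    return scan_start, processes, detections

def critical_objects(detections, min_tac=10):
    """Ad-Aware rates findings 0-10 (TAC); MRU entries carry no rating and drop out."""
    return [(d["family"], d["Rootkey"], d["Object"])
            for d in detections if int(d.get("TAC Rating", 0)) >= min_tac]

def parse_symprotect(text):
    """SymProtect alerts are 'Key: value' lines; the Actor line carries its PID."""
    events = []
    for m in EVENT_RE.finditer(text):
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"].strip(), "%d/%m/%Y %I:%M:%S %p")
        e["pid"] = int(e["pid"])
        events.append(e)
    return events

def correlate(scan_start, processes, events):
    """A PID is reusable, so the actor's image name must also agree with what the scanner
    listed under that PID; an alert stamped before the scan started cannot be the scan."""
    running = {p["name"] for p in processes.values()}
    rows = []
    for e in events:
        actor, target = (ntpath.basename(e[k]).lower() for k in ("actor", "target"))
        proc = processes.get(e["pid"])
        rows.append({"time": e["time"], "pid": e["pid"], "actor": actor, "target": target,
                     "pid_consistent": proc is not None and proc["name"] == actor,
                     "during_scan": scan_start is not None and e["time"] >= scan_start,
                     "target_running": target in running})  # ccApp is absent from the trimmed list
    return rows

if __name__ == "__main__":
    start, procs, dets = parse_adaware(ADAWARE_LOG)
    print(critical_objects(dets), correlate(start, procs, parse_symprotect(SYMPROTECT_LOG)), sep="\n")
```

Run as a script it prints the two TAC 10 objects and one row per alert; to use it on the full logs, read them into ADAWARE_LOG and SYMPROTECT_LOG. A row with pid_consistent False would mean the PID in the alert did not belong to the scanner when the process listing was taken, which is the case actually worth chasing; here every row comes back consistent and during_scan.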