#1
Registered User
Join Date: Sep 2007
Posts: 22
OS: XP
Win32:Trojan Other Spawning other Viruses?
Avast Antivirus picked up Win32:Trojan-gen {Other} in two different places on my machine last week. I thought the scan removed it, but then I got another virus warning this week. Then I ran Kaspersky online and got:
Packed.Win32.Tibs.ez
WiseSFX: infected - 1
WiseSFXDropper: infected - 1
Packed.Win32.Tibs.ez

in the scan log. When planning this post, I tried to follow the directions for the 5 steps, and when Pandascan's online files were downloading, the Avast scanner found a virus in the files. So I decided not to use Pandascan. Thanks for any help you can provide.

Deckard's System Scanner v20071014.68
Run by Danielle on 2007-12-23 13:44:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 504 MiB (512 MiB recommended).

-- HijackThis (run as Danielle.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:55 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Danielle\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Danielle.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

-- End of file - 6591 bytes

-- Files created between 2007-11-23 and 2007-12-23 -----------------------------

2007-12-23 13:39:52 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-23 13:39:49 0 d-------- C:\WINDOWS\LastGood
2007-12-20 14:13:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-20 14:13:14 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 13:40:58 0 d-------- C:\Program Files\Trend Micro

-- Find3M Report ---------------------------------------------------------------

2007-12-19 16:02:05 0 d-------- C:\Program Files\Acro Software
2007-12-11 00:02:22 0 d-------- C:\Documents and Settings\Danielle\Application Data\Ruckus Network
2007-11-27 20:48:46 0 d-------- C:\Documents and Settings\Danielle\Application Data\Ahead
2007-11-22 18:46:59 0 d-------- C:\Program Files\mIRC
2007-11-04 23:01:53 0 d-------- C:\Program Files\Lexmark Toolbar
2007-11-04 21:48:19 0 d-------- C:\Program Files\lx_cats
2007-11-04 21:46:54 0 d-------- C:\Program Files\Coupons
2007-11-04 21:46:53 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-10-21 19:16:41 5163 --a------ C:\WINDOWS\mozver.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [12/09/2004 12:58 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 12:05 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 07:00 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 01:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 01:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 01:50 PM]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [11/10/2004 10:15 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/09/2007 12:02 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [11/26/2006 10:28 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]

C:\Documents and Settings\Danielle\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [7/12/2007 9:48:46 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [7/25/2005 12:05:44 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Danielle^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Danielle\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1123906770\ee\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"iPod Service"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"Bonjour Service"=2 (0x2)

-- End of Deckard's System Scanner: finished at 2007-12-23 13:45:32 ------------
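The HijackThis section of a log like the one above is written one entry per line, each tagged with a section code (R1, O2, O4, O9, O23 ...), which makes it easy to pre-sort mechanically before a human reads it. The script below is an added example, not part of the original post and not HijackThis or Deckard's code; it parses a handful of lines copied from the log above into records and flags the three shapes a helper usually looks at first: autostarts whose target HijackThis could not resolve, buttons that point at "(no file)", and services with no publisher string. The flags are starting points for a person, not verdicts: in this very log the "Unknown owner" service is Dell's wireless tray service, and the DSS registry dump resolves the "?" shortcut to DLG.exe.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: a subset of lines copied from the HijackThis
# section of the log above (one entry per line, as HijackThis writes them).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

# Every entry starts with a section code such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Registry Run-key autostarts: "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    kind: str    # HijackThis section code (R1, O2, O4, ...)
    name: str    # value name, BHO/button title, service name or registry value
    owner: str   # publisher for O23 services, otherwise ""
    target: str  # file or URL the entry points at, "" if unknown
    body: str    # raw text after "Oxx - "


def parse_entry(line):
    """Parse one HijackThis line into an Entry; return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    name = owner = target = ""
    if kind == "O4":
        r = RUN_RE.match(body)
        if r:
            name, target = r.group("name"), r.group("cmd")
        elif ": " in body and " = " in body:
            # Startup-folder shortcut: "Global Startup: X.lnk = <resolved target or ?>"
            name, target = body.split(": ", 1)[1].split(" = ", 1)
    elif kind in ("O2", "O9", "O23"):
        # "<label>: <name> - <CLSID or publisher> - <file>"
        parts = [p.strip() for p in body.split(" - ")]
        name = parts[0].split(": ", 1)[-1]
        target = parts[-1] if len(parts) > 1 else ""
        if kind == "O23" and len(parts) >= 3:
            owner = parts[1]
    elif kind.startswith("R"):
        # "R1 - <key>,<value> = <url>"
        name, _, target = body.partition(" = ")
    return Entry(kind, name, owner, target.strip(), body)


def parse_hjt(text):
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def count_by_kind(entries):
    """How many entries of each section code the log contains."""
    return dict(Counter(e.kind for e in entries))


def triage(entries):
    """Flag the entry shapes a helper reads first. Returns (kind, name, reason) tuples."""
    findings = []
    for e in entries:
        if e.kind == "O4" and e.target in ("", "?"):
            findings.append((e.kind, e.name, "autostart target could not be resolved"))
        elif e.kind == "O9" and e.target == "(no file)":
            findings.append((e.kind, e.name, "button/menu item points at a file that no longer exists"))
        elif e.kind == "O23" and e.owner == "Unknown owner":
            findings.append((e.kind, e.name, "service carries no publisher information"))
    return findings


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print(count_by_kind(entries))
    for kind, name, reason in triage(entries):
        print(f"{kind:4} {name!r}: {reason}")
```

Feed it the whole HijackThis section rather than the sample and the counts show at a glance how many autostarts and services a log carries; cross-check each flagged O4 against the DSS registry dump, which records the resolved shortcut target and the file timestamp that HijackThis omits.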
#2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,758
OS: 2000 Pro; XP Pro; XP Home
Re: Win32:Trojan Other Spawning other Viruses?
Regarding Avast, and the Panda online scan...
It is a false positive from Avast because Panda Antivirus does not encrypt its virus database. Did you save a log from the Kaspersky online scan, or make a note of where it was finding the items it identified? Location is as important.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#3
Registered User
Join Date: Sep 2007
Posts: 22
OS: XP
Re: Win32:Trojan Other Spawning other Viruses?
KASPERSKY ONLINE SCANNER REPORT
Friday, December 21, 2007 2:33:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/12/2007
Kaspersky Anti-Virus database records: 490757

Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects: 73552
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:05:49

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Danielle\LOCALS~1\Temp\hsperfdata_Danielle\2612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\Danielle\.rainlendar2\rainlendar2.log Object is locked skipped
C:\Documents and Settings\Danielle\Application Data\Mozilla\Firefox\Profiles\7wt7c5g8.default\cert8.db Object is locked skipped
C:\Documents and Settings\Danielle\Application Data\Mozilla\Firefox\Profiles\7wt7c5g8.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Danielle\Application Data\Mozilla\Firefox\Profiles\7wt7c5g8.default\history.dat Object is locked skipped
C:\Documents and Settings\Danielle\Application Data\Mozilla\Firefox\Profiles\7wt7c5g8.default\key3.db Object is locked skipped
C:\Documents and Settings\Danielle\Application Data\Mozilla\Firefox\Profiles\7wt7c5g8.default\parent.lock Object is locked skipped
C:\Documents and Settings\Danielle\Application Data\Mozilla\Firefox\Profiles\7wt7c5g8.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Danielle\Application Data\Mozilla\Firefox\Profiles\7wt7c5g8.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Danielle\Application Data\Sun\Java\Deployment\log\plugin142_03.trace Object is locked skipped
C:\Documents and Settings\Danielle\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Danielle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Danielle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Danielle\Local Settings\Application Data\Mozilla\Firefox\Profiles\7wt7c5g8.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Danielle\Local Settings\Application Data\Mozilla\Firefox\Profiles\7wt7c5g8.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Danielle\Local Settings\Application Data\Mozilla\Firefox\Profiles\7wt7c5g8.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Danielle\Local Settings\Application Data\Mozilla\Firefox\Profiles\7wt7c5g8.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Danielle\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Danielle\Local Settings\History\History.IE5\MSHist012007122020071221\index.dat Object is locked skipped
C:\Documents and Settings\Danielle\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Danielle\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Danielle\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Danielle\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\AIM\aim95.exe/WISE0122.BIN Infected: Packed.Win32.Tibs.ez skipped
C:\Program Files\AIM\aim95.exe WiseSFX: infected - 1 skipped
C:\Program Files\AIM\aim95.exe WiseSFXDropper: infected - 1 skipped
C:\Program Files\AIM\Sysfiles\viewpoint.exe Infected: Packed.Win32.Tibs.ez skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP362\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\D2JJNZ71.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_704.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT039dd.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT039e0.TMP Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
#4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,758
OS: 2000 Pro; XP Pro; XP Home
Re: Win32:Trojan Other Spawning other Viruses?
Do you use AIM? It looks to be installed.
Do me a favor....
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#7
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,758
OS: 2000 Pro; XP Pro; XP Home
Re: Win32:Trojan Other Spawning other Viruses?
Yes, but that's not the file I'm concerned with.

C:\Program Files\AIM\aim95.exe WiseSFXDropper: infected

Try this:
Please download the Suspicious File Packer http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list of files into the Suspicious File Packer window:
C:\Program Files\AIM\aim95.exe
Allow SFP to pack the files by clicking Continue. This will generate a CAB archive on your desktop named requested-files[Date/Time].cab.
Please submit it to this site http://www.bleepingcomputer.com/subm...php?channel=28 and include a link to this topic in the message.
You can then delete the requested-files.cab file from your desktop, once you have uploaded it to the above recipient.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#9
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,758
OS: 2000 Pro; XP Pro; XP Home
Re: Win32:Trojan Other Spawning other Viruses?
Seems very odd that Kaspersky would ID this file, but it's not present. It was not grabbed by the SFP.

C:\Program Files\AIM\aim95.exe

If you run a Windows search for the file, is it there?
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#11
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,758
OS: 2000 Pro; XP Pro; XP Home
Re: Win32:Trojan Other Spawning other Viruses?
Quote:
Download ComboFix from one of the following links, and save it to your desktop.
Link 1
Link 2
Link 3
Open notepad and copy/paste the text in the quotebox below into it:
Quote:
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#12
Registered User
Join Date: Sep 2007
Posts: 22
OS: XP
Re: Win32:Trojan Other Spawning other Viruses?
here's the log:

ComboFix 08-01-06.5 - Danielle 2008-01-06 12:57:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.166 [GMT -6:00]
Running from: C:\Documents and Settings\Danielle\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Danielle\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.
2008-01-06 12:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-26 15:39 . 2007-12-26 15:39 <DIR> d-------- C:\Program Files\fr-FR
2007-12-26 15:39 . 2007-12-26 15:39 <DIR> d-------- C:\Program Files\es-ES
2007-12-26 15:36 . 2007-12-26 15:36 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-26 15:36 . 2007-12-26 15:36 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-12-26 15:34 . 2007-12-26 15:34 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-26 15:34 . 2007-12-26 15:34 <DIR> d-------- C:\Program Files\Network Sharing
2007-12-26 15:34 . 2007-12-26 15:34 <DIR> d-------- C:\Program Files\en-US
2007-12-26 15:34 . 2007-12-26 15:34 <DIR> d-------- C:\Program Files\Drivers
2007-12-26 15:30 . 2006-10-04 08:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-12-26 15:30 . 2006-10-04 08:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-12-26 15:30 . 2006-10-04 08:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-12-26 15:27 . 2007-12-26 15:27 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-26 15:27 . 2007-12-26 16:23 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-23 16:05 . 2007-12-23 16:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-23 16:05 . 2007-12-23 16:05 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-23 13:40 . 2007-12-23 13:40 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-23 13:40 . 2007-12-23 13:40 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-23 13:39 . 2007-12-23 13:41 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-23 13:39 . 2007-12-23 13:40 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-20 14:32 . 2007-12-20 14:32 <DIR> d-------- C:\Deckard
2007-12-20 14:13 . 2007-12-20 14:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 14:13 . 2007-12-20 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-20 13:40 . 2007-12-20 13:40 <DIR> d-------- C:\Program Files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 18:56 --------- d-----w C:\Program Files\AIM
2008-01-03 06:03 7,081,515 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-26 21:35 0 ----a-w C:\Program Files\WMHelper.log
2007-12-26 21:05 --------- d-----w C:\Program Files\mIRC
2007-12-19 22:02 --------- d-----w C:\Program Files\Acro Software
2007-12-11 06:02 --------- d-----w C:\Documents and Settings\Danielle\Application Data\Ruckus Network
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-28 02:48 --------- d-----w C:\Documents and Settings\Danielle\Application Data\Ahead
2007-11-16 03:53 535,024 ----a-w C:\Program Files\ZuneDBApi.dll
2007-11-16 03:53 463,856 ----a-w C:\Program Files\ZuneShell.dll
2007-11-16 03:53 1,778,672 ----a-w C:\Program Files\UIX.dll
2007-11-16 03:52 892,832 ----a-w C:\Program Files\ZuneCore.dll
2007-11-16 03:52 845,216 ----a-w C:\Program Files\ZuneMde.dll
2007-11-16 03:52 779,680 ----a-w C:\Program Files\ZuneSetup.exe
2007-11-16 03:52 638,880 ----a-w C:\Program Files\ZuneQP.dll
2007-11-16 03:52 597,408 ----a-w C:\Program Files\ZuneMarketplaceResources.dll
2007-11-16 03:52 560,032 ----a-w C:\Program Files\UIXrender.dll
2007-11-16 03:52 425,376 ----a-w C:\Program Files\ZuneService.dll
2007-11-16 03:52 411,552 ----a-w C:\Program Files\ZuneSP.dll
2007-11-16 03:52 357,280 ----a-w C:\Program Files\ZuneSE.dll
2007-11-16 03:52 314,784 ----a-w C:\Program Files\ZUNEMP4SDECD.dll
2007-11-16 03:52 308,128 ----a-w C:\Program Files\ZuneSrcWrp.dll
2007-11-16 03:52 299,936 ----a-w C:\Program Files\ZuneEvr.dll
2007-11-16 03:52 291,744 ----a-w C:\Program Files\ZuneSH.dll
2007-11-16 03:52 265,632 ----a-w C:\Program Files\ZuneNssci.dll
2007-11-16 03:52 248,736 ----a-w C:\Program Files\ZuneResources.dll
2007-11-16 03:52 2,609,568 ----a-w C:\Program Files\ZuneNativeLib.dll
2007-11-16 03:52 2,124,192 ----a-w C:\Program Files\ZuneNss.exe
2007-11-16 03:52 10,149,792 ----a-w C:\Program Files\ZuneShellResources.dll
2007-11-16 03:52 1,696,672 ----a-w C:\Program Files\ZuneEncEng.dll
2007-11-16 03:52 1,059,744 ----a-w C:\Program Files\ZuneH264Dec.dll
2007-11-16 03:51 87,456 ----a-w C:\Program Files\ZuneEffects.dll
2007-11-16 03:51 80,288 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2007-11-16 03:51 72,608 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2007-11-16 03:51 60,320 ----a-w C:\Program Files\ZuneDXVA2.dll
2007-11-16 03:51 59,296 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2007-11-16 03:51 45,472 ----a-w C:\WINDOWS\system32\ZuneUsbConnection.dll
2007-11-16 03:51 44,960 ----a-w C:\Program Files\ZuneShellExt.dll
2007-11-16 03:51 41,376 ----a-w C:\Program Files\ZuneEnc.exe
2007-11-16 03:51 40,352 ----a-w C:\Program Files\ZuneCfg.dll
2007-11-16 03:51 34,208 ----a-w C:\Program Files\UIXsup.dll
2007-11-16 03:51 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2007-11-16 03:51 23,968 ----a-w C:\Program Files\ZuneConfig.exe
2007-11-16 03:51 22,432 ----a-w C:\Program Files\ZunePS.dll
2007-11-16 03:51 20,896 ----a-w C:\Program Files\ZuneShare.exe
2007-11-16 03:51 177,568 ----a-w C:\Program Files\Zune.exe
2007-11-16 03:51 172,960 ----a-w C:\Program Files\ZuneDB.dll
2007-11-16 03:51 166,304 ----a-w C:\Program Files\ZuneLauncher.exe
2007-11-16 03:51 155,552 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2007-11-16 03:51 119,712 ----a-w C:\Program Files\ZuneAACDec.dll
2007-11-16 03:51 113,568 ----a-w C:\Program Files\ZunePresenter.dll
2007-11-16 03:45 231,936 ----a-w C:\Program Files\l3codecp.acm
2007-11-16 03:38 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:42 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:49 382,240 ----a-w C:\Program Files\WMHelper.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 222,720 ---