Post #1, Jun 20 2008, 05:05 PM
New Member, Group: Members, Posts: 2, Joined: 20-June 08, Member No.: 217,494
Here is what Kaspersky found:

Infected: Trojan program Trojan-Downloader.JS.Agent.bwl c:\documents and settings\nobody\local settings\temporary internet files\content.ie5\gqe4m0z4\vv[1].js 2 KB
Infected: Trojan program Trojan-PSW.Win32.OnLineGames.arjr c:\documents and settings\nobody\local settings\temporary internet files\content.ie5\zazat3yd\111[1].exe 20 KB
Infected: Trojan program Exploit.Win32.IMG-ANI.s c:\documents and settings\nobody\local settings\temporary internet files\content.ie5\xxs7w1qz\tt[1].gif 926 bytes
Infected: Trojan program Trojan-Downloader.Win32.FraudLoad.akv c:\documents and settings\nobody\local settings\temp\fhstsul8.exe 59 KB
Infected: Trojan program Exploit.JS.RealPlr.go c:\documents and settings\nobody\local settings\temporary internet files\content.ie5\dtewo4av\old[1].htm 3.8 KB
Infected: Trojan program Trojan-PSW.Win32.OnLineGames.arjq c:\documents and settings\nobody\local settings\temp\orzow.dll 15.3 KB
Infected: Trojan program Exploit.JS.CVE-2006-1359.ai c:\documents and settings\nobody\local settings\temporary internet files\content.ie5\9efi9tgs\le[1].htm 6 KB

============

I am also suspicious of some nwiz and qttrack files showing up in my registry under the system 32 folder. I'm totally out of my element here, so here is the DSS log:

============

Deckard's System Scanner v20071014.68
Run by Nobody on 2008-06-19 16:43:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
92: 2008-06-19 22:43:43 UTC - RP368 - Deckard's System Scanner Restore Point
91: 2008-06-19 19:41:16 UTC - RP367 - Installed Kaspersky Anti-Virus 7.0.
90: 2008-06-19 08:24:39 UTC - RP366 - Software Distribution Service 3.0
89: 2008-06-18 08:38:21 UTC - RP365 - System Checkpoint
88: 2008-06-17 08:25:58 UTC - RP364 - Software Distribution Service 3.0

-- First Restore Point --
1: 2008-03-22 08:39:46 UTC - RP277 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Nobody.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:00 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nobody\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Nobody.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1184989830645
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4097 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
S3 AR5523 (NETGEAR WG111T USB2.0 Wireless Card Service) - c:\windows\system32\drivers\wg11tnd5.sys (file missing)
S3 DNINDIS5 (DNINDIS5 NDIS Protocol Driver) - c:\windows\system32\dnindis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0064&SUBSYS_0C111458&REV_A2\3&13C0B0C5&0&09
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0064&SUBSYS_0C111458&REV_A2\3&13C0B0C5&0&09
Service:

Class GUID:
Description: RAID Controller
Device ID: PCI\VEN_1283&DEV_8212&SUBSYS_00011283&REV_10\4&3B1D9AB8&0&6040
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1283&DEV_8212&SUBSYS_00011283&REV_10\4&3B1D9AB8&0&6040
Service:

Class GUID:
Description: RAID Controller
Device ID: PCI\VEN_1095&DEV_3112&SUBSYS_61121095&REV_02\4&3B1D9AB8&0&6840
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1095&DEV_3112&SUBSYS_61121095&REV_02\4&3B1D9AB8&0&6840
Service:

-- Scheduled Tasks -------------------------------------------------------------

2008-06-19 14:28:58 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-18 17:14:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-05-19 and 2008-06-19 -----------------------------

2008-06-19 16:24:48 0 d-------- C:\Program Files\Trend Micro
2008-06-19 16:02:27 0 d-------- C:\Documents and Settings\Nobody\Application Data\Lavasoft
2008-06-19 13:42:05 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-19 13:42:05 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-19 13:41:26 10784 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-19 13:41:26 1535776 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-19 13:41:26 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-19 13:41:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-19 13:36:14 0 d-------- C:\kav
2008-06-10 13:56:44 0 d-------- C:\Documents and Settings\Nobody\Application Data\Apple Computer
2008-06-10 13:56:22 0 d-------- C:\Program Files\iPod
2008-06-10 13:56:12 0 d-------- C:\Program Files\iTunes
2008-06-10 13:55:59 0 d-------- C:\Program Files\Bonjour
2008-06-10 13:55:27 0 d-------- C:\Program Files\QuickTime
2008-06-10 13:55:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-10 13:54:51 0 d-------- C:\Program Files\Apple Software Update
2008-06-10 13:54:45 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-10 13:54:31 0 d-------- C:\Program Files\Common Files\Apple
2008-06-10 13:54:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-23 17:53:35 0 d-------- C:\WINDOWS\Polaroid_536

-- Find3M Report ---------------------------------------------------------------

2008-06-10 13:54:31 0 d-------- C:\Program Files\Common Files
2008-06-07 16:59:50 0 d-------- C:\Program Files\World of Warcraft
2008-05-23 17:53:35 0 d--h----- C:\Program Files\InstallShield Installation Information

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [03/09/2006 03:29 PM]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [03/09/2006 03:29 PM]
"SoundMan"="SOUNDMAN.EXE" [11/17/2006 05:42 AM C:\WINDOWS\soundman.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 06:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/02/2008 11:13 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [02/08/2008 06:36 PM]
"nwiz"="nwiz.exe" [03/09/2006 03:29 PM C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{001F1062-D7A2-456A-AE04-EB9ABF822FE4}"= C:\DOCUME~1\Nobody\LOCALS~1\Temp\orzow.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2008-06-19 16:47:46 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon XP 2400+
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 511.48 MiB / 158.55 MiB
Pagefile Memory (total/avail): 866.18 MiB / 451.06 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.26 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 101.56 GiB total, 84.5 GiB free.
D: is Fixed (NTFS) - 10.22 GiB total, 5.14 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3120814A - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 101.56 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 10.22 GiB - D:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Kaspersky Anti-Virus v7.0.1.325 (Kaspersky Lab)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\kav\\kav7\\setup.exe"="C:\\kav\\kav7\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Nobody\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FRODO
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Nobody
LOGONSERVER=\\FRODO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Nobody\LOCALS~1\Temp
TMP=C:\DOCUME~1\Nobody\LOCALS~1\Temp
USERDOMAIN=FRODO
USERNAME=Nobody
USERPROFILE=C:\Documents and Settings\Nobody
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Nobody (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{9F70BF98-003C-491D-81FC-FF9792206AF0}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
Polaroid Digital Cam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9170E5EA-0739-4BBB-B27F-00BF316DC503}\setup.exe" -l0x9
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->

-- Application Event Log -------------------------------------------------------

Event Record #/Type569 / Warning
Event Submitted/Written: 06/19/2008 02:24:23 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type564 / Warning
Event Submitted/Written: 06/19/2008 02:15:30 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type556 / Warning
Event Submitted/Written: 06/19/2008 01:44:17 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type551 / Error
Event Submitted/Written: 06/19/2008 01:40:43 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type547 / Warning
Event Submitted/Written: 06/19/2008 01:37:49 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type5158 / Warning
Event Submitted/Written: 06/19/2008 04:46:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRODO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRODO27 can't undo changes that you allow.
For more information please see the following: %FRODO275
Scan ID: {D74A12AB-42A5-4A4A-B9C6-DECE7557D5C4}
User: FRODO\Nobody
Name: %FRODO271
ID: %FRODO272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %FRODO276
Alert Type: %FRODO278
Detection Type: 1.1.1593.02

Event Record #/Type5157 / Warning
Event Submitted/Written: 06/19/2008 04:46:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRODO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRODO27 can't undo changes that you allow.
For more information please see the following: %FRODO275
Scan ID: {D88A4AF0-7BAF-4630-BF66-76803A9E5D67}
User: FRODO\Nobody
Name: %FRODO271
ID: %FRODO272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %FRODO276
Alert Type: %FRODO278
Detection Type: 1.1.1593.02

Event Record #/Type5156 / Warning
Event Submitted/Written: 06/19/2008 04:46:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRODO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRODO27 can't undo changes that you allow.
For more information please see the following: %FRODO275
Scan ID: {4F4F59E8-99DC-4910-ADF4-D648570217BB}
User: FRODO\Nobody
Name: %FRODO271
ID: %FRODO272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %FRODO276
Alert Type: %FRODO278
Detection Type: 1.1.1593.02

Event Record #/Type5155 / Warning
Event Submitted/Written: 06/19/2008 04:46:26 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRODO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRODO27 can't undo changes that you allow.
For more information please see the following: %FRODO275
Scan ID: {F6F3DBD8-AF48-499F-B393-2A55F3FEB626}
User: FRODO\Nobody
Name: %FRODO271
ID: %FRODO272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %FRODO276
Alert Type: %FRODO278
Detection Type: 1.1.1593.02

Event Record #/Type5154 / Warning
Event Submitted/Written: 06/19/2008 04:46:26 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRODO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRODO27 can't undo changes that you allow.
For more information please see the following: %FRODO275
Scan ID: {CF042FB0-B96A-45C8-91AC-B36359619062}
User: FRODO\Nobody
Name: %FRODO271
ID: %FRODO272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %FRODO276
Alert Type: %FRODO278
Detection Type: 1.1.1593.02

-- End of Deckard's System Scanner: finished at 2008-06-19 16:47:46 ------------

I'm a first time visitor to the site, and I've tried to provide as much detail of my problem as I can. I know nothing about the trojans on my computer. I hope that I've presented this properly, and I'm happy to provide any more information. Thank you very much!

Adam.
Post #2, Jul 12 2008, 04:01 AM
Senior Member, Group: HJT Team, Posts: 413, Joined: 18-July 07, From: GMT+7, Member No.: 144,338
Hi Adam,
I'm sorry it's taken so long for you to get a response. If you still need help, please do as follows:

It appears that your computer has been infected by a password-stealing trojan. If you use this computer for sensitive purposes, such as internet banking, then you should immediately use a known clean machine to change all your passwords. Also consider notifying your bank(s) etc. that your login credentials may have been compromised.

Please make new reports with DSS. If you need to download the program again, you can do so from here: http://www.techsupportforum.com/sectools/Deckard/dss.exe

Once complete, please post both DSS logs; you won't need to produce a new HijackThis log, as DSS produces one for you.

--------------------
Teacher at Malware Removal University | ASAP & UNITE Member
Post #3, Jul 15 2008, 05:36 AM
Senior Member, Group: HJT Team, Posts: 413, Joined: 18-July 07, From: GMT+7, Member No.: 144,338
Do you still need help with your machine?
If the instructions are unclear or something isn't working, please let me know before proceeding.
Post #4, Jul 17 2008, 09:12 PM
Senior Member, Group: HJT Team, Posts: 413, Joined: 18-July 07, From: GMT+7, Member No.: 144,338
Due to lack of response, this thread will now be closed.
If you are the topic starter and would like this topic reopened, please PM a staff member with a link to this thread and we will reopen it for you. Anyone else who needs assistance should begin a new topic.