Strange Loveletter.vbs Worm


1 reply to this topic

#1 GFC

  • Members
  • 2 posts

Posted 21 January 2008 - 04:32 PM

Hi there

I've discovered a few problems linked to LoveLetter.vbs but can't get rid of it. It's a bit complicated to explain, so please bear with me whilst I try to explain the issues...

Each time I opened Firefox and started to surf, I'd get various other Firefox windows opening with adverts. I scanned with Avast 4.0, AVG, Ad-Aware SE (all three are Home Editions) and Spybot S&D. I found nothing with any of these scans, including the Avast Boot Time Scan. However, I knew something was there, as my system was so slow, my desktop photo had been overwritten and I kept getting the adverts opening in other Firefox windows.

A friend suggested using ClamWin anti-virus, which I did. Whilst using ClamWin (in normal XP mode) Avast suddenly found LoveLetter.vbs in C:\Documents and Settings\"My user name"\Local Settings\Temp\clamav-fcd948e599fd513b7fceeb9929cac426d.00000dc0.clamtmp. When I looked in the Avast Chest, the file that had been quarantined was called 'script.html'.

I ran ClamWin again and again it found LoveLetter.vbs in the same folder, but the alphanumeric string in the file name between 'clamav-' and 'clamtmp' had changed.

This continued each time I ran ClamWin, with the alphanumeric string changing. I also found another version of the file in the Chest called 'comment.html'.

At the same time I found some strange files (WHICH I CAN'T DELETE) in C:\Documents and Settings\"My user name"\Local Settings\Temp called 'Perflib_Perfdata_948.dat', 'Perflib_Perfdata_f5c.dat' etc.

Other strange files in the same folder are '~DF6D7D.tmp', '~DF8AEA.tmp' etc.

I have deleted any files and registry keys associated with LoveLetter.vbs (as suggested in the Avast help pages about worms etc.) and have since run numerous scans, finding nothing, but I'm still worried that there may be something in the background. Each time I run ClamWin, the LoveLetter.vbs worm is still found by the Avast On-Access scanner.

The only applications I've downloaded recently are VEOH and a Windows Media Player that lets you watch streaming TV (which I've now deleted).

I have now deleted ClamWin and run AVG, Ad-Aware SE, Spybot S&D and ZoneAlarm scans and found nothing; however, the strange files mentioned above still exist.

Avast, however, did find another virus this evening in C:\Program Files\Alwil Software\Avast4\DATA\moved.

I've also just noticed that each time I boot up now, the IE icon is on my desktop, although I had previously deleted it and always use Firefox. Also, Firefox is no longer set as my default browser.

PLEASE HELP

Below are the HijackThis and ComboFix logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:14, on 21/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\vphc700.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Philips\Philips SPC710NC Webcam\TrayMin710.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=4070102
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [phc710] C:\WINDOWS\vphc700.exe
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TrayMin710.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11034 bytes


ComboFix 08-01-20.1 - Delphine et Johnny 2008-01-21 21:20:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.422 [GMT 0:00]
Running from: C:\Program Files\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 09:51 . 2008-01-21 16:02 <DIR> d-------- C:\Documents and Settings\Delphine et Johnny\Application Data\skypePM
2008-01-21 09:51 . 2008-01-21 09:51 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-20 20:46 . 2008-01-20 20:46 <DIR> d-------- C:\Documents and Settings\Delphine et Johnny\.housecall6.6
2008-01-20 20:02 . 2008-01-20 20:04 1,953,799 --a------ C:\Program Files\stinger.exe
2008-01-20 19:19 . 2008-01-20 19:19 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-01-20 19:12 . 2008-01-20 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-20 19:06 . 2008-01-20 19:06 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-20 16:03 . 2008-01-20 16:03 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-01-20 16:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 14:34 . 2008-01-20 14:34 1,550,759 --a------ C:\Program Files\ComboFix.exe
2008-01-20 00:09 . 2008-01-20 00:09 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-01-19 23:22 . 2008-01-20 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-01-18 23:31 . 2008-01-21 17:41 1,113 --a------ C:\rollback.ini
2008-01-18 23:25 . 2008-01-18 23:25 <DIR> d-------- C:\Documents and Settings\Delphine et Johnny\Application Data\MailFrontier
2008-01-18 22:42 . 2008-01-18 22:42 210,416 --a------ C:\Program Files\zaSetup_en.exe
2008-01-18 21:38 . 2008-01-18 21:38 407,680 --a------ C:\Program Files\aswclnr.exe
2008-01-16 22:34 . 2008-01-16 22:36 6,432 --a------ C:\WINDOWS\system32\acdb.err
2008-01-16 21:55 . 2008-01-16 21:55 <DIR> d-------- C:\Documents and Settings\Delphine et Johnny\Application Data\.clamwin
2008-01-16 17:12 . 2008-01-16 15:40 17,452,125 --a------ C:\Program Files\clamwin-0.91.2-setup.exe
2008-01-15 20:56 . 2008-01-15 21:00 6,026,816 --a------ C:\Program Files\Firefox Setup 2.0.0.11.exe
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-04 21:45 . 2008-01-04 21:45 <DIR> d-------- C:\Program Files\Veoh Networks
2008-01-04 21:41 . 2008-01-04 21:42 18,207,736 --a------ C:\Program Files\VeohSetup-3.8.0.1051.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 21:22 5,324,064 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-21 21:17 13,485 ----a-w C:\Program Files\bleeping computer.txt
2008-01-21 20:45 71,612 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-21 20:42 --------- d-----w C:\Documents and Settings\Delphine et Johnny\Application Data\Skype
2008-01-21 20:36 11,036 ----a-w C:\Program Files\hijackthis.log
2008-01-21 20:29 6,218 ----a-w C:\Program Files\aswclnr.log
2008-01-20 21:54 294 ----a-w C:\Program Files\stinger.txt
2008-01-20 21:54 17 ----a-w C:\Program Files\stinger.opt
2008-01-20 20:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-20 19:40 --------- d-----w C:\Program Files\Lavasoft
2008-01-20 19:25 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-20 19:22 --------- d-----w C:\Program Files\Java
2008-01-20 19:14 --------- d-----w C:\Program Files\QuickTime
2008-01-20 13:24 --------- d-----w C:\Program Files\Skype
2008-01-20 00:32 --------- d-----w C:\Program Files\CCleaner
2008-01-19 10:00 2,479,104 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-01-18 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-18 21:00 --------- d-----w C:\Program Files\GemMaster
2008-01-18 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-01-17 23:36 --------- d-----w C:\Documents and Settings\Delphine et Johnny\Application Data\dvdcss
2008-01-16 21:55 --------- d-----w C:\Documents and Settings\Delphine et Johnny\Application Data\.clamwin
2008-01-15 21:17 1,491,592 ----a-w C:\Program Files\install_flash_player.exe
2008-01-14 22:38 --------- d-----w C:\Documents and Settings\Delphine et Johnny\Application Data\Azureus
2008-01-13 11:37 --------- d-----w C:\Program Files\Azureus
2008-01-11 22:34 --------- d-----w C:\Documents and Settings\Delphine et Johnny\Application Data\LimeWire
2008-01-08 22:10 2,406,400 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-01-06 00:52 3,101,696 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-01-04 21:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 14:21 --------- d-----w C:\Program Files\ZoneAlarmSB
2007-12-16 13:11 7,523,492 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-05 20:53 --------- d-----w C:\Documents and Settings\Delphine et Johnny\Application Data\ArcSoft
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-14 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 16:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 21:56 73,768 ----a-w C:\Documents and Settings\Delphine et Johnny\Application Data\GDIPFONTCACHEV1.DAT
2007-11-07 22:17 21,321,008 ----a-w C:\Program Files\QuickTimeInstaller.exe
2007-11-07 21:52 2,400,784 ----a-w C:\Program Files\WLinstaller.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-11-05 20:21 18,040,176 ----a-w C:\Program Files\Install_Messenger_nous.exe
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-23 17:06 585,728 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-09-06 09:29 122,368 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2007-09-02 20:53 2,621,440 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-08-31 18:01 1,579,360 ----a-w C:\Program Files\taskmanager17.exe
2007-08-28 06:52 2,076,672 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-08-24 20:28 2,072,064 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-08-08 18:59 6,221,304 ----a-w C:\Program Files\winamp535_full_emusic-7plus.exe
2007-08-05 05:29 16,826,732 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_04_18_35_13_full.dmp.zip
2007-08-05 05:28 16,571,209 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_04_18_34_51_full.dmp.zip
2007-08-05 05:26 89,250 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_04_18_35_00_small.dmp.zip
2007-08-05 05:26 85,664 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_04_18_34_57_small.dmp.zip
2007-08-05 05:26 16,573,973 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_04_16_18_41_full.dmp.zip
2007-08-05 05:26 110,453 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_04_16_17_04_small.dmp.zip
2007-08-05 05:26 107,657 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_04_18_29_54_small.dmp.zip
2007-06-30 17:49 318,904 ----a-w C:\Program Files\wmpfirefoxplugin.exe
2007-06-24 18:55 3,244,032 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-05-09 16:23 832,786 ----a-w C:\Program Files\SopCastOcx.zip
2007-04-20 14:12 574 ----a-w C:\Program Files\changeLog.txt
2007-03-23 20:55 1,035,271 ----a-w C:\Program Files\wrar362.exe
2007-03-15 17:58 98,554,909 ----a-w C:\Program Files\OOo_2.1.0_Win32Intel_install_en-US.exe
2007-02-11 13:02 9,453,630 ----a-w C:\Program Files\vlc-0.8.6a-win32.exe
2007-01-27 21:00 9,862,208 ----a-w C:\Program Files\Azureus_2.5.0.4_Win32.setup.exe
2007-01-27 20:29 2,473,984 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-01-27 20:29 1,473,024 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-01-11 18:58 25,755,448 ----a-w C:\Program Files\wmp11-windowsxp-x86-enu.exe
2007-01-06 22:48 20,155,344 ----a-w C:\Program Files\SkypeSetup.exe
2007-01-05 21:18 278,528 ----a-w C:\Program Files\Common Files\FDEUnInstaller.exe
2006-01-09 17:37 505,979 ----a-w C:\Program Files\Power Defragmenter.exe
2007-01-05 20:38 168 --sh--r C:\WINDOWS\system32\CD39C35D4C.sys
2007-01-05 20:39 6,266 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_16.10.42.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-20 19:07:34 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81100000003}\SC_Reader.exe
- 2007-03-13 23:31:24 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 22:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-03-13 23:31:28 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 22:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-03-14 01:04:46 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 23:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-01-15 21:17:39 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-01-20 20:40:47 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-01-19 16:30:25 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2008-01-21 20:47:23 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
- 2008-01-20 14:41:53 410,520 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-01-21 20:46:52 508,744 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-01-18 23:32:04 7,588,909 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-01-21 14:41:28 7,603,688 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-01-21 20:46:47 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f3ed5cd-0726-42a9-87f5-d13f3d2976ac}]
2007-10-17 13:53 57384 --a------ C:\Program Files\Windows Live\Family Safety\fssbho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-16 14:21 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-16 14:21 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 21:57 395776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-12-21 17:51 3481600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 23:30 282624 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 18:48 761947]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 18:51 1032192]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"CTSVolFE.exe"="C:\Program Files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 15:57 57344]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 19:05 1117184]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-07 12:11 185896]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 17:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 16:58 696320]
"phc710"="C:\WINDOWS\vphc700.exe" [2005-07-20 18:56 339968]
"fssui"="C:\Program Files\Windows Live\Family Safety\fssui.exe" [2007-10-17 13:53 243240]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 05:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 18:28:28 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-01-02 22:54:28 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
TrayMin710.exe.lnk - C:\Program Files\Philips\Philips SPC710NC Webcam\TrayMin710.exe [2007-09-01 17:11:55 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)

R2 fssfltr;FssFltr;C:\WINDOWS\system32\DRIVERS\fssfltr.sys [2007-10-17 13:53]
R2 fsssvc;Windows Live OneCare Family Safety;"C:\Program Files\Windows Live\Family Safety\fsssvc.exe" [2007-10-17 13:53]
R3 phc700;USB PC Camera (phc710);C:\WINDOWS\system32\DRIVERS\phc700.sys [2005-06-07 13:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 17:19:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 21:22:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 21:24:06
ComboFix2.txt 2008-01-20 16:11:38
.
2008-01-10 21:54:46 --- E O F ---
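Added example, not part of the original thread and not a BleepingComputer or HijackThis tool: a small Python parser that turns the O2/O4/O16/O23 lines of a HijackThis log like the one above into structured entries and runs a few first-pass review heuristics over them. The sample lines are copied from the log above; the hits it produces (an orphaned BHO CLSID listed as "(no file)", a Global Startup shortcut HijackThis reports as "?", a Run value that is a bare file name resolved through the PATH, an ActiveX CAB fetched from a host outside an assumed allow-list) are prompts to look closer, not verdicts on this machine. The allow-list of download hosts and the set of executable extensions are assumptions of the example. It also handles the unquoted Run value whose path contains spaces (the McAfee SpamKiller line), which a naive split-on-space would cut at "C:\Program".

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample input: lines copied from the HijackThis log in this
# thread, chosen to exercise each rule below. Nothing here is a verdict on
# any of them; legitimate software produces all of these shapes too.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [phc710] C:\WINDOWS\vphc700.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Bluetooth.lnk = ?
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Entry:
    section: str   # HijackThis section code: O2, O4, O16 or O23
    name: str      # BHO/service/CAB display name, or the Run value name
    target: str    # executable path, bare file name, URL, "(no file)" or "?"
    raw: str       # the original log line


_GUID = r"\{[0-9A-Fa-f-]+\}"
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - {_GUID} - (?P<target>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<target>.*)$")
O16_RE = re.compile(rf"^O16 - DPF: {_GUID} \((?P<name>.*?)\) - (?P<target>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<target>.*)$")
_RULES = (("O2", O2_RE), ("O4", O4_RUN_RE), ("O4", O4_STARTUP_RE),
          ("O16", O16_RE), ("O23", O23_RE))

# Assumed: extensions that end the path component of an unquoted command line.
_EXE_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".dll")
# Assumed allow-list of hosts from which O16 ActiveX downloads are expected
# on this machine; any other host is surfaced for review.
TRUSTED_DPF_SUFFIXES = (".microsoft.com", ".macromedia.com")


def command_path(cmd: str) -> str:
    """Extract the executable from a Run value's command line.

    A quoted path is taken verbatim. An unquoted one is read token by token
    until a token ends in an executable extension, so a path with spaces but
    no quotes (the McAfee SpamKiller line) is not cut at the first space.
    If no extension is found, the first token is returned.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(_EXE_EXT):
            return " ".join(tokens[: i + 1])
    return tokens[0]


def parse_hijackthis(text: str) -> List[Entry]:
    """Parse O2/O4/O16/O23 lines into Entry records; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        for section, pattern in _RULES:
            m = pattern.match(line)
            if m:
                gd = m.groupdict()
                target = command_path(gd["cmd"]) if "cmd" in gd else gd["target"]
                entries.append(Entry(section, gd["name"], target, line))
                break
    return entries


def review(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """First-pass heuristics; each hit is a reason to look closer, not a verdict."""
    findings: List[Tuple[Entry, List[str]]] = []
    for e in entries:
        reasons: List[str] = []
        t = e.target
        if t in ("(no file)", "?"):
            reasons.append("target missing or unresolved (orphaned CLSID, or a "
                           "shortcut HijackThis could not read)")
        elif e.section == "O16":
            host = urlparse(t).hostname or ""
            if not host.endswith(TRUSTED_DPF_SUFFIXES):
                reasons.append(f"ActiveX control fetched from third-party host {host}")
        else:
            if "\\" not in t:
                reasons.append("bare file name: resolved through the search PATH at "
                               "logon, so confirm which file actually runs")
            low = t.lower()
            if "\\documents and settings\\" in low or "\\temp\\" in low:
                reasons.append("runs from a user-writable location")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in review(parse_hijackthis(SAMPLE_LOG)):
        print(f"[{entry.section}] {entry.name}: {entry.target}")
        for r in reasons:
            print(f"    - {r}")
```

Run it against a whole log by reading the file into `parse_hijackthis`; every Run value, BHO, service and DPF object then carries a resolved target you can check on disk, and the review output is a short list to verify by hand rather than a 150-line log to read top to bottom.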


#2 Grinler (Lawrence Abrams)

  • Admin
  • 43,665 posts
  • Gender:Male
  • Location:USA

Posted 05 February 2008 - 04:49 PM

I apologize for the very long delay. We have a huge backlog of HijackThis logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new HijackThis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Also make sure you have already followed the steps outlined below:

Preparation Guide For Use Before Posting A Hijackthis Log

Thank you for your patience.



