Infected With Various Malware


  • This topic is locked
3 replies to this topic

#1 adamcflo

  • Members
  • 2 posts

Posted 20 June 2008 - 05:05 PM

Thanks. I discovered I had a problem when someone hacked my World of Warcraft account.

Here is what Kaspersky found:

Infected: Trojan program Trojan-Downloader.JS.Agent.bwl c:\documents and settings\nobody\local settings\temporary internet files\content.ie5\gqe4m0z4\vv[1].js 2 KB
Infected: Trojan program Trojan-PSW.Win32.OnLineGames.arjr c:\documents and settings\nobody\local settings\temporary internet files\content.ie5\zazat3yd\111[1].exe 20 KB
Infected: Trojan program Exploit.Win32.IMG-ANI.s c:\documents and settings\nobody\local settings\temporary internet files\content.ie5\xxs7w1qz\tt[1].gif 926 bytes
Infected: Trojan program Trojan-Downloader.Win32.FraudLoad.akv c:\documents and settings\nobody\local settings\temp\fhstsul8.exe 59 KB
Infected: Trojan program Exploit.JS.RealPlr.go c:\documents and settings\nobody\local settings\temporary internet files\content.ie5\dtewo4av\old[1].htm 3.8 KB
Infected: Trojan program Trojan-PSW.Win32.OnLineGames.arjq c:\documents and settings\nobody\local settings\temp\orzow.dll 15.3 KB
Infected: Trojan program Exploit.JS.CVE-2006-1359.ai c:\documents and settings\nobody\local settings\temporary internet files\content.ie5\9efi9tgs\le[1].htm 6 KB

============
I am also suspicious of some nwiz and qttrack files showing up in my registry under the system 32 folder. I'm totally out of my element here, so here is the DSS log:
============

Deckard's System Scanner v20071014.68
Run by Nobody on 2008-06-19 16:43:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
92: 2008-06-19 22:43:43 UTC - RP368 - Deckard's System Scanner Restore Point
91: 2008-06-19 19:41:16 UTC - RP367 - Installed Kaspersky Anti-Virus 7.0.
90: 2008-06-19 08:24:39 UTC - RP366 - Software Distribution Service 3.0
89: 2008-06-18 08:38:21 UTC - RP365 - System Checkpoint
88: 2008-06-17 08:25:58 UTC - RP364 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-03-22 08:39:46 UTC - RP277 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Nobody.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:00 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nobody\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Nobody.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1184989830645
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4097 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>

S3 AR5523 (NETGEAR WG111T USB2.0 Wireless Card Service) - c:\windows\system32\drivers\wg11tnd5.sys (file missing)
S3 DNINDIS5 (DNINDIS5 NDIS Protocol Driver) - c:\windows\system32\dnindis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0064&SUBSYS_0C111458&REV_A2\3&13C0B0C5&0&09
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0064&SUBSYS_0C111458&REV_A2\3&13C0B0C5&0&09
Service:

Class GUID:
Description: RAID Controller
Device ID: PCI\VEN_1283&DEV_8212&SUBSYS_00011283&REV_10\4&3B1D9AB8&0&6040
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1283&DEV_8212&SUBSYS_00011283&REV_10\4&3B1D9AB8&0&6040
Service:

Class GUID:
Description: RAID Controller
Device ID: PCI\VEN_1095&DEV_3112&SUBSYS_61121095&REV_02\4&3B1D9AB8&0&6840
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1095&DEV_3112&SUBSYS_61121095&REV_02\4&3B1D9AB8&0&6840
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-19 14:28:58 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-18 17:14:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-19 and 2008-06-19 -----------------------------

2008-06-19 16:24:48 0 d-------- C:\Program Files\Trend Micro
2008-06-19 16:02:27 0 d-------- C:\Documents and Settings\Nobody\Application Data\Lavasoft
2008-06-19 13:42:05 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-19 13:42:05 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-19 13:41:26 10784 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-19 13:41:26 1535776 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-19 13:41:26 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-19 13:41:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-19 13:36:14 0 d-------- C:\kav
2008-06-10 13:56:44 0 d-------- C:\Documents and Settings\Nobody\Application Data\Apple Computer
2008-06-10 13:56:22 0 d-------- C:\Program Files\iPod
2008-06-10 13:56:12 0 d-------- C:\Program Files\iTunes
2008-06-10 13:55:59 0 d-------- C:\Program Files\Bonjour
2008-06-10 13:55:27 0 d-------- C:\Program Files\QuickTime
2008-06-10 13:55:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-10 13:54:51 0 d-------- C:\Program Files\Apple Software Update
2008-06-10 13:54:45 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-10 13:54:31 0 d-------- C:\Program Files\Common Files\Apple
2008-06-10 13:54:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-23 17:53:35 0 d-------- C:\WINDOWS\Polaroid_536


-- Find3M Report ---------------------------------------------------------------

2008-06-10 13:54:31 0 d-------- C:\Program Files\Common Files
2008-06-07 16:59:50 0 d-------- C:\Program Files\World of Warcraft
2008-05-23 17:53:35 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [03/09/2006 03:29 PM]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [03/09/2006 03:29 PM]
"SoundMan"="SOUNDMAN.EXE" [11/17/2006 05:42 AM C:\WINDOWS\soundman.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 06:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/02/2008 11:13 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [02/08/2008 06:36 PM]
"nwiz"="nwiz.exe" [03/09/2006 03:29 PM C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{001F1062-D7A2-456A-AE04-EB9ABF822FE4}"= C:\DOCUME~1\Nobody\LOCALS~1\Temp\orzow.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-06-19 16:47:46 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2400+
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 511.48 MiB / 158.55 MiB
Pagefile Memory (total/avail): 866.18 MiB / 451.06 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.26 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 101.56 GiB total, 84.5 GiB free.
D: is Fixed (NTFS) - 10.22 GiB total, 5.14 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3120814A - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 101.56 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 10.22 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Kaspersky Anti-Virus v7.0.1.325 (Kaspersky Lab)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\kav\\kav7\\setup.exe"="C:\\kav\\kav7\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Nobody\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FRODO
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Nobody
LOGONSERVER=\\FRODO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Nobody\LOCALS~1\Temp
TMP=C:\DOCUME~1\Nobody\LOCALS~1\Temp
USERDOMAIN=FRODO
USERNAME=Nobody
USERPROFILE=C:\Documents and Settings\Nobody
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Nobody (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{9F70BF98-003C-491D-81FC-FF9792206AF0}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
Polaroid Digital Cam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9170E5EA-0739-4BBB-B27F-00BF316DC503}\setup.exe" -l0x9
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type569 / Warning
Event Submitted/Written: 06/19/2008 02:24:23 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type564 / Warning
Event Submitted/Written: 06/19/2008 02:15:30 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type556 / Warning
Event Submitted/Written: 06/19/2008 01:44:17 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type551 / Error
Event Submitted/Written: 06/19/2008 01:40:43 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type547 / Warning
Event Submitted/Written: 06/19/2008 01:37:49 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5158 / Warning
Event Submitted/Written: 06/19/2008 04:46:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRODO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRODO27 can't undo changes that you allow.

For more information please see the following:
%FRODO275

Scan ID: {D74A12AB-42A5-4A4A-B9C6-DECE7557D5C4}

User: FRODO\Nobody

Name: %FRODO271

ID: %FRODO272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRODO276

Alert Type: %FRODO278

Detection Type: 1.1.1593.02

Event Record #/Type5157 / Warning
Event Submitted/Written: 06/19/2008 04:46:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRODO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRODO27 can't undo changes that you allow.

For more information please see the following:
%FRODO275

Scan ID: {D88A4AF0-7BAF-4630-BF66-76803A9E5D67}

User: FRODO\Nobody

Name: %FRODO271

ID: %FRODO272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRODO276

Alert Type: %FRODO278

Detection Type: 1.1.1593.02

Event Record #/Type5156 / Warning
Event Submitted/Written: 06/19/2008 04:46:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRODO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRODO27 can't undo changes that you allow.

For more information please see the following:
%FRODO275

Scan ID: {4F4F59E8-99DC-4910-ADF4-D648570217BB}

User: FRODO\Nobody

Name: %FRODO271

ID: %FRODO272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRODO276

Alert Type: %FRODO278

Detection Type: 1.1.1593.02

Event Record #/Type5155 / Warning
Event Submitted/Written: 06/19/2008 04:46:26 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRODO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRODO27 can't undo changes that you allow.

For more information please see the following:
%FRODO275

Scan ID: {F6F3DBD8-AF48-499F-B393-2A55F3FEB626}

User: FRODO\Nobody

Name: %FRODO271

ID: %FRODO272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRODO276

Alert Type: %FRODO278

Detection Type: 1.1.1593.02

Event Record #/Type5154 / Warning
Event Submitted/Written: 06/19/2008 04:46:26 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRODO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRODO27 can't undo changes that you allow.

For more information please see the following:
%FRODO275

Scan ID: {CF042FB0-B96A-45C8-91AC-B36359619062}

User: FRODO\Nobody

Name: %FRODO271

ID: %FRODO272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRODO276

Alert Type: %FRODO278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-06-19 16:47:46 ------------





I'm a first time visitor to the site, and I've tried to provide as much detail of my problem as I can. I know nothing about the trojans on my computer. I hope that I've presented this properly, and I'm happy to provide any more information.

Thank you very much!
Adam.
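As an added triage example (my own code, not part of the post and not a DSS or HijackThis feature), the script below parses lines in the shape of the HijackThis "O" entries and the DSS Registry Dump quoted above, flags autostart entries whose target lives in a temp or browser-cache directory, is missing on disk, sits under ShellExecuteHooks, or has no file timestamp, and then matches flagged targets by file name against the Kaspersky detection paths so the 8.3 form (LOCALS~1\Temp) and the long path still line up. The sample lines and the detection map are constructed from the log above; the heuristic directory list is an assumption of mine, so entries such as [nwiz] in System32 pass it and are left to the analyst.

```python
import re

# Constructed sample in the shape of the HijackThis "O" lines and the DSS Registry Dump in the post.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"
    r" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"nwiz"="nwiz.exe" [03/09/2006 03:29 PM C:\WINDOWS\system32\nwiz.exe]',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]",
    r'"{001F1062-D7A2-456A-AE04-EB9ABF822FE4}"= C:\DOCUME~1\Nobody\LOCALS~1\Temp\orzow.dll [ ]',
]
# Constructed from the Kaspersky lines in the post: path -> detection name.
SAMPLE_AV_HITS = {
    r"c:\documents and settings\nobody\local settings\temp\orzow.dll": "Trojan-PSW.Win32.OnLineGames.arjq",
    r"c:\documents and settings\nobody\local settings\temp\fhstsul8.exe": "Trojan-Downloader.Win32.FraudLoad.akv",
}

HJT_RE = re.compile(r"^(?P<kind>O\d+) - (?P<body>.*)$")
HJT_O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# DSS value line: "name"="target" [file timestamp ...]; quotes around target are optional.
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"?(?P<target>[^"\[]*?)"?\s*\[(?P<stamp>[^\]]*)\]$')
# Directories where a legitimate autostart target almost never lives (my heuristic list, an assumption).
TEMP_MARKERS = (r"\locals~1\temp", r"\local settings\temp", r"\temporary internet files",
                r"\content.ie5", r"\windows\temp")


def basename(path: str) -> str:
    # Last path component, lower-cased, with HijackThis's "(file missing)" note stripped.
    return path.lower().strip().split("\\")[-1].split(" (")[0]


def path_reasons(target: str) -> list:
    t = target.lower()
    reasons = []
    if any(m in t for m in TEMP_MARKERS):
        reasons.append("target lives in a temp/browser-cache directory")
    if "(file missing)" in t:
        reasons.append("target is missing on disk (orphaned entry)")
    return reasons


def triage(lines: list) -> list:
    findings, current_key = [], ""
    for raw in lines:
        line = raw.strip()
        if (m := REG_KEY_RE.match(line)):
            current_key = m.group("key")  # values that follow belong to this key
            continue
        if current_key and (m := REG_VAL_RE.match(line)):
            reasons = path_reasons(m.group("target"))
            if current_key.lower().endswith("shellexecutehooks"):
                reasons.append("ShellExecuteHooks DLL: loaded by Explorer and any process calling ShellExecute")
            if not m.group("stamp").strip():
                reasons.append("DSS recorded no file timestamp for the target")
            if reasons:
                findings.append({"source": current_key, "name": m.group("name"),
                                 "target": m.group("target"), "reasons": reasons})
            continue
        if (m := HJT_RE.match(line)):
            kind, body = m.group("kind"), m.group("body")
            if (o4 := HJT_O4_RE.match(body)):
                name, target = o4.group("name"), o4.group("cmd")
            else:  # other O-lines: "<what> - <clsid> - <path>" or "<what>: <path>"
                parts = body.split(" - ")
                name = parts[0]
                target = parts[-1] if len(parts) > 1 else body.split(": ", 1)[-1]
            reasons = path_reasons(target)
            if reasons:
                findings.append({"source": kind, "name": name, "target": target, "reasons": reasons})
    return findings


def correlate(findings: list, av_hits: dict) -> list:
    # Match by file name so the 8.3 path (LOCALS~1\Temp) and the AV's long path still meet.
    by_name = {basename(p): d for p, d in av_hits.items()}
    for f in findings:
        hit = by_name.get(basename(f["target"]))
        if hit:
            f["reasons"].append(f"same file name as AV detection {hit}")
    return findings


if __name__ == "__main__":
    for f in correlate(triage(SAMPLE_LINES), SAMPLE_AV_HITS):
        print(f"{f['source']} [{f['name']}] -> {f['target']}: " + "; ".join(f["reasons"]))
```

On the sample, the ShellExecuteHooks entry is the one that ties the persistence point to the Kaspersky OnLineGames (password-stealer) hit, which matches the account theft Adam reports.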


#2 silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 12 July 2008 - 04:01 AM

Hi Adam,

I'm sorry it's taken so long for you to get a response. If you still need help, please do as follows:

It appears that your computer has been infected by a password-stealing trojan. If you use this computer for sensitive purposes, such as internet banking, then you should immediately use a known clean machine to change all your passwords. Also consider notifying your bank(s) etc. that your login credentials may have been compromised.



Please make new reports with DSS, if you need to download the program again you can do so from here:
http://www.techsupportforum.com/sectools/Deckard/dss.exe
  • Make sure DSS.exe is on your Desktop
  • Press Start->Run, copy/paste the following command into the box and press OK:

    "%userprofile%\desktop\dss.exe" /config

  • A configuration box will appear; make sure all boxes are checked, then press Scan!
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized)
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply
Once complete, please post both DSS logs, you won't need to produce a new HijackThis log as DSS produces one for you.
Teacher at Malware Removal University | ASAP & UNITE Member

#3 silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 15 July 2008 - 05:36 AM

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.
Teacher at Malware Removal University | ASAP & UNITE Member

#4 silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 17 July 2008 - 09:12 PM

Due to lack of response, this thread will now be closed.

If you are the topic starter and would like this topic reopened, please PM a staff member with a link to this thread and we will reopen it for you. Anyone else who needs assistance should begin a new topic.
Teacher at Malware Removal University | ASAP & UNITE Member



