Infected with CoolWWWsearch, and others?


14 replies to this topic

#1 panpanputt


Posted 13 December 2008 - 12:53 AM

Windows XP, internet explorer, Avast! installed and running.
Internet began running slowly... now taking minutes to load a basic page.

Ran Spybot Search & Destroy and fixed problems. SS&D identified but unable to fix CoolWWWSearch.

What to do?

#2 buddy215


Posted 13 December 2008 - 05:58 AM

Use SAS to find and remove the malware.
Be sure to update SAS before rebooting into safe mode to run the scan.
Instructions for using SAS are in the link below. Post the SAS log back here.

http://www.bleepingcomputer.com/forums/ind...t&p=1040160

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 panpanputt


Posted 13 December 2008 - 12:29 PM

Thanks for the help.

Below is the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/13/2008 at 11:23 AM

Application Version : 4.23.1006

Core Rules Database Version : 3674
Trace Rules Database Version: 1653

Scan type : Complete Scan
Total Scan Time : 01:59:17

Memory items scanned : 153
Memory threats detected : 0
Registry items scanned : 4338
Registry threats detected : 23
File items scanned : 20198
File threats detected : 67

Adware.E404 Helper/Variant-AA
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{446EF370-1987-49DB-AAFF-8EC680903F7A}
HKU\S-1-5-21-1292428093-113007714-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{446EF370-1987-49DB-AAFF-8EC680903F7A}

Trojan.FakeAlert-IEBT
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CFEE97A3-4911-444D-8BE8-E243A23D3DE2}
HKU\S-1-5-21-1292428093-113007714-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFEE97A3-4911-444D-8BE8-E243A23D3DE2}


Trojan.MSDirect
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DNLSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DNLSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DNLSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DNLSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DNLSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DNLSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DNLSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DNLSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DNLSVC\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECT
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECT#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECT\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECT\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECT\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECT\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECT\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECT\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECT\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECT\0000#Capabilities

Adware.Media-Codec/ZLob
C:\Program Files\Applications

Adware.E404 Helper/Dropper
C:\SYSTEM VOLUME INFORMATION\_RESTORE{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP738\A0068436.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP743\A0069482.EXE

Adware.E404 Helper/456
C:\SYSTEM VOLUME INFORMATION\_RESTORE{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP738\A0068441.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP743\A0069487.DLL

Trojan.Downloader-Gen/Suspicious
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\DROPPER.EXE

Rogue.MS AntiVirus-Installer/B
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\K446KDC2\MSXSETUP[1].EXE

Thanks again.

#4 buddy215


Posted 13 December 2008 - 01:08 PM

I see you use Firefox. If you don't have the NoScript addon, I suggest you get it. It will protect you from "driveby" downloads
of malware and many others. Adblock Plus is excellent, too. https://addons.mozilla.org/en-US/firefox/addon/722

You have/had some serious malware. Use another program, Malwarebytes Antimalware, to scan your computer, too.
Here is a link to instructions for its use.
http://www.bleepingcomputer.com/forums/ind...st&p=944365

Use Ccleaner to remove the temporary files, empty logs, cookies, etc. During install you will be offered the Yahoo Toolbar.
Uncheck it if not wanted.
http://www.ccleaner.com/

Please post the logs for another scan using SAS and MBAM after scanning.
Let us know how the computer is running and if you still have evidence of malware.

Edited by buddy215, 13 December 2008 - 01:10 PM.



#5 panpanputt


Posted 13 December 2008 - 08:05 PM

I actually don't use Firefox (just internet explorer), so I just uninstalled Firefox.
I ran CCleaner.
No obvious signs of infections.
Thanks.

MBAM Log:

Malwarebytes' Anti-Malware 1.24
Database version: 1051
Windows 5.1.2600 Service Pack 2

2:38:38 PM 12/13/2008
mbam-log-12-13-2008 (14-38-38).txt

Scan type: Quick Scan
Objects scanned: 76727
Time elapsed: 43 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SAS Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/13/2008 at 05:38 PM

Application Version : 4.23.1006

Core Rules Database Version : 3674
Trace Rules Database Version: 1653

Scan type : Complete Scan
Total Scan Time : 01:42:06

Memory items scanned : 155
Memory threats detected : 0
Registry items scanned : 4337
Registry threats detected : 2
File items scanned : 18693
File threats detected : 1

Adware.E404 Helper/Variant-AA
HKU\S-1-5-21-1292428093-113007714-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{446EF370-1987-49DB-AAFF-8EC680903F7A}

Trojan.FakeAlert-IEBT
HKU\S-1-5-21-1292428093-113007714-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFEE97A3-4911-444D-8BE8-E243A23D3DE2}

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@clickcash[1].txt

#6 buddy215


Posted 13 December 2008 - 09:21 PM

The MBAM program was not updated. When you open the program choose update before doing a quick scan.
The latest update is 1498.

Do a scan using Sdfix. Instructions are in the link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1042092

Post back with the updated MBAM scan log and the Sdfix log.

Let us know how the computer is running.

Always good to have another browser on board. Just this week Microsoft announced that there was an IE zero-day exploit
in the wild. Right now the only protection is using a different browser. They will likely come up with a patch next week. Maybe.



#7 panpanputt


Posted 15 December 2008 - 05:57 PM

Ran the recommended; logs below.
Seems to be running okay now.
Logs look okay?
Thanks.

MBAM Log (Pre-SDFix)

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

12/14/2008 8:21:57 AM
mbam-log-2008-12-14 (08-21-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 95736
Time elapsed: 1 hour(s), 1 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cfee97a3-4911-444d-8be8-e243a23d3de2} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cfee97a3-4911-444d-8be8-e243a23d3de2} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhccebj0e33t (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\768890 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP738\A0068437.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP738\A0068439.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP738\A0068440.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP743\A0069483.dll (Trojan.TDSS) -> Quarantined and deleted successfully.


SDFix Log

SDFix: Version 1.217
Run by Administrator on Mon 12/15/2008 at 04:26 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 17:10:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\.tt211.tmp"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\.tt211.tmp:*:Enabled:enable"
"C:\\WINDOWS\\neos.exe"="C:\\WINDOWS\\neos.exe:*:Enabled:enable"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Wed 3 May 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!


MBAM Log (post SDFix)

Malwarebytes' Anti-Malware 1.31
Database version: 1503
Windows 5.1.2600 Service Pack 2

12/15/2008 5:52:46 PM
mbam-log-2008-12-15 (17-52-46).txt

Scan type: Quick Scan
Objects scanned: 57736
Time elapsed: 11 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 buddy215


Posted 15 December 2008 - 06:51 PM

There is a file in the SD Fix log that several sites report as a trojan and one site says is safe. Best to submit the file to
http://www.virustotal.com/ and it will scan the file with several programs.

The file is in this line "C:\\WINDOWS\\neos.exe"="C:\\WINDOWS\\neos.exe:*:Enabled:enable"

Go to the Virus Total site in the link above and click on the browse button. Browse to C:\\WINDOWS\\neos.exe
When you find the file neos.exe, double click on it and follow the prompt to submit.

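The neos.exe entry buddy215 picked out above comes from the firewall exception list that SDFix exports. Reviewing that list by hand is the method the thread uses; the following added example (an editor's illustration, not code from the thread or from SDFix) parses an export in that format and applies the same reviewer heuristics mechanically: a program allowed through the firewall from a Temp directory, from the Windows or drive root instead of a program folder, or with a placeholder description such as "enable" is flagged for a closer look. The sample export is constructed from entries modelled on this thread's log, and %windir% is assumed to be C:\WINDOWS as the log shows.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the format of SDFix's "Authorized Application Key Export"
# (a .reg-style dump of the XP firewall exception lists). Entries are modelled on
# the ones in this thread.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\.tt211.tmp"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\.tt211.tmp:*:Enabled:enable"
"C:\\WINDOWS\\neos.exe"="C:\\WINDOWS\\neos.exe:*:Enabled:enable"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

# %windir% on this machine, as the SDFix log shows (assumption used by the heuristics).
WINDIR = r'C:\WINDOWS'

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)"$')


@dataclass
class FirewallException:
    profile: str        # standardprofile or domainprofile
    path: str           # program path with the .reg escaping undone
    scope: str          # '*' means any remote address
    enabled: bool
    description: str
    reasons: List[str] = field(default_factory=list)


def unescape_reg(s: str) -> str:
    # .reg exports double every backslash inside quoted strings.
    return s.replace('\\\\', '\\')


def parse_export(text: str) -> List[FirewallException]:
    """Parse the exported list; each value is path:scope:state:description."""
    entries: List[FirewallException] = []
    profile = 'unknown'
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            parts = sec.group('key').lower().split('\\')
            # ...\firewallpolicy\<profile>\authorizedapplications\list
            profile = parts[-3] if len(parts) >= 3 else 'unknown'
            continue
        ent = ENTRY_RE.match(line)
        if not ent:
            continue
        value = unescape_reg(ent.group('value'))
        try:
            # rsplit keeps the drive-letter colon inside the path intact.
            path, scope, state, desc = value.rsplit(':', 3)
        except ValueError:
            continue
        entries.append(FirewallException(profile, path, scope,
                                         state.lower() == 'enabled', desc))
    return entries


def triage(entry: FirewallException) -> List[str]:
    """Heuristics a reviewer applies to each exception; returns why it looks odd."""
    reasons: List[str] = []
    p = entry.path.replace('%windir%', WINDIR).lower()
    parent, _, name = p.rpartition('\\')
    if '\\temp\\' in p or name.endswith('.tmp'):
        reasons.append('binary lives in a Temp directory or carries a .tmp extension')
    if parent in (WINDIR.lower(), 'c:'):
        reasons.append('binary sits in the Windows root or drive root, not a program folder')
    if entry.description.strip().lower() in ('', 'enable', 'enabled'):
        reasons.append('placeholder description instead of a product name')
    return reasons


def suspicious_exceptions(text: str) -> List[FirewallException]:
    """Return the exceptions worth investigating, enabled ones first."""
    flagged = []
    for e in parse_export(text):
        e.reasons = triage(e)
        if e.reasons:
            flagged.append(e)
    return sorted(flagged, key=lambda e: not e.enabled)


if __name__ == '__main__':
    for e in suspicious_exceptions(SAMPLE_EXPORT):
        print(f'[{e.profile}] {e.path} enabled={e.enabled}')
        for r in e.reasons:
            print('   -', r)
```

A disabled exception does not open the firewall, but it is still kept in the report because its presence shows a program asked for access at some point.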


#9 panpanputt


Posted 15 December 2008 - 07:18 PM

I am unable to locate the neos.exe when I browse for it on virustotal.com.
I also did a search for it and was still unable to locate it.
?
Thanks.

#10 buddy215


Posted 15 December 2008 - 07:26 PM

Try unhiding the windows files and folders. Then search with Virus Total again.

Windows XP and Windows 2003

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and shut down My Computer.
10. Now your computer is configured to show all hidden files.



#11 panpanputt


Posted 15 December 2008 - 07:39 PM

I unhid the files and folders and still no luck locating the file.
Thanks.

#12 buddy215


Posted 15 December 2008 - 07:55 PM

I am like 90% certain that is malware.

There is another odd thing about your logs. (Trojan.TDSS) is only showing up in your system restore. Is it possible that your antivirus program removed TDSS before you submitted logs? We will clean up system restore last. Those files won't reinfect you as long as you don't use system restore.

Use Dr. Web Cureit. The directions are in the link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1042539

After that scan, check SAS for updates and, if there are new ones, run another scan in safe mode after updating in regular mode.



#13 buddy215


Posted 16 December 2008 - 02:26 PM

Back in August Quietman7 requested you post a HJT log in the HJT forum. His concern was the same as mine about "neos.exe". I ran across this while looking today for more info on neos.exe. HJT log wasn't posted, so here we are again. :thumbsup:

This file name is also used by an instant messaging client that can communicate over several networks (ICQ, MSN, Yahoo, Jabber). Primarily used as a Jabber client. neosmt.com
A messenger by Novamens S.A.

Do you recognize any of the info in the above paragraph?



#14 panpanputt


Posted 17 December 2008 - 07:32 AM

I ran Dr. WebCureIt and then SAS.
I don't see the SAS log. Is that because when I logged on in safe mode I logged on as administrator rather than myself?

As for messaging, I have loaded and use periodically MSN Messenger.

Dr.WebCureIt Log:

RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Owner\Desktop\Security\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Owner\Desktop\Security;Archive contains infected objects;Moved.;
mocean worker.mp3;C:\Documents and Settings\Owner\My Documents\My Music\iTunes\iTunes Music;Trojan.Click.18899;Incurable.Moved.;
shake ya boogie.mp3;C:\Documents and Settings\Owner\My Documents\My Music\iTunes\iTunes Music;Trojan.Click.18899;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0068434.dll;C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP738;BackDoor.Tdss.7;Deleted.;
A0068438.dll;C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP738;BackDoor.Tdss.7;Deleted.;
A0069606.reg;C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP744;Trojan.StartPage.1505;Deleted.;
A0070011.exe;C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP745;Tool.Prockill;;
A0070159.reg;C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP745;Trojan.StartPage.1505;Deleted.;
A0070253.reg;C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP746;Trojan.StartPage.1505;Deleted.;
A0070254.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP746\A0070254.exe;Tool.Prockill;;
A0070254.exe;C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP746;Archive contains infected objects;Moved.;
open.exe;C:\WINDOWS\Downloaded Program Files;Trojan.WinShow.20480;Deleted.;
AMSDP_3.dll;C:\WINDOWS\system32;Trojan.DownLoader.origin;Incurable.Moved.;
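buddy215's earlier point, that Trojan.TDSS was showing up only in System Restore copies, is the triage question a reviewer asks of every line in a log like the Dr.Web CureIt one above: is the detection a live file or a restore-point snapshot, a real threat or a component of the removal tool itself, and did the scanner actually act on it? The following added example (an editor's illustration, not code from the thread or from Dr.Web) parses lines in the name;directory;verdict;action; format posted above and sorts them into those buckets. The sample lines are taken from the log in this thread; the example assumes that Dr.Web's "Tool." prefix marks riskware such as process killers rather than malware.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lines in the Dr.Web CureIt log format posted in this thread
# (name;directory;verdict;action;), taken from the log above.
SAMPLE_LOG = r'''
RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Owner\Desktop\Security\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Owner\Desktop\Security;Archive contains infected objects;Moved.;
mocean worker.mp3;C:\Documents and Settings\Owner\My Documents\My Music\iTunes\iTunes Music;Trojan.Click.18899;Incurable.Moved.;
A0068434.dll;C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP738;BackDoor.Tdss.7;Deleted.;
A0070011.exe;C:\System Volume Information\_restore{69DAF4D7-5412-4938-A8B6-3F5B15A87B88}\RP745;Tool.Prockill;;
open.exe;C:\WINDOWS\Downloaded Program Files;Trojan.WinShow.20480;Deleted.;
AMSDP_3.dll;C:\WINDOWS\system32;Trojan.DownLoader.origin;Incurable.Moved.;
'''

# System Restore keeps its copies under System Volume Information\_restore{GUID}\RPnnn.
RESTORE_RE = re.compile(r'^c:\\system volume information\\_restore\{[0-9a-f-]+\}\\(rp\d+)', re.I)


@dataclass
class Finding:
    name: str       # file name, or "archive\inner\path" for an object inside an archive
    directory: str  # containing directory, or the archive file for a nested object
    verdict: str    # Dr.Web detection name
    action: str     # what CureIt did ('' = nothing, which is what it does for riskware)

    @property
    def restore_point(self) -> Optional[str]:
        m = RESTORE_RE.match(self.directory)
        return m.group(1).upper() if m else None

    @property
    def resolved(self) -> bool:
        return 'Deleted' in self.action or 'Moved' in self.action


def parse_cureit(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        fields = line.strip().split(';')
        if len(fields) >= 4 and fields[0]:
            findings.append(Finding(*fields[:4]))
    return findings


def is_tool(verdict: str) -> bool:
    # Assumption: Dr.Web's 'Tool.' prefix marks riskware such as process killers, not malware.
    return verdict.startswith('Tool.')


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Sort findings into live files, restore-point copies, tools and unresolved items."""
    # Verdicts found inside each archive, keyed by the archive's full path.
    inside: Dict[str, List[str]] = {}
    for f in findings:
        if '\\' in f.name:
            inside.setdefault(f.directory.lower(), []).append(f.verdict)

    buckets: Dict[str, List[Finding]] = {'live': [], 'restore_point': [], 'tool': [], 'unresolved': []}
    for f in findings:
        verdicts = [f.verdict]
        if f.verdict.startswith('Archive contains'):
            # Judge an archive by what was found inside it.
            verdicts = inside.get((f.directory + '\\' + f.name).lower(), verdicts)
        if all(is_tool(v) for v in verdicts):
            buckets['tool'].append(f)
            continue
        if not f.resolved:
            buckets['unresolved'].append(f)
        buckets['restore_point' if f.restore_point else 'live'].append(f)
    return buckets


def summarize(text: str) -> Dict[str, List[str]]:
    return {k: [f.name for f in v] for k, v in triage(parse_cureit(text)).items()}


if __name__ == '__main__':
    for bucket, names in summarize(SAMPLE_LOG).items():
        print(f'{bucket}: {names}')
```

The "live" bucket is the one that matters for the running system; restore-point copies only come back if System Restore is used, which is why the thread leaves cleaning them for last.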

#15 buddy215


Posted 17 December 2008 - 08:34 AM

Due to being unable to identify the neos.exe and what Dr. Web Cureit found, I recommend that you post a Hijack This log
for the experts to review. Post the log in the HJT Forum. DO NOT post the log in this forum.

Directions for posting the HJT log in the link below.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Click on the "statistics/log" tab after opening SAS. You should see a list of all logs saved by SAS.

The neos.exe might be used by a messenger used during an online gaming session.

If you are using P2Ps to download music, movies, programs, cracks, etc., be aware that it is a sure way to get some very bad
malware.





