
HJT Log: Persistent Pop-ups


  • This topic is locked
26 replies to this topic

#1 water

  • Members
  • 22 posts

Posted 05 July 2005 - 12:39 PM

I scanned my notebook with Spybot, Ad-Aware and Ewido, but the annoying pop-ups keep appearing. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 上午 12:33:49, on 2005/7/6
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents And Settings\jasper\Local Settings\Temp\HijackThis.exe

O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoftf DDEs Control] wees.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\Run: [Microsoftz turn Control] read.pif
O4 - HKLM\..\Run: [Microsoftm EEGS bleeprol] loor.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] wees.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\RunServices: [Microsoftz turn Control] read.pif
O4 - HKLM\..\RunServices: [Microsoftm EEGS bleeprol] loor.pif
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...bridge-c420.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\rapapp.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts

Posted 06 July 2005 - 01:07 PM

Hello water and welcome to BleepingComputer.

You have HijackThis running from a temporary or zip folder. Any backup files HJT creates during the repair process will not be secure if left in this folder.

Create a folder on the C: drive called "C:\HJT". You can do this by opening My Computer, then double-clicking on Local Disk (C:). In a clear area, right-click and select New, then Folder, and name it "HJT". Unzip HijackThis into this folder. Please delete any other copies of HijackThis and run HJT only from this new folder.


I would like you to have a file scanned for me. Go to Jotti's malware scan site and submit the following file for a malware scan:

C:\WINNT\system32\internat.exe

Post the results of the scans in your next reply.


Configure Windows to enable viewing of Hidden and System files.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O4 - HKLM\..\Run: [Microsoftf DDEs Control] wees.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\Run: [Microsoftz turn Control] read.pif
O4 - HKLM\..\Run: [Microsoftm EEGS bleeprol] loor.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] wees.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\RunServices: [Microsoftz turn Control] read.pif
O4 - HKLM\..\RunServices: [Microsoftm EEGS bleeprol] loor.pif

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...bridge-c420.cab

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (don't be concerned if they cannot be found):

C:\WINNT\wees.exe <--Files
C:\WINNT\runm.pif
C:\WINNT\read.pif
C:\WINNT\loor.pif
C:\WINNT\System32\wees.exe
C:\WINNT\System32\runm.pif
C:\WINNT\System32\read.pif
C:\WINNT\System32\loor.pif

If any of these resist being deleted, boot into Safe Mode and try from there.


Reboot and post a fresh HJT log along with the Jotti results.
Derfram
~~~~~~

#3 water

  • Members
  • 22 posts

Posted 07 July 2005 - 11:15 AM

Thanks.

I deleted the files you mentioned in the HJT scan and rebooted my machine. However, during the initial phase of the restart, an error message appeared saying that C:\WINNT\System32\Isass.exe terminated unexpectedly with status code 128. The machine then restarted again and the same error message reappeared. I had to physically shut it down and turn it on manually.

I tried the Jotti scan and here is the result. The new HJT log is also enclosed.

File: internat.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 f4206fca3b1d2feab50738ec2485d5f3
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


Last file scanned at least one scanner reported something about: Backdoor.Win32.FTPCentre.1 in Server.zip, detected by:

Scanner Malware name
AntiVir Heuristic/Trojan.Downloader
ArcaVir X
Avast X
AVG Antivirus X
BitDefender BehavesLike:Win32.AV-Killer
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus Trojan-PSW.Win32.Lineage.hx
NOD32 a variant of Win32/PSW.Lineage.DN
Norman Virus Control Sandbox: W32/FileInfector
UNA X
VBA32 Backdoor.Win32.FTPCentre.1


You're free to (mis)interpret these automated, flawed statistics at your own discretion.


78978 files (48015 of those unique) have been uploaded & scanned since 07/Jun/2005, the day of the last database purge.
13363 of those 48015 files contained a virus or any other form of malware.
This page has been visited 123253 times in this time period.


Logfile of HijackThis v1.99.1
Scan saved at 上午 12:16:33, on 2005/7/8
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Messenger Service] msnmsgr.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitehaf32.exe
O4 - HKLM\..\RunServices: [Messenger Service] msnmsgr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\rapapp.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts

Posted 07 July 2005 - 04:12 PM

an error message came out saying that C:\WINNT\System32\Isass.exe terminated unexpectedly with status code 128.

Is the machine booting normally now? That error is an indication of the Sasser virus. Go to http://vil.nai.com/vil/stinger/, download and run s-t-i-n-g-e-r.exe as instructed on the page.

After that completes..

Download ETRemover_V130.zip.
- Unzip it into its own folder.

Reboot into Safe Mode.

Open the ETRemover folder and double click on ETRemover_V130.exe to run it.
- Click on "Kill EliteToolbar" and let it scan your system.
- If it asks to delete your 'prefetch files', allow it to do so.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O4 - HKLM\..\Run: [Messenger Service] msnmsgr.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitehaf32.exe
O4 - HKLM\..\RunServices: [Messenger Service] msnmsgr.exe

With ALL OTHER WINDOWS CLOSED, click on Fix Checked. Close HJT.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (don't be concerned if they cannot be found):

C:\WINNT\msnmsgr.exe <--Files
C:\WINNT\System32\msnmsgr.exe


Reboot normally and post a fresh HJT log.

Edited by ddeerrff, 07 July 2005 - 04:21 PM.

Derfram
~~~~~~
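The O4 entries ddeerrff singles out in posts #2 and #4 share a few tells a defender can check mechanically: the value name borrows the Microsoft brand with a typo, the command is a bare filename with no install path, the file is a .pif rather than an .exe, the same command is written to both Run and RunServices, or the filename is a near-miss of a core system binary (svghostb.exe for svchost.exe). The O16 entry removed in post #2 is an ActiveX control served from a host no scanner vendor uses. The script below is an added example, not a BleepingComputer or HijackThis tool: it parses O4/O16 lines in the HijackThis v1.99.1 format and scores each one on those signals. The sample lines are constructed from entries quoted in this thread; the trusted-domain allowlist, the scoring weights, the threshold and all function names are assumptions for illustration.

```python
"""Heuristic triage of HijackThis O4/O16 lines (added example, not an official tool)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed allowlist of ActiveX (O16) download hosts, built from the vendors in this thread.
TRUSTED_DPF_DOMAINS = ("trendmicro.com", "symantec.com", "yimg.com", "akamai.net")
# Core Windows binaries whose names malware likes to imitate.
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "smss.exe")
RISKY_EXTENSIONS = (".pif", ".scr", ".bat", ".com", ".cmd")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|pif|scr|com|bat|cmd))"?(?:\s|$)', re.IGNORECASE)

# Constructed sample: legitimate entries mixed with the ones fixed in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe",
    r"O4 - HKLM\..\Run: [Microsoftf DDEs Control] wees.exe",
    r"O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] wees.exe",
    r"O4 - HKLM\..\Run: [Microsoftz turn Control] read.pif",
    r"O4 - HKLM\..\Run: [Messenger Service] msnmsgr.exe",
    r"O4 - HKLM\..\RunServices: [Messenger Service] msnmsgr.exe",
    r"O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitehaf32.exe",
    r"O4 - HKLM\..\Run: [Microsoft Security Oanagers] svghostb.exe",
    r"O4 - HKCU\..\Run: [internat.exe] internat.exe",
    r"O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab",
    r"O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...bridge-c420.cab",
]


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)
    cmd: str = ""   # normalised command, used for the Run/RunServices duplication check
    key: str = ""   # run key name in lower case, empty for O16 lines

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def edit_distance(a, b):
    """Plain Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the system binary this name imitates (distance 1 or 2), else None."""
    name = filename.lower()
    for real in SYSTEM_BINARIES:
        if name != real and edit_distance(name, real) <= 2:
            return real
    return None


def executable_of(cmd):
    """Extract the program path from a Run value: quoted path, unquoted path with spaces, or bare name."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m["exe"]
    tokens = cmd.split()
    return tokens[0] if tokens else ""


def assess_o4(line):
    m = O4_RE.match(line)
    if not m:
        return None
    exe = executable_of(m["cmd"])
    basename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    f = Finding(line, cmd=m["cmd"].strip().lower(), key=m["key"].lower())
    if f.key == "runservices":
        f.add(2, "RunServices is a Windows 9x-era key that Windows 2000 installers seldom write")
    if "\\" not in exe and ":" not in exe:
        f.add(1, "bare filename, located via the search path instead of an explicit install directory")
    if basename.endswith(RISKY_EXTENSIONS):
        f.add(2, f"startup entry launches a {basename.rsplit('.', 1)[-1]} file")
    if m["name"].lower().startswith("microsoft") and "\\" not in exe:
        f.add(3, "value name borrows the Microsoft brand but points at an unqualified file")
    real = lookalike_of(basename)
    if real:
        f.add(3, f"filename is a near-miss of system binary {real}")
    return f


def assess_o16(line):
    m = O16_RE.match(line)
    if not m:
        return None
    host = (urlparse(m["url"]).hostname or "").lower()
    f = Finding(line)
    if not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS):
        f.add(3, f"ActiveX control served from unlisted host {host}")
    if not m["desc"]:
        f.add(1, "control registered without a friendly name")
    return f


def triage(lines, threshold=3):
    """Score every O4/O16 line and return those at or above the threshold."""
    findings = [f for f in (assess_o4(l.rstrip()) or assess_o16(l.rstrip()) for l in lines) if f]
    # Cross-line signal: the same command under both Run and RunServices, which every
    # malicious entry in this thread's logs shows.
    keys_by_cmd = {}
    for f in findings:
        if f.key:
            keys_by_cmd.setdefault(f.cmd, set()).add(f.key)
    for f in findings:
        if f.key and {"run", "runservices"} <= keys_by_cmd[f.cmd]:
            f.add(2, "same command duplicated under Run and RunServices")
    return [f for f in findings if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.score}] {f.line}")
        for why in f.reasons:
            print("      -", why)
```

Run as-is it flags the wees.exe, read.pif, msnmsgr.exe and svghostb.exe entries and the windupdates.com control, while leaving the Sun Java updater, internat.exe and the HouseCall control alone. Note what it misses: the elitehaf32.exe entry has an innocuous value name and a full system32 path, so name-based heuristics score it zero. That is why the thread still sends individual files to Jotti: a name-based triage narrows the list, and a hash or multi-engine lookup settles it.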

#5 water

  • Members
  • 22 posts

Posted 08 July 2005 - 01:53 PM

I tried the methods you mentioned but still encountered a few problems.

1. The "Isass.exe terminated unexpectedly with Code 128" problem remains.
2. On one rebooting occasion, a message box appeared saying "Isass.exe has generated errors and will be closed by window. You need to restart the program. An error log is created".
3. When scanning with ET Remover, a message appeared saying "C:\WINNT\system32\command.com C:\WINNT\system32\AUTOEXEC.NT The system is not suitable for running MS-DOS and Microsoft Window Applications. Choose CLOSE to terminate the application." After I clicked CLOSE, the DOS screen showed "prefetch: The system cannot find the file specified." Also, it asked me whether I wanted to delete C:\WINNT\temp\*.*/f. I clicked NO.
4. On another rebooting occasion, a message box appeared saying "The system cannot log you on due to the following error: The network request is not supported. Please try again and consult your system administrator."
5. Finally, the booting time is very long.

Regarding the HJT scan: I deleted the items you specified, but in the latest HJT scan I still found them there. Here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 上午 02:51:43, on 2005/7/9
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Messenger Service] msnmsgr.exe
O4 - HKLM\..\RunServices: [Messenger Service] msnmsgr.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\rapapp.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts

Posted 08 July 2005 - 03:16 PM

Were you able to download and run Stinger? If so, did it find anything?


To fix the "C:\WINNT\system32\command.com C:\WINNT\system32\AUTOEXEC.NT The system is not suitable for running MS-DOS and Microsoft Window Applications" error, download and run XP_Fix.exe from this page.
(Yes, this should work for Win2K also)

Then boot into safe mode and attempt again to run ET Remover. "delete C:\WINNT\temp\*.*/f" was asking to delete files in the temp folder. Either Yes or No is OK at this point.


I would like you to have a file scanned for me. Go to Jotti's malware scan site and submit the following file for a malware scan:

msnmsgr.exe

It may be located at
C:\WINNT\msnmsgr.exe or
C:\WINNT\System32\msnmsgr.exe

Post the results of the scans in your next reply.

Edited by ddeerrff, 08 July 2005 - 03:29 PM.

Derfram
~~~~~~

#7 water

  • Members
  • 22 posts

Posted 09 July 2005 - 12:07 PM

Thanks. I did download Stinger, and the first scan, before my last reply, identified and cleaned a few bugs (sorry, I forgot their names).

I just tried the Stinger scan again and it showed the machine is clean. The ET Remover also said that my machine is clean. I then redid the whole process you mentioned in your previous reply and deleted msnmsgr.exe from the HJT scan in Safe Mode. (Previously, I fixed them in Normal Mode. Maybe that is the reason why they were still there after the HJT scan.) I guess the msnmsgr.exe file has been deleted successfully this time, because I couldn't locate it in Jotti's browse dialog.

However, when I restarted the machine, the "error Code 128" reappeared.

Here is the latest HJT scan.

Logfile of HijackThis v1.99.1
Scan saved at 上午 01:06:10, on 2005/7/10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Security Oanagers] svghostb.exe
O4 - HKLM\..\RunServices: [Microsoft Security Oanagers] svghostb.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\rapapp.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#8 ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts

Posted 09 July 2005 - 12:38 PM

Everything I find related to that error still is pointing to the Sasser virus.

Download and run the Microsoft Malicious Software removal tool.

Then go to http://www.windowsupdate.com and install all available critical and security updates. In particular, you need to have 'Windows 2000 hotfix - KB835732' installed.

Then run the Malicious Software removal tool again.

Let me know if that helps any.

Edited by ddeerrff, 09 July 2005 - 11:03 PM.

Derfram
~~~~~~

#9 water

  • Members
  • 22 posts

Posted 10 July 2005 - 12:40 AM

The Microsoft Malicious Software Removal Tool scan showed that the machine is clean. I went to the download centre, but the default list of downloads does not include the file you mentioned (i.e. the Windows 2000 hotfix).

#10 ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts

Posted 10 July 2005 - 11:42 AM

Open Hijackthis:
- Click the Config... button, then go to the Misc Tools section.
- Click on Open Uninstall Manager. You'll see a list of programs.
- Click on Save List...
The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.
Derfram
~~~~~~

#11 water

  • Members
  • 22 posts

Posted 11 July 2005 - 11:08 AM

Here is the log.

Ad-Aware SE Personal
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (僅供移除)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
a-squared Free 1.6
BlackICE
DirectX 9 Hotfix - KB839643
ewido security suite
HijackThis 1.99.1
hp deskjet 3500
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
Intel® PRO Ethernet Adapter and Software
Java 2 Runtime Environment, SE v1.4.2_06
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Lucent Technologies Soft Modem AMR
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office 2000 Professional
Microsoft VGX Q833989
Microsoft Windows Journal Viewer
Microsoft XML Parser and SDK
Norton AntiVirus 2003
Norton WMI Update
RealPlayer
Spelling Dictionaries For Adobe Reader Package
Spybot - Search & Destroy 1.3
SpywareBlaster v3.4
Windows 2000 Hotfix - KB820888
Windows 2000 Hotfix - KB822831
Windows 2000 Hotfix - KB823182
Windows 2000 Hotfix - KB823559
Windows 2000 Hotfix - KB824105
Windows 2000 Hotfix - KB824141
Windows 2000 Hotfix - KB824146
Windows 2000 Hotfix - KB825119
Windows 2000 Hotfix - KB826232
Windows 2000 Hotfix - KB828035
Windows 2000 Hotfix - KB828749
Windows 2000 Hotfix - KB829558
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB883939
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix (SP5) Q818043
Windows 2000 Service Pack 4
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See wm828026 for more information]
Windows Media Player system update (9 Series)
WinZip
Yahoo! Anti-Spy
Yahoo! Install Manager
Yahoo! Toolbar

#12 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • OFFLINE
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:09:48 PM

Posted 11 July 2005 - 07:17 PM

Please download and install "Security Update for Windows 2000 (KB835732)" from the Microsoft download site here.

Reboot and post a new HJT log (a scan log, not an uninstall log).
Derfram
~~~~~~

#13 water

water
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:10:48 PM

Posted 12 July 2005 - 08:52 AM

The pop-ups hit me again. I did a Spybot scan and it showed that they are CallingHome.biz and Elitum.EliteBar. I am not sure whether it is helpful, but here is the Ad-Aware scan result.


Ad-Aware SE Build 1.05
Logfile Created on: 12 July 2005 09:44:51 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R52 30.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ebates MoneyMaker(TAC index:4):1 total references
Elitum.ElitebarBHO(TAC index:5):10 total references
MRU List(TAC index:0):29 total references
Possible Browser Hijack attempt(TAC index:3):4 total references
Tracking Cookie(TAC index:3):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2005-7-12 09:44:51 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\jasper\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\jasper\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 152
ThreadCreationTime : 2005-7-12 01:28:12 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 176
ThreadCreationTime : 2005-7-12 01:28:19 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 172
ThreadCreationTime : 2005-7-12 01:28:23 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 224
ThreadCreationTime : 2005-7-12 01:28:24 PM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 236
ThreadCreationTime : 2005-7-12 01:28:24 PM
BasePriority : Normal
FileVersion : 5.00.2195.6695
ProductVersion : 5.00.2195.6695
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 388
ThreadCreationTime : 2005-7-12 01:28:28 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 436
ThreadCreationTime : 2005-7-12 01:28:28 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:8 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 488
ThreadCreationTime : 2005-7-12 01:28:29 PM
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:9 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 512
ThreadCreationTime : 2005-7-12 01:28:29 PM
BasePriority : Normal
FileVersion : 1.03.4
ProductVersion : 1.03.4
ProductName : Event Manager
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:10 [blackd.exe]
FilePath : C:\Program Files\Network ICE\BlackICE\
ProcessID : 616
ThreadCreationTime : 2005-7-12 01:28:35 PM
BasePriority : Normal
FileVersion : 3.6.317
ProductVersion : 3.6
ProductName : Network ICE Corporation blackd
CompanyName : Internet Security Systems, Inc.
FileDescription : blackd
InternalName : BlackICE Daemon
LegalCopyright : Copyright © 1999-2003, Internet Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security Systems, Inc.
OriginalFilename : blackd.exe
Comments : Reverse engineering prohibited by license agreement

#:11 [ewidoctrl.exe]
FilePath : C:\Program Files\Ewido\security suite\
ProcessID : 644
ThreadCreationTime : 2005-7-12 01:28:36 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright c 2004
OriginalFilename : ewidoctrl.exe

#:12 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 672
ThreadCreationTime : 2005-7-12 01:28:39 PM
BasePriority : Normal
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:13 [netlib.exe]
FilePath : C:\WINNT\system32\
ProcessID : 792
ThreadCreationTime : 2005-7-12 01:28:43 PM
BasePriority : Normal


#:14 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 772
ThreadCreationTime : 2005-7-12 01:28:45 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:15 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 864
ThreadCreationTime : 2005-7-12 01:28:46 PM
BasePriority : Normal
FileVersion : 4.71.2195.6704
ProductVersion : 4.71.2195.6704
ProductName : MicrosoftR WindowsR Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:16 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 928
ThreadCreationTime : 2005-7-12 01:28:48 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:17 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 964
ThreadCreationTime : 2005-7-12 01:28:49 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:18 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1064
ThreadCreationTime : 2005-7-12 01:28:51 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:19 [msnmsgr.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1180
ThreadCreationTime : 2005-7-12 01:29:03 PM
BasePriority : Normal


#:20 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_06\bin\
ProcessID : 1244
ThreadCreationTime : 2005-7-12 01:29:07 PM
BasePriority : Normal


#:21 [jucheck.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_06\bin\
ProcessID : 1264
ThreadCreationTime : 2005-7-12 01:29:07 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : UpdateChecker Module
FileDescription : UpdateChecker Module
InternalName : UpdateChecker
LegalCopyright : Copyright 2002
OriginalFilename : UpdateChecker.EXE

#:22 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 1280
ThreadCreationTime : 2005-7-12 01:29:07 PM
BasePriority : Normal
FileVersion : 0.1.0.3018
ProductVersion : 0.1.0.3018
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright c RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:23 [msnmsgr.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1288
ThreadCreationTime : 2005-7-12 01:29:08 PM
BasePriority : Normal


#:24 [blackice.exe]
FilePath : C:\Program Files\Network ICE\BlackICE\
ProcessID : 1360
ThreadCreationTime : 2005-7-12 01:29:08 PM
BasePriority : Normal
FileVersion : 3.6.46
ProductVersion : 3.6
ProductName : Internet Security Systems, Inc. BlackICE
CompanyName : Internet Security Systems, Inc.
FileDescription : BlackICE MFC Application
InternalName : BlackICE
LegalCopyright : Copyright © 1999-2003, Internet Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security Systems, Inc.
OriginalFilename : blackice.exe
Comments : Reverse engineering prohibited by license agreement

#:25 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 784
ThreadCreationTime : 2005-7-12 01:30:18 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:26 [asm.exe]
FilePath : C:\
ProcessID : 3112
ThreadCreationTime : 2005-7-12 01:30:35 PM
BasePriority : Normal


#:27 [asm.exe]
FilePath : C:\
ProcessID : 3120
ThreadCreationTime : 2005-7-12 01:30:35 PM
BasePriority : Normal


#:28 [conime.exe]
FilePath : C:\WINNT\system32\
ProcessID : 3176
ThreadCreationTime : 2005-7-12 01:30:39 PM
BasePriority : Normal
FileVersion : 5.00.2195.6655
ProductVersion : 5.00.2195.6655
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Console IME
InternalName : Console
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : CONIME.EXE

#:29 [regedit.exe]
FilePath : C:\WINNT\
ProcessID : 340
ThreadCreationTime : 2005-7-12 01:30:42 PM
BasePriority : Normal
FileVersion : 5.00.2195.6707
ProductVersion : 5.00.2195.6707
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Registry Editor
InternalName : REGEDIT
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGEDIT.EXE

#:30 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 3224
ThreadCreationTime : 2005-7-12 01:30:45 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:31 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 3264
ThreadCreationTime : 2005-7-12 01:30:57 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:32 [internat.exe]
FilePath : C:\WINNT\system32\
ProcessID : 3292
ThreadCreationTime : 2005-7-12 01:32:07 PM
BasePriority : Normal
FileVersion : 5.00.2920.0000
ProductVersion : 5.00.2920.0000
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Keyboard Language Indicator Applet
InternalName : INTERNAT
LegalCopyright : Copyright © Microsoft Corp. 1994-1999
OriginalFilename : INTERNAT.EXE

#:33 [blackice.exe]
FilePath : C:\Program Files\Network ICE\BlackICE\
ProcessID : 3324
ThreadCreationTime : 2005-7-12 01:32:08 PM
BasePriority : Normal
FileVersion : 3.6.46
ProductVersion : 3.6
ProductName : Internet Security Systems, Inc. BlackICE
CompanyName : Internet Security Systems, Inc.
FileDescription : BlackICE MFC Application
InternalName : BlackICE
LegalCopyright : Copyright © 1999-2003, Internet Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security Systems, Inc.
OriginalFilename : blackice.exe
Comments : Reverse engineering prohibited by license agreement

#:34 [welcome.exe]
FilePath : C:\WINNT\
ProcessID : 3152
ThreadCreationTime : 2005-7-12 01:32:16 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Welcome to Windows NT
InternalName : Welcome
LegalCopyright : Copyright © Microsoft Corp. 1998-1999
OriginalFilename : WELCOME.EXE

#:35 [icwconn1.exe]
FilePath : C:\Program Files\Internet Explorer\Connection Wizard\
ProcessID : 3352
ThreadCreationTime : 2005-7-12 01:32:45 PM
BasePriority : Normal
FileVersion : 5.00.3502.6602
ProductVersion : 5.00.3502.6602
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Connection Wizard
InternalName : icwconn1
LegalCopyright : Copyright © Microsoft Corp. 1991-1999
OriginalFilename : icwconn1.exe

#:36 [wuauclt.exe]
FilePath : C:\WINNT\system32\
ProcessID : 652
ThreadCreationTime : 2005-7-12 01:38:18 PM
BasePriority : Normal
FileVersion : 5.4.3790.20 built by: lab04_n
ProductVersion : 5.4.3790.20
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:37 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3272
ThreadCreationTime : 2005-7-12 01:44:35 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright c Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 29


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}
Value :

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}
Value :

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{28caeff3-0f18-4036-b504-51d73bd81abc}

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{28caeff3-0f18-4036-b504-51d73bd81abc}
Value :

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\lq
Value : AC

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\toolbar\webbrowser
Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
Rootkey : HKEY_USERS
Object : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\internet explorer\toolbar\webbrowser
Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\toolbar
Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 10
Objects found so far: 39


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Pagesearchmiracle.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://searchmiracle.com/sp.php"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Barsearchmiracle.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://searchmiracle.com/sp.php"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\SearchSearchAssistantsearchmiracle.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://searchmiracle.com/sp.php"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet ExplorerSearchURLsearchmiracle.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer
Value : SearchURL
Data : "http://searchmiracle.com/sp.php"

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 43


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jasper@centrport[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:jasper@centrport.net/
Expires : 2030-1-1 08:00:00 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 44



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jasper@centrport[1].txt
Category : Data Miner
Comment :
Value : C:\Documents And Settings\jasper\Cookies\jasper@centrport[1].txt

Elitum.ElitebarBHO Object Recognized!
Type : File
Data : 164636.dll
Category : Data Miner
Comment :
Object : C:\WINNT\Temp\
FileVersion : 1, 0, 0, 60
ProductVersion : 1, 0, 0, 60
ProductName : EliteToolBar Dynamic Link Library
FileDescription : EliteToolBar DLL
InternalName : EliteToolBar
LegalCopyright : Copyright © 2004
OriginalFilename : EliteToolBar.DLL


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 46




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46

09:53:44 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:08:53.257
Objects scanned:71832
Objects identified:17
Objects ignored:0
New critical objects:17

#14 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • OFFLINE
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:09:48 PM

Posted 12 July 2005 - 10:01 AM

Were you able to install 'KB835732' and did it help with the 'Lsass.exe error code 128'?

The Ebates, Elitum and Searchmiracle entries in the Ad-aware log appear to be registry remnants left over from previously removed infections. None of these appear to be running. Allow Ad-aware to remove these if it can.

I do see some suspicious files. Let's see what Jotti has to say:
Go to Jotti's malware scan site and submit the following files for a malware scan:

C:\WINNT\asm.exe
C:\WINNT\system32\netlib.exe
C:\WINNT\system32\msnmsgr.exe

Post the results of the scans in your next reply.


In addition,
Download Silent Runners.
- Unzip it into its own folder.

Open the folder into which you unzipped SilentRunners.
- Double click to run SilentRunners.vbs.
- If your antivirus complains, tell it to allow this script.
- This script takes a while, please wait until you get an 'All Done' message.
Copy and paste the content of the Silent Runners textfile you get afterwards in your next reply.
Derfram
~~~~~~
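
The following is an added example, not code from this thread, from Lavasoft or from BleepingComputer. It is a small Python triage script for the Ad-Aware SE log layout posted two replies up, applying the kind of checks that single out the three files named in the reply above (a process with no version block, one running from a drive root or Temp, a familiar name in an unexpected directory) and pulling the non-MRU registry hits and their CLSIDs out of the detection records so the BHO and toolbar IDs can be chased in the registry. The embedded log is a constructed excerpt in the same layout, not the poster's full log; the core-process allowlist and the assumed MSN Messenger install directory are assumptions, not facts from the thread, and the output is a list of things to look at, not a verdict.

```python
"""Triage helper for Ad-Aware SE logs: odd processes and non-MRU detections."""
import re
from collections import defaultdict

# Constructed excerpt in the layout of the log posted above (values shortened).
SAMPLE_LOG = r"""
Listing running processes

#:1 [services.exe]
FilePath : C:\WINNT\system32\
FileVersion : 5.00.2195.6700
CompanyName : Microsoft Corporation

#:2 [netlib.exe]
FilePath : C:\WINNT\system32\

#:3 [msnmsgr.exe]
FilePath : C:\WINNT\system32\

#:4 [asm.exe]
FilePath : C:\

MRU List Object Recognized!
Location: : software\microsoft\internet explorer\typedurls

Elitum.ElitebarBHO Object Recognized!
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{28caeff3-0f18-4036-b504-51d73bd81abc}

Possible Browser Hijack attempt Object Recognized!
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://searchmiracle.com/sp.php"
"""

PROC_RE = re.compile(r"^#:\d+ \[(.+)\]$")
OBJ_RE = re.compile(r"^(.+) Object Recognized!$")
FIELD_RE = re.compile(r"^(\w+):?\s*:\s*(.*)$")   # 'Key : Value', also 'Location: : x'
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# Assumptions, not facts from the thread: core processes the log lists without a
# version block even when legitimate, and the directory MSN Messenger normally uses.
CORE_NO_VERSION = {"smss.exe", "csrss.exe", "winlogon.exe"}
EXPECTED_DIR = {"msnmsgr.exe": "c:\\program files\\msn messenger\\"}


def parse_log(text):
    """Split the log into process records and detection records (dicts of fields)."""
    processes, objects, rec = [], [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                      # a blank line closes the current record
            rec = None
            continue
        if m := PROC_RE.match(line):
            rec = {"Name": m.group(1).lower()}
            processes.append(rec)
        elif m := OBJ_RE.match(line):
            rec = {"Family": m.group(1)}
            objects.append(rec)
        elif rec is not None and (m := FIELD_RE.match(line)):
            rec[m.group(1)] = m.group(2).strip()
    return processes, objects


def suspicious_processes(processes):
    """Map process name -> reasons to look closer. Triage hints, not a verdict."""
    flagged = defaultdict(list)
    for p in processes:
        name, path = p["Name"], p.get("FilePath", "").lower()
        if not (p.get("FileVersion") or p.get("CompanyName")) and name not in CORE_NO_VERSION:
            flagged[name].append("no version resource")
        if re.fullmatch(r"[a-z]:\\", path) or "\\temp\\" in path:
            flagged[name].append("runs from drive root or Temp")
        if name in EXPECTED_DIR and path != EXPECTED_DIR[name]:
            flagged[name].append("expected in " + EXPECTED_DIR[name])
    return dict(flagged)


def detections(objects):
    """Group everything except MRU noise by family: family -> ['ROOT\\key [value] = data']."""
    out = defaultdict(list)
    for o in objects:
        if o["Family"] == "MRU List":
            continue
        where = "\\".join(o[k] for k in ("Rootkey", "Object", "Location") if o.get(k))
        if o.get("Value"):
            where += " [" + o["Value"] + "]"
        if o.get("Data"):
            where += " = " + o["Data"]
        out[o["Family"]].append(where)
    return dict(out)


def clsids(objects):
    """Every CLSID named in a detection record, lower-cased (BHO/toolbar IDs to chase)."""
    return {m.group(0).lower() for o in objects for v in o.values() for m in CLSID_RE.finditer(v)}


if __name__ == "__main__":
    procs, objs = parse_log(SAMPLE_LOG)
    for name, why in suspicious_processes(procs).items():
        print(f"{name}: {', '.join(why)}")
    for fam, hits in detections(objs).items():
        print(fam + ":\n  " + "\n  ".join(hits))
    print("CLSIDs:", sorted(clsids(objs)))
```

Run it against a real log by reading the file into `parse_log` instead of `SAMPLE_LOG`. The "no version resource" check on its own is noisy (the posted log shows jusched.exe without one too), which is why it is combined with the path checks and reported as reasons rather than a score.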

#15 water

water
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:10:48 PM

Posted 12 July 2005 - 10:16 AM

I guess I installed the Security Update successfully, as the Code 128 error didn't appear when I rebooted the machine. (At least at the moment!)

However, despite cleaning up with Ad-Aware, the pop-ups reappear. (They are now right in front of me!) Even Spybot couldn't remove the Elite bug.

Regarding the 3 files you mentioned, I couldn't locate the first two. I scanned msnmsgr.exe and here is the result. (I remember I killed it last time in Safe Mode under your instruction!) Since the machine is not very stable right now, I'll send you the Silent Runners scan in the next message.


File: msnmsgr.exe
Status: INFECTED/MALWARE
MD5 3a04bd3bc72c75d545c39ee45f16d7b8
Packers detected: PE_PATCH, MEWBUNDLE, MEW
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Rbot.Gen.137701.MX
Avast Found nothing
AVG Antivirus Found IRC/BackDoor.SdBot
BitDefender Found Backdoor.SDBot.0703BBFA
ClamAV Found Worm.Mytob.GH
Dr.Web Found Win32.HLLW.MyBot
F-Prot Antivirus Found nothing
Fortinet Found W32/RBot-bdr
Kaspersky Anti-Virus Found Backdoor.Win32.Rbot.gen
NOD32 Found Win32/Rbot
Norman Virus Control Found W32/Suspicious_M.gen
UNA Found nothing
VBA32 Found Backdoor.Win32.Rbot.gen

Last file scanned at least one scanner reported something about: HackTool.Win32.VB.ca in crackftp.zip, detected by:

Scanner Malware name
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus HackTool.Win32.VB.ca
NOD32 X
Norman Virus Control X
UNA X
VBA32 X


You're free to (mis)interpret these automated, flawed statistics at your own discretion.


2999 files (2496 of those unique) have been uploaded & scanned since 11/Jul/2005, the day of the last database purge.
644 of those 2496 files contained a virus or any other form of malware.
This page has been visited 5142 times in this time period.
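
An added example, not Jotti's code and not from the poster: a Python summariser for a multi-engine result pasted as text in the layout above. Engines name the same family differently (Rbot, RBot, SDBot, Mytob, MyBot, plus heuristic labels such as Suspicious_M), so the script strips the type and platform prefixes, counts how many engines flag the file, and reports the family most of them agree on, together with the hash and the packer list, which is what a helper would quote back in a reply. The prefix list and the set of labels treated as generic are assumptions chosen to fit common naming schemes; the embedded sample mirrors the posted result, with the site ticker after it included only to show that the parser stops at the first blank line.

```python
"""Summarise a multi-engine (Jotti-style) scan result pasted as plain text."""
import re
from collections import Counter

# Constructed excerpt mirroring the layout of the result posted above.
SAMPLE = """\
File: msnmsgr.exe
Status: INFECTED/MALWARE
MD5 3a04bd3bc72c75d545c39ee45f16d7b8
Packers detected: PE_PATCH, MEWBUNDLE, MEW
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Rbot.Gen.137701.MX
Avast Found nothing
AVG Antivirus Found IRC/BackDoor.SdBot
BitDefender Found Backdoor.SDBot.0703BBFA
ClamAV Found Worm.Mytob.GH
Dr.Web Found Win32.HLLW.MyBot
F-Prot Antivirus Found nothing
Fortinet Found W32/RBot-bdr
Kaspersky Anti-Virus Found Backdoor.Win32.Rbot.gen
NOD32 Found Win32/Rbot
Norman Virus Control Found W32/Suspicious_M.gen
UNA Found nothing
VBA32 Found Backdoor.Win32.Rbot.gen

Last file scanned at least one scanner reported something about: (site ticker, ignored)
"""

RESULT_RE = re.compile(r"^(.+?) Found (.+)$")
# Type/platform prefixes engines put in front of the family name (assumed list).
PREFIX_RE = re.compile(r"^(?:(?:backdoor|trojan|worm|irc|win32|w32|hllw)[./\\-])+", re.I)
GENERIC = {"suspicious_m", "gen", "generic", "heur"}   # heuristic labels carry no family vote


def family_of(name):
    """Reduce an engine-specific name to a lower-case family token, or None if generic."""
    m = re.match(r"[A-Za-z_]+", PREFIX_RE.sub("", name))
    fam = m.group(0).lower() if m else None
    return None if fam in GENERIC else fam


def summarize(text):
    """Parse the pasted result into hash, packers, detection ratio and family consensus."""
    info = {"engines": 0, "detections": 0, "families": Counter(), "packers": []}
    in_results = False
    for line in text.splitlines():
        line = line.strip()
        if in_results:
            if not line:                  # blank line ends the per-engine table
                break
            m = RESULT_RE.match(line)
            if not m:
                continue
            engine, verdict = m.groups()
            info["engines"] += 1
            if verdict.lower() == "nothing":
                continue
            info["detections"] += 1
            if fam := family_of(verdict):
                info["families"][fam] += 1
        elif line == "Scanner results":
            in_results = True
        elif line.startswith("File:"):
            info["file"] = line.split(":", 1)[1].strip()
        elif line.startswith("MD5 "):
            info["md5"] = line.split()[1].lower()
        elif line.startswith("Packers detected:"):
            info["packers"] = [p.strip() for p in line.split(":", 1)[1].split(",")]
    top = info["families"].most_common(1)
    info["consensus"] = top[0][0] if top else None
    return info


def verdict_line(info):
    """One-line human summary, e.g. for a forum reply."""
    fams = ", ".join(f"{f} x{n}" for f, n in info["families"].most_common())
    return (f"{info.get('file')}: {info['detections']}/{info['engines']} engines flag it; "
            f"families: {fams}; packers: {', '.join(info['packers']) or 'none'}")


if __name__ == "__main__":
    print(verdict_line(summarize(SAMPLE)))
```

The point of the family vote is that four "Found nothing" lines do not cancel ten detections, and that a heuristic label is evidence the file is odd without being a vote for any particular family; the hash is what to quote when asking someone else to look at the same sample.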



