
Trj/multidropper.afs, Adware.commonname.a Etc.


19 replies to this topic

#1 Scarlett

    Bleeping Diva

  • Members
  • 7,479 posts
  • Gender:Female
  • Location:As always I'm beside myself ;)

Posted 13 December 2005 - 10:43 AM

Symptoms: constant freezing while surfing, desktop freezing, mouse disappearing and text size changing at any given moment, and sound volume going up upon re-boot and once not heard at all. Re-boot brought back sound though. Occurred only once.

Also when attempting a Google search, I get this:

http://auto.search.msn.com/response.asp?MT...&prov=gogl&utf8

It happens often enough to worry me. It seems to be a redirection of sorts. But maybe is just MSN IE getting confused.

If you click on link above now it goes to MSN search. But when it happens, it shows a blank page and I just refresh and it goes to Google.

Edit: I just attempted to google for "counterspy" and it tried to go straight to "counterspy.com", not the Google search results.
But I was misdirected to "East End Interiors", and "counterspy.com" shows in the address bar. :thumbsup:



I scanned with Adaware, Spybot, and AVG Free. They all came up clean.

So I scanned with both Panda Activescan and BitDefender.

Here are the results:

Panda Activescan


Incident Status Location

Spyware:spyware/virtumonde Not disinfected C:\WINDOWS\SYSTEM\inetadpt.dll
Spyware:spyware/commonname Not disinfected C:\WINDOWS\SYSTEM\WINNET.INI
Adware:adware/igetnet Not disinfected C:\WINDOWS\SYSTEM\rules.dat
Spyware:spyware/betterinet Not disinfected C:\WINDOWS\SYSTEM\in10b6s.dll
Adware:adware/gator Not disinfected Windows Registry
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\BIL.INF
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\BI6.INF
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\BIINI.INF
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\BID.INF
Virus:Trj/Multidropper.AFS Not disinfected C:\WINDOWS\SYSTEM\icode504.exe
Adware:Adware/SaveNow Not disinfected C:\WINDOWS\SYSTEM\w1u.dll
Adware:Adware/Transponder Not disinfected C:\WINDOWS\SYSTEM\in10b6s.dll
Adware:Adware/WebSearch Not disinfected C:\!Submit\msmene.dll

BitDefender

Screenshot of BitDefender results: [image not preserved]

BitDefender Online Scanner - Real Time Virus Report



Generated at: Mon, Dec 12, 2005 - 18:10:38

Scan Info




Scanned Files 48099


Infected Files 3

Virus Detected

Application.Adware.CommonName.A 1

BehavesLike:Trojan.Downloader 2


Here is my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:12 AM, on 12/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE ?
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE ?
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS_SFX\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://.www.msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .fli: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://.www.msn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://.www.msn.com
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by9fd.bay9.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...363/mcfscan.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.com/cab/aft/AncestryFamilyTree.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://142.163.191.17/activex/AxisCamControl.ocx
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

Edited by Scarlett, 14 December 2005 - 04:32 PM.
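As an added illustration (not part of Scarlett's post, and not code from HijackThis or any other tool named in this thread), here is a small Python triage script that applies the kind of checks a helper applies by eye to the R1/O9/O14/O16 lines in the log above: a start page or IERESET.INF entry whose host begins with a dot, a proxy server set under Internet Settings, an extension whose executable is missing, and an ActiveX download served from a raw IP address. The sample lines and the heuristics are constructed assumptions; a hit only means "look at this entry", not that it is malicious (the IP-hosted camera control in the log, for instance, may well be legitimate).

```python
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis log format, modelled on the item types
# (R1, O4, O9, O14, O16) that appear in the log above.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://.www.msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=msn.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://.www.msn.com
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://142.163.191.17/activex/AxisCamControl.ocx
"""

# "R1 - <body>", "O16 - <body>" and so on; headers and the process list are skipped.
HJT_LINE_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hjt(text):
    """Return (item_type, body) pairs for every HijackThis item line."""
    items = []
    for line in text.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if m:
            items.append((m.group("type"), m.group("body")))
    return items


def url_problem(url):
    """Heuristic host check (an assumption of this example): a reason string, or None."""
    host = urlsplit(url).hostname or ""
    if not host:
        return "empty host"
    if host.startswith(".") or host.endswith(".") or ".." in host:
        return "malformed host %r" % host
    if IPV4_RE.match(host):
        return "raw IP address host %s" % host
    return None


def triage(text):
    """Apply the heuristics to a log; returns (item_type, reason, body) findings in log order."""
    findings = []
    for item_type, body in parse_hjt(text):
        if "(file missing)" in body:
            findings.append((item_type, "entry points at a missing file", body))
        if item_type == "R1" and ",ProxyServer" in body:
            proxy = body.partition(" = ")[2]
            findings.append((item_type, "proxy server configured: " + proxy, body))
        for url in URL_RE.findall(body):
            why = url_problem(url)
            if why:
                findings.append((item_type, why, body))
    return findings


if __name__ == "__main__":
    for item_type, reason, body in triage(SAMPLE_HJT_LOG):
        print("%-4s %-45s %s" % (item_type, reason, body))
```

Run it on a saved HijackThis log by reading the file into `triage()`; each finding carries the original line so it can be pasted back into a thread like this one for a second opinion.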

#2 Guest_Cretemonster_*

  • Guests

Posted 15 December 2005 - 07:58 AM

Howdy Miss Scarlett :thumbsup:

Have you Killboxed any of the files Panda revealed or checked to see if Bit Defender really deleted the files it says it did?


Let's see what WinPFind says.


Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Unzip it and be sure to Extract All Files.

Don't use it yet

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and post the WinPFind results, please.

#3 Scarlett

Posted 15 December 2005 - 08:04 AM

Hi ya Crete. :thumbsup:

Have you Killboxed any of the files Panda revealed or checked to see if Bit Defender really deleted the files it says it did?


Um... no and no.
Edit: Should I use Killbox? You would have to help me with it, it has been awhile.

And do you want me to look for the supposed deleted files?
And my system can not withstand WinPFind.
I tried it before, here: http://www.bleepingcomputer.com/forums/ind...ndpost&p=165201

Edited by Scarlett, 15 December 2005 - 08:19 AM.

#4 Guest_Cretemonster_*

Posted 15 December 2005 - 08:20 AM

And Good Morning to you :thumbsup:

You will need to remove the old version of Killbox and replace with the latest version.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\SYSTEM\inetadpt.dll
    C:\WINDOWS\SYSTEM\WINNET.INI
    C:\WINDOWS\SYSTEM\rules.dat
    C:\WINDOWS\SYSTEM\in10b6s.dll
    C:\WINDOWS\INF\BIL.INF
    C:\WINDOWS\INF\BI6.INF
    C:\WINDOWS\INF\BIINI.INF
    C:\WINDOWS\INF\BID.INF
    C:\WINDOWS\SYSTEM\icode504.exe
    C:\WINDOWS\SYSTEM\w1u.dll
    C:\WINDOWS\SYSTEM\in10b6s.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders. Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...showtutorial=62


Verify that all the files listed from BitDefender and Panda are no longer anywhere to be found.


If you haven't already, scan the System with WinPFind, per my last instructions.


Restart Normal and post the WinPFind results, and let me know how the file search went.
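For the "verify the files are gone" step, an added Python example (not Killbox, Panda, or anything posted in this thread): it parses lines in the format of the Panda ActiveScan report quoted in the first post, builds the deduplicated list of on-disk paths a file-deletion tool can act on (the registry-only Gator entry is skipped, and the DLL that Panda reported twice under two names appears once), and then reports which of those paths still exist. The sample lines are constructed; the status words other than "Not disinfected" are assumptions, as is the injectable `exists` hook, which is there so the check can be exercised without a real Windows ME disk.

```python
import os
import re

# Constructed sample in the format of the Panda ActiveScan report quoted in the
# first post: "<Category>:<detection> <Status> <Location>".
SAMPLE_PANDA_REPORT = r"""
Incident Status Location

Spyware:spyware/virtumonde Not disinfected C:\WINDOWS\SYSTEM\inetadpt.dll
Adware:adware/gator Not disinfected Windows Registry
Spyware:spyware/betterinet Not disinfected C:\WINDOWS\SYSTEM\in10b6s.dll
Virus:Trj/Multidropper.AFS Not disinfected C:\WINDOWS\SYSTEM\icode504.exe
Adware:Adware/Transponder Not disinfected C:\WINDOWS\SYSTEM\in10b6s.dll
"""

# "Disinfected" is an assumed alternative status; the page only shows "Not disinfected".
INCIDENT_RE = re.compile(
    r"^(?P<category>\w+):(?P<name>\S+)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)$"
)
# A location is a file only if it starts with a drive letter; "Windows Registry" is not.
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_panda_report(text):
    """Return one dict per incident line (category, name, status, location)."""
    incidents = []
    for line in text.splitlines():
        m = INCIDENT_RE.match(line.strip())
        if m:
            incidents.append(m.groupdict())
    return incidents


def file_targets(incidents):
    """On-disk paths still marked 'Not disinfected', deduplicated case-insensitively
    (Windows paths are case-insensitive), in first-seen order."""
    seen = set()
    targets = []
    for inc in incidents:
        loc = inc["location"]
        if inc["status"] != "Not disinfected" or not DRIVE_PATH_RE.match(loc):
            continue
        key = loc.lower()
        if key not in seen:
            seen.add(key)
            targets.append(loc)
    return targets


def still_present(paths, exists=os.path.exists):
    """Return the paths that still exist; `exists` is injectable for testing."""
    return [p for p in paths if exists(p)]


if __name__ == "__main__":
    targets = file_targets(parse_panda_report(SAMPLE_PANDA_REPORT))
    print("paths to check:", *targets, sep="\n  ")
    print("still present:", still_present(targets) or "none")
```

The deduplicated list is also the one to paste into a deletion tool: the Killbox list above contains C:\WINDOWS\SYSTEM\in10b6s.dll twice because Panda reported it under two detection names.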

#5 Scarlett

Posted 15 December 2005 - 09:12 AM

WinPFind does not run on my system. I gave you a link in my above post, to a former HJT thread of mine, where I went nuts trying to run it. lol

My system can not withstand it.
Sorry
But I will get to the other instructions as soon as I can.

Have to go to work, be back this eve.

Edited by Scarlett, 15 December 2005 - 09:13 AM.

#6 Guest_Cretemonster_*

Posted 15 December 2005 - 09:22 AM

Whoops Sorry about that.

Does Silent Runners Work or have you ever tried it?

#7 Scarlett

Posted 15 December 2005 - 09:28 AM

Yes! I was able to run Silent Runners. :thumbsup:
#8 Guest_Cretemonster_*

Posted 15 December 2005 - 10:15 AM

OK, we can pick this up when you get home if needed.

Here is my can for Silent Runners if you need it?


OK, I need you to download and run Silent Runners:
http://www.silentrunners.org/Silent%20Runners.zip

Unzip it and select Extract all files

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

It will start scanning the System, be patient, it takes a bit

Once Completed, it will produce a Notepad page, I need you to Copy & Paste those results into your next post

#9 Scarlett

Posted 15 December 2005 - 09:58 PM

Ok Crete :thumbsup: I have been hard at it.

Killbox - Done

Verify that all the files listed from BitDefender and Panda are no longer anywhere to be found


While in Safe Mode - Only found:

C:\_Restore\Temp\A0001024.CPY <---- Can not delete Access Denied

C:\Windows \CNBABEIE.exe => (NSIS o) = bzip2_nsis0007 <----Deleted

Adware:Adware/WebSearch Not disinfected C:\!Submit\msmene.dll <---- Deleted

The deleted ones are in Recycle Bin. Should I go ahead and delete them from there?

SilentRunners results

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"LoadQM" = "loadqm.exe" [MS]
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"ScanRegistry" = "c:\windows\scanregw.exe /autorun" [MS]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"KB891711" = "c:\windows\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{44BBA842-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "NetMeeting 3.01"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95" [MS]
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 c:\windows\INF\applets1.inf" [MS]
PerUser_Paint_Inis\(Default) = "Windows Setup - Paint"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis_remove 64 c:\windows\INF\applets.inf" [MS]
PerUser_Enable_Inis\(Default) = "Windows Setup - Accessibility"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 c:\windows\INF\enable.inf" [MS]
PerUser_Wingames_Inis\(Default) = "Windows Setup - Classic Games"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Rem_Inis 64 c:\windows\INF\games.inf" [MS]
PerUser_ZoneGame_Inis\(Default) = "Windows Setup - Internet Games"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Rem_Inis 64 c:\windows\INF\games.inf" [MS]
PerUser_PBGame_Inis\(Default) = "Windows Setup - Plus! Games"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Rem_Inis 64 c:\windows\INF\games.inf" [MS]
PerUser_RNA_Inis\(Default) = "Windows Setup - Dial-Up Networking"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_RNA_remove 64 c:\windows\INF\rna.inf" [MS]
PerUser_DCC_Inis\(Default) = "Windows Setup - Direct Cable Connection"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis_remove 64 c:\windows\INF\rna.inf" [MS]
PerUser_Onlinelnks_Inis\(Default) = "Windows Setup - HyperTerminal"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 c:\windows\INF\appletpp.inf" [MS]
PerUser_Dialer_Inis\(Default) = "Windows Setup - Phone Dialer"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 c:\windows\INF\appletpp.inf" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6"
\StubPath = ""C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /uninstall" [MS]
OlsAolPerUser\(Default) = "Windows Setup - America Online"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
OlsAttPerUser\(Default) = "Windows Setup - AT&T WorldNet Service"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
OlsProdigyPerUser\(Default) = "Windows Setup - Prodigy Internet"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
OlsEarthlinkPerUser\(Default) = "Windows Setup - Earthlink Internet"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore\(Default) = "Microsoft Outlook Express 6"
\StubPath = "rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}.Restore\(Default) = "Address Book 5"
\StubPath = "rundll32.exe advpack.dll,UserUnInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ALZip\(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ESTSOFT\ALZIP\AZCTM.DLL" ["estsoft"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ALZip\(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ESTSOFT\ALZIP\AZCTM.DLL" ["estsoft"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ALZip\(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ESTSOFT\ALZIP\AZCTM.DLL" ["estsoft"]


System Policies [Description]:
------------------------------

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
HIJACK WARNING! "HomePage"=dword:00000001
[disables the Home page field in Internet Options|General (tab)]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1 - 4
c:\windows\SYSTEM\msafd.dll [MS], 5 - 7
c:\windows\SYSTEM\rsvpsp.dll [MS], 8 - 9


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://.www.msn.com
[Strings]: SEARCH_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
[Strings]: MS_START_PAGE_URL=http://.www.msn.com

Missing lines (compared with English-language version):
[Strings]: 3 lines


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Fax Monitor\Driver = "AWFMON32.DLL" [file not found]
Lexmark 1000 LanguageMonitor\Driver = "KELANGMN.DLL" [file not found]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 89 seconds, including 18 seconds for message boxes)

Edited by Scarlett, 15 December 2005 - 10:21 PM.

#10 Guest_Cretemonster_*

Posted 16 December 2005 - 05:51 AM

I believe that file in the temp folder may be associated with either System Restore or is an old bug that's been disabled.

You can scan it at these 2 sites

http://www.virustotal.com/flash/index_en.html
and
http://virusscan.jotti.org/


By chance did you make this change?

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
HIJACK WARNING! "HomePage"=dword:00000001
[disables the Home page field in Internet Options|General (tab)]

#11 Scarlett

Posted 16 December 2005 - 06:30 AM

Thanks again Crete :thumbsup:

I submitted it to both sites. BitDefender is still the only one picking up on it. :flowers:
I do not understand why I can not delete it even in Safe Mode.

Virus Total

This is a report processed by VirusTotal on 12/16/2005 at 12:17:28 (CET) after scanning the file "A0001024.CPY" file.

Antivirus Version Update Result
AntiVir 6.33.0.61 12.16.2005 no virus found
Avast 4.6.695.0 12.15.2005 no virus found
AVG 718 12.15.2005 no virus found
Avira 6.33.0.61 12.16.2005 no virus found
BitDefender 7.2 12.16.2005 BehavesLike:Trojan.Downloader
CAT-QuickHeal 8.00 12.16.2005 no virus found
ClamAV devel-20051108 12.15.2005 no virus found
DrWeb 4.33 12.16.2005 no virus found
eTrust-Iris 7.1.194.0 12.16.2005 no virus found
eTrust-Vet 12.3.3.0 12.16.2005 no virus found
Fortinet 2.54.0.0 12.16.2005 no virus found
F-Prot 3.16c 12.15.2005 no virus found
Ikarus 0.2.59.0 12.16.2005 no virus found
Kaspersky 4.0.2.24 12.16.2005 no virus found
McAfee 4651 12.15.2005 no virus found
NOD32v2 1.1325 12.15.2005 no virus found
Norman 5.70.10 12.16.2005 no virus found
Panda 8.02.00 12.15.2005 no virus found
Sophos 4.00.0 12.16.2005 no virus found
Symantec 8.0 12.16.2005 no virus found
TheHacker 5.9.1.057 12.16.2005 no virus found
VBA32 3.10.5 12.15.2005 no virus found

Jotti


File: A0001024.CPY_

Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 8d683d2bb5f62fa42a4b61ffc127c621
Packers detected: -

Scanner results

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found BehavesLike:Trojan.Downloader (probable variant)
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

By chance did you make this change?

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
HIJACK WARNING! "HomePage"=dword:00000001
[disables the Home page field in Internet Options|General (tab)]


I believe that I have my homepage locked down in SpywareBlaster
So yes I have made that change.

Question: I was so into getting this started, that I forgot that it was update Tuesday (MS).
I need the service pack update for IE. But have not installed it yet.
Should I?

Edited by Scarlett, 16 December 2005 - 08:13 AM.

#12 Guest_Cretemonster_*

Posted 16 December 2005 - 06:30 PM

Do the Online Scan at Kaspersky first and let's see what it shows us.

After that, the updates should be good to go!


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#13 Scarlett

Posted 16 December 2005 - 09:39 PM

I tried twice to run Kaspersky Online and it would not update???
What would cause this?
I am a bit low on memory, so.. could that be the problem?


[image not preserved]

Oh and can I delete those files that are in the recycle bin?

Edited by Scarlett, 16 December 2005 - 09:57 PM.

#14 Guest_Cretemonster_*

Posted 17 December 2005 - 05:35 AM

Definitely empty the recycle bin.

That notice indicated that the Internet connection was not established with the Kaspersky update site.

Try this online scan instead and let's see what happens
http://support.f-secure.com/enu/home/ols.shtml

#15 Scarlett

Posted 17 December 2005 - 10:36 AM

:thumbsup: :flowers:

Ran F-Secure

Results:

Finished: 2 viruses found

Scanned files: 14908 Warning: 2 file(s) still infected!


c:\!KillBox\icode504.exe Trojan-Downloader.Win32.VB.kr

c:\!KillBox\in10b6s.dll Trojan-Dropper.Win32.Mudrop.ae



What next?
It was at the very end and then found these. Yikes!
They are in Killbox??? I do not understand.

:huh:

Edited by Scarlett, 17 December 2005 - 10:38 AM.
