Spysweeper Has Blocked Access To Connection 8ad.com


259 replies to this topic

#31 -David-

  • Members
  • 10,603 posts
  • Location:London

Posted 07 January 2007 - 04:55 PM

Can you run the regsearch program, searching for lch.dll.
Then post that log that is created back here, so I can see the entries in full.

#32 Bill B

  • Topic Starter
  • Members
  • 162 posts

Posted 07 January 2007 - 06:20 PM

Only problem is that I thought you had a typo below (which turned out to have been a repeat of my typo)...

My original comments wrt llch.dll and the associated object are correct. My most recent message cited incorrectly lch.dll, which couldn't be found in a file search, but showed in the registry as reported. I just checked, and llch.dll is not in the register.

i.e. what I'm now posting is regsearch for lch.dll.

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 07/01/2007 6:14:34 PM for strings:
; 'lch.dll'
; 'staropen'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_USERS\S-1-5-21-507921405-2147173071-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="lch.dll"

; End Of The Log...

Bill

#33 Bill B

  • Topic Starter
  • Members
  • 162 posts

Posted 14 January 2007 - 01:48 PM

You still there, David? Bill

#34 -David-

  • Members
  • 10,603 posts
  • Location:London

Posted 15 January 2007 - 12:07 PM

Sorry Bill, I have just reapplied a subscription to this thread.
My thoughts are for the moment to step away from the registry and try something else.
First thing I want you to do is to again quote the exact error message you are getting.

Download WinPFind3U to your Desktop and double-click on it to extract the files.
It will create a folder named WinPFind3u on your desktop.
Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.

1) In the 'Files Created Within' group click 30 days,
2) In the 'Files Modified Within' group select 30 days
3) In the 'File String Search' group select Non-Microsoft

Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Please save that file and upload it at this page.
Please let me know when you have done so...

#35 Bill B

  • Topic Starter
  • Members
  • 162 posts

Posted 15 January 2007 - 12:52 PM

As requested. Lower right pops up with a notice from SpySweeper at start-up:
"The internet communication shield has blocked access to: ADULTLINKSCO.COM"

The latter replaced what originally was "8AD.COM".

I have run Winpfind3u and uploaded to the link you provided.

Thks.

Bill

#36 -David-

  • Members
  • 10,603 posts
  • Location:London

Posted 15 January 2007 - 02:47 PM

No, nothing there either, let's try a few more things..

1) Please download and unzip Rootkit Revealer to your desktop.
Please leave the defaults set as they are to:
Hide NTFS Metadata Files: this option is on by default
Scan Registry: this option is on by default.

Note: Before performing a scan it is recommended to do the following to ensure the best results for a simpler and clearer log file to analyze:
1) Disconnect from or physically unplug the cable from the PC to the Internet connection.
2) Close down All Scheduling/Updating + Running Background tasks, etc.
3) Disable/turn off any program that might activate during the scan such as screensaver, anti-virus, anti-spyware. Programs that activate during the scan may cause RKR to display inaccurate/misleading log results.
4) Then after starting the scan, DO NOT use the computer until the scan has completed.
5) When the scan has finished, save the log file and re-enable those programs you closed down, or reboot and then you can reconnect to the Internet.

Now launch rootkit revealer on the system and press the Scan button.
Please post the log here in this thread using Add Reply
(please double check that it has all been posted as it may be too long for one post)
If it is too long, you can upload it like you did with the winpfind log.

Then, Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

David

#37 Bill B

  • Topic Starter
  • Members
  • 162 posts

Posted 15 January 2007 - 03:14 PM

For what it's worth, note that the problem started over 30 days ago... Doing now. Will advise when completed.

#38 Bill B

  • Topic Starter
  • Members
  • 162 posts

Posted 15 January 2007 - 03:30 PM

I uploaded the Rootkitrevealer file to the link you provided earlier.

Here is the HJT content:

StartupList report, 11/12/2006, 1:43:25 PM
StartupList version: 1.52.2
Started from : C:\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5730.0011)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\ggviewer67-52.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\sistray.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AvaFind\AvaFind.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Kaspersky Anti-Hacker.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SiS Windows KeyHook = C:\WINDOWS\system32\keyhook.exe
SiS Tray = C:\WINDOWS\system32\sistray.EXE
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
SiSUSBRG = C:\WINDOWS\SiSUSBrg.exe
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
THGuard = "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SSA.exe = "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe"
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
AvaFind = "C:\Program Files\AvaFind\AvaFind.exe" /minimized
Window Washer = "C:\Program Files\Webroot\Washer\wwDisp.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - C:\Program Files\Windows Live Toolbar\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Check Updates for Windows Live Toolbar.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

[ewidoOnlineScan Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
CODEBASE = http://download.ewido.net/ewidoOnlineScan.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdat...b?1143401756593

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,713 bytes
Report generated in 0.171 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Bill

#39 -David-

  • Members
  • 10,603 posts
  • Location:London

Posted 15 January 2007 - 04:50 PM

I think you didn't follow the last instructions just right.
At the bottom of the last post I wanted an uninstall list, not a startup list.
Please look again and post an uninstall list.
In the meantime I will look over the rootkit revealer log.

#40 Bill B

  • Topic Starter
  • Members
  • 162 posts

Posted 15 January 2007 - 05:00 PM

Sorry, I actually saved the Uninstall from HJT, but then opened and copied startup that was there from a while ago. Here's what you asked for:

acqurl
Ad-Aware SE Professional
Adobe Acrobat 6.0.1 Professional
Adobe Flash Player 9 ActiveX
Advanced Uninstaller PRO 2004 - version 6
Ava Find
avast! Antivirus
CCleaner (remove only)
C-Media 3D Audio
Diskeeper Professional Edition
DVD5R
Easy CD & DVD Creator 6
Google Deskbar
Google Earth
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
InCD (Ahead Software)
IncrediMail Xe
InterVideo WinDVD 4
InterVideo WinDVD Creator 2
iolo technologies' System Mechanic 5 Professional
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Kaspersky Online Scanner
Kaspersky™ Anti-Hacker 1.5
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
LView Pro Evaluation Version
MetaFrame Presentation Server Client
Microsoft Bootvis
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Meeting 2005
Microsoft Office XP Professional with FrontPage
Microsoft Project 2000
Mozilla Firefox (2.0.0.1)
Mozilla Thunderbird (1.0.2)
MSN Messenger 7.5
Nero Suite
Opera
RealPlayer
Roxio UDF Reader
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
SiS 661FX_760_741_M661FX_M760_M741
SiS 900 PCI Fast Ethernet Adapter Driver
Spy Sweeper
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Sympatico Security Advisor 1.4.10
Sympatico™ Scan and Clean utility
TaxWrite
TrojanHunter 4.2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VX2 Cleaner plug-in for Ad-Aware SE
Winamp (remove only)
Window Washer 5
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Toolbar
Windows Live Toolbar
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
WordPerfect Office 11
YOU DON'T KNOW JACK Volume 3

Bill

#41 -David-

  • Members
  • 10,603 posts
  • Location:London

Posted 15 January 2007 - 05:19 PM

Ok, the rootkit revealer log is just fine, no problems at all. Now I think I've got to the stage where I am completely run dry on ideas; I really do think that this is a false positive from SpySweeper. I googled the question and found a number of threads of SpySweeper alerting the user that it was trying to access a spyware site. However, no solution was ever reached, even after multiple scans. I can really only conclude that it's a false positive. I've run nearly every scanner in the book, but nothing has been found. My only possible recommendation would be to uninstall and then reinstall the program and see if that helps; then perhaps you could just leave the program uninstalled and try another of the excellent free antispyware programs available.

If you like, I can refer you to another HijackThis helper and see if they are able to uncover anything that I might have missed. I'm sorry that this problem seems to be unsolved, but I'm all out of ideas. Let me know what you want to do..

#42 Bill B

  • Topic Starter
  • Members
  • 162 posts

Posted 15 January 2007 - 05:52 PM

The only problem is that I have an identical setup on a 2nd system with no such alerts (plus this one has that related object in the register that I mentioned way back when - wrt QcBar, whereas this one doesn't).

Is there no way to log the activity within the system and commands relating to contact from the system that results in a call-to/from adultlinksco on the web?

I'd like to retain SS because (1) I believe it isn't a false positive and (2) I believe SS offers protection that others don't (opinions not necessarily based on anything).

In case you missed earlier mention, it is now longer than 30 days since this 1st happened.

Bill

#43 Blender

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 17 January 2007 - 06:07 PM

Hi Bill and welcome :thumbsup:

Your helper asked me to pop in for a look-see.
I don't plan on taking over the thread but rather DTrojanator & I tag-team a little.
DTrojanator will continue working with you. I'm just helping him find the problem.

Do you also get these warnings from SS when browsing or just at boot-up?
If it's warning you of outgoing connection to these URLs...something is doing it and we gotta find it.

Looks like you have Kaspersky Antihacker installed. Anything in its logs to indicate who is calling these sites?

I would like to have a look at a couple more logs please.

1.) Copy the following text to a new notepad file
Save as file name peek.bat
As file types: all files
Save it to your desktop.

cd %systemdrive%\

rem Recursive search of the whole system drive for each exact file name.
rem The first command creates peek.txt; the following ones append to it.
dir /s allch.dll > %systemdrive%\peek.txt
dir /s llch.dll >> %systemdrive%\peek.txt
dir /s qabar.dll >> %systemdrive%\peek.txt
dir /s qcbar.dll >> %systemdrive%\peek.txt
dir /s lch.dll >> %systemdrive%\peek.txt

rem Open the combined results.
notepad peek.txt

Once saved; double click it and let it run. It is going to do a recursive search through the entire drive for the files listed in batch above and log results.
After search is done notepad will pop up with results.

Post results here please.

Most of the logs you have done so far do 30 day search. I want to go further back because you mention it started before this 30 day time frame.

Please download LFiles by sebdraluorg to your Desktop or to your usual Download Folder.

http://systemzeb.free.fr/Soft/LFiles.zip

Create a folder on the desktop called LFiles. You can do this by right clicking on an empty space on the Desktop, select New folder from the popup menu and name it LFiles.
Extract all files from the zip archive into that folder. Don't run anything in the Lfiles folder till I tell you.

Attached is a file called listfiles.zip. I have to zip it cus I can't attach batch files here.
You will need to save this file and extract it to your LFiles folder.
It must be in LFiles folder to work.

Once saved, Open LFiles folder and double click ListFiles.bat. Let it run.
It will search certain folders for files created within last 60 days and log results.
Once it's finished a notepad file pops up with results.

Please post results here.

**note. It may take more than one post to get entire log in. I understand you upgraded to IE7 recently so log will be quite long.

Thanks :flowers:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
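Blender's peek.bat does a recursive search of the system drive with `dir /s` for five exact file names and collects the results in one log. The script below is an added example, not the thread's tool, that does the same job in Python: it walks a directory tree, matches each basename case-insensitively (as Windows file systems do) and renders a peek.txt-style report. The directory tree it searches is constructed inside the script (`build_sample_tree`) so it runs anywhere; `find_files` and `format_report` are names chosen here.

```python
"""Recursive search for a fixed list of file names, the job peek.bat does
with ``dir /s``. Added example; not the thread's own tool."""
import os
import tempfile
from pathlib import Path

# The five names searched by peek.bat. Matching is case-insensitive because
# Windows file systems are (lch.dll and LCH.DLL are the same file).
SEARCH_NAMES = ["allch.dll", "llch.dll", "qabar.dll", "qcbar.dll", "lch.dll"]


def find_files(root, names):
    """Walk ``root`` and return {name: [full paths]} for every exact,
    case-insensitive basename match. Names with no hits map to []."""
    wanted = {n.lower(): n for n in names}
    hits = {n: [] for n in names}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            key = fn.lower()
            if key in wanted:
                hits[wanted[key]].append(os.path.join(dirpath, fn))
    return hits


def format_report(hits):
    """Render results like peek.txt: one section per searched name, with the
    size of each file found, so an empty section means 'does not exist'."""
    lines = []
    for name, paths in hits.items():
        lines.append(f"== {name}: {len(paths)} match(es)")
        for p in sorted(paths):
            size = os.stat(p).st_size
            lines.append(f"   {size:>10} bytes  {p}")
    return "\n".join(lines)


def build_sample_tree():
    """Constructed directory tree (not from the thread): one real hit for
    lch.dll in a nested folder, a decoy whose name merely contains 'lch.dll'
    and must not match, and an unrelated file."""
    root = tempfile.mkdtemp(prefix="peek_")
    sys32 = Path(root) / "WINDOWS" / "system32"
    progs = Path(root) / "Program Files" / "Example"
    sys32.mkdir(parents=True)
    progs.mkdir(parents=True)
    (sys32 / "LCH.DLL").write_bytes(b"\x00" * 16)        # exact match, different case
    (progs / "notlch.dll.bak").write_bytes(b"x")          # decoy: not an exact name
    (sys32 / "kernel32.dll").write_bytes(b"MZ")           # unrelated file
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(format_report(find_files(sample_root, SEARCH_NAMES)))
```

One caveat worth knowing when reading a real peek.txt: `dir` without the `/a` switch omits files carrying the hidden or system attribute, so a DLL that has been marked hidden would not show up even though it is on the disk; `os.walk` in the script above lists every entry regardless of attributes.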

#44 Bill B

  • Topic Starter
  • Members
  • 162 posts

Posted 17 January 2007 - 06:47 PM

Hi, Blender. Only at start-up, but I sometimes get a SS alert message bottom right on powering down - always of 2 alerts - but it never responds to my attempt to activate the button detail (probably, I'm guessing, because SS at that point is shut down). I'm assuming the reference to 2 alerts relates to that at start-up and that when the protection comes off at power down. The power down message only mentions 2 alerts and not the web address or anything else.

Wrt Kaspersky, you'd have to monkey-see/do me. I did look at the 3 logs, and the last reference is to Nov 23, indicating repulsed.

Here are the results of peek.bat:

Volume in drive C is BCW
Volume Serial Number is 9891-937B
Volume in drive C is BCW
Volume Serial Number is 9891-937B
Volume in drive C is BCW
Volume Serial Number is 9891-937B
Volume in drive C is BCW
Volume Serial Number is 9891-937B
Volume in drive C is BCW
Volume Serial Number is 9891-937B

When ListFiles.bat is run, I get the message "Run-time error '6': Overflow." Here are the results generated:

C:\WINDOWS\system32\wpa.dbl
C:\WINDOWS\system32\MRT.exe
C:\WINDOWS\system32\initdebug.nfo
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\CONFIG.NT
C:\WINDOWS\system32\wmvcore.dll
C:\WINDOWS\system32\jupdate-1.5.0_09-b03.log
C:\WINDOWS\system32\PerfStringBackup.INI
C:\WINDOWS\system32\perfh009.dat
C:\WINDOWS\system32\perfc009.dat


C:\Documents and Settings\Bill\ntuser.dat.LOG -->17/01/2007 6:43:36 PM
C:\Documents and Settings\Bill\NTUSER.DAT -->17/01/2007 5:06:24 PM
C:\Documents and Settings\Bill\ntuser.ini -->17/01/2007 5:06:12 PM

C:\Documents and Settings\All Users\ntuser.dat.LOG -->11/01/2007 10:15:01 AM

C:\Program Files\AcqURL\ACQ.INI -->14/01/2007 10:56:10 PM
C:\Program Files\AcqURL\ACQ.drt -->14/01/2007 10:56:10 PM
C:\Program Files\AcqURL\acq.dat -->14/01/2007 10:56:00 PM
C:\Program Files\AcqURL\Acqurl.GID -->15/12/2006 2:18:00 PM
C:\Program Files\AcqURL\Disk.ACQ -->30/11/2006 6:52:53 PM
C:\Program Files\AcqURL\Disk.bak -->30/11/2006 6:52:00 PM
C:\Program Files\AcqURL\ManualURL.txt -->30/11/2006 6:51:29 PM
C:\Program Files\Legacy\Legacy8.usr -->09/01/2007 1:26:59 PM
C:\Program Files\Legacy\Legacy7.usr -->09/01/2007 1:26:59 PM
C:\Program Files\Legacy\Legacy6.usr -->09/01/2007 1:26:59 PM
C:\Program Files\Legacy\Legacy5.usr -->09/01/2007 1:26:59 PM
C:\Program Files\Legacy\Legacy2.usr -->09/01/2007 1:26:59 PM
C:\Program Files\Legacy\Legacy.usr -->09/01/2007 1:26:59 PM
C:\Program Files\Legacy\Language.usr -->09/01/2007 1:26:59 PM
C:\Program Files\LView Pro 20\LViewPro.GID -->27/12/2006 3:21:20 PM
C:\Program Files\Mozilla Firefox\install.log -->14/01/2007 1:58:34 PM
C:\Program Files\Mozilla Firefox\xpistub.dll -->12/12/2006 10:12:29 PM
C:\Program Files\Mozilla Firefox\xpicleanup.exe -->12/12/2006 10:12:28 PM
C:\Program Files\Mozilla Firefox\xpcom_core.dll -->12/12/2006 10:12:27 PM
C:\Program Files\Mozilla Firefox\xpcom_compat.dll -->12/12/2006 10:12:26 PM
C:\Program Files\Mozilla Firefox\xpcom.dll -->12/12/2006 10:12:25 PM
C:\Program Files\Mozilla Firefox\updater.exe -->12/12/2006 10:12:24 PM
C:\Program Files\Mozilla Firefox\ssl3.dll -->12/12/2006 10:12:24 PM
C:\Program Files\Mozilla Firefox\smime3.dll -->12/12/2006 10:12:23 PM
C:\Program Files\Mozilla Firefox\plds4.dll -->12/12/2006 10:12:22 PM
C:\Program Files\Mozilla Firefox\plc4.dll -->12/12/2006 10:12:21 PM
C:\Program Files\Mozilla Firefox\nssckbi.dll -->12/12/2006 10:12:20 PM
C:\Program Files\Mozilla Firefox\nss3.dll -->12/12/2006 10:12:19 PM
C:\Program Files\Mozilla Firefox\nspr4.dll -->12/12/2006 10:12:18 PM
C:\Program Files\Mozilla Firefox\js3250.dll -->12/12/2006 10:12:17 PM
C:\Program Files\Mozilla Firefox\firefox.exe -->12/12/2006 10:12:16 PM
C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll -->12/12/2006 10:12:15 PM
C:\Program Files\Mozilla Firefox\updater.ini -->04/12/2006 11:15:24 PM
C:\Program Files\Mozilla Firefox\softokn3.dll -->04/12/2006 11:15:23 PM
C:\Program Files\Mozilla Firefox\softokn3.chk -->04/12/2006 11:15:23 PM
C:\Program Files\Mozilla Firefox\freebl3.dll -->04/12/2006 11:15:23 PM
C:\Program Files\Mozilla Firefox\freebl3.chk -->04/12/2006 11:15:23 PM
C:\Program Files\Mozilla Firefox\browserconfig.properties -->04/12/2006 11:15:23 PM
C:\Program Files\Mozilla Firefox\README.txt -->04/12/2006 11:15:18 PM
C:\Program Files\Mozilla Firefox\LICENSE -->04/12/2006 11:15:18 PM
C:\Program Files\Opera\OperaDef6.ini -->29/12/2006 5:38:26 AM
C:\Program Files\Opera\OUsr600.dat -->29/11/2006 11:31:21 PM
C:\Program Files\Spybot - Search & Destroy\advcheck.dll -->02/01/2007 3:04:20 PM
C:\Program Files\Spybot - Search & Destroy\Tools.dll -->02/01/2007 3:03:18 PM
C:\Program Files\Spybot - Search & Destroy\unins000.dat -->27/12/2006 12:42:55 PM
C:\Program Files\Spybot - Search & Destroy\unins000.exe -->27/12/2006 12:39:41 PM
C:\Program Files\SpywareBlaster\sbversion2.txt -->13/01/2007 11:55:30 AM
C:\Program Files\SpywareBlaster\rsdatabase.dtb -->06/01/2007 7:12:42 PM
C:\Program Files\SpywareBlaster\sbdatabaseinf.dtb -->09/12/2006 12:36:02 PM
C:\Program Files\SpywareBlaster\sbdatabase.dtb -->09/12/2006 12:36:02 PM
C:\Program Files\TrojanHunter 4.2\THSec.dll -->17/01/2007 6:17:34 PM
C:\Program Files\TrojanHunter 4.2\THGuard.ini -->17/01/2007 5:05:47 PM
C:\Program Files\TrojanHunter 4.2\signatures.zip -->14/01/2007 8:25:48 PM
C:\Program Files\TrojanHunter 4.2\IL.ini -->13/01/2007 2:41:43 PM
C:\Program Files\TrojanHunter 4.2\winstate.ini -->13/01/2007 2:41:41 PM
C:\Program Files\TrojanHunter 4.2\TrojanHunter.ini -->13/01/2007 2:41:41 PM
C:\Program Files\TrojanHunter 4.2\TreeState.dat -->13/01/2007 2:41:41 PM
C:\Program Files\Winamp\Winamp.ini -->08/01/2007 11:22:01 AM
C:\Program Files\Winamp\winamp.m3u -->08/01/2007 11:21:58 AM

I'm assuming you didn't ask me to run the 60-day reports in the apps that David asked me to run for 30 days.

Bill

#45 Blender

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 17 January 2007 - 10:52 PM

Hi

First log went fine. Looks like those files don't exist.

I'm assuming you didn't ask me to run the 60-day reports in the apps that David asked me to run for 30 days


The Listfiles.bat was supposed to show me new files created in last 60 days rather than last 30 like the tools Dave had you run.
Since the other logs showed nothing malicious in registry...I was just looking for files.

Kaspersky Antihacker I know little about. I never ran it. David may know more.
Nov 23 in your Kaspersky log... Is this about the time these connection attempts started?
Does the reference in log show what exactly was connecting?

Can you grab me a screenshot of the SS warning you see at boot?

To get a screenshot:
Press the "PrtSC" key or "Print Screen" key on keyboard. (it is to right of the f12 key)
Go to start> programs> accessories> paint.
Open Paint
Right click in open paint window and choose "paste"
Click "file"> "save as..."
Call it whatever you want.jpg
Change the file types as ".Jpg, .Jpeg" (this makes it smaller than the default .bmp)
Save it.

You can upload the screenshot to David's Mrc like you did with your rootkitreveal log and WinPFind log.


First time I have seen that error message with ListFiles. :thumbsup:
Let's hold off on that for now.
I'm not sure yet where the problem is. I think I'm just asking the program to do too much work, causing it to choke. I may have to break up the batch a little and do 2 scans instead of 1. Later though.



Something else I spotted too when I looked at the rootkit log.
Since Norton is now uninstalled you can get rid of its "protected recycle bin" files that are likely taking up a few hundred MB at least. You will never be able to access what is there now anyway without Norton.
They are a waste of space since you have no access to the files there.

How do we do this?

Click start> run> type cmd and press enter.
"Dos" window pops up.

Type the following command and hit enter:

rmdir /s /q \\?\c:\recycler\nprotect

This may take a few minutes.
If you get any error messages, please let me know.
This will remove the whole hidden C:\RECYCLER\NPROTECT directory and everything in it.

------------------------------

In your Post # 30 you had found this entry in regedit:
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D6FC35D1-04AB-4D40-94CF-2E5AE4D0F8D2}

This entry is fine to keep. It is what SpywareBlaster has installed to Block this malware install. It is stopping install of this ActiveX component if you visit a site that tries to install it.

I wonder if this is what SS is flagging? There is an easy enough way to check.

Can we try something?
Open your SpywareBlaster.
Once it is loaded; click on "Internet Explorer" at top.
Right click in the list window and choose "find"
Paste this into the find window:

{D6FC35D1-04AB-4D40-94CF-2E5AE4D0F8D2}

Hit OK.

It will locate that item.
Uncheck it. (this removes the protection for that item only)
Click "remove protection for unchecked items"
SpywareBlaster will re-load and should show you 1 unprotected item in "status".
Exit SpywareBlaster.

Do a full reboot & see if SS gives you warning at boot or shutdown.
Let me know.
You can go back into SpywareBlaster and re-enable protection if you like.
If disabling it stops the warnings....we know it is a SS false positive. Just a minor "conflict".
It is common for Anti-Spyware apps to flag other antimalware apps protection. Also fairly easy for them to fix once they know about it.

Thanks :flowers:

Blender
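Blender's point that the {D6FC35D1-04AB-4D40-94CF-2E5AE4D0F8D2} entry is SpywareBlaster's protection rather than an infection rests on how Internet Explorer's "kill bit" works: a subkey under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility named after a CLSID carries a "Compatibility Flags" DWORD, and when bit 0x400 is set IE refuses to load that control. The script below is an added example, not SpywareBlaster's code or the thread's: it parses a regedit export of that key and lists the CLSIDs whose kill bit is set, which is a quick way to tell "blocked by a protection tool" apart from "installed". The .reg text is constructed here; the first CLSID is the one quoted in the thread, the other two are placeholders, and the function names are chosen here.

```python
"""List CLSIDs with the Internet Explorer kill bit set, from a regedit (.reg)
export of the ActiveX Compatibility key. Added example; not SpywareBlaster's
code or the thread's."""
import re

# Kill bit: bit 0x400 of the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
KILL_BIT = 0x00000400
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")

# Constructed export. First CLSID is the one from the thread; the second is a
# placeholder with no kill bit; the third is a placeholder with the kill bit
# plus an unrelated bit, to show that the check must be a mask, not equality.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D6FC35D1-04AB-4D40-94CF-2E5AE4D0F8D2}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000408
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_compat_flags(reg_text):
    """Return {CLSID: flags} for every subkey of the ActiveX Compatibility
    key found in a .reg export. Subkeys with no flags value map to 0."""
    prefix = (COMPAT_KEY + "\\").lower()
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            # Only subkeys of the compatibility key are of interest.
            if key.lower().startswith(prefix):
                current = key[len(prefix):]
                flags.setdefault(current, 0)
            else:
                current = None
            continue
        if current is None:
            continue
        m = _FLAGS.match(line)
        if m:
            flags[current] = int(m.group(1), 16)
    return flags


def kill_bit_set(flag_value):
    """True when the kill bit is present, whatever other bits are set."""
    return bool(flag_value & KILL_BIT)


def killed_clsids(reg_text):
    """Sorted list of CLSIDs that IE will refuse to load."""
    return sorted(c for c, f in parse_compat_flags(reg_text).items()
                  if kill_bit_set(f))


if __name__ == "__main__":
    for clsid in killed_clsids(SAMPLE_REG):
        print("kill bit set:", clsid)
```

When reading a real export rather than the embedded text, note that regedit writes .reg files as UTF-16 LE, so open them with `encoding="utf-16"`. Unchecking the item in SpywareBlaster and choosing "remove protection", as Blender describes, drops this flag for that one CLSID, which is why the reboot test isolates whether Spy Sweeper is reacting to the kill-bit entry.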