suspected worm and keylogger



rda77
2007-04-02, 06:54
hi, I have 2 items of concern

1) something strange happened recently where, upon connecting to the internet, my computer gave a warning that it would restart in 60 seconds, the message being something like "This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM". A quick Google search indicates that this could be a symptom of the Blaster or Sasser worms; however, I could not see the corresponding processes (msblast.exe or avserve.exe/(digits)_up.exe) in the task manager.

2) I was prompted to do a scan with avast (which I haven't done for a while), which turned up 2 files corresponding to a WoW keylogger (I guess this would explain how my brother's WoW account got hacked a while back). Avast quarantined the 2 files, but I am uncertain as to whether the cleanup is complete, and whether there might be other undetected keyloggers on my computer.

(scans with spybot and ad-aware (definitions recently updated), and online scans with etrust, bit defender and trend micro all came up with nothing)

I was wondering if you could have a look at my HijackThis log to see if you think there is anything unusual, and if you have any recommendations as to how to purge any worms or keyloggers that I might have on my computer.

Logfile of HijackThis v1.99.1
Scan saved at 1:52:47 PM, on 2/04/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\Program Files\Unwired\UwSCT.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unwired.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
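A HijackThis log like the one above is reviewed by hand in this thread. As an added example (not code from the original post or from HijackThis), the following Python script parses lines in the v1.99 format and attaches the triage flags a reviewer applies mentally: dangling "(file missing)" entries, O4 Run entries that name a bare executable resolved through the search path, 8.3 short-name paths, ActiveX downloads (O16), and services with no publisher (O23). The sample log is constructed from a handful of representative lines; the flag names are this script's own. The "possible-parse-artifact" flag encodes a known HijackThis 1.99 quirk: a quoted service ImagePath such as `"...\ashMaiSv.exe" /service` is split at the quote, so the trailing `"` before the arguments marks the "(file missing)" as a likely false positive rather than a real missing file.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the HijackThis v1.99.1 line format: a few representative
# entries, not the full log from the post.
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unwired.com.au/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
'''

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def review_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line and attach triage flags (heuristics, not verdicts)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m.group("section"), m.group("body"))
    c = CLSID_RE.search(e.body)
    if c:
        e.clsid = c.group(0).upper()   # handy for looking the component up later
    if e.body.endswith("(file missing)"):
        # Dangling reference: the registry still points at a file that is gone.
        e.flags.append("file-missing")
        # HijackThis 1.99 splits a quoted ImagePath ("...\x.exe" /service) at the
        # quote, so a stray '" ' before the arguments marks a likely false positive.
        if '" ' in e.body:
            e.flags.append("possible-parse-artifact")
    if e.section == "O4":
        r = RUN_RE.search(e.body)
        if r:
            cmd = r.group("cmd").strip()
            parts = cmd.lstrip('"').split()
            first = parts[0] if parts else ""
            if first and "\\" not in first and "/" not in first:
                # No directory given: Windows resolves it via the search path at
                # logon, so a same-named file earlier in the path would win.
                e.flags.append("bare-filename")
            if re.search(r"~\d", cmd):
                # 8.3 short name; expand it (dir /x) before judging the target.
                e.flags.append("short-name-path")
    elif e.section == "O16":
        e.flags.append("activex-download")       # code fetched from a URL
    elif e.section == "O23" and "Unknown owner" in e.body:
        e.flags.append("no-publisher")           # service binary carries no company name
    return e


def review_log(text: str) -> List[Entry]:
    return [e for e in (review_entry(ln) for ln in text.splitlines()) if e]


def summarize(entries: List[Entry]) -> Counter:
    """Count how often each flag occurs across the log."""
    return Counter(f for e in entries for f in e.flags)


if __name__ == "__main__":
    found = review_log(SAMPLE_LOG)
    for e in found:
        print(f"{e.section:4} {','.join(e.flags) or '-':45} {e.body[:60]}")
    print(dict(summarize(found)))
```

The flags only sort the log into entries worth a second look; an entry with no flag can still be malicious, and a flagged one (the avast service above) can be entirely legitimate, which is why the thread still cross-checks with a second scanner.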

shelf life
2007-04-02, 23:39
hi rda77,

your antivirus should take care of any worm (if it's up to date). spybot would be better at sniffing out any keyloggers. I don't see anything in the log that looks out of place except for this:
[InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe

any idea what that is?


shelf life

rda77
2007-04-03, 00:52
hi shelf life, thanks for your help. The mum.exe program is a tool provided by our internet service provider to monitor usage. The avast definitions are up to date, and a scan after the aforementioned one turned up nothing. I've been doing weekly scans with spybot and it hasn't turned up anything for a long time except cookies (I believe it didn't turn up anything either during the time my brother had his WoW account hacked). Is there anything that you would recommend that we do to search for hidden malware on our system?

shelf life
2007-04-03, 03:02
hi rda77,


a tool provided by our internet service provider to monitor usage

to keep track of your bandwidth, I guess.

if you want to get a 2nd opinion on any malware then I would download, update and scan with one of these:

superantispyware: has a free version

AVG antispyware: becomes a limited version (no real time protection, unless you purchase) after 30 days. can still update/scan though

http://www.superantispyware.com/

http://free.grisoft.com/freeweb.php/doc/20/lng/us/tpl/v5

shelf life

rda77
2007-04-03, 15:54
hi shelf life, scanning with AVG antispyware only turned up cookies but superantispyware found something in the registry. not sure if it's anything but pasting below:

SUPERAntiSpyware Scan Log
Generated 04/03/2007 at 09:23 PM

Application Version : 3.6.1000

Core Rules Database Version : 3211
Trace Rules Database Version: 1222

Scan type : Custom Scan
Total Scan Time : 00:22:58

Memory items scanned : 360
Memory threats detected : 0
Registry items scanned : 4507
Registry threats detected : 10
File items scanned : 25597
File threats detected : 2

Unclassified.Oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities

Adware.Tracking Cookie
C:\Documents and Settings\aj\Cookies\aj@ad.sensismediasmart.com[1].txt
C:\Documents and Settings\aj\Cookies\aj@ads.blizzard[1].txt

shelf life
2007-04-03, 23:27
hi rda77,

what SAS found most likely isn't malware because you would have other indications of it in the hjt log and/or the AVG, spybot report. it would be difficult for malware to slip by all of them.

you can look here:
C:\windows\system32\drivers\OREANS32.sys

and upload it so it can be checked out:
http://www.virustotal.com/en/indexf.html

rda77
2007-04-04, 01:27
hi shelf life, I couldn't find the file in that folder (or c drive), but if you think it's nothing it's ok. The 2 things I described in my first post are disconcerting, but maybe the first wasn't malware related (do you have any idea what could have caused it?) and hopefully the second is cleaned up. Anything else you would suggest following up with?

shelf life
2007-04-04, 04:31
hi rda77,

that "shutdown notice" is a sign of a worm from several years ago due to a vulnerability in windows. you have up-to-date antivirus and from what I remember service pack 4 is the latest in W2k.
with all the malware scans and online scans I think you are safe.
you can run a blaster removal tool. there is a link to removal tool here:

http://www.symantec.com/security_response/writeup.jsp?docid=2003-081119-5051-99

rda77
2007-04-04, 12:29
ok thanks shelf life, appreciate all your help :)

shelf life
2007-04-06, 00:13
hi rda77,

glad to help, happy safe surfing.


for your reference:

Prevention-or How Can I Help Myself? (http://security-central.us/SafeHex/prevention.htm)

rda77
2007-04-06, 11:54
hi, sorry to be back, I just ran rootkitrevealer and wanted to post the log to see if it could be anything

HKU\S-1-5-21-1935655697-329068152-682003330-1001\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 23/03/2007 11:19 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC* 2/02/2006 11:48 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2/02/2006 11:48 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:2432b3ea-153e-40fa-993a-f0448c27ebf3* 2/02/2006 11:18 AM 0 bytes Key name contains embedded nulls (*)

(i ran blacklight too and it came up with nothing)

rda77
2007-04-06, 12:52
I did a quick search of the sysinternals forums and it seems that the entries are false positives
thanks again for your help :)

shelf life
2007-04-07, 20:49
hi rda77,

ok, good. Oreans registry entries might be anti-cracking protection that came with some software (you know, just in case you launch SôFtiCE).

see link:
http://www.oreans.com/index.php