yet another zlob post



sliverpix
2007-10-02, 06:17
:oops: yet another "fella" who caught a bug :oops:

Spybot reports zlob.dnsdownloader, Google links redirect to ad sites and porn links, eTrust Antivirus reports trojan.win32.agent (of some kind or another), and I've spent the last 5 hours picking through posts, web logs, registry entries, system logs... and I'm beat :sad: Never thought I would say that.

I did locate agent.dll in the Windows/System32/ directory, a registry entry pointing to Otoyax.exe, and pwjvmxcc.exe (not sure what that one is). Gacked the agent.dll and the entries for otoy and pwjvmxcc.exe. Restarted; still showing zlob.

I can post the HJT log when ready, but the Kaspersky log will be a while yet. I'm running it as soon as I post this.

sliverpix
2007-10-02, 13:13
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 02, 2007 5:54:55 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 2/10/2007
Kaspersky Anti-Virus database records: 426197
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 119784
Number of viruses found: 8
Number of infected objects: 9
Number of suspicious objects: 2
Duration of the scan process: 01:31:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\bb3d89be2b010c65e41ce2a7dd91ea66_9e4ad874-7c91-44bc-a335-4248ed845327 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\00022c2603476789e7f0234376038884_ba6f4d53-dbb1-4122-8d1b-3f67ab68fe10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\54906833400d5d1d213344e9285e0337_ba6f4d53-dbb1-4122-8d1b-3f67ab68fe10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy7.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6TT6AR5K\a_6_0[1].txt Infected: Trojan-Dropper.Win32.Agent.si skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\GDIPFONTCACHEV1.DAT Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\Access\ACWZUSRT.MDT Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\Access\System.mdw Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\Address Book\sliverpix.wab Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\Address Book\sliverpix.wab~ Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\Credentials\S-1-5-21-1957994488-1078145449-854245398-1003\Credentials Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\08E382DC40DC2B571439BB7A5449C239 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\09F090C7AE92FC04744577C9E1B88C1F Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\0F47DC09E8159B59B1C54696782DEBA2 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\107367539B7C89418A100A6FF29C5EAC Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\1EF144DBD073C623BD1B4B085A16A163 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\25B3519F5635637170C6C3D8822ADF8B Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\25DC8EBAAF0977851B37F37B2F6458F4 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\2BBA88436E92E1ABCED8E68D74DC5B38 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\38903F72C99ED91E273055D020E053EF Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\56BDEAABA957B2AEC25CCE688FEE4362 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\58CD5A7B50D443BF92E53ED62BAAA1F2 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\5E6E037B1F0A6390DCD368AB776498D5 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\5F74056C561F814B7771CB2993A44DEB Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\6C68A73125F3238F044A8115D96841B6 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\84E94F4961B461F2C142199C3AB48F5B Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\8E4817082536D8AD08C5B04CE63CBC33 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\A66496915E372C06F0D8C0CC31F81B97 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\A722DD0408D31B48F1599878CA31591F Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\C0210176C0F75955614C71039BADF7FF Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\C69FAAD80E5717FDD06CDA402566AD77 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\C6A388187839B4F171205E785FD7FBD2 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\D8FD7AB99572907971DF6A4722C343CC Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\FA86BF66415C6947457ED2951ED081AE Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\FB788E090BC1F3AA2FBC9E8FB2859601 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\Content\FC56C550B2C1FAEA5324BA8B80374252 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\08E382DC40DC2B571439BB7A5449C239 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\09F090C7AE92FC04744577C9E1B88C1F Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\0F47DC09E8159B59B1C54696782DEBA2 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\107367539B7C89418A100A6FF29C5EAC Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\1EF144DBD073C623BD1B4B085A16A163 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\25B3519F5635637170C6C3D8822ADF8B Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\25DC8EBAAF0977851B37F37B2F6458F4 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BBA88436E92E1ABCED8E68D74DC5B38 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\38903F72C99ED91E273055D020E053EF Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\56BDEAABA957B2AEC25CCE688FEE4362 Object is locked skipped

sliverpix
2007-10-02, 13:14
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\58CD5A7B50D443BF92E53ED62BAAA1F2 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\5E6E037B1F0A6390DCD368AB776498D5 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\5F74056C561F814B7771CB2993A44DEB Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\6C68A73125F3238F044A8115D96841B6 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\84E94F4961B461F2C142199C3AB48F5B Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\8E4817082536D8AD08C5B04CE63CBC33 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\A66496915E372C06F0D8C0CC31F81B97 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\A722DD0408D31B48F1599878CA31591F Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\C0210176C0F75955614C71039BADF7FF Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\C69FAAD80E5717FDD06CDA402566AD77 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\C6A388187839B4F171205E785FD7FBD2 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\D8FD7AB99572907971DF6A4722C343CC Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\FA86BF66415C6947457ED2951ED081AE Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\FB788E090BC1F3AA2FBC9E8FB2859601 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\CryptnetUrlCache\MetaData\FC56C550B2C1FAEA5324BA8B80374252 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1957994488-1078145449-854245398-1003\64139f8ec2e225b349813a5af475bf72_9e4ad874-7c91-44bc-a335-4248ed845327 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1957994488-1078145449-854245398-1003\6b29ae44e85efac3c72ff4d1865d73f1_9e4ad874-7c91-44bc-a335-4248ed845327 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1957994488-1078145449-854245398-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e4ad874-7c91-44bc-a335-4248ed845327 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1957994488-1078145449-854245398-1003\bb3d89be2b010c65e41ce2a7dd91ea66_9e4ad874-7c91-44bc-a335-4248ed845327 Object is locked skipped
C:\Documents and Settings\sliverpix\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1957994488-1078145449-854245398-1003\d642018b883da684e9c7dcbbfa2f2836_9e4ad874-7c91-44bc-a335-4248ed845327 Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Application Data\Apple Computer\iTunes\iTunes.pref Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Application Data\ApplicationHistory\SL193.tmp.715db36d.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Application Data\ApplicationHistory\SL1A9.tmp.7fd71f4b.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Application Data\GDIPFONTCACHEV1.DAT Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Application Data\Google\autofill.dat Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Application Data\IconCache.db Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temp\control.xml Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temp\harrypotter4dvd.bmp Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temp\jupdate1.5.0.xml Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temp\jusched.log Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temp\maybelline2.bmp Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temp\nascar.bmp Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temp\Q-Setup.log Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temp\Qurb.log Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temp\sims2ofb.bmp Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temp\soccer.bmp Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\0DWD6NOT\b1d4ffcbab0947bea4db892f7e43499bfb82ed2da7d044cf8f447903b73967fca[1].js Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\0DWD6NOT\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\0NDZA2J9\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\1W0Z91OP\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\6LN0XG7U\BurstingInteractionsPipe[1].htm Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\6LN0XG7U\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\C123SH27\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\CH2FKH63\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\DVNB55WE\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\DWSJP1KT\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\OTEN4HAF\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\PRR7X5WE\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\U3E7E5I7\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\UD8JA5QT\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\W7TF66JL\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\W9GFKZSN\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\WTI7WPUF\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\Content.IE5\Y9LMRUXK\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\Local Settings\Temporary Internet Files\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix\My Documents\desktop.ini Object is locked skipped
C:\Documents and Settings\sliverpix.SLIVERCOMP\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sliverpix.SLIVERCOMP\Local Settings\History\History.IE5\MSHist012007100220071003\index.dat Object is locked skipped
C:\Documents and Settings\sliverpix.SLIVERCOMP\Local Settings\Temp\cax97.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\Documents and Settings\sliverpix.SLIVERCOMP\Local Settings\Temp\~DFE4C1.tmp Object is locked skipped
C:\Documents and Settings\sliverpix.SLIVERCOMP\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\sliverpix.SLIVERCOMP\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sliverpix.SLIVERCOMP\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\sliverpix.SLIVERCOMP\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-1957994488-1078145449-854245398-1003\Dc1.xls Object is locked skipped
C:\RECYCLER\S-1-5-21-1957994488-1078145449-854245398-1003\Dc2.lnk Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\WPA.bak Object is locked skipped
C:\System Volume Information\_restore{159CB225-65A3-485E-B238-7E75D9665C68}\RP550\A0068896.dll Infected: Trojan.Win32.Agent.qg skipped
C:\System Volume Information\_restore{159CB225-65A3-485E-B238-7E75D9665C68}\RP550\change.log Object is locked skipped
C:\temp\pootz_58.exe/WISE0001.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\temp\pootz_58.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\temp\pootz_58.exe WiseSFX: infected - 2 skipped
C:\temp\SAHPackage.exe Infected: Trojan-Dropper.Win32.Agent.lh skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\SLIVERCOMP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT04022.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\Downloads\WoW Addons\Auction House\WOWEcon.exe Infected: Trojan-PSW.Win32.WOW.ps skipped
E:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
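As an added example, not part of the original post and not Spybot's or Kaspersky's own tooling: a short Python script that reads a Kaspersky Online Scanner report in the format above, drops the "Object is locked skipped" noise (those are in-use system files the scanner could not open, not detections), and buckets the real findings by where they live. A finding in a System Restore snapshot is cleared by purging restore points, one under Spybot's Recovery folder is Spybot's own backup of something it already removed, a browser-cache or profile-temp file is a dropped payload rather than a running component, and a "not-a-virus:" verdict is riskware to be judged by context. What remains in the on_disk bucket is what actually needs attention. The embedded report is constructed from lines of the posted log; the bucket names and rule order are this example's own choices.

```python
"""Triage a Kaspersky Online Scanner report: drop locked-object noise,
keep real findings, and bucket them by location so the reader can see
what actually needs action."""
import re
from collections import defaultdict

# Constructed sample in the report format above; the paths and verdicts
# are lifted from the posted log, but this is test input, not the full log.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6TT6AR5K\a_6_0[1].txt Infected: Trojan-Dropper.Win32.Agent.si skipped
C:\System Volume Information\_restore{159CB225-65A3-485E-B238-7E75D9665C68}\RP550\A0068896.dll Infected: Trojan.Win32.Agent.qg skipped
C:\temp\pootz_58.exe/WISE0001.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\temp\pootz_58.exe WiseSFX: infected - 2 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy7.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\sliverpix.SLIVERCOMP\Local Settings\Temp\cax97.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
E:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
E:\Downloads\WoW Addons\Auction House\WOWEcon.exe Infected: Trojan-PSW.Win32.WOW.ps skipped

Scan process completed.
"""

# One finding per line: <path> <verdict> <last action>. The path may contain
# spaces, so it is matched non-greedily up to one of the known verdict forms.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>Object is locked"
    r"|Infected: \S+"
    r"|Suspicious: \S+"
    r"|\S+: (?:infected|suspicious) - \d+)"
    r"\s+(?P<action>\S+)$"
)

# Path-based buckets, checked in order; the first match wins.
LOCATION_RULES = [
    ("restore_point", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("browser_cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
    ("profile_temp", re.compile(r"\\Local Settings\\Temp\\", re.I)),
    ("quarantine_backup", re.compile(r"\\Spybot - Search & Destroy\\Recovery\\", re.I)),
]

# Display order: the live on-disk files come first.
PRIORITY = ["on_disk", "profile_temp", "browser_cache", "restore_point",
            "quarantine_backup", "not_a_virus", "archive_summary"]


def parse_report(text):
    """Return the real findings as dicts; locked-object lines are dropped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("verdict") == "Object is locked":
            continue
        findings.append(m.groupdict())
    return findings


def classify(finding):
    """Assign a finding to one bucket (see PRIORITY for the order)."""
    verdict, path = finding["verdict"], finding["path"]
    if re.match(r"\S+: (?:infected|suspicious) - \d+$", verdict):
        return "archive_summary"     # roll-up of archive members listed separately
    if "not-a-virus:" in verdict:
        return "not_a_virus"         # riskware/adware; judge by context
    for bucket, pattern in LOCATION_RULES:
        if pattern.search(path):
            return bucket
    return "on_disk"                 # a live file that was not just cached


def triage(text):
    """Map bucket name -> list of (path, verdict) in report order."""
    buckets = defaultdict(list)
    for f in parse_report(text):
        buckets[classify(f)].append((f["path"], f["verdict"]))
    return dict(buckets)


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket in PRIORITY:
        for path, verdict in result.get(bucket, []):
            print(f"{bucket:18} {verdict:45} {path}")
```

Run against the sample, the script leaves two on_disk entries (the WOWEcon.exe download and the member of C:\temp\pootz_58.exe), one restore-point entry, one browser-cache drop, one Spybot backup, and two riskware flags; the locked SAM hive line is discarded. Feeding it the full posted report works the same way, since the line format is identical.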

sliverpix
2007-10-02, 13:16
Logfile of HijackThis v1.99.1
Scan saved at 7:15:43 AM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAV.exe
E:\Downloads\Tweaks and Tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {091B08A0-1336-1F75-E47E-01405A46D189} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {E5A1691B-D188-4419-AD02-90002030B8EE} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [pwjvmxcc] C:\WINDOWS\system32\pwjvmxcc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.slivers-net.org
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.1.99.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} -
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} -
O16 - DPF: {4453D895-F2A1-4A38-A285-1EF9BD3F6D5D} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143093171484
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} -
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} -
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} -
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-440000000000} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E2F9D054-D2B5-4CE8-9BDF-8BF3A81DB7E9} -
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache2.2 - Unknown owner - E:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

pskelley
2007-10-12, 16:10
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Let me apologize and show you this: "Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count. The same applies to bumping, please don't."
You also missed this: http://forums.spybot.info/forumdisplay.php?f=37

I am showing you this to help in the future. We volunteers work at many forums, and when we stop by to help we look for folks with 0 responses or who have waited without help and posted in the Waiting Room. In your case neither happened. I can see you were infected at the time you posted. If you have not resolved your issues, please post a fresh HJT log, describe briefly any symptoms, and post any error message you may have received "word for word", and I will respond as soon as possible after you post. If your issues are resolved, please post to let me know so I can close your topic.

Thanks...Phil

pskelley
2007-10-19, 09:35
No response in over a week; this topic is closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks