View Full Version : Trojan Horse PSW Generic 5.VXD file cscu.dll
pnbgibbs
2007-11-15, 10:57
Hi there,
I have run the Kaspersky online scanner, but output very long.
Below is HJT log:
I would greatly appeciate your help.
Kindest regards,
Phil
-----------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:47:26, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spamihilator\Spamihilator.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.1affordablecall.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.1affordablecall.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.1affordablecall.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.1affordablecall.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.32.7:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AC8DC2C-D007-4FBB-A1A5-95033E860888} - C:\WINDOWS\system32\cscu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\Spamihilator.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk.disabled
O4 - Startup: Office Startup.lnk.disabled
O4 - Startup: reminder-ScanSoft Product Registration.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-phil gibbs.html
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-phil gibbs.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-phil gibbs.html (HKCU)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4687/mcfscan.cab
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
pskelley
2007-11-16, 16:44
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Hi Phil, I may need that Kaspersky scan results especially if it showing anything, the HJT log is showing little. Let's remove what I do see, and see what happens.
Information first: http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Win32/Agent.ADH&threatid=172775
These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
You may wish to consider this information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
Let's do this and see what happens:
1) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
2) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4AC8DC2C-D007-4FBB-A1A5-95033E860888} - C:\WINDOWS\system32\cscu.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\guard.tmp (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Open AVG Anti-Spyware, update the program and run a complete system scan. Delete or quarantine anything it locates and save the scan report to post.
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Post the AVG Anti-Spyware 7.5 scan report, a new HJT log and some feedback.
Thanks...Phil
pnbgibbs
2007-11-16, 19:44
Hi there,
Many, many thanks for feedback. The AVG Anti-Spyware is clear.
The HJT output is below. It removed 3/4 of the ones you asked me to attempt, but left the issue = cscu.dll. Please see below.
I have followed the recommendations at http://forums.spybot.info/showthread.php?p=125627 including AVENGER but did not work. I have also gone into MS-DOS and tried to delete from there.
The issue files is a C:\WINDOWS\system32\cscu.dll. Please advise.
Thansk a million for all your help.
Cheers,
Phil
____________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:36:56, on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spamihilator\Spamihilator.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.1affordablecall.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.1affordablecall.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.1affordablecall.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.1affordablecall.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.32.7:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AC8DC2C-D007-4FBB-A1A5-95033E860888} - C:\WINDOWS\system32\cscu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\Spamihilator.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk.disabled
O4 - Startup: Office Startup.lnk.disabled
O4 - Startup: reminder-ScanSoft Product Registration.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-phil gibbs.html
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-phil gibbs.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-phil gibbs.html (HKCU)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4687/mcfscan.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
pskelley
2007-11-16, 21:14
Thanks for returning your logs and the feedback, please do this first, this may be a hidden Vundo infection.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HijackThis.exe, call it pnbgibbs.exe then restart the computer and post a new HJT log.
It will look like this: C:\Program Files\Trend Micro\HijackThis\pnbgibbs.exe
I just want to make sure of what we are dealing with before we proceed.
Thanks
If you ran Avenger correctly and that did not remove that file: cscu.dll then we may have a problem, Avenger is a very powerful tool I do not move to until I have tried other removal methods.
Why don't you scan that file with one more more of these and see what it is: C:\WINDOWS\system32\cscu.dll
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
Make sure you can see it:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
pnbgibbs
2007-11-19, 11:34
Hi there,
Many, many thanks for feedback - much appreciated.
I renamed the HJT file as pnbgibbs.exe, rebooted and ran pnbgibbs.exe, rescanned and attached (below):
I have already run Kaspersky online, so have attached in separate email.
I can see the file, but as I mentioned cannot delete, even in MS DOS i.e. del /f cscu.dll.
I will try & run http://virusscan.jotti.org/ & http://www.virustotal.com/ and report back.
Many thanks again,
Phil
___________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:22:32, on 19/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spamihilator\Spamihilator.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\pnbgibbs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.1affordablecall.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.1affordablecall.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.1affordablecall.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.1affordablecall.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.32.7:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AC8DC2C-D007-4FBB-A1A5-95033E860888} - C:\WINDOWS\system32\cscu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\Spamihilator.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk.disabled
O4 - Startup: Office Startup.lnk.disabled
O4 - Startup: reminder-ScanSoft Product Registration.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-phil gibbs.html
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-phil gibbs.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-phil gibbs.html (HKCU)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4687/mcfscan.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
pnbgibbs
2007-11-19, 11:35
Hi there,
Below are the results:
----------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 14, 2007 11:50:27 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/11/2007
Kaspersky Anti-Virus database records: 459062
-----------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 103619
Number of viruses found: 12
Number of infected objects: 86
Number of suspicious objects: 37
Duration of the scan process: 05:57:34
Infected Object Name / Virus Name / Last Action
C:\1MyFiles\Downloads\Software\Anti spam\spamblockerutility.exe/stream/data0012/stream/data0001 Infected: not-a-virus:AdWare.Win32.Shopper.c skipped
C:\1MyFiles\Downloads\Software\Anti spam\spamblockerutility.exe/stream/data0012/stream Infected: not-a-virus:AdWare.Win32.Shopper.c skipped
C:\1MyFiles\Downloads\Software\Anti spam\spamblockerutility.exe/stream/data0012 Infected: not-a-virus:AdWare.Win32.Shopper.c skipped
C:\1MyFiles\Downloads\Software\Anti spam\spamblockerutility.exe/stream Infected: not-a-virus:AdWare.Win32.Shopper.c skipped
C:\1MyFiles\Downloads\Software\Anti spam\spamblockerutility.exe NSIS: infected - 4 skipped
C:\1MyFiles\Downloads\Software\eXeem0.20 File sharing ex SuprNova.exe/Stream/data0076/stream/data0006 Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\1MyFiles\Downloads\Software\eXeem0.20 File sharing ex SuprNova.exe/Stream/data0076/stream Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\1MyFiles\Downloads\Software\eXeem0.20 File sharing ex SuprNova.exe/Stream/data0076 Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\1MyFiles\Downloads\Software\eXeem0.20 File sharing ex SuprNova.exe/Stream Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\1MyFiles\Downloads\Software\eXeem0.20 File sharing ex SuprNova.exe Inno: infected - 4 skipped
C:\1MyFiles\Downloads\Software\[Full] coral paint shop pro x with Bonus.zip/setup.exe/data0011/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\1MyFiles\Downloads\Software\[Full] coral paint shop pro x with Bonus.zip/setup.exe/data0011/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\1MyFiles\Downloads\Software\[Full] coral paint shop pro x with Bonus.zip/setup.exe/data0011 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\1MyFiles\Downloads\Software\[Full] coral paint shop pro x with Bonus.zip/setup.exe/data0012/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\1MyFiles\Downloads\Software\[Full] coral paint shop pro x with Bonus.zip/setup.exe/data0012/stream Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\1MyFiles\Downloads\Software\[Full] coral paint shop pro x with Bonus.zip/setup.exe/data0012 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\1MyFiles\Downloads\Software\[Full] coral paint shop pro x with Bonus.zip/setup.exe Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\1MyFiles\Downloads\Software\[Full] coral paint shop pro x with Bonus.zip ZIP: infected - 7 skipped
C:\Documents and Settings\All Users\Application Data\Avg7\l_102687.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Phil Gibbs\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Phil Gibbs\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/1AffordableCall/Market/Web Promo/Promo e-mails/Pot Addresses/21 Oct 2003 12:00 from David Dstar:Fwd: FW: RULE BRITANNIA.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Phil Gibbs\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/1AffordableCall/Market/Web Promo/Promo e-mails/Pot Addresses/20 Oct 2003 11:20 from dawn:(agt.indexOf(.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Phil Gibbs\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/1AffordableCall/Mobile enquiries/Newsletter enquiries/01 Jan 2003 18:21 from mag2from:Arial, Helvetica, sans.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Phil Gibbs\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/1AffordableCall/Mobile enquiries/Newsletter enquiries/02 Jan 2003 11:12 to mag2from:RE: Your e-mail to 1AffordableCall.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Phil Gibbs\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Friends-Family/Friends/Friends Reunited/10 Oct 2002 20:12 from register@friendsreunited.co.uk:Welcome to.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Phil Gibbs\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: suspicious - 5 skipped
C:\Documents and Settings\Phil Gibbs\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Phil Gibbs\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Phil Gibbs\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Phil Gibbs\Local Settings\History\History.IE5\MSHist012007111420071115\index.dat Object is locked skipped
C:\Documents and Settings\Phil Gibbs\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Phil Gibbs\ntuser.dat Object is locked skipped
C:\Documents and Settings\Phil Gibbs\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Phil Gibbs\UserData\index.dat Object is locked skipped
C:\Program Files\Spamihilator\plugins\HerculeFilter.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\DHRNCV0J.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{98AF4527-E683-4082-ACAD-3916F6B02E68}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{25D77E0E-3F04-46D3-A348-7E644865F54D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\cscu.dll Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT002f7.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT05040.TMP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
pnbgibbs
2007-11-19, 11:55
Hi there,
I remember now, I have already tried to run http://virusscan.jotti.org/ with firewall removed (in ZA I switiched the firewall settings from High to OFF temporarily)and got the following message 'The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file'
The same thing happens when try to upload to http://www.virustotal.com/ (again with firewall off & even tried via SSL) - Message = '0 bytes size received / Se ha recibido un archivo vacio'
I believe that I ran Avenger correctly as I followed instructions on http://forums.spybot.info/showthread.php?p=125627, but may be worth going through again.
Once again, many thanks for your help and support - greatly appreciated.
Phil
pskelley
2007-11-19, 13:59
I have already run Kaspersky online, so have attached in separate email.That was not the Kaspersky Online scanner, simply a tool Kaspersky makes available for individual files.
Be aware I can not remove this malware file for you, I can only supply you with the tools available. Beyond that, I can only suggest a reformat.
Start looking at this information:
http://support.microsoft.com/kb/308421
http://www.google.com/search?hl=en&q=how+to+take+ownership+of+a+file+in+Windows+XP&btnG=Google+Search
Kaspersky online scanner results
Number of infected objects: 86
That does not look like a complete scan? If you cut it off, please do not post the part already there again.
C:\1MyFiles\Downloads\Software\Anti spam\spamblockerutility.exe/stream/data0012/stream/data0001 Infected: not-a-virus:AdWare.Win32.Shopper.c skipped
around 18 items here and I have no idea what you are doing. I would wipe out whatever this is, I am posting only one item, they start the Kaspersky scan if you want to look.
C:\Documents and Settings\Phil Gibbs\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/1AffordableCall/Market/Web Promo/Promo e-mails/Pot Addresses/21 Oct 2003 12:00 from David Dstar:Fwd: FW: RULE BRITANNIA.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I hate to tell you what to do with mail storage, but a lot of stuff here is probably exploits and suspicious. It's not hard to see in the scan, I would delete all of that.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 09:22:32, on 19/11/2007
O2 - BHO: (no name) - {4AC8DC2C-D007-4FBB-A1A5-95033E860888} - C:\WINDOWS\system32\cscu.dll
Make sure all files and filers are enabled so you can see this file, then navigate to it and mouse over to see the file size. If you get a reading other than 0 bytes, then you are not uploading it properly. Now that you see where it is, ues the online scanners to navigate to the file and and upload it. I would also like you to upload that file to here:
http://www.bleepingcomputer.com/submit-malware.php?channel=4
Make sure you have followed the instructions I posted to take ownership of that file to see if you could delete it manually.
Avenger instructions:
Download Avenger from here: http://swandog46.geekstogo.com/avenger.zip
Save it to your Desktop.
Extract avenger.exe from the Zip file and save it to your Desktop
Run avenger.exe by double-clicking on it.
Check the 'Input script manually' box.
Click on the magnifying glass icon.
Copy everything in the code box below (don't copy the word "CODE in the box header, just the box contents starting at Files to delete) and paste it in the box that opens:
Now click the 'Done' button.
Click on the traffic light icon and OK the prompt.
You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it manually.
Files to delete:
C:\WINDOWS\system32\cscu.dll
WARNING: This script is not a general fix. If you are not this user, running this script could damage your
system
Thanks
pnbgibbs
2007-11-19, 23:40
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Purchases/Sales/eBay/Spoof emails/01 Sep 2005 18:28 from eBay:eBay: Service Message [Thu, 01 Sep 2.html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Purchases/Sales/eBay/Spoof emails/01 Oct 2005 20:46 from eBay Inc:eBay Inc - important fraud alert.html Infected: Trojan-Spy.HTML.Bayfraud.hl skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Purchases/Sales/eBay/Spoof emails/08 Oct 2005 20:01 from eBay Inc:eBay EmaiI Verification - [%To_E.html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Purchases/Sales/eBay/Spoof emails/09 Oct 2005 22:15 from eBay:eBay Inc: Please Confirm Your Intern.html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Friends-Family/Friends/Friends Reunited/10 Oct 2002 20:12 from register@friendsreunited.co.uk:Welcome to.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/07 Sep 2005 10:42 from ANS PAYROLL Team:BANK TRANSFER CONFIRMATI.html Infected: Trojan-Spy.HTML.Bankfraud.iv skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/15 Sep 2005 00:03 from eBay Inc:eBay - Security Update.html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/29 Nov 2005 22:33 from DEUTSCHE BANK:DEUTSCHE BANK BANKING.html Infected: Trojan-Spy.HTML.Bankfraud.ld skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/29 Nov 2005 22:32 from Halifax:IMPORTANT NOTICE FROM Halifax Int.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/01 Dec 2005 11:45 from Halifax:Halifax Internet banking: URGENT .html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/01 Dec 2005 12:28 from Halifax bank:OFFICIAL INFORMATION TO ALL .html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/02 Dec 2005 05:24 from Halifax:BANKING MAIL FROM Halifax Interne.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/03 Dec 2005 10:46 from Halifax:Customer service: your account in.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/04 Dec 2005 02:23 from Halifax:Halifax Internet banking: Importa.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/04 Dec 2005 03:03 from Halifax bank:Halifax Internet banking: Im.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/04 Dec 2005 18:37 from Halifax:Halifax Internet banking customer.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/05 Dec 2005 14:53 from Halifax bank:Halifax Internet banking: YO.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/Virus/Spam/05 Dec 2005 16:12 from Halifax:Halifax Internet banking: SERVICE.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/1AffordableCall/Mobile enquiries/Newsletter enquiries/01 Jan 2003 18:21 from mag2from:Arial, Helvetica, sans.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/1AffordableCall/Mobile enquiries/Newsletter enquiries/02 Jan 2003 11:12 to mag2from:RE: Your e-mail to 1AffordableCall.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/1AffordableCall/Promo e-mails/Pot Addresses/21 Oct 2003 12:00 from David Dstar:Fwd: FW: RULE BRITANNIA.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst/Personal Folders/1AffordableCall/Promo e-mails/Pot Addresses/20 Oct 2003 11:20 from dawn:(agt.indexOf(.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip/outlook.pst Infected: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 1-4-06.zip ZIP: infected - 18, suspicious - 5 skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/1AffordableCall/Market/Web Promo/Promo e-mails/Pot Addresses/21 Oct 2003 12:00 from David Dstar:Fwd: FW: RULE BRITANNIA.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
pnbgibbs
2007-11-19, 23:41
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/1AffordableCall/Market/Web Promo/Promo e-mails/Pot Addresses/20 Oct 2003 11:20 from dawn:(agt.indexOf(.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/1AffordableCall/Mobile enquiries/Newsletter enquiries/01 Jan 2003 18:21 from mag2from:Arial, Helvetica, sans.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/1AffordableCall/Mobile enquiries/Newsletter enquiries/02 Jan 2003 11:12 to mag2from:RE: Your e-mail to 1AffordableCall.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/Friends-Family/Friends/Friends Reunited/10 Oct 2002 20:12 from register@friendsreunited.co.uk:Welcome to.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/07 Sep 2005 10:42 from ANS PAYROLL Team:BANK TRANSFER CONFIRMATI.html Infected: Trojan-Spy.HTML.Bankfraud.iv skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/11 Jul 2006 19:30 from Dave Gollick:[ORDER ID 0220712] WorldPay /ID 0220712.zip/ID 0220712.exe Infected: Trojan-Downloader.Win32.Small.dep skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/11 Jul 2006 19:30 from Dave Gollick:[ORDER ID 0220712] WorldPay /ID 0220712.zip Infected: Trojan-Downloader.Win32.Small.dep skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/29 Nov 2005 22:32 from Halifax:IMPORTANT NOTICE FROM Halifax Int.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/29 Nov 2005 22:33 from DEUTSCHE BANK:DEUTSCHE BANK BANKING.html Infected: Trojan-Spy.HTML.Bankfraud.ld skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/01 Dec 2005 11:45 from Halifax:Halifax Internet banking: URGENT .html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/01 Dec 2005 12:28 from Halifax bank:OFFICIAL INFORMATION TO ALL .html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/02 Dec 2005 05:24 from Halifax:BANKING MAIL FROM Halifax Interne.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/03 Dec 2005 10:46 from Halifax:Customer service: your account in.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/04 Dec 2005 02:23 from Halifax:Halifax Internet banking: Importa.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/04 Dec 2005 03:03 from Halifax bank:Halifax Internet banking: Im.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/04 Dec 2005 18:37 from Halifax:Halifax Internet banking customer.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/05 Dec 2005 14:53 from Halifax bank:Halifax Internet banking: YO.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/05 Dec 2005 16:12 from Halifax:Halifax Internet banking: SERVICE.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/13 Dec 2006 10:56 from billing@jewelryadviser.com:ERROR 74479: [/ERR 74479.exe Infected: Trojan-Downloader.Win32.Nurech.s skipped
C:\1MyFiles\Abackup\outlook 10-5-07.pst Mail MS Mail: infected - 15, suspicious - 5 skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/1AffordableCall/Market/Web Promo/Promo e-mails/Pot Addresses/21 Oct 2003 12:00 from David Dstar:Fwd: FW: RULE BRITANNIA.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/1AffordableCall/Market/Web Promo/Promo e-mails/Pot Addresses/20 Oct 2003 11:20 from dawn:(agt.indexOf(.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/1AffordableCall/Mobile enquiries/Newsletter enquiries/01 Jan 2003 18:21 from mag2from:Arial, Helvetica, sans.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/1AffordableCall/Mobile enquiries/Newsletter enquiries/02 Jan 2003 11:12 to mag2from:RE: Your e-mail to 1AffordableCall.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/Friends-Family/Friends/Friends Reunited/10 Oct 2002 20:12 from register@friendsreunited.co.uk:Welcome to.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/07 Sep 2005 10:42 from ANS PAYROLL Team:BANK TRANSFER CONFIRMATI.html Infected: Trojan-Spy.HTML.Bankfraud.iv skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/11 Jul 2006 19:30 from Dave Gollick:[ORDER ID 0220712] WorldPay /ID 0220712.zip/ID 0220712.exe Infected: Trojan-Downloader.Win32.Small.dep skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/11 Jul 2006 19:30 from Dave Gollick:[ORDER ID 0220712] WorldPay /ID 0220712.zip Infected: Trojan-Downloader.Win32.Small.dep skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/29 Nov 2005 22:32 from Halifax:IMPORTANT NOTICE FROM Halifax Int.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/29 Nov 2005 22:33 from DEUTSCHE BANK:DEUTSCHE BANK BANKING.html Infected: Trojan-Spy.HTML.Bankfraud.ld skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/01 Dec 2005 11:45 from Halifax:Halifax Internet banking: URGENT .html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/01 Dec 2005 12:28 from Halifax bank:OFFICIAL INFORMATION TO ALL .html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/02 Dec 2005 05:24 from Halifax:BANKING MAIL FROM Halifax Interne.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/03 Dec 2005 10:46 from Halifax:Customer service: your account in.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/04 Dec 2005 02:23 from Halifax:Halifax Internet banking: Importa.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/04 Dec 2005 03:03 from Halifax bank:Halifax Internet banking: Im.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/04 Dec 2005 18:37 from Halifax:Halifax Internet banking customer.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/05 Dec 2005 14:53 from Halifax bank:Halifax Internet banking: YO.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/05 Dec 2005 16:12 from Halifax:Halifax Internet banking: SERVICE.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/13 Dec 2006 10:56 from billing@jewelryadviser.com:ERROR 74479: [/ERR 74479.exe Infected: Trojan-Downloader.Win32.Nurech.s skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip/outlook.pst Infected: Trojan-Downloader.Win32.Nurech.s skipped
C:\1MyFiles\Abackup\outlook 10-5-07.zip ZIP: infected - 16, suspicious - 5 skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/1AffordableCall/Market/Web Promo/Promo e-mails/Pot Addresses/21 Oct 2003 12:00 from David Dstar:Fwd: FW: RULE BRITANNIA.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/1AffordableCall/Market/Web Promo/Promo e-mails/Pot Addresses/20 Oct 2003 11:20 from dawn:(agt.indexOf(.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/1AffordableCall/Mobile enquiries/Newsletter enquiries/01 Jan 2003 18:21 from mag2from:Arial, Helvetica, sans.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/1AffordableCall/Mobile enquiries/Newsletter enquiries/02 Jan 2003 11:12 to mag2from:RE: Your e-mail to 1AffordableCall.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/Friends-Family/Friends/Friends Reunited/10 Oct 2002 20:12 from register@friendsreunited.co.uk:Welcome to.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/07 Sep 2005 10:42 from ANS PAYROLL Team:BANK TRANSFER CONFIRMATI.html Infected: Trojan-Spy.HTML.Bankfraud.iv skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/11 Jul 2006 19:30 from Dave Gollick:[ORDER ID 0220712] WorldPay /ID 0220712.zip/ID 0220712.exe Infected: Trojan-Downloader.Win32.Small.dep skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/11 Jul 2006 19:30 from Dave Gollick:[ORDER ID 0220712] WorldPay /ID 0220712.zip Infected: Trojan-Downloader.Win32.Small.dep skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/29 Nov 2005 22:32 from Halifax:IMPORTANT NOTICE FROM Halifax Int.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/29 Nov 2005 22:33 from DEUTSCHE BANK:DEUTSCHE BANK BANKING.html Infected: Trojan-Spy.HTML.Bankfraud.ld skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/01 Dec 2005 11:45 from Halifax:Halifax Internet banking: URGENT .html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/01 Dec 2005 12:28 from Halifax bank:OFFICIAL INFORMATION TO ALL .html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/02 Dec 2005 05:24 from Halifax:BANKING MAIL FROM Halifax Interne.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/03 Dec 2005 10:46 from Halifax:Customer service: your account in.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/04 Dec 2005 02:23 from Halifax:Halifax Internet banking: Importa.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/04 Dec 2005 03:03 from Halifax bank:Halifax Internet banking: Im.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/04 Dec 2005 18:37 from Halifax:Halifax Internet banking customer.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/05 Dec 2005 14:53 from Halifax bank:Halifax Internet banking: YO.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/05 Dec 2005 16:12 from Halifax:Halifax Internet banking: SERVICE.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst/Personal Folders/ZoneAlarm Challenged Mail/Virus/L1/info/bus.req @1Aff/Spam/13 Dec 2006 10:56 from billing@jewelryadviser.com:ERROR 74479: [/ERR 74479.exe Infected: Trojan-Downloader.Win32.Nurech.s skipped
C:\1MyFiles\Abackup\outlook 18-5-07.pst Mail MS Mail: infected - 15, suspicious - 5 skipped
C:\1MyFiles\Downloads\Outlook\Outlook 7-10-03.pst/Personal Folders/1AffordableCall/Mobile enquiries/Newsletter enquiries/01 Jan 2003 18:21 from mag2from:Arial, Helvetica, sans.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Downloads\Outlook\Outlook 7-10-03.pst/Personal Folders/1AffordableCall/Mobile enquiries/Newsletter enquiries/02 Jan 2003 11:12 to mag2from:RE: Your e-mail to 1AffordableCall.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Downloads\Outlook\Outlook 7-10-03.pst/Personal Folders/Friends-Family/Friends Reunited/10 Oct 2002 20:12 from register@friendsreunited.co.uk:Welcome to.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Downloads\Outlook\Outlook 7-10-03.pst/Personal Folders/Virus/Spam/05 Jun 2003 20:06 to Spam (Federal Trade Commission); Spamming T.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Downloads\Outlook\Outlook 7-10-03.pst/Personal Folders/Virus/Examples/20 Feb 2003 12:15 from Annette Fischer:Fw: Joke Friendship to ur.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Downloads\Outlook\Outlook 7-10-03.pst/Personal Folders/Virus/Examples/20 Feb 2003 13:00 from Annette Fischer:Fw: Life for enjoyment .html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Downloads\Outlook\Outlook 7-10-03.pst/Personal Folders/Virus/Examples/20 Feb 2003 13:24 from Annette Fischer:Fw: biodata.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Downloads\Outlook\Outlook 7-10-03.pst/Personal Folders/Virus/Examples/20 Feb 2003 13:43 from Annette Fischer:Fw: war Againest Loneline.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Downloads\Outlook\Outlook 7-10-03.pst/Personal Folders/Virus/Examples/20 Feb 2003 14:03 from Annette Fischer:Fw: biodata.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Downloads\Outlook\Outlook 7-10-03.pst/Personal Folders/Virus/Examples/05 Jul 2003 08:17 from barbaragibson:A WinXP patch.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\1MyFiles\Downloads\Outlook\Outlook 7-10-03.pst Mail MS Mail: suspicious - 10 skipped
pnbgibbs
2007-11-19, 23:48
Hi there,
I have submitted the rest of Kaspersky online log = archived/deleted files now:
Logfile of Trend Micro HijackThis v2.0.2
I can see the file = 91.5 KB
Uploaded to:
1. http://www.bleepingcomputer.com/subm....php?channel=4
2. http://www.kaspersky.com/scanforvirus
Other points
C:\1MyFiles\Downloads\Software\Anti spam\spamblockerutility.exe/stream/data0012/stream/data0001 Infected: not-a-virus:AdWare.Win32.Shopper.c skipped deleted
C:\Documents and Settings\Phil Gibbs\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/1AffordableCall/Market/Web Promo/Promo e-mails/Pot Addresses/21 Oct 2003 12:00 from David Dstar:Fwd: FW: RULE BRITANNIA.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped deleted
I will try the AVENGER now and let you know.
Many many thanks again,
Phil
pnbgibbs
2007-11-20, 00:04
Hi there,
Thank you so much for your help.
Reegarding your other suggestions:
1. C:\1MyFiles\Downloads\Software\Anti spam\spamblockerutility.exe/stream/data0012/stream/data0001 Infected: not-a-virus:AdWare.Win32.Shopper.c skipped DELETED
C:\Documents and Settings\Phil Gibbs\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/1AffordableCall/Market/Web Promo/Promo e-mails/Pot Addresses/21 Oct 2003 12:00 from David Dstar:Fwd: FW: RULE BRITANNIA.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped DELETED
2: uPLOADED FILE TO http://www.bleepingcomputer.com/subm....php?channel=4
3: Tried AVENGER but failed to delete file = 91.5 KB, whcih I can see!
Any other thoughts?
thanks again,
Phil
pskelley
2007-11-20, 00:57
Nope, I have used the most powerful removal tool I have access to. Here is some information a Google:
http://www.google.com/search?hl=en&q=how+to+remove+cscu.dll&btnG=Google+Search
Some other information: http://www.google.com/search?hl=en&q=how+to+remove+a+file&btnG=Search
http://www.google.com/search?hl=en&q=how+to+unregister+a+.dll&btnG=Search
http://www.google.com/search?hl=en&q=take+ownership+of+a+file+in+XP&btnG=Search
Thanks
pnbgibbs
2007-11-21, 12:33
i there,
Thanks for all your efforts. if i find out how to remove without reformatting,I'll post it.
Once again thansk for all yur help.
Kindest regards,
Phil