PDA

View Full Version : Smitfraud in Recover tab 3-07 and Trojan-Downloader.BAT.Ftp.ca



aaronmo
2007-12-30, 10:26
I have read and understand the instructions on the first sticky in this forum.

I purged the files, emptied recycle bin and ran Kaspersky. Kaspersky says I am infected with 1 virus - Trojan-Downloader.BAT.Ftp.ca

Here is my HJT log followed by my Kaspersky log.

Will the two other computers in our home network be infected / affected because of this?

Thanks much for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:04 AM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\aaron.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5230 bytes

------------------------------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 30, 2007 2:15:17 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/12/2007
Kaspersky Anti-Virus database records: 500159
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 106739
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:08:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Aaron Morgan\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\cert8.db Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\history.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\key3.db Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\parent.lock Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\ntuser.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\93NOOGJQ\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\E7X9BHFW\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RAS4GDU0\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\UQ686QYF\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.ini Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Compressed (zipped) Folder.ZFSendToTarget Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Desktop (create shortcut).DeskLink Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Mail Recipient.MAPIMail Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Command Prompt.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Notepad.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Synchronize.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Tour Windows XP.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Windows Explorer.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Templates\amipro.sam Object is locked skipped
C:\Documents and Settings\Administrator\Templates\excel.xls Object is locked skipped
C:\Documents and Settings\Administrator\Templates\excel4.xls Object is locked skipped
C:\Documents and Settings\Administrator\Templates\lotus.wk4 Object is locked skipped
C:\Documents and Settings\Administrator\Templates\powerpnt.ppt Object is locked skipped
C:\Documents and Settings\Administrator\Templates\presenta.shw Object is locked skipped
C:\Documents and Settings\Administrator\Templates\quattro.wb2 Object is locked skipped
C:\Documents and Settings\Administrator\Templates\sndrec.wav Object is locked skipped
C:\Documents and Settings\Administrator\Templates\winword.doc Object is locked skipped
C:\Documents and Settings\Administrator\Templates\winword2.doc Object is locked skipped
C:\Documents and Settings\Administrator\Templates\wordpfct.wpd Object is locked skipped
C:\Documents and Settings\Administrator\Templates\wordpfct.wpg Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FB288610-E417-4368-8328-325B70B7C22C}\RP971\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\i.bat Infected: Trojan-Downloader.BAT.Ftp.ca skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd6557.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_724.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

aaronmo
2007-12-30, 21:43
I deleted the i.bat file in windows folder and emptied my recycle bin. I will rescan with Kaspersky. I think I may be clean now. Unless someone else sees something else we need to do, you can archive this or wherever it goes so that you can devote resources to others.

Thanks to all you wonderful people that help us clean out the bad guys!

aaronmo
2007-12-31, 00:51
It's in system restore

C:\System Volume Information\_restore{FB288610-E417-4368-8328-325B70B7C22C}\RP971\A0232158.bat Infected: Trojan-Downloader.BAT.Ftp.ca skipped

Should I turn off System Restore, restart and then turn System Restore back on? Thnx

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 30, 2007 5:00:40 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/12/2007
Kaspersky Anti-Virus database records: 500388
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 106537
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:07:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Aaron Morgan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\History\History.IE5\MSHist012007123020071231\index.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\ntuser.dat Object is locked skipped
C:\Documents and Settings\Aaron Morgan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\93NOOGJQ\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\E7X9BHFW\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RAS4GDU0\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\UQ686QYF\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.ini Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Compressed (zipped) Folder.ZFSendToTarget Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Desktop (create shortcut).DeskLink Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Mail Recipient.MAPIMail Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Command Prompt.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Notepad.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Synchronize.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Tour Windows XP.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Windows Explorer.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Templates\amipro.sam Object is locked skipped
C:\Documents and Settings\Administrator\Templates\excel.xls Object is locked skipped
C:\Documents and Settings\Administrator\Templates\excel4.xls Object is locked skipped
C:\Documents and Settings\Administrator\Templates\lotus.wk4 Object is locked skipped
C:\Documents and Settings\Administrator\Templates\powerpnt.ppt Object is locked skipped
C:\Documents and Settings\Administrator\Templates\presenta.shw Object is locked skipped
C:\Documents and Settings\Administrator\Templates\quattro.wb2 Object is locked skipped
C:\Documents and Settings\Administrator\Templates\sndrec.wav Object is locked skipped
C:\Documents and Settings\Administrator\Templates\winword.doc Object is locked skipped
C:\Documents and Settings\Administrator\Templates\winword2.doc Object is locked skipped
C:\Documents and Settings\Administrator\Templates\wordpfct.wpd Object is locked skipped
C:\Documents and Settings\Administrator\Templates\wordpfct.wpg Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FB288610-E417-4368-8328-325B70B7C22C}\RP971\A0232158.bat Infected: Trojan-Downloader.BAT.Ftp.ca skipped
C:\System Volume Information\_restore{FB288610-E417-4368-8328-325B70B7C22C}\RP972\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6AD41F96-8EE7-4CFF-B0F8-EF8995C105DF}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd6557.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1ec.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2008-01-02, 00:00
Sorry for the wait, the holidays are slowing us down. You are correct, clean youe System Restore files:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

If you have no more malware issues, I'll wish you a Happy New Year:euro:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

aaronmo
2008-01-02, 15:04
Ad Aware was not installed on this computer, so after turning off System Restore, rebooting, turning it on again, clean Kaspersky scan, I downloaded and ran Ad Aware. It caught another different trojan, (which I did not write down the name). I let Ad Aware take care of it. I rescanned with Ad Aware and Kaspersky and they both say I am clean. Yay!

Sometime, maybe when I still had the trojan and before AdAware took care of it, I updated Java, downloaded/installed SpyBlaster, downloaded/installed Outpost and disabled Windows firewall. I could not access Outpost by clicking on the icon in the tray or going through My Programs. When I tried to update, it continually tried to update with the same component (same size) but it never seemed to update. What I mean is that it said it's updating, it finished, but then when I clicked update (from My Program>Agnitum>Outpost>Update) it did the same thing again with the same file size.

So do you think I need to do something else since Outpost mysteriously started working today? It bothers me that this morning it seems fixed. I can click on it in the tray and the program comes up. The other machine has Outpost asking permission all the time for one thing and another but not this one. Do you think I'm still infected with something?

OK, now I'm going to read the links you sent. Thanks for the help! No problems about the wait! Happy New Year!

pskelley
2008-01-02, 15:10
I have never used the product, here is a free user forum where you ask ask your questions:
http://www.outpostfirewall.com/forum/

Here are other free firewalls if Outpost does not work out for you:
http://www.personalfirewall.comodo.com/
http://www.jetico.com/index.htm#/jpfirewall.htm
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

Hope this helps:bigthumb:

Thanks

aaronmo
2008-01-03, 18:37
So you think it's program related and not malware related?

Thnx

pskelley
2008-01-03, 18:47
I am not 100% sure what you are asking me. Perhaps this information will help:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html
http://www.channelregister.co.uk/2007/11/07/rogue_antispyware_ads/
http://en.wikipedia.org/wiki/Russian_Business_Network

There is no doubt the malware is out there and the days of being able to feel secure online do not exist anymore no matter what programs you run. If you randomly surf websites sooner or later you are going to get infected. Combine good programs well maintained with common sense about where you go online and you stand a chance of staying clean.

That is only my opinion.

Thanks

aaronmo
2008-01-04, 02:18
Scarey stuff! Thanks for your time!