WoodGnome
2009-09-01, 09:33
Well.. first of all, I'm Woodgnome. :D:
And before reading on, keep in mind I have little experience with the "deeper" side of malware, spyware and such. Swear, flame and correct my mistakes, if I've made any. I won't mind :) As long as it's a good explanation. :')
Ok, so like a month ago I was opening some files here and there for fun on the C: partition. You know, taking a look inside this and that without adjusting stuff. But then I came across some weird logs with.. information dating from 2004, so said the date stamp it had. It had all these kinds of commands which are quite common when you open a log file, but these all seemed somehow suspicious. So I downloaded Spybot SnD, AVG, Hitman Pro and Ad-aware, and let them scan in normal mode, but also in safe mode. First up I did them in normal mode; Spybot noticed some reg. changes because I had checked the "find personal stuff" tickbox, but I also ran it without that checked and it didn't find anything except some cookies.
Ad-aware -> nothing
Hitman pro -> nothing
AVG -> nothing
Hard-headed as I am, I updated all of them, went to safe mode and scanned again.
Spybot came with reg changes again, I believe. Ad-aware with the story that it found some documents it couldn't access, AVG also. And Hitman Pro yet again assured me nothing was wrong.
Well, not knowing what to do with the situation, and helpers being on vacation, I just decided to reinstall XP. Unplugged the network cable and all, updated too, then ran all 4 in normal mode again. This time, that didn't find anything special.
So I assumed, well, cold turkey.
So I try to get on my pornz this night @ 3 o'clock.. page wouldn't load. So I thought, well, who knows, Spybot TeaTimer is anti-porn. Somehow I came across interestingly named buttons to click on, one being "Show log" when right-clicking the tray icon. It shows the following:
25-8-2009 18:24:11 Toegestaan (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent") toegevoegd in System Startup global entry!
26-8-2009 21:14:46 Toegestaan (based on user decision) value "SpybotDeletingB7575" (new data: "command.com /c del "C:\WINDOWS\SchedLgU.Txt"") toegevoegd in System Startup user entry!
26-8-2009 21:14:49 Toegestaan (based on user decision) value "SpybotDeletingD1222" (new data: "cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"") toegevoegd in System Startup user entry!
26-8-2009 21:14:49 Toegestaan (based on user decision) value "SpybotDeletingA1481" (new data: "command.com /c del "C:\WINDOWS\SchedLgU.Txt"") toegevoegd in System Startup global entry!
26-8-2009 21:14:51 Toegestaan (based on user decision) value "SpybotDeletingC9021" (new data: "cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"") toegevoegd in System Startup global entry!
26-8-2009 21:51:19 Toegestaan (based on user decision) value "SpybotDeletingB8377" (new data: "command.com /c del "C:\WINDOWS\SchedLgU.Txt"") toegevoegd in System Startup user entry!
26-8-2009 21:51:21 Toegestaan (based on user decision) value "SpybotDeletingD8992" (new data: "cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"") toegevoegd in System Startup user entry!
26-8-2009 21:51:21 Toegestaan (based on user decision) value "SpybotDeletingA5947" (new data: "command.com /c del "C:\WINDOWS\SchedLgU.Txt"") toegevoegd in System Startup global entry!
26-8-2009 21:51:23 Toegestaan (based on user decision) value "SpybotDeletingC999" (new data: "cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"") toegevoegd in System Startup global entry!
26-8-2009 21:51:28 Toegestaan (based on authenticode whitelist) value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") toegevoegd in System Startup global entry!
26-8-2009 22:22:03 Allowed (based on user decision) value "SpybotDeletingB7575" (new data: "") deleted in System Startup user entry!
26-8-2009 22:22:04 Allowed (based on user decision) value "SpybotDeletingD1222" (new data: "") deleted in System Startup user entry!
26-8-2009 22:22:04 Allowed (based on user decision) value "SpybotDeletingB8377" (new data: "") deleted in System Startup user entry!
26-8-2009 22:22:04 Allowed (based on user decision) value "SpybotDeletingD8992" (new data: "") deleted in System Startup user entry!
26-8-2009 22:22:04 Allowed (based on user decision) value "SpybotDeletingA7382" (new data: "command.com /c del "C:\WINDOWS\SchedLgU.Txt"") added in System Startup global entry!
26-8-2009 22:22:06 Allowed (based on user decision) value "SpybotDeletingC9444" (new data: "cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"") added in System Startup global entry!
26-8-2009 22:22:06 Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "") deleted in System Startup global entry!
26-8-2009 22:22:06 Allowed (based on user decision) value "SpybotDeletingA1481" (new data: "") deleted in System Startup global entry!
26-8-2009 22:22:06 Allowed (based on user decision) value "SpybotDeletingC9021" (new data: "") deleted in System Startup global entry!
26-8-2009 22:22:06 Allowed (based on user decision) value "SpybotDeletingA5947" (new data: "") deleted in System Startup global entry!
26-8-2009 22:22:06 Allowed (based on user decision) value "SpybotDeletingC999" (new data: "") deleted in System Startup global entry!
26-8-2009 22:22:07 Allowed (based on user decision) value "SpybotSnD" (new data: "") deleted in System Startup global entry!
27-8-2009 18:06:34 Allowed (based on user decision) value "SpybotDeletingA7382" (new data: "") deleted in System Startup global entry!
27-8-2009 18:06:35 Allowed (based on user decision) value "SpybotDeletingC9444" (new data: "") deleted in System Startup global entry!
Now, my paranoia says some malware is deleting Spybot's virus detection system or something, and maybe even prevents updates from being installed.
Not being fed enough paranoia yet, I go on, coming across Spybot > Advanced > Tools > Uninstall info, and then decide to go have some food. But what's weird with the uninstall info / uninstall files?
I never installed AVG7 -> I've got 8.5 installed. I've never installed DirectDrawEx, ICW, (IDNMitigationAPIs), Font core and so many, many more, all of which I've never seen before, and when I click them for detailed info, they're gray..
Also weird folders like "microsoft frontpage" in C:\.
So now, is this just pure paranoia, or am I f'ed?
I've read here and there that technically it's possible to feed a viruskunnen we hien.
Thank you very much in the first place ;) Just ask in case you want/need more info. (Hope it's not the wrong sub-forum, but I didn't think it would be a HijackThis log.. :P
Edit: Adjusted a bit of Dutch there, been up for a while so I mixed English and Dutch x)
In addition I might add: my paranoia is really me being paranoid and chaos thinking, not some anti-spyware prog, in case anyone would think that.
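As an added example (not code from the post, from Spybot, or from any reply), a small Python parser for TeaTimer "Show log" lines in the format quoted above. It replays the added/deleted events in order to show which startup values are still in place at the end of the log, and flags any remaining value whose command is a shell `del`, which is the pattern the SpybotDeleting* entries above show. The sample lines are constructed in the post's format (the first two copied from it); the mapping of `Toegestaan`/`toegevoegd` to Allowed/added is an assumption based on the later English lines.

```python
import re

# One TeaTimer log line as quoted in the post. The verdict and the action verb appear
# in Dutch (Toegestaan / toegevoegd) or English (Allowed / added, deleted); only the
# spellings attested in the post are accepted, anything else is skipped.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}-\d{1,2}-\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) '
    r'(?P<verdict>Toegestaan|Allowed) \(based on (?P<basis>[^)]+)\) '
    r'value "(?P<name>[^"]+)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>toegevoegd|added|deleted) in System Startup (?P<scope>global|user) entry!$'
)
ACTION_EN = {"toegevoegd": "added", "added": "added", "deleted": "deleted"}

# A startup value that runs a shell "del" on every boot deserves a second look,
# whether it was created by a security tool or by something else.
SHELL_DEL_RE = re.compile(r'^(?:cmd\.exe|command\.com)\s+/c\s+del\b', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one startup-entry log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["action"] = ACTION_EN[rec["action"]]
    return rec


def active_entries(lines):
    """Replay the log in order; return {(scope, name): command} for values still present."""
    state = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["scope"], rec["name"])
        if rec["action"] == "added":
            state[key] = rec["data"]
        else:
            state.pop(key, None)  # a delete of an unknown value is simply ignored
    return state


def flag_shell_deletes(entries):
    """Sorted names of still-active startup values whose command is a shell 'del'."""
    return sorted(name for (_, name), cmd in entries.items() if SHELL_DEL_RE.match(cmd))


# Constructed sample in the post's format: one add that stays, one add/delete pair,
# and one add (global scope) that is never removed.
SAMPLE_LOG = r'''
25-8-2009 18:24:11 Toegestaan (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent") toegevoegd in System Startup global entry!
26-8-2009 21:14:46 Toegestaan (based on user decision) value "SpybotDeletingB7575" (new data: "command.com /c del "C:\WINDOWS\SchedLgU.Txt"") toegevoegd in System Startup user entry!
26-8-2009 22:22:03 Allowed (based on user decision) value "SpybotDeletingB7575" (new data: "") deleted in System Startup user entry!
26-8-2009 22:22:04 Allowed (based on user decision) value "SpybotDeletingA7382" (new data: "command.com /c del "C:\WINDOWS\SchedLgU.Txt"") added in System Startup global entry!
'''.strip().splitlines()

if __name__ == "__main__":
    active = active_entries(SAMPLE_LOG)
    for (scope, name), cmd in active.items():
        print(f"{scope:6} {name!r}: {cmd}")
    print("shell-delete entries still active:", flag_shell_deletes(active))
```

Run it against a saved copy of the full log from the post and the net result is empty: every SpybotDeleting* value, the Malwarebytes value and SpybotSnD are added and later deleted again.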