New Thread: What's yrndlcit.exe?

Hi Leo,

Welcome back! Yes, you posted ok. Maybe it's that you need to make sure you have logged into your account when trying to post? Anyway, it did take. I've got your logs here and going over them now. Give me a few minutes to review them.

No, it was definitely online and logged in... and the bubble turned green after I posted... of course, one can't edit one's posts here, so I couldn't add the yep... it's strange, alright. I was going to go back to my usual Firefox instead of IE (used for the KAV) but something erased 3 FF .dll's (that happened when I first installed FF on this computer last year when I got it... it almost looks like IE is doing it, because I wasn't doing any AV stuff... whatever, it's a side issue).

Thanks, Jane.
 
Here are the KAV scan results (not good!)

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 17, 2008 4:45:17 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/01/2008
Kaspersky Anti-Virus database records: 517094
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 52505
Number of viruses found: 23
Number of infected objects: 114
Number of suspicious objects: 2
Duration of the scan process: 00:58:24

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\SHIRLE~1\LOCALS~1\Temp\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Desktop\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe Inno: infected - 4 skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\My Documents\My Pictures\Setup.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ax skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\ntuser.dat Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\ntuser.dat.LOG Object is locked skipped
C:\ja.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\removed\Broadchump\Client Foundation\CFD.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\removed\Dell Support\DSAgnt.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\QooBox\Quarantine\C\Program Files\MSN Gaming Zone\lavu.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\MSN Gaming Zone\lavu441.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\MSN Gaming Zone\profsy.html.vir Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\QooBox\Quarantine\C\Program Files\Windows Media Player\hokesotu4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\Program Files\Windows Media Player\hokesotu83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cavnfmkr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ipv6monk.dll.vir Infected: Trojan-Spy.Win32.BZub.ic skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mssdvoql.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rsvp32_2.dll.vir Infected: Trojan-Proxy.Win32.Agent.ly skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rsvp32_2.dll3f2tjw.vir Infected: Trojan-Proxy.Win32.Agent.ly skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rsvp32_2.dllewfwe334f.vir Infected: Trojan-Proxy.Win32.Agent.ly skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rsvp32_2.dllewfweff.vir Infected: Trojan-Proxy.Win32.Agent.ly skipped
C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\catchme2008-01-15_150933.27.zip/cbxyyww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\QooBox\Quarantine\catchme2008-01-15_150933.27.zip ZIP: infected - 1 skipped
\ashell3\ntsc3plyr.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\shit\bbc5\gstdrvr8.exe Infected: Trojan.Win32.Pakes.bvs skipped
C:\shit\doc4\mmildot83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\shit\doc4\mmildot83122.exe NSIS: infected - 1 skipped
C:\shit\mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Agent.fuc skipped
C:\shit\mrofinu572.exe Infected: Trojan-Downloader.Win32.Agent.fuc skipped
C:\shit\rex2\monidnpr3.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\shit\Temp\ja.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\shit\U0hJUkxFWSBXSUxMSUFNUw\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\shit\U0hJUkxFWSBXSUxMSUFNUw\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059952.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059952.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059953.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059954.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059960.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059968.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059968.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059969.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059970.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0060960.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060970.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060970.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060971.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060978.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060988.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060988.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060989.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060990.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP309\A0060994.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP309\A0060995.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP309\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0061013.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061038.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061038.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061039.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061040.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061046.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061056.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0061089.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0061089.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0061090.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0061091.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0062084.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0063090.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0063090.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0063091.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0063092.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063121.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063131.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063137.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063147.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063147.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063148.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063149.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063153.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063172.dll Infected: Trojan-Proxy.Win32.Agent.ly skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063177.dll Infected: Trojan-Spy.Win32.BZub.ic skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063178.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063179.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063180.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063181.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063182.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063183.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063194.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063195.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063195.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063199.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP318\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\horrible\cbxyyww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\WINDOWS\horrible\hrjxgroq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINDOWS\horrible\imetrkcv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINDOWS\horrible\nvpqsmo.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\WINDOWS\horrible\ocduwffh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINDOWS\horrible\tejsngcs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINDOWS\horrible\vhijifno.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINDOWS\LastGood\System32\ctfmon.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\WINDOWS\lola.exe Infected: Trojan-Downloader.Win32.Agent.bhc skipped
C:\WINDOWS\MEMORY.DMP Object is locked skipped
C:\WINDOWS\run2.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\WINDOWS\run2.exe NSIS: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4098AEB7-9611-4C3C-B248-7C861B1FBA74}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\v030817.exe Infected: Trojan-Downloader.Win32.Agent.bhc skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\winup3824.exe Infected: Trojan-Downloader.Win32.Agent.bhc skipped
C:\WINDOWS\zup.exe Infected: Trojan-Proxy.Win32.Agent.ly skipped

Scan process completed.
..................
I'll come back with a reply on what I see there
 
True, the VNC program is not a trojan (it says so, in fact, with the tag of "Not a Virus" - Remote Admin tool); it is just pointing out to you that you have a remote admin tool installed, because some malware can deposit those on an infected machine for malicious purposes, but it can also be installed by a user on purpose. If that is the case and you did install that on purpose, it is fine to ignore the VNC "detection". But the others, ugh! This machine has been very badly infected, and the malware has likely done damage to the system that may not be fixable at this point.

The numerous trojans on there are alarming and very nasty. It is more than just Vundo. Many program files have been infected to run the virus when you run those programs (trojan awf).

If you have been considering a reformat/reinstall this would be a good reason to wipe the machine and start over with a fresh install.

Is there some reason that wasn't done before the machine was put up for auction?

I hope there wasn't any sensitive data left on that machine because at least one of the trojans found by KAV is a password and information stealer (family of trojans named Bzub): These types of trojans compromise system security by providing authentication information (logon, passwords, credit card numbers, etc.) to malicious users. This trojan steals the logon information of some Online Bank accounts. Aside from that, it also steals e-mail accounts and passwords that are stored in the user's computer system.


What do you wish to do? I can't guarantee we can get this all cleaned up with satisfactory results because of the damage to system and program files I already see there.
 
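Added example (mine, not from this thread and not Kaspersky's or any cleanup tool's code): a small Python script that triages a KAV Online Scanner report of the kind posted above, so the long "skipped" list can be read the way the reply above reads it: "Object is locked" lines are in-use system files, "not-a-virus" hits are riskware to review (the VNC and ipscan cases), and real detections are split by where they sit. The location buckets are my assumptions, not something the scanner reports: paths under a folder named Quarantine or under Deckard's System Scanner\backup are treated as already-quarantined copies, paths under System Volume Information\_restore as restore-point copies, and everything else as live. The report embedded in the script is a constructed sample built from a handful of the lines above, with a placeholder restore-point GUID.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the format of the Kaspersky Online Scanner report above.
# The restore-point GUID is a placeholder, not a value taken from the report.
SAMPLE_REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Desktop\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\ja.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\removed\Dell Support\DSAgnt.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ipv6monk.dll.vir Infected: Trojan-Spy.Win32.BZub.ic skipped
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP315\A0063177.dll Infected: Trojan-Spy.Win32.BZub.ic skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\WINDOWS\run2.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\WINDOWS\run2.exe NSIS: infected - 1 skipped

Scan process completed.
"""

# One report line is "<path> <verdict> <last action>". Paths contain spaces, so the
# path is matched lazily up to one of the verdict forms the scanner emits.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<kind>Infected|Suspicious): (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>\w+): (?:infected|suspicious) - \d+) "
    r"(?P<action>\S+)$"
)


@dataclass
class Finding:
    path: str
    severity: str   # malware | riskware | suspicious | locked | container
    name: str       # detection name ("" for locked and container lines)
    location: str   # live | quarantine | restore point


def classify_location(path: str) -> str:
    """Assumed buckets: cleanup-tool quarantine/backup folders, System Restore
    snapshots, and everything else (live, i.e. reachable by user or autostart)."""
    p = path.lower()
    if "\\quarantine\\" in p or "\\system scanner\\backup\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore point"
    return "live"


def classify_severity(kind, name, locked, container) -> str:
    if locked:
        return "locked"       # in-use system file; normal for a live scan
    if container:
        return "container"    # archive summary; its member line is counted already
    if kind == "Suspicious":
        return "suspicious"   # heuristic only, e.g. Password-protected-EXE
    if name.startswith("not-a-virus:"):
        return "riskware"     # legitimate tools malware also abuses (VNC, ipscan)
    return "malware"


def parse_report(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank and "Scan process completed." lines
        name = m["name"] or ""
        findings.append(Finding(
            path=m["path"],
            severity=classify_severity(m["kind"], name, m["locked"], m["container"]),
            name=name,
            location=classify_location(m["path"]),
        ))
    return findings


def summarize(findings: list[Finding]) -> dict:
    return {
        "by_location": Counter(f.location for f in findings),
        "by_severity": Counter(f.severity for f in findings),
        "by_name": Counter(f.name for f in findings if f.name),
    }


def live_malware(findings: list[Finding]) -> list[str]:
    """Detections outside any quarantine or restore point: what a cleanup must handle."""
    return [f.path for f in findings if f.severity == "malware" and f.location == "live"]


def credential_theft_detections(findings: list[Finding]) -> list[str]:
    """Kaspersky's Trojan-Spy and Trojan-PSW classes are the credential/form-data
    stealers (BZub is one), the reason the reply warns about sensitive data."""
    return sorted({f.name for f in findings
                   if f.name.split(".")[0] in ("Trojan-Spy", "Trojan-PSW")})


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for key, counts in summarize(found).items():
        print(key, dict(counts))
    print("live malware:", live_malware(found))
    print("credential stealers:", credential_theft_detections(found))
```

Run against a full report, the by_name counter is what shows the pattern the reply points at (the same awf detection on several program files), and live_malware separates what still has to be dealt with from copies that are already in a quarantine folder or a restore point.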
Hi, Jane - if you're willing, let's try to clean it up. In the following, I explain why I'd like to try, and why it's not a problem if you want to decline... it's my usual verbosity gone amok, so feel free to skip it!

This machine doesn't get used for much other than 'net connection, and that normally with FF and Thunderbird... I also used it for Open Office work, mostly writer and calc. Although slightly flaky, it wasn't manifesting any great problems until just before the holidays when an acquaintance asked me to help her create some biz-card size handouts for campaigning... I made her a two-sided 2 x 10 standard biz-card document using OO writer and saved as .doc for her Office, but she was having trouble with it on her computer - I had noticed that MS Office was on here although I'd never used it, so I ran Word (which is what she uses, although I advise everyone to use OO) on this computer (never before used any of the MS Office on here) to try to walk her through editing and printing (and to see if it worked on Word more or less same as on Writer)... and I recall that when I ran Word, it popped up some MS-looking window wanting to register something to do with Office, which I simply closed... and that's when the grand fiasco began! As I said, I basically never used any of the other programs, so that's probably why it hung together for so long... I'm guessing that Word was (is) infected along with all the others.

Other than OS files, I don't really care a lot about disinfecting Office or most of the rest of it - I can reinstall clean versions of Mozilla and Open Office - I'm more concerned that the sh!t on here doesn't get loose and infect my XP Pro system, so I'd be perfectly happy to erase as much of the infected stuff as possible (realizing that the registry will then be full of orphans and have to be cleaned out).

This is a Dell notebook, and it does have the handy-dandy MS XP sticker on the bottom with the product key, so I presume I could install XP again without any extreme hassles, although I've never installed XP from scratch... I do have XP install discs, although not the ones for this box. Since I mainly use this for 'net access and writing (almost all of my programming work is done on Linux and I do use this computer for PuTTY to ssh to those computers) I am thinking that if we need to burn it down, I will try to reinstall XP and if that turns into a rat's nest, I'll install a Linux (FC 7 preferably, but my FC 7 install DVD only works on dual-layer capable DVD drives and I think this one won't handle it - maybe there's a way around that)... Mozilla and Open Office work just fine on Linux (I use them on a SuSE notebook all the time).

Still, I'd like to try to disinfect (and then lock it up safe), if you have the time and the inclination, at least partly because so many of my friends and neighbors are Windowers and this storm of malware is all over the place (my two younger sons are pretty staunch Mac users, so they have a tendency to ignore the whole mess... if I were into music and video as they are, I'd probably go the same way... you?)

So... if you will, let's try to clean it... and if you say no, I will most certainly understand!

Thanks, again!
 
True the VNC program is not a trojan (says so, in fact with the tag of "Not a Virus" - Remote Admin tool) is just pointing out to you that you have remote admin tool installed

Sure - I knew that, but I wasn't sure if you were referring to it, or to the logmein, or something other, that's all!

Thanks!
 
We have a number of things to consider here.

1. The prior state of this computer and the information that is contained on it - obviously belongs to a former user and has not been wiped. Meanwhile it was infected with an information-stealing trojan... compromised - hacked. Owned by someone else. This computer may have other people's data on it and that needs to be addressed (the compromise is a past event that has happened already.) Information may have been stolen from it and passed on to malicious strangers for use in data theft, identity theft, etc. That info may have ended up in the hands of a malicious attacker - do you understand that? I'm concerned if these machines are being auctioned without being wiped first, especially if they came from a government office. Is there government data still on there? The profile certainly is, and that may likely be compromised as well.

2. The current state of the machine. You need to keep this off the net as much as possible and only where necessary. Do you have a clean computer from which you can connect to the net to get instructions?

3. I'm going to have to go back through these logs posted to see what all has been done to it by the malware authors and what might be able to be fixed, some of which we may never know. It doesn't sound like you can do a reinstall unless you have recovery disks from Dell somewhere, and it may be difficult to replace system files if they were totally wiped out.

4. Does this machine even validate as genuine Windows? If not, we won't be able to get you the SP2 update that it needs (and subsequent Windows critical security updates). Even if we can clean this up, operating at your current level of XP SP1 is a security risk and certainly is vulnerable to future attack. Do you understand the importance of the fact that it does not have Windows SP2 at all?
 
This machine has numerous difficult-to-remove trojans; it's going to take quite a few steps to address them.

First, the awf trojan infects valid software programs so it continues to run and respawn if you run any of the affected programs. Therefore I need a report from this free tool to try to identify which ones have been infected and where the clean backups might be (if they are there).

You should be able to download these from a clean computer and put them on CD or removable media to transfer to the affected machine so that you can keep it off the net.

Click here to download FindAWF.exe and save it to your desktop.
http://noahdfear.geekstogo.com/FindAWF.exe

* Double-click on the FindAWF.exe file to run it.
* It will open a command prompt and ask you to "Press any key to continue".
* You will be presented with a Menu.

* Press 1 then press Enter.
* Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

.........................
Next tool:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

There will be more, but let's see what those produce before going to the next step.
 
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 01/18/2008
The current time is: 14:12:09.99


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\REMOVED\DELLSU~1\BAK

07/19/2004 07:51 AM 306,688 DSAgnt.exe
1 File(s) 306,688 bytes

Directory of C:\PROGRA~1\LOGMEIN\X86\UPDATE\3-00-606.BAK

05/25/2007 02:21 PM 3,993,935 template.rab
04/05/2007 10:55 AM 5,759 WapClients.cfg
2 File(s) 3,999,694 bytes

Directory of C:\PROGRA~1\REMOVED\BROADC~1\CLIENT~1\BAK

09/10/2002 09:26 PM 368,706 CFD.exe
1 File(s) 368,706 bytes

Directory of C:\PROGRA~1\REMOVED\DELL\ACCESS~1\BAK

11/01/2002 04:47 PM 208,560 dadapp.exe
1 File(s) 208,560 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24588 Jan 25 2007 "C:\Program Files\removed\Dell Support\DSAgnt.exe"
306688 Jul 19 2004 "C:\Program Files\removed\Dell Support\bak\DSAgnt.exe"
4817711 Nov 27 2007 "C:\Program Files\LogMeIn\template.rab"
3993935 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\template.rab"
5750 Nov 27 2007 "C:\Program Files\LogMeIn\WapClients.cfg"
5759 Apr 5 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\WapClients.cfg"
87352 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIinit.dll"
80696 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIinit.dll"
87352 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIinit.dll"
14912 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIinit.dll"
63040 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIinit.dll"
23736 Nov 27 2007 "C:\WINDOWS\SYSTEM32\lmimirr.dll"
34104 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMImirr.dll"
23736 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMImirr.dll"
34368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMImirr.dll"
24000 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMImirr.dll"
10040 Nov 27 2007 "C:\WINDOWS\SYSTEM32\lmimirr2.dll"
13112 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMImirr2.dll"
10040 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMImirr2.dll"
13376 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMImirr2.dll"
10304 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMImirr2.dll"
21496 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIport.dll"
24376 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIport.dll"
21496 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIport.dll"
29248 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIport.dll"
26176 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIport.dll"
17720 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIprinter.dll"
15160 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinter.dll"
15160 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinter.dll"
21568 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIprinter.dll"
16960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinter.dll"
15160 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinter.dll"
18744 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIprinterui.dll"
15752 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinternt.dll"
16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinterui.dll"
22080 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIprinterui.dll"
12192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinternt.dll"
16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinterui.dll"
30008 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIproc.dll"
28472 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIproc.dll"
28472 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\LMIproc.dll"
34368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIproc.dll"
30784 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIproc.dll"
83288 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIRfsClientNP.dll"
87384 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIRfsClientNP.dll"
83288 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIRfsClientNP.dll"
87648 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIRfsClientNP.dll"
83552 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIRfsClientNP.dll"
4743480 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LogMeIn.dll"
3892536 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LogMeIn.dll"
3332672 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LogMeIn.dll"
2635328 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeIn.dll"
540480 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.dll"
460096 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.dll"
517192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LogMeInSystray.dll"
443976 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.dll"
1284416 Nov 27 2007 "C:\Program Files\LogMeIn\x64\openssl.exe"
869696 Nov 27 2007 "C:\Program Files\LogMeIn\x86\openssl.exe"
1284680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\openssl.exe"
869960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\openssl.exe"
945984 Nov 27 2007 "C:\Program Files\LogMeIn\x64\raabout.exe"
697664 Nov 27 2007 "C:\Program Files\LogMeIn\x86\raabout.exe"
1014344 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\raabout.exe"
730696 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\raabout.exe"
475136 Nov 27 2007 "C:\Program Files\LogMeIn\x64\racodec.ax"
319488 Nov 27 2007 "C:\Program Files\LogMeIn\x86\racodec.ax"
483840 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\racodec.ax"
327680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\racodec.ax"
240952 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rahook.dll"
193848 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rahook.dll"
239680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rahook.dll"
194112 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rahook.dll"
827200 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rainst.exe"
599360 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rainst.exe"
824392 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rainst.exe"
599624 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rainst.exe"
120128 Nov 27 2007 "C:\Program Files\LogMeIn\x64\ramaint.exe"
116032 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ramaint.exe"
119368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\ramaint.exe"
112200 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ramaint.exe"
55104 Nov 27 2007 "C:\Program Files\LogMeIn\x64\ra_reboot.exe"
58688 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ra_reboot.exe"
55368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\ra_reboot.exe"
58952 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ra_reboot.exe"
112952 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rntfywnd.dll"
111928 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rntfywnd.dll"
113216 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rntfywnd.dll"
112192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rntfywnd.dll"
42552 Feb 1 1993 "C:\JP\ZIP.EXE"
324416 Nov 27 2007 "C:\Program Files\LogMeIn\x64\zip.exe"
226624 Nov 27 2007 "C:\Program Files\LogMeIn\x86\zip.exe"
42552 Feb 1 1993 "C:\Documents and Settings\SHIRLEY WILLIAMS\My Documents\JP\ZIP.EXE"
324680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\zip.exe"
226888 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\zip.exe"
87352 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIinit.dll"
80696 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIinit.dll"
87352 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIinit.dll"
14912 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIinit.dll"
63040 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIinit.dll"
23736 Nov 27 2007 "C:\WINDOWS\SYSTEM32\lmimirr.dll"
34104 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMImirr.dll"
23736 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMImirr.dll"
34368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMImirr.dll"
24000 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMImirr.dll"
10040 Nov 27 2007 "C:\WINDOWS\SYSTEM32\lmimirr2.dll"
13112 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMImirr2.dll"
10040 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMImirr2.dll"
13376 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMImirr2.dll"
10304 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMImirr2.dll"
21496 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIport.dll"
24376 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIport.dll"
21496 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIport.dll"
29248 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIport.dll"
26176 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIport.dll"
17720 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIprinter.dll"
15160 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinter.dll"
15160 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinter.dll"
21568 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIprinter.dll"
16960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinter.dll"
15160 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinter.dll"
18744 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIprinterui.dll"
15752 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinternt.dll"
16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinterui.dll"
22080 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIprinterui.dll"
12192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinternt.dll"
16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinterui.dll"
16696 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinterui.dll"
16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinterdat.dll"
16960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinterui.dll"
16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinterdat.dll"
21264 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinteruint.dll"
16448 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinteruint.dll"
30008 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIproc.dll"
28472 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIproc.dll"
28472 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\LMIproc.dll"
34368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIproc.dll"
30784 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIproc.dll"
24024 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprocnt.dll"
17472 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprocnt.dll"
83288 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIRfsClientNP.dll"
87384 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIRfsClientNP.dll"
83288 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIRfsClientNP.dll"
87648 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIRfsClientNP.dll"
83552 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIRfsClientNP.dll"
4743480 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LogMeIn.dll"
3892536 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LogMeIn.dll"
3332672 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LogMeIn.dll"
2635328 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeIn.dll"
540480 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.dll"
460096 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.dll"
517192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LogMeInSystray.dll"
443976 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.dll"
1284416 Nov 27 2007 "C:\Program Files\LogMeIn\x64\openssl.exe"
869696 Nov 27 2007 "C:\Program Files\LogMeIn\x86\openssl.exe"
1284680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\openssl.exe"
869960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\openssl.exe"
945984 Nov 27 2007 "C:\Program Files\LogMeIn\x64\raabout.exe"
697664 Nov 27 2007 "C:\Program Files\LogMeIn\x86\raabout.exe"
1014344 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\raabout.exe"
730696 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\raabout.exe"
475136 Nov 27 2007 "C:\Program Files\LogMeIn\x64\racodec.ax"
319488 Nov 27 2007 "C:\Program Files\LogMeIn\x86\racodec.ax"
483840 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\racodec.ax"
327680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\racodec.ax"
240952 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rahook.dll"
193848 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rahook.dll"
239680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rahook.dll"
194112 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rahook.dll"
12088 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rahook9x.dll"
12352 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rahook9x.dll"
827200 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rainst.exe"
599360 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rainst.exe"
824392 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rainst.exe"
599624 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rainst.exe"
120128 Nov 27 2007 "C:\Program Files\LogMeIn\x64\ramaint.exe"
116032 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ramaint.exe"
119368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\ramaint.exe"
112200 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ramaint.exe"
55104 Nov 27 2007 "C:\Program Files\LogMeIn\x64\ra_reboot.exe"
58688 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ra_reboot.exe"
55368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\ra_reboot.exe"
58952 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ra_reboot.exe"
172352 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ra_sc.exe"
172616 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ra_sc.exe"
112952 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rntfywnd.dll"
111928 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rntfywnd.dll"
113216 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rntfywnd.dll"
112192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rntfywnd.dll"
42552 Feb 1 1993 "C:\JP\ZIP.EXE"
324416 Nov 27 2007 "C:\Program Files\LogMeIn\x64\zip.exe"
226624 Nov 27 2007 "C:\Program Files\LogMeIn\x86\zip.exe"
42552 Feb 1 1993 "C:\Documents and Settings\SHIRLEY WILLIAMS\My Documents\JP\ZIP.EXE"
324680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\zip.exe"
226888 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\zip.exe"
24588 Jan 25 2007 "C:\Program Files\removed\Broadchump\Client Foundation\CFD.exe"
368706 Sep 10 2002 "C:\Program Files\removed\Broadchump\Client Foundation\bak\CFD.exe"
208560 Nov 1 2002 "C:\Program Files\removed\Dell\AccessDirect\bak\dadapp.exe"


end of report
 
SDFix: Version 1.127

Run by SHIRLEY WILLIAMS on Fri 01/18/2008 at 02:32 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\SMTSMX~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SPMSMT~1.DLL - Deleted
C:\PROGRA~1\MSNGAM~1\LAVU - Deleted
C:\PROGRA~1\MSNGAM~1\LAVU441 - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 14:38:16
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 2 Aug 2005 187,904 A.SHR --- "C:\shit\U0hJUkxFWSBXSUxMSUFNUw\asappsrv.dll"
Tue 2 Aug 2005 293,888 A.SHR --- "C:\shit\U0hJUkxFWSBXSUxMSUFNUw\command.exe"
Fri 4 Jan 2008 1,043,800 A.SH. --- "C:\WINDOWS\horrible\ommudpvh.tmp"
Sat 27 Jan 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 17 Jan 2008 7,531,128 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\631bea423a2590540110f7e11fcbd692\BIT1.tmp"
Sat 28 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sat 28 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sat 28 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Sat 28 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:05 PM, on 1/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://co.brewster.tx.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.hardintech.com/inc/kaxRemote.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4A43124-5643-4FFD-9FBF-74BB08C30948}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6857 bytes
 
Sorry to slip in here.

We have a number things to consider here.

1. The prior state of this computer and the information that is contained on it - obviously belongs to a former user and has not been wiped. Meanwhile it was infected with an information-stealing trojan... compromised - hacked. Owned by someone else. This computer may have other people's data on it and that needs to be addressed (the compromise is a past event that has already happened). Information may have been stolen from it and passed on to malicious strangers for use in data theft, identity theft, etc. That info may have ended up in the hands of a malicious attacker - do you understand that? I'm concerned if these machines are being auctioned without being wiped first, especially if they came from a government office. Is there government data still on there? The profile certainly is, and that may likely be compromised as well.

2. The current state of the machine. You need to keep this off the net as much as possible and only where necessary. Do you have a clean computer from which you can connect to the net to get instructions?

3. I'm going to have to go back through these logs you posted to see what all has been done to it by the malware authors and what might be able to be fixed, some of which we may never know. It doesn't sound like you can do a reinstall unless you have recovery disks from Dell somewhere, and it may be difficult to replace system files if they were totally wiped out.

4. Does this machine even validate as genuine Windows? If not, we won't be able to get you the SP2 update that it needs (and subsequent Windows critical security updates). Even if we can clean this up, operating at your current level of XP SP1 is a security risk and certainly is vulnerable to future attack. Do you understand the importance of the fact that it does not have Windows SP2 at all?
itsleo, please respond to those questions and also my PM, thank you.
 
Sorry to slip in here.


itsleo, please respond to those questions and also my PM, thank you.

Please note that I was responding to a FOLLOWING post, and that I did respond to your PM. My assumption is that if the questions were vitally important she would not have proceeded - was there a complaint?
 
No, we still need answers. Is this machine being used at an office, and also does the data on it belong to a former employee, because it may be necessary to have someone do forensics on it. Maybe I'll just ask Tashi to do that with you via PM (questions, that is, not forensics). I can't really proceed until we have answers to those because of the security implications of a compromised machine.
 
No, we still need answers. Is this machine being used at an office

It is not used for office work. It is a NOTEBOOK computer, and it goes with me most of the time - or it did before it cratered. It goes home, it goes upstairs, downstairs, it goes to other people's houses, coffee shops, et cetera. The reason I got it in the first place was so I had a portable that I could run a USB 11g wireless antenna on it - my other notebook is Linux and it doesn't play well with the wireless.

and also does the data on it belong to a former employee

To the best of my knowledge, there is no data on it that belongs to a former employee. I may have moved data to a backup directory in case it was needed by anyone, but if so, it can go away... this is why - as I believe I have stated several times now - I have no problem burning it down.

because it may be needed to have someone do forensics on it.

I have absolutely no idea what you are talking about here - what forensics, on what data, to what end?

Maybe I'll just ask Tashi to do that with you via PM.

Do that? What that?

Look - I already said, if you don't think it's worth while, just say so... I can try to reinstall XP on it, and if that doesn't work, I'll put a Linux on it.
 
Hello Leo,

Let me explain why the questions.

The KAV scan has revealed a very serious trojan on the machine

You stated early on:
the machine's name is SHIRLEY WILLIAMS - it came from a county auction and I believe she was a JP)

It is not just the machine's name. You are running using her ADMIN account which may contain all of her data:

C:\Documents and Settings\SHIRLEY WILLIAMS\
C:\Program Files\LogMeIn
ComboFix 08-01-15.4 - SHIRLEY WILLIAMS 2008-01-17 14:12:29.2 - NTFSx86
Microsoft Windows XP Home Edition

I know you don't care about the technical details but it is important to understand (my bolded lines in the text below) what this trojan does.
It was this one that is the Bzub:

C\WINDOWS\SYSTEM32\ipv6monk.dll.vir Infected: Trojan-Spy.Win32.BZub.ic
............................................
Pay close attention: This is what that trojan does, and it may mean that any data on the machine may have been stolen, but I cannot tell you exact dates. It may be that it was stolen before you owned the machine, but if Shirley Williams, a JP, had any data on there - you would need to have it investigated in case someone else's info contained therein has been compromised. Do you see what I am talking about?
Name Win32.BZub.ic
Threat Level
Alias Win32.BZub.ic,
Date 25 February, 2007
Type Win32,Trojan
Damage Theft of information,Other
Platform Win 95,Win 98,Win ME,Win NT,Win 2K,Win XP
Analysis Win32.BZub.ic installs a .dll in the Windows System folder, and registers this .dll as a COM object and a BHO (Browser Helper Object) for Microsoft Internet Explorer. It also lowers Windows Firewall security settings, and steals data from the infected computer.

Malicious activity

Here are some of the actions performed by this Trojan on execution:

In order to lower Windows Firewall security settings, it adds the following registry entry:

[SPACE]"ProgramFiles\Internet Explorer\EXPLORE.EXE" = "ProgramFiles\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"

to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

The Trojan registers the said .dll as a Browser Helper Object by creating the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78364D99-A640-4DDF-B91A-67EFF8373045}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{78364D99-A240-4dff-B11A-67E448373045}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364D99-1240-4dff-B11A-67E448373048}

It adds the following registry entries:

"(default)" = "C:\WINDOWS\system32\ipv6mons.dll"
"Enable Browser Extensions" = "yes"
"ThreadingModel" = "apartment"

to the following registry subkey:

HKEY_CLASSES_ROOT\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InProcServer32

in order to register the DLL as a Browser Helper Object.

It adds the following registry entry:

"Enable Browser Extensions" = "yes"

to the following registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

in order to register the DLL as a Browser Helper Object.

It creates the following files to store stolen information from the infected computer:

System\form.txt
System\info.txt
System\shot.html


It may steal the following information:

Host name and IP Address
Outlook Express Accounts
SMTP and POP3 Server
Password for Internet Explorer AutoComplete
MSN Explorer Signup account
Windows Cached Passwords
URLs visited
HTTP POST request
Content of HTTP FORM
TAN and PIN numbers of bank accounts


It searches for .pfx files on the infected computer.

It attempts to export and steal the crypto keys and certificates stored within the above files.
Therefore someone may need to look to see what data was stored on that computer and alert the former owner so that precautions against stolen info can be taken. If you wipe all that info now they won't know. It should have been wiped before it was put up for auction. Does nobody realize this?
 
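The two persistence mechanisms in the description above (the firewall AuthorizedApplications entry and the BHO registration under a CLSID's InProcServer32 key) can both be checked from an offline registry export, which is useful when a machine like this one should stay off the network. The following Python script is an added example, not code from this thread or from any of the tools it mentions (SDFix, HijackThis, ComboFix). It parses a .reg export and flags (1) firewall list entries whose value name disagrees with the program path embedded in the value data, as in the EXPLORE.EXE/IEXPLORE.EXE entry quoted above, and (2) BHO CLSIDs whose InProcServer32 DLL is not on an allowlist, as with the ipv6mons.dll entry. The sample export is constructed for illustration from the CLSIDs and paths that appear in the HijackThis log and the trojan description; the allowlist contents and the name/path mismatch heuristic are assumptions of the example.

```python
import re

# Registry paths (lower-cased for comparison) named in the trojan description
# and in the SDFix "Authorized Application Key Export" above.
FIREWALL_LIST = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
                 r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list")
BHO_ROOT = (r"hkey_local_machine\software\microsoft\windows\currentversion"
            r"\explorer\browser helper objects")
CLSID_ROOT = r"hkey_classes_root\clsid"

# Assumption: BHO DLLs a defender has already vetted on this box (taken from
# the O2 lines of the HijackThis log in the thread).
ALLOWLIST = {
    r"C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
}

# Constructed sample export (not a real capture): one benign firewall entry,
# one BZub-style entry whose value name and embedded path differ, the Spybot
# BHO, and the BZub CLSID/ipv6mons.dll pairing from the description above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Internet Explorer\\EXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364D99-1240-4dff-B11A-67E448373048}]

[HKEY_CLASSES_ROOT\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\InProcServer32]
@="C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InProcServer32]
@="C:\\WINDOWS\\system32\\ipv6mons.dll"
"ThreadingModel"="apartment"
"""


def _unescape(s):
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key_path_lower: {value_name: string_data}}.
    Only string (REG_SZ) values are kept; that is all these artefacts use."""
    keys, current = {}, None
    value_re = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if m is None or current is None:
            continue
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
    return keys


def audit_firewall(keys):
    """Flag AuthorizedApplications entries whose value name (the path the
    firewall keys on) differs from the program path embedded in the data.
    XP data format: "<path>:<scope>:<Enabled|Disabled>:<display name>"."""
    findings = []
    for name, data in keys.get(FIREWALL_LIST, {}).items():
        parts = data.rsplit(":", 3)  # the path contains "C:", so split from the right
        if len(parts) != 4:
            findings.append((name, data, "malformed entry"))
            continue
        path, _scope, _state, _label = parts
        if path.lower() != name.lower():
            findings.append((name, data, "value name does not match the path being allowed"))
    return findings


def audit_bhos(keys, allowlist=ALLOWLIST):
    """Resolve every BHO CLSID to its InProcServer32 DLL and flag DLLs that
    are not on the allowlist, or CLSIDs with no server registered at all."""
    allowed = {p.lower() for p in allowlist}
    findings = []
    for key in keys:
        if not key.startswith(BHO_ROOT + "\\"):
            continue
        clsid = key[len(BHO_ROOT) + 1:]
        if "\\" in clsid:  # skip nested subkeys below a CLSID
            continue
        server = keys.get(CLSID_ROOT + "\\" + clsid + "\\inprocserver32", {})
        dll = server.get("(default)")
        if dll is None:
            findings.append((clsid, None, "BHO has no InProcServer32 registered"))
        elif dll.lower() not in allowed:
            findings.append((clsid, dll, "BHO DLL not on allowlist"))
    return findings


def audit(text=SAMPLE_REG):
    """Run both checks over a .reg export and return the findings by section."""
    keys = parse_reg(text)
    return {"firewall": audit_firewall(keys), "bho": audit_bhos(keys)}


if __name__ == "__main__":
    for section, rows in audit().items():
        for row in rows:
            print(section, *row)
```

On a real machine the export would come from `regedit /e` run against the two keys, and the allowlist would be built from the O2 lines of a HijackThis log after each DLL had been looked up; a BHO whose DLL sits in System32 under a name nobody recognises, like the ipv6mons.dll entry in the description, is exactly what the second check is meant to surface.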
Hello Leo,

Let me explain why the questions.

The KAV scan has revealed a very serious trojan on the machine

You stated early on:


It is not just the machine's name. You are running using her ADMIN account which may contain all of her data:

C:\Documents and Settings\SHIRLEY WILLIAMS\
C:\Program Files\LogMeIn
ComboFix 08-01-15.4 - SHIRLEY WILLIAMS 2008-01-17 14:12:29.2 - NTFSx86
Microsoft Windows XP Home Edition

I know you don't care about the technical details but it is important to understand (my bolded lines in the text below) what this trojan does.
It was this one that is the Bzub:

C\WINDOWS\SYSTEM32\ipv6monk.dll.vir Infected: Trojan-Spy.Win32.BZub.ic
............................................
Pay close attention: This is what that trojan does, and it may mean that any data on the machine may have been stolen, but I cannot tell you exact dates. It may be that it was stolen before you owned the machine, but if Shirley Williams, a JP, had any data on there - you would need to have it investigated in case someone else's info contained therein has been compromised. Do you see what I am talking about?

Therefore someone may need to look to see what data was stored on that computer and alert the former owner so that precautions against stolen info can be taken. If you wipe all that info now they won't know. It should have been wiped before it was put up for auction. Does nobody realize this?

I understand about removing the data prior to ditching the computer. It didn't happen. Whether you, I, we, or they understand this or not is essentially a moot point.... barn doors, spilt milk, dead-mule flogging, and all that sort of thing.

The former owner was a County JP, and from what I can see she used the computer mostly for personal things. There was an old DOS-based program and its xBase data files on the computer, which I personally moved into a "backup" directory and archived onto CDs. I probably should have erased it, but I didn't...

I seriously doubt that any of this particular data was stolen, but if it was, it was almost certainly useless to the thieves.

I don't know what your background in government and law enforcement is, but I do have some experience, and I can assure you that - at least on a state and local level - there is no money and no interest in investigating maybe's, particularly given the - in my view - absolute fact that live computers on the desks of government employees all over the country are far more likely to be regurgitating data to whatever cybercriminals may be lurking.

So... I do truly appreciate everything you've done so far...
shall we continue cleaning, or should I just burn it down? As I stated, I'd like to keep the XP - and I think I mentioned because of the wireless playing better - but some of the newer Linuxes apparently now have improved the wireless NIC code - one of my clients said he put Ubuntu (I think it was Ubuntu) on his notebook and the wireless jumped right up, although he did have to manually download an inf from MS... so maybe that's not as much of a chore as it was a year ago!
 
It creates the following files to store stolen information from the infected computer:

System\form.txt
System\info.txt
System\shot.html

It may steal the following information:

Host name and IP Address
Outlook Express Accounts
SMTP and POP3 Server
Password for Internet Explorer AutoComplete
MSN Explorer Signup account
Windows Cached Passwords
URLs visited
HTTP POST request
Content of HTTP FORM
TAN and PIN numbers of bank accounts

It searches for .pfx files on the infected computer.

It attempts to export and steal the crypto keys and certificates stored within the above files.

Hi, Jane. I checked for those files. Now, I don't know if the indicated files above (form.txt, etc) have already been eliminated, or simply didn't exist, but there are no such files on the system at this time.

Furthermore - again - I DO NOT USE MS programs unless absolutely necessary (in fact, running the KAV online was, I believe, the first time I have used IE at all on the infected computer; on my XP Pro system at home I use IE only for my day-trading access, since the authors were stupid enough to use MS's java extensions and it doesn't work with FF or Opera). I have stated more than once that I don't use IE, nor do I use MS Office; I stated that I use Thunderbird, from which one should infer that I do not use Outlook, but let me state that unequivocally, anyway: I do not use any version of Outlook. I assume (always dangerous) that the trojan steals data from the directories known to be inhabited by IE, Office, Outlook, etc. The old data may have been there, I don't know, but if it was, it was almost certainly no longer valid.

I will inform the former JP that she had managed to collect a fairly horrendous set of viruses and that she should change her passwords as a matter of security.
That would be good. Also I'm concerned if the county is selling their computers without wiping them, other people's info on them could be compromised without their knowledge (the JP's cases, whatever). That JP may know best what info may have been on the computer that others could now have access to.

This computer has a lot of problems at the moment. If you decide to flatten it, check with Dell on the advisability of that in case they have any special instructions and whether or not the version of Windows XP you have as an install CD will work on that (you would almost certainly need a new version and not one borrowed off another machine).

If you decide to clean it, let me know - I'll try.
I don't know what happens with other County computers - I'll see what I can find out.

Most people don't have a good understanding of government functioning at ANY level... here's a quick lesson: elected officials work for the voters / taxpayers, and not for some other official. For example, your County Clerk does not work for your County Judge and is under no obligation to take orders from the Judge (or the state, or anyone else)... likewise, the County Attorney doesn't work for the District Attorney or your state Attorney General or anyone else. Your state may or may not have laws specifying what can, should, or must be done with any forms of records (read, "data"), other than retention, availability or non-availability to the public, and so on. No official is liable for the acts of criminals, even in such a case as failure to lock doors or filing cabinets...

I'm not saying your points aren't good IDEAS, but - as far as I am aware, and speaking generally - they aren't LAWS, other than "best efforts" sort of things, and defining best efforts and culpability for failure to make such efforts are incredibly hard to prosecute, even if such prosecution were desirable, which it - again, generally - almost never seems to be, at least not from the standpoint of one elected official (or staff) taking after another elected official (or staff).

It looks to me like your heart and your interest aren't really in this, so unless you really, actually WANT to keep banging on this thing, I think I'm going to see if I can just format and (re-)install a generic XP Home on the thing. Besides, we've both already spent far more time and energy than the damned thing is worth - I'd bet there are identical ones on eBay going for less than the value of your time... in case you can't tell, I'm feeling pretty damn apologetic for even starting this in the first place... but I'm one of those people who hate like hell to junk something that can be fixed... it's sorta like spending three or four hours trying to fix a steam iron instead of throwing the (*&#@$ thing away and buying a new one for $12.95....

I'm sure there will be fun and games involved in finding the secret mystery Dell drivers, but I have (re-)installed plain vanilla Windowses on other Dells (and Compaqs and Gateways - albeit no notebooks, and only a couple of XP versions - I borrowed a CD from the local store and used the original product key from the computer's sticker, no big deal, although I did have to talk to someone at MS about one of them and cross my heart that this was the same computer but with a new hard disk after the old one crashed), without huge problems ensuing. Maybe I'll get with Dell and see if they can provide the CDs... The computer has a gen-you-wine Dell / Windows sticker on it, product key and all. And if that doesn't work, I'm 100% certain I can install any of a large number of Linuxes on it, and I'm guessing that the wireless is going to be much less of an issue now... and, of course, the virus issue - for all practical purposes - simply doesn't exist.

Anyway, if you are interested, fine, I'm game to see what can be done - as I have repeatedly stated, I have absolutely no problem with simply erasing / replacing any or all of the apps or OS, by which I mean that if it's easier to erase and replace than to sanitize, that's what we do!

What do YOU suggest? Remember, I understand completely and have no hard feelings or disrespect if you just want to file this under Nightmare and walk away!

Jane, again, I thank you for your time and your patience in dealing with this. I hope you understand that I do really and truly appreciate it!
If this were my computer, I would wipe it first and reinstall because of the type of malware that has been running on it. Some of the installed software programs are now infected and may need to be uninstalled/reinstalled. The security settings have been lowered by this trojan:
Trojan Zonebac (aka Trojan Agent AWF)
http://www.symantec.com/security_response/writeup.jsp?docid=2006-091612-5500-99

Trojan Bzub we have already covered - it does other system damage as well. There are a number of trojan downloader agents (these trojans download additional malware to the machine). It is all in the Kaspersky scan report.

I don't mind helping you try to clean it but I cannot guarantee we can find what settings/exploits have already been made to ensure an intruder can get back in.

If you choose to reinstall Windows please be sure that you can get Service Pack 2. Right now the machine is on SP1 and is no longer receiving critical security updates to Windows, and it is at the moment quite far behind, so it is exploitable and vulnerable to attack. We could try to clean it up as best as possible and hopefully an install of SP2 would reset a lot of the security settings that have been compromised - but I can't guarantee it. The system logs indicate a problem trying to validate and get updates, but of course you should not do that upgrade to SP2 before getting the malware off of there first.

I just need to know which way you want to go with this. I have gone over the logs and enumerated what infections are present and the steps to begin to remove them, but I am holding off until you tell me in which direction you would like to proceed.

And yes, it is easier to do this:
If it's easier to erase and replace than to sanitize....