Smitfraud and torpig

Hi

Yes, we're busy :D:

Logs look good.

All viruses are in system restore and inactive at the moment

I'll give you instructions later on how to empty it.

Other than that, any problems left?
 
The CPU seems rather slow (not as much as it has been) but it might just be me remembering it faster. Don't worry about that problem...:-)

When running Spybot it still registers SMITFRAUD-C.TOOLBAR888, TORPIG and some tracking cookies.

When I run XoftSpySE it registers TORPIG and a bunch of other moderate/low risk stuff (cookies). Something called WIN32.SALITY.X (type: Registry Value) is checked as a severe risk together with TORPIG.

A quick AVG Anti-Spyware finds 9 tracking cookies.

Don't know if it's what you called inactive viruses, and I can try and post some logs on it if you need it?
 
Spybot log (found in previous check reports). This is the most recent check done after I did as posted and the one finding the further problems.

02.07.2007 16:10:44 - ##### check started #####
02.07.2007 16:10:44 - ### Version: 1.4
02.07.2007 16:10:44 - ### Date: 02-07-2007 16:10:44
02.07.2007 16:10:45 - ##### checking bots #####
02.07.2007 16:14:07 - found: Smitfraud-C.Toolbar888 Settings
02.07.2007 16:17:24 - found: Torpig Temporary file
02.07.2007 16:17:24 - found: Torpig Temporary file
02.07.2007 16:21:01 - found: Avenue A, Inc. Tracking cookie (Internet Explorer: Skjold Klub)
02.07.2007 16:21:09 - found: Statcounter Tracking cookie (Internet Explorer: Skjold Klub)
02.07.2007 16:21:16 - ##### check finished #####

and this one a bit longer:


--- Report generated: 2007-07-02 16:21 ---

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Avenue A, Inc.: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-06-25 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-06-27 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-06-27 Includes\DialerC.sbi (*)
2007-06-20 Includes\Hijackers.sbi (*)
2007-06-27 Includes\HijackersC.sbi (*)
2007-06-27 Includes\Keyloggers.sbi (*)
2007-06-27 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-06-20 Includes\Malware.sbi (*)
2007-06-27 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-06-27 Includes\PUPSC.sbi (*)
2007-06-27 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-06-27 Includes\SecurityC.sbi (*)
2007-06-20 Includes\Spybots.sbi (*)
2007-06-27 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-06-27 Includes\Trojans.sbi (*)
2007-06-27 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll
 
Hi

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd]

It should look like this ->
reg.gif


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Empty this folder:

C:\WINDOWS\Temp\

Empty Recycle Bin

Re-scan with spybot

Post a fresh spybot report.
 
Doing fine until the "empty C:\WINDOWS\Temp\"

It can delete some but not these files

C:\WINDOWS\Temp\_avast4_\Webshlock
C:\WINDOWS\Temp\Perflib_Perfdata_4e8 (video cd film-file)
C:\WINDOWS\Temp\$_2341233.TMP
C:\WINDOWS\Temp\$_2341234.TMP

What to do then???
 
Hi

Please download the Killbox.
Save it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Temp\$_2341233.TMP
C:\WINDOWS\Temp\$_2341234.TMP

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Empty this folder:

C:\!KillBox

Empty Recycle Bin

Then just move on, please :)
 
Hi

Got Killbox, ran it, deleted the files and did as told...
Though no Pending Operations prompt.

Restarted (files are gone :))

Emptied Killbox folder and recycle bin

The Spybot search finds both Virtumonde and Torpig :sad: (the smitfraud seems to be gone).

Here's the log from Spybot (probably with too much info but I forgot to uncheck some of the report options :)):


--- Search result list ---
Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd

Avenue A, Inc.: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-06-25 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-07-03 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-07-03 Includes\DialerC.sbi (*)
2007-06-20 Includes\Hijackers.sbi (*)
2007-07-03 Includes\HijackersC.sbi (*)
2007-06-27 Includes\Keyloggers.sbi (*)
2007-07-03 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-06-20 Includes\Malware.sbi (*)
2007-07-03 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-07-03 Includes\PUPSC.sbi (*)
2007-07-03 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-07-03 Includes\SecurityC.sbi (*)
2007-06-20 Includes\Spybots.sbi (*)
2007-07-03 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-07-03 Includes\Trojans.sbi (*)
2007-07-03 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2


--- Startup entries list ---
Located: HK_LM:Run, !AVG Anti-Spyware
command: "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
file: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
size: 6731312
MD5: cc6bc45dd5a58158645e7fb2953604fe

Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 75392
MD5: 41b88784128c1eb3a24a928ce58b2455

Located: HK_LM:Run, PHIME2002A
command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

Located: HK_LM:Run, PHIME2002ASync
command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

Located: HK_LM:Run, QuickTime Task
command: "C:\Programmer\QuickTime\qttask.exe" -atboottime
file: C:\Programmer\QuickTime\qttask.exe
size: 98304
MD5: 76a3a30b58405c2c6d833895253a51a9

Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 77824
MD5: 63657c6e0df49bbaabf6f5800bcb5479

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
file: C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
size: 36975
MD5: 1f6573d67dd5dc06dd29ec7fcf81dc6f

Located: HK_LM:Run, TkBellExe
command: "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
file: C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
size: 180269
MD5: 77ed13fd3196ebc7311ccd6899c7488c

Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
command: "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
file: C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
size: 153136
MD5: 59d9856cd1420e2af778821b7e1b81d0

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 22-10-2006 23:08:42
Date (last access): 04-07-2007 11:08:02
Date (last write): 22-10-2006 23:08:42
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 25-06-2007 17:35:52
Date (last access): 04-07-2007 11:08:06
Date (last write): 31-05-2005 01:04:00
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0
 
Well, found these instead....

04.07.2007 11:27:29 - ##### check started #####
04.07.2007 11:27:29 - ### Version: 1.4
04.07.2007 11:27:29 - ### Date: 04-07-2007 11:27:29
04.07.2007 11:27:30 - ##### checking bots #####
04.07.2007 11:35:09 - found: Torpig Temporary file
04.07.2007 11:35:10 - found: Torpig Temporary file
04.07.2007 11:38:36 - found: Virtumonde Settings
04.07.2007 11:39:11 - found: Avenue A, Inc. Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 11:39:19 - found: Statcounter Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 11:39:24 - found: Advertising.com Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 11:39:24 - found: Tradedoubler Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 11:39:25 - found: TagASaurus Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 11:39:27 - ##### check finished #####

and this one:


--- Report generated: 2007-07-04 11:39 ---

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd

Avenue A, Inc.: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)




Let me know if you need the long one which includes all the Spybot report options.
 
Hi

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd]

It should look like this ->
reg.gif


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\Temp\$_2341234.TMP
    C:\WINDOWS\Temp\$_2341233.TMP


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Re-scan with spybot

Post a fresh spybot report.
 
04.07.2007 12:17:51 - ##### check started #####
04.07.2007 12:17:51 - ### Version: 1.4
04.07.2007 12:17:51 - ### Date: 04-07-2007 12:17:51
04.07.2007 12:17:52 - ##### checking bots #####
04.07.2007 12:24:16 - found: Torpig Temporary file
04.07.2007 12:24:16 - found: Torpig Temporary file
04.07.2007 12:27:43 - found: Statcounter Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 12:27:47 - found: Advertising.com Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 12:27:47 - found: Tradedoubler Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 12:27:48 - found: TagASaurus Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 12:27:49 - ##### check finished #####


--- Report generated: 2007-07-04 12:27 ---

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)



 
Hi

A bit better.

Copy text below to Notepad and save it as rem.bat (save it as all files, *.*)

@ECHO OFF
attrib -r -h C:\WINDOWS\Temp\*.*
del /a /f /q C:\WINDOWS\Temp\*.*

It should look like this ->
bat.JPG


Doubleclick rem.bat; black dos windows will flash, that's normal.

(In case you are unsure how to create a bat file, take a look here with screenshots.)

Re-scan with spybot

Post a fresh spybot report.
 
Ok, now it seems that Virtumonde is gone, but torpig still exists:

04.07.2007 12:51:53 - ##### check started #####
04.07.2007 12:51:53 - ### Version: 1.4
04.07.2007 12:51:53 - ### Date: 04-07-2007 12:51:53
04.07.2007 12:51:53 - ##### checking bots #####
04.07.2007 12:57:57 - found: Torpig Temporary file
04.07.2007 12:57:57 - found: Torpig Temporary file
04.07.2007 13:01:14 - found: Statcounter Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:01:18 - found: Advertising.com Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:01:19 - found: Tradedoubler Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:01:20 - found: TagASaurus Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:01:21 - ##### check finished #####


--- Report generated: 2007-07-04 13:01 ---

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)



 
Can't seem to find the files in the folder
C:\WINDOWS\Temp
And I have marked the show hidden files option....

I believe they disappeared after running Killbox but Spybot still found them???

???

What to do then?? is Spybot just oversensitive...? or is it even another hidden problem??
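
Comparing the Spybot reports posted so far by location rather than by threat name, as an added example (not part of the original thread and not Spybot's own code): it parses the report format shown above and lists which artifacts appear in every scan and which location was reported under two different names. The report excerpts are copied from the posts with most cookie entries left out; the function names are assumptions.

```python
import re
from collections import defaultdict

# Excerpts of the four Spybot reports posted in this thread. Most cookie
# entries are omitted; one is kept to show an entry without a location line.
REPORTS = r"""
--- Report generated: 2007-07-02 16:21 ---

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)

--- Report generated: 2007-07-04 11:39 ---

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd

--- Report generated: 2007-07-04 12:27 ---

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

--- Report generated: 2007-07-04 13:01 ---

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP
"""

HEADER = re.compile(r"^--- Report generated: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) ---$")
ENTRY = re.compile(
    r"^(?P<threat>.+?): (?P<item>.+) \((?P<kind>[^(),]+), (?P<action>[^()]+)\)$")


def parse_reports(text):
    """Return one dict per finding: scan, threat, item, kind, action, location."""
    findings, scan = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        header = HEADER.match(line)
        if header:
            scan = header.group(1)
            continue
        entry = ENTRY.match(line)
        if not entry or scan is None:
            continue
        # When Spybot prints a location, it is the line directly below the entry.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        is_location = nxt and not HEADER.match(nxt) and not ENTRY.match(nxt)
        findings.append({"scan": scan, "location": nxt if is_location else None,
                         **entry.groupdict()})
    return findings


def history(findings, kinds=("File", "Registry key")):
    """Map each file or registry location to its sorted (scan, threat) hits."""
    seen = defaultdict(list)
    for f in findings:
        if f["kind"] in kinds and f["location"]:
            seen[f["location"]].append((f["scan"], f["threat"]))
    return {loc: sorted(hits) for loc, hits in seen.items()}


def persistent(findings):
    """Locations reported in every scan that produced a report."""
    scans = {f["scan"] for f in findings}
    return sorted(loc for loc, hits in history(findings).items()
                  if {s for s, _ in hits} == scans)


def relabeled(findings):
    """Locations reported under more than one threat name across scans."""
    out = {}
    for loc, hits in history(findings).items():
        names = list(dict.fromkeys(name for _, name in hits))
        if len(names) > 1:
            out[loc] = names
    return out


if __name__ == "__main__":
    found = parse_reports(REPORTS)
    print("In every scan:", *persistent(found), sep="\n  ")
    for loc, names in relabeled(found).items():
        print("Same location, different names:", loc, "->", ", ".join(names))
```
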
 
Hi

Well they might be superhidden.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\Temp\$_2341234.TMP
C:\WINDOWS\Temp\$_2341233.TMP

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Re-scan with spybot

Post:

- c:\avenger.txt
- spybot report
 
Ok, it seems more complicated than I thought.... Well, did as told, but the avenger folder does not contain anything and as I followed the reboot the dos command box contained a cannot find file or file does not exist message but only saw it briefly...

alas...no avenger.txt and also no C:\avenger\backup.zip?????

But here is the hijackthis log and the next post will contain a new spybot report:

Logfile of HijackThis v1.99.1
Scan saved at 13:38:51, on 04-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe
C:\Programmer\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=DK&range=AD&phase=6&key=SEARCH
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\dan.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ifkskjold.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
 
Hi

Well, it looks like those files really don't exist and Spybot finds something on its own.

Did you copy all these lines to Avenger?

Files to delete:
C:\WINDOWS\Temp\$_2341234.TMP
C:\WINDOWS\Temp\$_2341233.TMP
 
Yup all of it....

The new Spybot report:

04.07.2007 13:43:42 - ##### check started #####
04.07.2007 13:43:42 - ### Version: 1.4
04.07.2007 13:43:42 - ### Date: 04-07-2007 13:43:42
04.07.2007 13:43:42 - ##### checking bots #####
04.07.2007 13:50:12 - found: Torpig Temporary file
04.07.2007 13:50:13 - found: Torpig Temporary file
04.07.2007 13:53:40 - found: Statcounter Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:53:44 - found: Advertising.com Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:53:45 - found: Tradedoubler Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:53:46 - found: TagASaurus Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:53:47 - ##### check finished #####


--- Report generated: 2007-07-04 13:53 ---

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-06-25 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-07-03 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-07-03 Includes\DialerC.sbi (*)
2007-06-20 Includes\Hijackers.sbi (*)
2007-07-03 Includes\HijackersC.sbi (*)
2007-06-27 Includes\Keyloggers.sbi (*)
2007-07-03 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-06-20 Includes\Malware.sbi (*)
2007-07-03 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-07-03 Includes\PUPSC.sbi (*)
2007-07-03 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-07-03 Includes\SecurityC.sbi (*)
2007-06-20 Includes\Spybots.sbi (*)
2007-07-03 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-07-03 Includes\Trojans.sbi (*)
2007-07-03 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll
 
Hi

I think that we can't do much more.

Looks like those files don't exist (if Avenger can't find those, it's 99,9% sure that they don't). If they do exist, they're leftovers and quite harmless.

You can try to run temp file cleaner and tell me if those still exist after that:

Please download ATF Cleaner by Atribune and save it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.
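
Added example, not part of the original thread: one way to script the check discussed above, namely which Spybot findings survive from one scan to the next and whether the flagged file paths exist on disk at all. The function names are hypothetical and the two sample reports are constructed by trimming the reports quoted in this thread.

```python
import os
import re
from typing import NamedTuple

class Finding(NamedTuple):
    threat: str
    kind: str       # "File", "Registry key", "Cookie"
    location: str   # path or key from the following line, "" if none
# Entry line: "Threat: description (Type, action)"; the type is in the last group.
ENTRY = re.compile(r"^(?P<threat>[^:]+): .+ \((?P<kind>[^,()]+), [^()]+\)$")

def parse_report(text: str) -> list[Finding]:
    lines = [ln.strip() for ln in text.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        m = ENTRY.match(line)
        if m:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            # Cookies have no location line; never take a header or entry as one.
            location = "" if ENTRY.match(nxt) or nxt.startswith("---") else nxt
            findings.append(Finding(m["threat"], m["kind"], location))
    return findings

def persisted(before, after):
    """Findings reported by both scans, i.e. not cleared in between."""
    return sorted(set(before) & set(after))

def absent_on_disk(findings, exists=os.path.exists):
    """File findings whose path does not exist: stale or false detections."""
    return [f for f in findings if f.kind == "File" and not exists(f.location)]

# Constructed sample: entries copied from the two reports in this thread, trimmed.
BEFORE = r"""--- Report generated: 2007-07-02 16:21 ---
Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd
Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP
Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP
"""
AFTER = r"""--- Report generated: 2007-07-04 13:53 ---
Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP
Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP
Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)
"""
if __name__ == "__main__":
    for f in persisted(parse_report(BEFORE), parse_report(AFTER)):
        print(f.threat, f.location, "absent" if absent_on_disk([f]) else "on disk")
```

Run on the affected machine against the saved report text, a persisted file finding that is also absent on disk matches the situation described in the posts above.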
 