Something's hiding

Latest Scans

Peku, Again Kaspersky crashed my browser [before finishing database download]. It worked when I tried again. Interestingly, Kaspersky identifies the Keyfinder file [mentioned previously but not identified by MBAM, and not picked up on previous Kaspersky scans], but not the Keygen file [identified by MBAM].
All scans run in Normal Mode.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, January 20, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, January 20, 2009 15:58:15
Records in database: 1654946
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 173151
Threat name: 4
Infected objects: 71
Suspicious objects: 0
Duration of the scan: 04:37:11


File name / Threat name / Threats count
C:\Doca-Mozilla\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Sunfraud.ax 3
C:\Doca-Mozilla\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cw 3
C:\Doca-Mozilla\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cm 2
C:\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Sunfraud.ax 3
C:\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cw 3
C:\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cm 2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Sunfraud.ax 3
C:\Documents and Settings\Administrator\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cw 3
C:\Documents and Settings\Administrator\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cm 2
C:\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Sunfraud.ax 3
C:\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cw 3
C:\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cm 2
C:\Documents and Settings\Administrator.COMPUTER\My Documents\ReActivate\WinXP_Activate\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Documents and Settings\Administrator.COMPUTER\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Sunfraud.ax 3
C:\Documents and Settings\Administrator.COMPUTER\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cw 3
C:\Documents and Settings\Administrator.COMPUTER\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cm 2
C:\Documents and Settings\Administrator.COMPUTER\Application Data\Thunderbird\Profiles\bqze3qas.default\Mail\localhost\Trash Infected: Trojan-Clicker.HTML.IFrame.abn 5
D:\C_Backup\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Sunfraud.ax 3
D:\C_Backup\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cw 3
D:\C_Backup\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cm 2
D:\C_Backup\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Sunfraud.ax 3
D:\C_Backup\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cw 3
D:\C_Backup\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cm 2
D:\C_Backup\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Sunfraud.ax 3
D:\C_Backup\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cw 3
D:\C_Backup\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cm 2

The selected area was scanned.

=====================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:P, on 1/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\HiJackThis.new.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O8 - Extra context menu item: Save Flash - res://C:\Program Files\SWF-Get\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\SWF-Get\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1206762645578
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4527 bytes

======================================================

Thanks, D58
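A small parser for the Kaspersky Online Scanner 7 report layout quoted above, added here as an editor's example and not part of the thread. It runs over a constructed excerpt that reuses the thread's own paths and threat names (counts trimmed so the excerpt is self-consistent at 13 objects; the full report above sums to its reported 71) and does the cross-checks a helper reading such a log wants: do the per-file counts add up to the statistics block, which hits are riskware ("not-a-virus:" prefix), and which sit inside mail stores rather than as files on disk. The mail-store suffix list is an assumption, not Kaspersky's definition.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Kaspersky Online Scanner 7 report quoted in
# the thread; paths and threat names are the thread's own, counts trimmed to 13 objects.
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 173151
Infected objects: 13
Suspicious objects: 0

File name / Threat name / Threats count
C:\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Sunfraud.ax 3
C:\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\INBOX Infected: Trojan-Spy.HTML.Bankfraud.cw 3
C:\Documents and Settings\Administrator.COMPUTER\My Documents\ReActivate\WinXP_Activate\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Documents and Settings\Administrator.COMPUTER\Application Data\Thunderbird\Profiles\bqze3qas.default\Mail\localhost\Trash Infected: Trojan-Clicker.HTML.IFrame.abn 5

The selected area was scanned.
"""

# "<path> Infected: <threat> <count>"; the path may contain spaces, so match lazily up to " Infected: "
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")
# "<Key words>: <integer>" lines of the statistics block (duration is skipped: not an integer)
STAT = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>\d+)\s*$")
# Assumed mailbox containers: a hit here is a stored message, not executable code on disk
MAIL_STORE = re.compile(r"(\\INBOX|\\Trash|\.sbd)$", re.IGNORECASE)


def parse_report(text):
    """Return (stats dict, list of detection dicts) from the report text."""
    stats, hits = {}, []
    for line in text.splitlines():
        m = DETECTION.match(line)
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
            continue
        m = STAT.match(line)
        if m:
            stats[m["key"]] = int(m["value"])
    return stats, hits


def triage(text):
    """Summarise a report: count consistency, per-threat totals, riskware vs. mail-store hits."""
    stats, hits = parse_report(text)
    by_threat = Counter()
    for h in hits:
        by_threat[h["threat"]] += h["count"]
    counted, reported = sum(by_threat.values()), stats.get("Infected objects")
    return {
        "objects_counted": counted,
        "objects_reported": reported,
        "stats_consistent": counted == reported,
        "by_threat": dict(by_threat),
        # "not-a-virus:" is Kaspersky's prefix for riskware / unwanted tools rather than malware
        "riskware": sorted({h["path"] for h in hits if h["threat"].startswith("not-a-virus:")}),
        "in_mail_stores": sorted({h["path"] for h in hits if MAIL_STORE.search(h["path"])}),
        "on_disk": sorted({h["path"] for h in hits if not MAIL_STORE.search(h["path"])}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```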
 
Hi D58

Empty this folder
C:\Documents and Settings\Administrator.COMPUTER\Application Data\Thunderbird\Profiles\bqze3qas.default\Mail\localhost\Trash

Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe.
  • Copy the lines in the codebox below.
Code:
:files
C:\Doca-Mozilla\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net
C:\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net
C:\Documents and Settings\Administrator\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net
C:\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net
C:\Documents and Settings\Administrator.COMPUTER\My Documents\ReActivate\WinXP_Activate\keyfinder.exe 
C:\Documents and Settings\Administrator.COMPUTER\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net
D:\C_Backup\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net
D:\C_Backup\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net
D:\C_Backup\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Please reply with

the OTMoveIt3.log

Thanks peku006
 
Movit Success

Peku, Folder - C:\Documents and Settings\Administrator.COMPUTER\Application Data\Thunderbird\Profiles\bqze3qas.default\Mail\localhost\Trash
does not exist. Found - C:\Documents and Settings\Administrator.COMPUTER\Application Data\Thunderbird\Profiles\bqze3qas.default\Mail\Local Folders\Trash.sbd
EMPTY. Emptied Trash IN Thunderbird. Also found other instances of C:\~\bqze3qas.default\Mail\Local Folders\Trash.sbd - EMPTY.
Note that ALL instances of Mail Folders in question are backups from OLD mail account @BWN.NET that no longer exists [closed over 1 1/2 yrs ago].
Probably could delete ALL without a problem.

========== FILES ==========
C:\Doca-Mozilla\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd\OLD.sbd moved successfully.
C:\Doca-Mozilla\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd moved successfully.
C:\Doca-Mozilla\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net moved successfully.
C:\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd\OLD.sbd moved successfully.
C:\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd moved successfully.
C:\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd\OLD.sbd moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net moved successfully.
C:\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd\OLD.sbd moved successfully.
C:\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd moved successfully.
C:\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net moved successfully.
C:\Documents and Settings\Administrator.COMPUTER\My Documents\ReActivate\WinXP_Activate\keyfinder.exe moved successfully.
C:\Documents and Settings\Administrator.COMPUTER\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd\OLD.sbd moved successfully.
C:\Documents and Settings\Administrator.COMPUTER\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd moved successfully.
C:\Documents and Settings\Administrator.COMPUTER\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net moved successfully.
D:\C_Backup\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd\OLD.sbd moved successfully.
D:\C_Backup\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd moved successfully.
D:\C_Backup\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net moved successfully.
D:\C_Backup\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd\OLD.sbd moved successfully.
D:\C_Backup\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd moved successfully.
D:\C_Backup\Documents and Settings\montyl\Application Data\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net moved successfully.
D:\C_Backup\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd\OLD.sbd moved successfully.
D:\C_Backup\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net\Archive.sbd moved successfully.
D:\C_Backup\Documents and Settings\Mozilla\Users50\monty\l0je4a4r.slt\News\mail.bwn.net moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01212009_030407
 
Hi D58
Yes, delete all the old folders.

Logs look good. How's the computer running now?
 
Mail Files Deleted

Peku, All files deleted [except current T-Bird trash folder; it would probably be recreated, but didn't want to take the chance], no adverse effects on Thunderbird. Strange, the listed files ~\INBOX were all 0 KB. PC running ok except Photoshop Plug-in 'Vividia' [which ran fine before this problem] now generates a memory access error, and locks up Photoshop. I tried reinstalling it [Vividia, not PhP yet], but no good. I know some settings/tweaks are changed by ComboFix. Could this be the cause? Should any scans be run in safe mode for detection of files hidden/protected by malware?
Thanks again, D58
 
Hi D58
now generates a memory access error, and locks up Photoshop
What kind of notification do you get: an "Out of Memory" error message or something else?

I know some settings/tweaks are changed by ComboFix. Could this be the cause?
It is not possible.
Should any scans be run in safe mode for detection of files hidden/protected by malware
That is not needed.
 
Error message

Peku, Exact message "Memory Access Violation". Cropped screen cap of error message box attached. As you can see, multiple instances of the message open. Photoshop can only be shut down using Task Manager/End Process.
D58
 
PhP Plugin Working

Peku, DEP exclusion worked. Otherwise system seems ok, no crashes, freezes, or other software problems. Before I forget, Re additional firewalling beyond Windows Firewall [frequent advice in summation phase of problems] I am connected to DSL through a full function, encrypted router.
Thanks, D58
 
Hi D58
Great that your machine is running better now, the scans are fine and it looks like your machine is clean :yahoo:

Here are some firewalls which are free for personal use and most used:
1) Comodo (during installation uncheck "Install COMODO Antivirus (Recommended)", "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor
3) PC Tools
4) Sunbelt/Kerio
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Next we remove all used tools:

Delete RSIT from your desktop, also delete this folder C:\rsit.

Uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • Double-click OTMoveIt3.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here.

Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use Spyware Blaster here.

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works.

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.


Happy safe surfing! :bigthumb:
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
 