Need a bit of advice... lsasss.exe and more! :)

Hi guys,

I have read the stickies, but am still way confused. Hope you can help me!

I am running Avast Home 4.7.942, VPS 00725-1 19/03/2007, Win XP. I have no other virus software running.

I started my computer today and after booting up I immediately got a virus alert saying avast had detected virus lsasss.exe in my system32 folder. I told avast to move it to the chest, then went to look in the chest to find out more. When I tried to open avast, during the memory scan on startup it encountered many infected files, most of them system processes that I recognized, usually program updaters, e.g. hpsysdrv.exe, adobeupdatemanager.exe, qttask.exe, jusched.exe etc. I moved them all to the chest, not knowing whether they really posed a risk or not.

Then avast told me that I needed to run a boot-time scan to detect all of the infected files. I did this, and many more files were detected and moved to the chest. Now when I start my computer, most of the processes that normally run in my system tray are no longer there. Was it really necessary to quarantine these files? How do I restore the functionality of my PC? Below is a screenshot of the infected files.

http://www.billysalisbury.com/other_files/viruses.png

thanks!

Billy.

Right-click them and scan them inside the Chest. If any file is detected as clean, especially the ones regarding your ‘old’ processes, you can restore it.
For sure, you don’t have to restore infected files; the better option will be to disable System Restore to delete infected restore points and then enable it again. All files (infected or not) in c:\System Volume Information\ will be deleted.

Cheers!

I have scanned each of the files within the chest, and each shows up as:

Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: hpsysdrv.exe (or whatever)
FileID: 18
Virus Description: Win32:Trojan-gen. {UPX!}

Even lsasss.exe gives the same result. I’m still confused. Where is the actual virus “Win32:Trojan-gen. {UPX!}”? Most of the files were already on my system. Is lsasss.exe the actual virus, and having managed to launch itself, has it “infected” all these other files so that they also appear as the same virus?

Do I now have to delete all of those files and reinstall each of the services/programs again? Having said that, I quite like having my system tray empty! I’m starting to think this virus may have done me a favour and infected all of the unnecessary system processes I had running!

cheers!

Billy.

Looks like Win32:Trojan-gen. {UPX!} is now picking up a few Zlob Trojans that avast! missed before, but also causing a few false positives?

Antivirus       Version          Update       Result
AhnLab-V3       2007.3.21.0      03.20.2007   no virus found
AntiVir         7.3.1.43         03.20.2007   DR/Zlob.Gen
Authentium      4.93.8           03.20.2007   is a security risk or a "backdoor" program
Avast           4.7.936.0        03.19.2007   Win32:Trojan-gen. {UPX!}
AVG             7.5.0.447        03.20.2007   Downloader.Zlob.FWR
BitDefender     7.2              03.20.2007   Trojan.Downloader.Zlob.AIO
CAT-QuickHeal   9.00             03.20.2007   TrojanDownloader.Zlob.gen
ClamAV          devel-20070312   03.20.2007   Trojan.Downloader.Zlob-545
DrWeb           4.33             03.20.2007   Trojan.Popuper
eSafe           7.0.14.0         03.20.2007   Win32.Zlob.bjx

billysalisbury,

Don’t delete the files; rather, see this thread for dealing with possible false positives:

http://forum.avast.com/index.php?topic=7779.msg62586#msg62586

I think there are no false positives in this case.

http://www.symantec.com/security_response/writeup.jsp?docid=2006-091612-5500-99&tabid=2

Searches for files referenced in the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Note: For all the files found referenced in the registry subkey values, the Trojan creates a copy of the referenced file in a folder named “bak” at the
same path as the original file. Then the Trojan will replace the original file with a copy of itself.

;D

It explains what has happened to the “legitimate files”.

To verify the user’s computer is infected with this nasty trojan, I would suggest having a look in the registry.

Seems it has replicated itself to the other files.
You need to be clean…

Services will be installed with the applications themselves. But I think you’ll need to be clean and only after that try to install the missing applications.

For the future, try the Mozy online backup in my signature and back up your files and data.

If Thomas123’s assessment is correct (Trojan.Zonebac), it’s the same as Agent.AWF according to Sophos:

http://www.sophos.com/security/analyses/trojagentebs.html

A scan with FindAWF certainly couldn’t hurt.

To confirm, extract one of the infected files and submit to VirusTotal.

Hi Guys,

Thanks so much for all the help! I downloaded FindAWF and ran it. Sure enough, loads of BAK folders. So what do I do now? Here’s the report below. Some of it’s in Spanish as my Windows is Spanish. But it’s pretty simple! archivo=file, serie=serial, volumen=volume, archivos de programa=program files, unidad=unit/drive, etc.!

Find AWF report by noahdfear ©2006

bak folders found


El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\MESSEN~1\BAK

             0 archivos              0 bytes
             2 dirs   3,105,267,712 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\QUICKT~1\BAK

19/05/2006  10:59           282,624 qttask.exe
             1 archivos        282,624 bytes
             2 dirs   3,105,267,712 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\SPYCAT~1\BAK

18/06/2005  10:19            98,421 SpyCatcher.exe
             1 archivos         98,421 bytes
             2 dirs   3,105,263,616 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\HP\KBD\BAK

03/02/2005  00:44            61,440 KBD.EXE
             1 archivos         61,440 bytes
             2 dirs   3,105,263,616 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\WINDOWS\SMINST\BAK

14/04/2004  21:43           233,472 RECGUARD.EXE
             1 archivos        233,472 bytes
             2 dirs   3,105,263,616 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\WINDOWS\SYSTEM\BAK

07/05/1998  17:04            52,736 hpsysdrv.exe
             1 archivos         52,736 bytes
             2 dirs   3,105,263,616 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\WINDOWS\SYSTEM32\BAK

25/10/2004  23:17            90,112 ps2.exe
             1 archivos         90,112 bytes
             2 dirs   3,105,263,616 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\ALWILS~1\AVAST4\BAK

15/01/2007  18:28           108,160 ashDisp.exe
             1 archivos        108,160 bytes
             2 dirs   3,105,263,616 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\HP\HPSOFT~1\BAK

12/05/2005  06:12            49,152 HPwuSchd2.exe
             1 archivos         49,152 bytes
             2 dirs   3,105,263,616 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\PRESONUS\1394AU~1\BAK

             0 archivos              0 bytes
             2 dirs   3,105,263,616 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\ZERO2000\ATTS\BAK

09/12/2000  22:54           401,144 msagent.exe
07/03/2000  16:55           844,448 spchapi.exe
19/10/1998  22:46         1,021,232 tv_enua.exe
             3 archivos      2,266,824 bytes
             2 dirs   3,105,263,616 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\HP\DRIVERS\HPLSBW~1\BAK

11/05/2005  01:50           253,952 lsburnwatcher.exe
             1 archivos        253,952 bytes
             2 dirs   3,105,259,520 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\ADOBE\ACROBA~1.0\READER\BAK

24/10/2005  14:53           307,200 AdobeUpdateManager.exe
             1 archivos        307,200 bytes
             2 dirs   3,105,259,520 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\ADOBE\ACROBA~3.0\ACROBAT\BAK

22/10/2006  23:24           620,152 Acrotray.exe
             1 archivos        620,152 bytes
             2 dirs   3,105,259,520 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\ARCHIV~1\REAL\UPDATE~1\BAK

24/04/2006  12:28           180,269 realsched.exe
             1 archivos        180,269 bytes
             2 dirs   3,105,259,520 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\GOOGLE\GOOGLE~2\121128~1.546\BAK

05/02/2007  13:44           171,448 GoogleToolbarNotifier.exe
             1 archivos        171,448 bytes
             2 dirs   3,105,259,520 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\HP\DIGITA~1\{33D6C~1\BAK

02/06/2005  07:35            49,152 hphupd08.exe
             1 archivos         49,152 bytes
             2 dirs   3,105,259,520 bytes libres
El volumen de la unidad C es HP_PAVILION
El número de serie del volumen es: 00E4-97E6

Directorio de C:\ARCHIV~1\JAVA\JRE15~2.0_1\BIN\BAK

15/12/2006  03:23            75,520 jusched.exe
             1 archivos         75,520 bytes
             2 dirs   3,105,259,520 bytes libres


Duplicate files of bak directory contents
282624 19 May 2006 "C:\Archivos de programa\QuickTime\bak\qttask.exe"
 98421 18 Jun 2005 "C:\Archivos de programa\SpyCatcher 2006\bak\SpyCatcher.exe"
11894024 28 Jul 2006 "C:\Storage\Downloads\Software\Utilities\spycatcher-express.exe"
61440 3 Feb 2005 "C:\hp\KBD\bak\KBD.EXE"
233472 14 Apr 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 7 May 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
90112 25 Oct 2004 "C:\hp\drivers\KEYBOARD\PS2.EXE"
90112 25 Oct 2004 "C:\WINDOWS\system32\bak\ps2.exe"
108160 15 Jan 2007 "C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe"
108160 15 Jan 2007 "C:\Archivos de programa\Alwil Software\Avast4\bak\ashDisp.exe"
49152 12 May 2005 "C:\Archivos de programa\HP\HP Software Update\bak\HPwuSchd2.exe"
401144 9 Dec 2000 "C:\Archivos de programa\zero2000\atts\bak\msagent.exe"
844448 7 Mar 2000 "C:\Archivos de programa\zero2000\atts\bak\spchapi.exe"
1021232 19 Oct 1998 "C:\Archivos de programa\zero2000\atts\bak\tv_enua.exe"
253952 11 May 2005 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
976472 5 Oct 2006 "C:\Archivos de programa\Archivos comunes\Adobe\Updater\AdobeUpdater.exe"
45200 27 Sep 2006 "C:\Archivos de programa\Archivos comunes\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
307200 24 Oct 2005 "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
3884658 4 Jul 2006 "C:\Documents and Settings\HP_Propietario\Mis documentos\Updater\helpcenter1\AdobeUpdater403.exe"
3898680 7 Feb 2007 "C:\Documents and Settings\HP_Propietario\Mis documentos\Updater\helpcenter2\AdobeUpdater_404.exe"
620152 22 Oct 2006 "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\acrotray.exe"
620152 22 Oct 2006 "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\bak\Acrotray.exe"
180269 24 Apr 2006 "C:\Archivos de programa\Archivos comunes\Real\Update_OB\bak\realsched.exe"
52272 5 Feb 2007 "C:\Archivos de programa\Google\googletoolbar4user.exe"
61440 14 Sep 2006 "C:\Archivos de programa\Google\Google Earth\googleearth.exe"
559784 24 Apr 2006 "C:\Archivos de programa\Archivos comunes\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 5 Feb 2007 "C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe"
14405024 20 Oct 2006 "C:\Storage\Downloads\Software\Utilities\GoogleEarthWin.exe"
171448 5 Feb 2007 "C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
16451776 24 Jun 2006 "C:\Storage\Downloads\DC++\MUSIC\Google.Earth.Pro\GoogleEarthPro.exe"
49152 2 Jun 2005 "C:\Archivos de programa\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
36972 2 Jan 2005 "C:\Archivos de programa\Java\jre1.5.0\bin\jusched.exe"
36975 10 Nov 2005 "C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe"
49263 9 Nov 2006 "C:\Archivos de programa\Java\jre1.5.0_10\bin\jusched.exe"
49263 12 Oct 2006 "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe"
75520 15 Dec 2006 "C:\Archivos de programa\Java\jre1.5.0_11\bin\bak\jusched.exe"

end of report

Cheers! Billy.

P.S. I am still connected to the internet all the time. Is this foolish?

Hi billysalisbury,

The FindAWF tool finds any bak folders on your computer, infected or not.

Many programs create backup folders and files.

To confirm that you actually have this infection, extract a couple of files detected as malware and send to VirusTotal.

For example: HPwuSchd2.exe

From the virus chest, extract this file to the desktop, then send it to:

http://www.virustotal.com/en/indexf.html

In English the button says ‘extract’: you will have to look for a similar button in Spanish. If avast! detects the file while you are trying to send it, you will have to temporarily disable avast.

I don’t think it would help to scan any of the backups as they are theoretically the clean copies, so

49152 12 May 2005 "C:\Archivos de programa\HP\HP Software Update\bak\HPwuSchd2.exe"

might not be the best choice.

The primary executable in this example (C:\Archivos de programa\HP\HP Software Update\HPwuSchd2.exe) seems to be missing so I wonder if it was already put in quarantine by avast. Is there more to the avast! log than you posted?

If you do want to verify with VirusTotal or Jotti, these might be good choices:

90112 25 Oct 2004 "C:\hp\drivers\KEYBOARD\PS2.EXE"
108160 15 Jan 2007 "C:\Archivos de programa\Alwil Software\Avast4\bak\ashDisp.exe"
620152 22 Oct 2006 "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\acrotray.exe"

I also wonder if you’ve lost function with programs such as SpyCatcher or Quicktime.

If there is more to the avast! log, would you post the entire thing, and also a ComboScan log:

http://www.techsupportforum.com/sectools/Deckard/comboscan.exe

EDIT:

Just noticed the “extract this file” part. OK, makes sense.
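The Symantec write-up quoted earlier describes the pattern (each Run-key executable copied into a sibling bak folder, the original overwritten), and the last two replies add the caveat that many legitimate programs also keep bak copies. As an added example, not FindAWF's or avast's code and not from anyone in this thread, here is a defender-side check that compares each Run-key target with its bak copy and separates the cases discussed above: an identical pair is a benign backup, a missing original was most likely already quarantined (the bak copy is the clean one to restore), and originals that differ from their backup while sharing the same bytes across unrelated programs are flagged as replaced. The directory tree, file contents and Run-key list are constructed for the demo; on a real machine the list would come from the HKCU/HKLM Run keys.

```python
import hashlib
import os
import shutil
import tempfile
from collections import Counter


def sha256_of(path):
    """Hash a file in chunks so large executables do not need to sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_run_entries(run_entries, min_shared=2):
    """Compare every Run-key target with <dir>\bak\<name> and return path -> verdict.

    Verdicts:
      no-bak            no sibling bak copy, nothing to compare
      benign-backup     original and bak copy are byte-identical
      original-missing  bak copy exists but the target is gone (e.g. quarantined);
                        the bak copy is the clean file to restore
      replaced          original differs from its bak copy AND the same bytes sit in
                        at least min_shared unrelated Run-key targets
      differs           original differs from its bak copy but is unique (likely an
                        ordinary upgrade that kept a backup)
    """
    info = {}
    for path in run_entries:
        directory, name = os.path.split(path)
        bak = os.path.join(directory, "bak", name)
        orig_hash = sha256_of(path) if os.path.isfile(path) else None
        bak_hash = sha256_of(bak) if os.path.isfile(bak) else None
        info[path] = (orig_hash, bak_hash)

    # Unrelated updaters (QuickTime, Java, HP...) never legitimately hash the same,
    # so one hash shared by several Run-key targets is the tell-tale sign.
    shared = Counter(o for o, _ in info.values() if o is not None)

    verdicts = {}
    for path, (o, b) in info.items():
        if b is None:
            verdicts[path] = "no-bak"
        elif o is None:
            verdicts[path] = "original-missing"
        elif o == b:
            verdicts[path] = "benign-backup"
        elif shared[o] >= min_shared:
            verdicts[path] = "replaced"
        else:
            verdicts[path] = "differs"
    return verdicts


def build_demo_tree(root):
    """Constructed layout mirroring the thread's FindAWF report (stand-in bytes, not real PE files)."""
    payload = b"MZ constructed stand-in for the trojan body"
    layout = [  # (path parts, original bytes or None if quarantined, bak bytes or None)
        (("QuickTime", "qttask.exe"), payload, b"MZ qttask original"),
        (("Java", "jre1.5.0_11", "bin", "jusched.exe"), payload, b"MZ jusched original"),
        (("Alwil Software", "Avast4", "ashDisp.exe"), b"MZ ashDisp", b"MZ ashDisp"),
        (("HP", "HP Software Update", "HPwuSchd2.exe"), None, b"MZ HPwuSchd2 original"),
        (("SpyCatcher 2006", "SpyCatcher.exe"), b"MZ SpyCatcher v2", b"MZ SpyCatcher v1"),
        (("Ahead", "Lib", "NeroCheck.exe"), b"MZ NeroCheck", None),
    ]
    entries = []
    for parts, orig, bak in layout:
        full = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        if orig is not None:
            with open(full, "wb") as f:
                f.write(orig)
        if bak is not None:
            bak_path = os.path.join(os.path.dirname(full), "bak", parts[-1])
            os.makedirs(os.path.dirname(bak_path), exist_ok=True)
            with open(bak_path, "wb") as f:
                f.write(bak)
        entries.append(full)
    return entries


def demo():
    """Build the constructed tree in a temp dir, classify it, and return basename -> verdict."""
    root = tempfile.mkdtemp(prefix="awf_demo_")
    try:
        verdicts = classify_run_entries(build_demo_tree(root))
        return {os.path.basename(p): v for p, v in verdicts.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:17s} {name}")
```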

Mmmm, the plot thickens. Well, I just did the ComboScan. Here are the results:

ComboScan v20070306.20 run by HP_Propietario on 2007-03-21 at 19:34:40
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created ComboScan Restore Point.

-- Last 4 Restore Point(s) --
4: 2007-03-21 18:34:46 UTC - RP196 - ComboScan Restore Point
3: 2007-03-20 18:20:01 UTC - RP195 - Installed Nero 7 Premium
2: 2007-03-20 18:07:54 UTC - RP194 - Se instaló el controlador de impresora Microsoft Office Documen
1: 2007-03-20 17:56:27 UTC - RP193 - Se instaló el controlador de impresora Microsoft Office Documen

Performed disk cleanup.

-- HijackThis (run as HP_Propietario.exe) --------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 19:36:26, on 21/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Archivos de programa\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\PeerGuardian2\pg2.exe
C:\Storage\Downloads\Software\Utilities\security\comboscan.exe
C:\ARCHIV~1\HIJACK~1\HP_Propietario.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Archivos de programa\Outlook Express\msimn.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Archivos de programa\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Acrobat Assistant 8.0] "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM..\Run: [FIREBOX] C:\Archivos de programa\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Ayuda para la conexión - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Ayuda para la conexión - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {17D0C64A-5283-4125-8256-105694C274ED} (MozillaPluginHostCtrl Class) - http://www.natuerlich-birkenstock.de/v1/spx33.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174404713531
O16 - DPF: {CD259AEC-23E6-4E64-8138-7E28D56666D7} (SQFViewer10X Element) - http://www.natuerlich-birkenstock.de/v1/SQFViewer10.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

1R Aavmker4 (avast! Asynchronous Virus Monitor) - C:\WINDOWS\system32\drivers\aavmker4.sys
3S adipfusb (ADI USB RNDIS Compatible Network Device - AD6489) - C:\WINDOWS\system32\drivers\adipfusb.sys
3R ALCXWDM (Service for Realtek AC97 Audio (WDM)) - C:\WINDOWS\system32\drivers\ALCXWDM.SYS
1R AmdK8 (Controlador de procesador AMD) - C:\WINDOWS\system32\drivers\AmdK8.sys
3R Arp1394 (Protocolo de cliente ARP 1394) - C:\WINDOWS\system32\drivers\arp1394.sys
1R Asapi - C:\WINDOWS\system32\drivers\asapi.sys
2R aswMon2 (avast! Standard Shield Support) - C:\WINDOWS\system32\drivers\aswmon2.sys
3R aswRdr - C:\WINDOWS\system32\drivers\aswRdr.sys
1R aswTdi (avast! Network Shield Support) - C:\WINDOWS\system32\drivers\aswTdi.sys
3S GEARAspiWDM (GEAR CDRom Filter) - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
3S HidUsb (Controlador de clases HID de Microsoft) - C:\WINDOWS\system32\drivers\hidusb.sys
3R HPZid412 (IEEE-1284.4 Driver HPZid412) - C:\WINDOWS\system32\drivers\HPZid412.sys
3R HPZipr12 (Print Class Driver for IEEE-1284.4 HPZipr12) - C:\WINDOWS\system32\drivers\HPZipr12.sys
3R HPZius12 (USB to IEEE-1284.4 Translation Driver HPZius12) - C:\WINDOWS\system32\drivers\HPZius12.sys
1S intelppm (Controlador de procesador Intel) - C:\WINDOWS\system32\DRIVERS\intelppm.sys (not found)
3S KORGUMDS (KORG USB-MIDI Driver for Windows XP) - C:\WINDOWS\system32\drivers\KORGUMDS.SYS
3S ltmodem5 (LT Modem Driver) - C:\WINDOWS\system32\drivers\ltmdmnt.sys
3S mouhid (Controlador HID de mouse) - C:\WINDOWS\system32\drivers\mouhid.sys
3R NIC1394 (Controlador de red 1394) - C:\WINDOWS\system32\drivers\nic1394.sys
3R nv - C:\WINDOWS\system32\drivers\nv4_mini.sys
0R ohci1394 (Controladora de host VIA OHCI compatible con IEEE 1394) - C:\WINDOWS\system32\drivers\ohci1394.sys
3R Ps2 - C:\WINDOWS\system32\drivers\PS2.sys
3R ps_1394 - C:\WINDOWS\system32\drivers\ps_1394.sys
3R ps_avs - C:\WINDOWS\system32\drivers\ps_avs.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\pxhelp20.sys
3R RTL8023xp (Realtek 10/100/1000 NIC Family all in one NDIS XP Driver) - C:\WINDOWS\system32\drivers\Rtlnicxp.sys
3S rtl8139 (Controlador de Windows NT del adaptador Fast Ethernet PCI basado en Realtek RTL8139(A/B/C)) - C:\WINDOWS\system32\drivers\RTL8139.sys
3S SONYPVU1 (Controlador de filtro USB de Sony (SONYPVU1)) - C:\WINDOWS\system32\drivers\SONYPVU1.SYS
3S usbaudio (Controlador de audio USB (WDM)) - C:\WINDOWS\system32\drivers\USBAUDIO.sys
3R usbccgp (Controlador primario genérico USB de Microsoft) - C:\WINDOWS\system32\drivers\usbccgp.sys
3R usbehci (Controlador minipuerto de la controladora mejorada USB 2.0 de Microsoft) - C:\WINDOWS\system32\drivers\usbehci.sys
3R usbohci (Controlador minipuerto de la controladora de host abierto USB de Microsoft) - C:\WINDOWS\system32\drivers\usbohci.sys
3R usbprint (Clase de impresora USB de Microsoft) - C:\WINDOWS\system32\drivers\usbprint.sys
3R usbscan (Controlador de escáner USB) - C:\WINDOWS\system32\drivers\usbscan.sys
3R USBSTOR (Dispositivo de almacenamiento masivo de datos USB) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
3S USB_RNDIS (USB Remote NDIS Network Device Driver) - C:\WINDOWS\system32\drivers\usb8023k.sys
3R pgfilter - C:\Archivos de programa\PeerGuardian2\pgfilter.sys
1R vcdrom (Virtual CD-ROM Device Driver) - C:\WINDOWS\system32\drivers\VCdRom.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3S Adobe LM Service - "C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe"
3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
2R aswUpdSv (avast! iAVS4 Control Service) - "C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe"
2R Autodesk Licensing Service - "C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe"
2R avast! Antivirus - "C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe"
3R avast! Mail Scanner - "C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service
3R avast! Web Scanner - "C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service
3S clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
3S Fax - C:\WINDOWS\system32\fxssvc.exe
3R FLEXnet Licensing Service - "C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"
3S gusvc (Google Updater Service) - "C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe"
3S IDriverT (InstallDriver Table Manager) - "C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe"
2R mi-raysat_3dsmax8 (RaySat_3dsmax8 Server) - "C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe"
2R NVSvc (NVIDIA Display Driver Service) - C:\WINDOWS\system32\nvsvc32.exe
3S ose (Office Source Engine) - "C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE"
0S Pml Driver HPZ12 - \SystemRoot\C:\WINDOWS\system32\HPZipm12.exe
2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe
3S NBService - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe

-- Files created between 2007-02-21 and 2007-03-21 -----------------------------

2007-03-20 19:20:06 0 d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-03-20 19:17:18 0 d-------- C:\WINDOWS\LastGood
2007-03-20 18:47:00 8576 --a------ C:\WINDOWS\system32\drivers\VCdRom.sys
2007-03-20 17:10:54 0 d-------- C:\Archivos de programa\MSXML 4.0<MSXML4~1.0>
2007-03-20 16:42:32 0 d-------- C:\WINDOWS\system32\PreInstall<PREINS~1>
2007-03-20 16:32:51 18200 --a------ C:\WINDOWS\system32\wups2.dll
2007-03-20 16:32:51 0 d-------- C:\WINDOWS\system32\SoftwareDistribution<SOFTWA~1>
2007-03-20 15:15:00 0 d-------- C:\WUTemp
2007-03-16 20:28:04 1327198 -ra------ C:\WINDOWS\tc_comm.dll
2007-03-16 20:28:03 954368 -ra------ C:\WINDOWS\pppdialer.exe<PPPDIA~1.EXE>
2007-03-16 20:20:22 11136 --a------ C:\WINDOWS\system32\drivers\usb8023k.sys
2007-03-16 20:20:22 27264 --a------ C:\WINDOWS\system32\drivers\rndismpk.sys
2007-03-15 19:09:47 0 d-------- C:\Archivos de programa\Archivos comunes\Vbox
2007-03-15 19:09:39 156672 --a------ C:\WINDOWS\sprof32.dll
2007-03-15 19:09:38 53760 --a------ C:\WINDOWS\PTPICK32.DLL
2007-03-15 19:09:38 58368 --a------ C:\WINDOWS\pfpick.dll
2007-03-15 19:09:38 48128 --a------ C:\WINDOWS\KPSYS32.DLL
2007-03-15 19:09:38 31744 --a------ C:\WINDOWS\KPSHARP.DLL
2007-03-15 19:09:38 31232 --a------ C:\WINDOWS\KPSCALE.DLL
2007-03-15 19:09:38 70144 --a------ C:\WINDOWS\KPFP32.DLL
2007-03-15 19:09:38 243712 --a------ C:\WINDOWS\KPCP32.DLL
2007-03-15 19:09:38 39095 --a------ C:\WINDOWS\Iccsigs.dat
2007-03-15 19:09:38 20992 --a------ C:\WINDOWS\icccodes.dll
2007-03-15 19:09:37 42483 --a------ C:\WINDOWS\ICCCODES.DAT
2007-03-15 19:09:30 6144 --a------ C:\WINDOWS\system32\W95FIBER.DLL
2007-03-15 19:09:30 33424 --a------ C:\WINDOWS\system32\URLCACHE.DLL
2007-03-15 19:09:30 401484 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2007-03-15 19:09:30 210944 --a------ C:\WINDOWS\system32\MSVCRT10.DLL
2007-03-15 19:09:30 94285 --a------ C:\WINDOWS\system32\MSVCIRTD.DLL
2007-03-15 19:09:30 5632 --a------ C:\WINDOWS\system32\MFCUIA32.DLL
2007-03-15 19:09:30 133392 --a------ C:\WINDOWS\system32\MFCO30.DLL
2007-03-15 19:09:30 133904 --a------ C:\WINDOWS\system32\MFCANS32.DLL
2007-03-15 19:09:29 322832 --a------ C:\WINDOWS\system32\MFC30.DLL
2007-03-15 19:09:29 32792 --a------ C:\WINDOWS\SPWHPT.DLL
2007-03-15 19:09:29 212480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-03-15 19:09:23 0 d-------- C:\WINDOWS\system32\Color
2007-03-15 19:09:23 0 d-------- C:\Kpcms
2007-03-13 13:17:55 0 d-------- C:\Archivos de programa\FinalBurner<FINALB~1>
2007-03-11 22:09:01 0 d-------- C:\Archivos de programa\DVDx
2007-03-11 21:26:31 0 d-------- C:\Archivos de programa\DVD Decrypter<DVDDEC~1>
2007-03-08 18:16:21 0 d-------- C:\WINDOWS\system32\bak
2007-03-08 18:16:21 0 d-------- C:\WINDOWS\system\bak
2007-03-08 14:15:10 0 d-------- C:\Archivos de programa\SAGEM
2007-03-02 12:00:48 0 d-------- C:\WINDOWS\Adder Robot [WB]<ADDERR~2>
2007-03-02 12:00:48 0 d-------- C:\Archivos de programa\Adder Robot [WB]<ADDERR~3>
2007-03-02 11:32:56 0 d-------- C:\WINDOWS\Adder Robot [SCK]<ADDERR~1>
2007-03-02 11:32:56 0 d-------- C:\Archivos de programa\Adder Robot [SCK]<ADDERR~2>
2007-02-28 17:50:44 0 d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared<MACROV~1>

-- Find3M Report ---------------------------------------------------------------

2007-03-21 19:36:20 0 d-------- C:\Archivos de programa\PeerGuardian2<PEERGU~1>
2007-03-21 19:34:36 0 d-------- C:\Archivos de programa\Trillian
2007-03-21 19:34:32 0 d-------- C:\Archivos de programa\DC++<DC__~1>
2007-03-21 19:34:02 0 d-------- C:\Documents and Settings\HP_Propietario\Datos de programa\Skype
2007-03-21 16:07:39 0 d-------- C:\Archivos de programa\Mozilla Firefox<MOZILL~1>
2007-03-20 19:57:59 467180 --a------ C:\WINDOWS\system32\perfh00A.dat
2007-03-20 19:57:59 83154 --a------ C:\WINDOWS\system32\perfc00A.dat
2007-03-20 19:35:10 0 d-------- C:\Documents and Settings\HP_Propietario\Datos de programa\Ahead
2007-03-20 19:20:06 0 d-------- C:\Archivos de programa\Nero
2007-03-20 19:20:06 0 d-------- C:\Archivos de programa\Archivos comunes<ARCHIV~1>
2007-03-20 17:09:52 0 d-------- C:\Archivos de programa\Archivos comunes\System
2007-03-20 15:13:14 4320 --a------ C:\WINDOWS\mozver.dat
2007-03-20 11:50:17 0 d-------- C:\Documents and Settings\HP_Propietario\Datos de programa\Uniblue
2007-03-20 10:35:49 0 d-------- C:\Archivos de programa\QuickTime<QUICKT~1>
2007-03-17 18:37:14 0 d-------- C:\Archivos de programa\BitTorrent<BITTOR~1>
2007-03-16 20:20:22 0 d--h----- C:\Archivos de programa\InstallShield Installation Information<INSTAL~1>
2007-03-16 18:23:00 0 d--h----- C:\Archivos de programa\Zero G Registry<ZEROGR~1>
2007-03-15 19:09:23 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
2007-03-15 18:58:22 0 d-------- C:\Documents and Settings\HP_Propietario\Datos de programa\Adobe
2007-03-13 13:23:14 0 d-------- C:\Documents and Settings\HP_Propietario\Datos de programa\FinalBurner Audio CD<FINALB~1>
2007-03-10 17:43:45 0 d-------- C:\Archivos de programa\SpyCatcher 2006<SPYCAT~1>
2007-03-09 18:07:22 0 d-------- C:\Archivos de programa\Archivos comunes\Wise Installation Wizard<WISEIN~1>
2007-03-09 14:08:30 0 d---s---- C:\Documents and Settings\HP_Propietario\Datos de programa\Microsoft<MICROS~1>
2007-03-08 18:16:21 0 d-------- C:\Archivos de programa\Messenger<MESSEN~1>
2007-03-08 16:52:50 73 --a------ C:\WINDOWS\system32\ssprs.dll
2007-03-08 16:52:50 341 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-03-05 11:49:33 0 d-------- C:\Archivos de programa\Java
2007-03-04 21:57:44 0 d-------- C:\Archivos de programa\Google
2007-03-01 23:00:31 0 d-------- C:\Documents and Settings\HP_Propietario\Datos de programa\BitTorrent<BITTOR~1>
2007-02-19 12:53:03 0 d-------- C:\Documents and Settings\HP_Propietario\Datos de programa\InterTrust<INTERT~1>
2007-02-19 12:52:05 0 d-------- C:\Archivos de programa\Tributs
2007-02-07 00:31:43 0 d-------- C:\Archivos de programa\DivX
2007-02-04 18:46:28 0 d-------- C:\Archivos de programa\Adder Robot<ADDERR~1>
2007-02-04 17:45:50 0 d-------- C:\Archivos de programa\Skype
2007-02-04 17:45:50 0 d-------- C:\Archivos de programa\Archivos comunes\Skype
2007-02-01 05:56:06 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL>
2007-02-01 05:56:05 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL>
2007-02-01 05:56:05 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL>
2007-02-01 05:56:04 639066 --a------ C:\WINDOWS\system32\DivX.dll
2007-01-31 22:27:01 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-01-31 00:15:10 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE>
2007-01-30 06:03:40 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 06:03:34 118520 -----n--- C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 06:03:34 116472 -----n--- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-30 06:03:34 129784 -----n--- C:\WINDOWS\system32\pxafs.dll
2007-01-30 06:03:26 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 06:03:26 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-30 05:56:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-30 05:56:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-30 05:56:54 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-01-30 05:56:52 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-30 05:56:52 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-30 05:56:52 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-01-30 05:56:52 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-30 05:56:52 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-29 09:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-15 18:32:07 689280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-01-15 18:23:20 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"PCDrProfiler"=""
"avast!"="C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
"Acrobat Assistant 8.0"=""C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe""
@=""
"FIREBOX"="C:\Archivos de programa\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe"
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"WIAWizardMenu"="RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d6b763d8-dc3b-11da-8dc9-806d6172696f}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
newlycreated - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_VCDROM

-- End of ComboScan: finished at 2007-03-21 at 19:36:46 ------------------------

Actually, I think spycatcher stopped working a few days ago, maybe even a week. Because it was no longer working, I uninstalled it, which would explain why avast didn’t locate the virus and send it to the chest with all the others when I did the memory scan. However… The spycatcher folder is still there, and all that remains is the Bak folder with what I assume is the REAL spycatcher.exe! Obviously the uninstaller wasn’t expecting this folder to be there and left it alone. Adobe Acrobat also has the Bak folder containing a duplicate of the file I have in the Chest. Again I assume this is the original. I don’t see why any program would have a backup folder just for one file, that file being the main exe file. I think it’s pretty safe to say that they are all infected files. One thing I don’t understand: Why is the virus so courteous as to make a backup copy of the file it is replacing? Why not just delete it and destroy the evidence?

Here are the results from Jotti for adobeupdatemanager.exe:

AntiVir
Found TR/Agent.37320
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen.
AVG Antivirus
Found Downloader.Generic3.VVP
BitDefender
Found Trojan.Clicker.Agent.ND
ClamAV
Found Trojan.Clicker-73
Dr.Web
Found Win32.HLLM.Limar
F-Prot Antivirus
Found W32/Downloader.BFIJ
F-Secure Anti-Virus
Found Trojan-Clicker.Win32.Agent.jh
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Trojan-Clicker.Win32.Agent.jh
NOD32
Found Win32/TrojanDownloader.Agent.AWF
Norman Virus Control
Found W32/DLoader.CFDX
Panda Antivirus
Found Trj/Clicker.ZJ
VirusBuster
Found Trojan.DL.Agent.SPJ
VBA32
Found Trojan-Clicker.Win32.Agent.jh

So, it seems pretty clear that these files were active on my system for a good few days (since spycatcher stopped working), with an active internet connection always present. I’m not sure why avast didn’t pick up on it earlier though. So what are the implications? What has this virus been doing for the last few days? Should I be worried?

cheers!

Billy.

Just noticed the "extract this file" part. Ok, makes sense.

:wink:

Here’s the lowdown on the virus:

Downloader.Agent.awf

Important information compiled by Derek at The Spykiller:

We have been seeing over the last few days/weeks what we thought were false positives by Ewido/Avgas and some antivirus programs.

They are not false positives but genuine detections. Other names it is known as are Trj/Lowzones.SU (Panda), Win32:Agent-BVS (Avast), Win32/Secdrop (Etrust), Trojan.Downloader.Agent.ANA (Bitdefender), W32/Agent.ALTU (Norman), Trojan.DownLoader.12953 (Dr Web) and Downloader.Agent.FVH (AVG antivirus).

Downloader.Agent.awf replaces legitimate files that are common on most Windows PCs with a copy of itself and moves the legitimate file to a bak folder.

We now have an enormous problem on our hands where legitimate files are being replaced and we have no easy way to know just by looking at logs. Use of tools like HijackThis that don’t give the file size is completely useless, as we cannot tell if the files relating to the entries are genuine or not.

We understand that there is normally a bak folder created with the original moved there (normally inside the same folder, but sometimes in the root or in c:\windows or system32), so once AVGAS (Ewido) or your antivirus has deleted the bad copy, find the bak folder and restore the original(s).

The bad copy of the file will have a file size of 21504 bytes (20K).

So far this is a list of known file names affected. Analysts are sure there will be more and they all have the same file size of 21504 bytes (20k) and identical checksums. There will often be a lot of them on a computer and they could replace any file on the computer or even add the file & folder even if the application targeted is not installed.

Any time you see any of these files in a HJT log do a scan with Ewido (Avgas) or a good antivirus online scanner before saying system is clean, especially with unexplained pop-ups or other problems.

It has been suggested that it’s “targeting” every file running from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKCU - RunServices - main startup and Global startup.

This means that it reads HKLM and HKCU run keys, sees the file name and location, and replaces that file with a copy of itself and it might do it with one or more, sometime all, run entries.

Confirmed compromised filenames and locations:
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\program files\McAfee.com\Agent\mcagent.exe
C:\program files\McAfee.com\Agent\mcupdate.exe
C:\program files\McAfee.com\Personal Firewall\MPFTray.exe
C:\program files\McAfee.com\VSO\mcmnhdlr.exe
C:\program files\McAfee.com\VSO\mcvsshld.exe
C:\program files\McAfee.com\VSO\oasclnt.exe
C:\program files\Microsoft Money\System\Activation.exe
C:\program files\Microsoft Works\WksSb.exe
C:\program files\Microsoft Works\wkfud.exe
C:\program files\QuickTime\qttask.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
:\Program Files\Colorjinn Calibrize\CalibrizeLoader.exe
C:\Program Files\Colorjinn Calibrize\CalibrizeResume.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
C:\WINDOWS\system\wcdvtray.exe
C:\Program Files\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Norton AntiVirus\navapw32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe.tmp
C:\WINDOWS\system32\LVCOMS.EXE

This thread is different in that avast! detects Win32:Trojan-gen. {UPX!}, not Win32:Agent-BVS, which is the avast! detection of agent.AWF, which is why I’d like to see a confirmation at VirusTotal that this is agent.AWF or a new variant or Trojan with the same behaviour.

Please note that the file size is critical. It will probably be very different to the genuine file, although not necessarily 21504; 37388 has also been observed:

http://forum.avast.com/index.php?topic=27121.msg221978#msg221978

If this is Trojan.Zonebac/agent.AWF, it will be a question of restoring the backups of files in the chest which are infected ‘cuckoos’ which displaced the original files.

OK, thanks for the VirusTotal scan: it obviously is agent.AWF or similar.

Here are instructions for restoring backups:

5. To restore the backup file

Using the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

find all files referenced in entries that have the folder bak in the path e.g. “1” = “%System%\bak\notepad.exe”. For these files, move/copy them up to the same level in the directory tree as the bak folder and then delete the bak folder. For instance, the file %System%\bak\notepad.exe should be moved to: %System%\notepad.exe.

http://www.symantec.com/security_response/writeup.jsp?docid=2006-091612-5500-99&tabid=3
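A defender-side check for the pattern described in this thread (an autostart target of the 21504/37388-byte "cuckoo" size with the displaced original sitting in a sibling bak folder) and the Symantec restore step, as an added example; this is not code from the thread, avast or Symantec. The Run-key value parser, the names CUCKOO_SIZES, audit and restore, and the sample tree it builds are all constructed assumptions; on a live machine you would feed audit() the paths pulled from the HKLM and HKCU Run keys.

```python
import shutil
import tempfile
from pathlib import Path

CUCKOO_SIZES = {21504, 37388}  # sizes reported for the bad copies in this thread


def target_from_run_value(value):
    """Pull the launched file out of a Run-key value as dumped by ComboScan:
    '"C:\\Dir\\app.exe" /x'  -> C:\\Dir\\app.exe
    'RUNDLL32.EXE C:\\W\\NvCpl.dll,NvStartup' -> C:\\W\\NvCpl.dll
    'nwiz.exe /install' -> nwiz.exe (bare name, resolved via PATH)"""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    parts = value.split(None, 1)
    if not parts:
        return ""
    if parts[0].lower() == "rundll32.exe" and len(parts) > 1:
        return parts[1].split(",", 1)[0].strip()
    return parts[0]


def audit(target):
    """One finding per autostart target: its size, whether that matches a
    cuckoo size, and whether a sibling bak\\<name> (displaced original) exists."""
    target = Path(target)
    backup = target.parent / "bak" / target.name
    size = target.stat().st_size if target.is_file() else None
    return {
        "path": str(target),
        "size": size,
        "suspicious_size": size in CUCKOO_SIZES,
        "backup": str(backup) if backup.is_file() else None,
    }


def restore(finding):
    """The Symantec step: move bak\\<name> back over the cuckoo and remove
    the bak folder once it is empty. Returns the restored file's size."""
    target, backup = Path(finding["path"]), Path(finding["backup"])
    target.unlink(missing_ok=True)
    shutil.move(str(backup), str(target))
    if not any(backup.parent.iterdir()):
        backup.parent.rmdir()
    return target.stat().st_size


def build_sample():
    """Constructed tree (no real malware): a 21504-byte stand-in for the bad
    copy, its 'original' in bak\\, and one untouched file."""
    root = Path(tempfile.mkdtemp())
    (root / "bak").mkdir()
    (root / "qttask.exe").write_bytes(b"\x90" * 21504)
    (root / "bak" / "qttask.exe").write_bytes(b"MZ" + b"\0" * 98302)
    (root / "NeroCheck.exe").write_bytes(b"MZ" + b"\0" * 4000)
    return root


if __name__ == "__main__":
    root = build_sample()
    for name in ("qttask.exe", "NeroCheck.exe"):
        print(audit(root / name))
```

Size alone is only a hint (the thread notes more than one size); the bak sibling plus a mismatch against the vendor's original size is the stronger signal, and the Chest copy's size can be compared the same way.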

Frank,

I think that list of “Confirmed compromised filenames and locations:” is a couple months old. I wouldn’t rely on it exclusively.

There’s an alternative, but if you use this method back up the registry first.

I think that list of "Confirmed compromised filenames and locations:" is a couple months old. I wouldn't rely on it exclusively.

This list is only the confirmed list at the date the article was written. In an infection we might expect to see some of the same programs, or indeed some different ones, as you say. The registry keys are critical, not the program names.

It has been suggested that it's "targeting" every file running from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKCU - RunServices - main startup and Global startup.

Cheers guys, you rule!

Right, I exported the whole registry, then went to track down those files. All I found were these guys:

http://www.billysalisbury.com/other_files/registry.png

(that should be “FIREBOX control.exe” … it got cut off!)

located in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” there is only one entry: “(Predeterminado)”

I mean, I can restore the usurped files just using explorer, but I’m guessing we’re in the regedit for a reason. So what should I do? And how will I know there’s not more lurking around? And also, what exactly is the point of this virus? It hasn’t done any major damage, even though it had the chance, so why does it bother? :slight_smile:

cheers!

Billy.