Win32:Banload-ST [Trj]

Justin_22 · 2008-02-11T23:13:00.000Z

Hi, a few minutes ago i was downloading a torrent and got a pop up saying Win32:Banload-ST [trj] was found in the torrent i was downloading i immediately stopped and deleted the torrent but when i tried to move it to the chest it said action could not be completed (this was before i stopped download) because the file was in use so i then went to the file which avast said was infected and i scanned it there and it said it was clean but i deleted the file anyways i then did a HJT scan and analyzed it on another forum and it came back clean so is this thing gone? and what is it to begin with?

Thanks

polonus · 2008-02-11T23:34:40.000Z

Hi Justin_xp,

Please download DrWeb-CureIt from here: http://www.majorgeeks.com/downloadget.php?id=4783&file=10&evp=ef9669e4f16e6e75d95abcde8f88163d
& save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE" using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in “Safe Mode”.

Scan with DrWeb-CureIt as follows:

Double-click on drweb-cureit.exe to start the program. An “Express Scan of your PC” notice will appear.
Under “Start the Express Scan Now”, Click “OK” to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the “Scan tab” and UNcheck “Heuristic analysis”
Back at the main window, click “Select drives” (a red dot will show which drives have been chosen)
Then click the “Start/Stop Scanning” button (green arrow on the right) and the scan will start.
When done, a message will be displayed at the bottom advising if any viruses were found.
Click “Yes to all” if it asks if you want to cure/move the file.
When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select “Move incurable”.
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can’t be cured)
Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report) and attach this to your next posting.

Please download Combofix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
and save to your desktop:
Note:
It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it’s finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply, attach txt file.
Note:
Do not mouseclick combofix’s window while it’s running.
That may cause the program to freeze/hang.

Also post a new Hijackthis log. Download from here: http://www.spychecker.com/download/download_hijackthis.html
Place onto your desktop, close all other programs, run a scan, and attach the logfile txt into your next posting,

polonus

Justin_22 · 2008-02-12T00:58:05.000Z

ok heres 2 of the logs i cant upload the dr.web one it says i cant with that file type

ComboFix 08-02-12.1 - Student 2008-02-11 19:38:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.215 [GMT -5:00]
Running from: C:\Documents and Settings\Student\Desktop\ComboFix.exe

Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com

.
((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-11 19:07 . 2008-02-11 19:07 d-------- C:\Documents and Settings\Student\DoctorWeb
2008-02-11 16:56 . 2008-02-11 17:01 d-------- C:\Program Files\BitComet
2008-02-11 16:56 . 2008-02-11 17:54 d-------- C:\Downloads
2008-02-11 16:56 . 2008-02-11 16:56 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-02-09 16:26 . 2008-02-09 16:26 d-------- C:\WINDOWS\system32\QuickTime
2008-02-09 16:26 . 2006-06-14 21:13 102,400 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-02-09 16:25 . 2008-02-09 16:25 d-------- C:\Program Files\TechSmith
2008-02-08 23:00 . 2008-02-10 20:17 d-------- C:\Documents and Settings\Student\Application Data\uTorrent
2008-02-07 20:50 . 2008-02-08 08:36 d-------- C:\Program Files\Thoosje Sidebar V2.0
2008-02-06 17:27 . 2008-02-06 17:29 d-------- C:\Program Files\Vista Start Menu
2008-02-06 17:27 . 2008-02-06 17:29 d-------- C:\Documents and Settings\Student\Application Data\Vista Start Menu
2008-02-06 06:25 . 2008-02-06 06:25 64,342 --a------ C:\WINDOWS\BricoPackUninst.cmd
2008-02-06 06:24 . 2008-02-06 06:24 2,359,350 --a------ C:\WINDOWS\BricoPack Wallpaper.bmp
2008-02-06 06:21 . 2008-02-06 06:25 6,118 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-02-06 06:20 . 2008-02-06 06:20 d-------- C:\WINDOWS\BricoPacks
2008-02-04 16:29 . 2008-02-04 16:29 d-------- C:\Program Files\Lavasoft
2008-02-04 16:29 . 2008-02-04 16:29 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-04 16:29 . 2008-02-04 16:29 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 15:13 . 2008-02-03 15:20 d-------- C:\Documents and Settings\Student\Application Data\SUPERAntiSpyware.com
2008-02-03 15:13 . 2008-02-03 15:13 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-01 22:06 . 2008-02-01 23:38 d-------- C:\WINDOWS\BDOSCAN8
2008-02-01 21:59 . 2008-02-02 23:49 462,880 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-01 21:59 . 2008-02-02 23:49 15,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-01 21:59 . 2008-02-02 23:49 7,544 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-01 21:59 . 2008-02-02 23:49 2,540 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-31 17:36 . 2008-01-29 15:37 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-31 17:23 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-31 17:23 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-31 17:23 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-31 17:23 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-31 17:14 . 2008-01-31 17:14 d-------- C:\Documents and Settings\Student\Application Data\Sereniti
2008-01-29 15:37 . 2008-02-01 00:19 d-------- C:\Documents and Settings\Student.housecall6.6
2008-01-26 15:38 . 2008-02-07 06:20 d-------- C:\Program Files\Google
2008-01-17 18:53 . 2008-01-17 18:53 d-------- C:\Program Files\SystemRequirementsLab
2008-01-17 18:53 . 2008-01-17 18:53 d-------- C:\Documents and Settings\Student\Application Data\SystemRequirementsLab
2008-01-14 10:54 . 2008-01-14 10:56 d-------- C:\Documents and Settings\Student\Application Data\NoteTab Light
2008-01-12 21:16 . 2008-01-12 21:22 d-------- C:\Program Files\Actual Drawing
2008-01-12 21:16 . 2008-01-12 21:16 d-------- C:\Documents and Settings\All Users\Application Data\PY_Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-08 20:45 --------- d-----w C:\Program Files\MicroType3
2008-02-05 20:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-05 20:48 --------- d-----w C:\Program Files\NDCMedisoft
2008-02-05 20:47 --------- d–h–w C:\Program Files\InstallShield Installation Information
2008-02-04 21:28 --------- d-----w C:\Documents and Settings\Student\Application Data\Lavasoft
2008-01-14 15:23 --------- d-----w C:\Documents and Settings\Student\Application Data\SiteAdvisor
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-01 05:32 --------- d-----w C:\Program Files\HyCam2
2008-01-01 03:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-28 04:32 --------- d-----w C:\Documents and Settings\Student\Application Data\Launchy
2007-12-26 03:27 --------- d-----w C:\Program Files\Java
2007-12-26 03:26 --------- d-----w C:\Program Files\Common Files\Java
2007-12-25 17:27 --------- d-----w C:\Program Files\Yahoo!
2007-12-25 14:07 --------- d-----w C:\Documents and Settings\Student\Appli

Justin_22 · 2008-02-12T00:58:41.000Z

cation Data\Thunderbird
2007-12-24 04:29 --------- d-----w C:\Program Files\Alwil Software
2007-12-23 22:42 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-23 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-23 22:41 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-23 22:38 --------- d–h–r C:\Documents and Settings\Student\Application Data\yahoo!
2007-12-23 04:12 --------- d-----w C:\Program Files\Trend Micro
2007-12-22 21:01 --------- d-----w C:\Program Files\CCleaner
2007-12-21 17:59 --------- d-----w C:\Program Files\File Shredder
2007-12-21 16:41 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-21 15:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-12-21 15:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 00:44 --------- d-----w C:\Program Files\MSN Messenger
2007-12-21 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-21 00:36 --------- d-----w C:\Documents and Settings\Student\Application Data\acccore
2007-12-21 00:19 --------- d-----w C:\Program Files\AOL Search
2007-12-21 00:19 --------- d-----w C:\Program Files\AIM6
2007-12-21 00:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-21 00:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-21 00:18 --------- d-----w C:\Program Files\Common Files\AOL
.

<pre>
----a-w           524,288 2007-06-19 13:24:53  C:\Program Files\Thoosje Sidebar V2.0\Thoosje Sidebar .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:56 15360]
“Aim6”=“”
“WMPNSCFG”=“C:\Program Files\Windows Media Player\WMPNSCFG.exe” [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“TrackPointSrv”=“tp4mon.exe” [2004-08-03 19:56 82432 C:\WINDOWS\system32\tp4mon.exe]
“AGRSMMSG”=“AGRSMMSG.exe” [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
“vptray”=“C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe” [2003-05-21 00:21 90112]
“NWTRAY”=“NWTRAY.EXE” [2002-03-12 09:37 28672 C:\WINDOWS\system32\nwtray.exe]
“TPHOTKEY”=“C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe” [2006-05-10 14:03 94208]
“Airlink101 WLAN Monitor”=“C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe” [2006-10-12 18:38 958464]
“ANIWZCS2Service”=“C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe” [2006-06-29 16:34 49152]
“SiteAdvisor”=“C:\Program Files\SiteAdvisor\6253\SiteAdv.exe” [2007-12-04 16:03 36640]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 08:00 79224]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11 132496]

C:\Documents and Settings\Student\Start Menu\Programs\Startup
Thoosje Sidebar .lnk - C:\Program Files\Thoosje Sidebar V2.0\Thoosje Sidebar .exe [2007-06-19 08:24:52 524288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“CompatibleRUPSecurity”= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoWelcomeScreen”= 1 (0x1)
“NoSMMyPictures”= 1 (0x1)
“NoStartMenuMyMusic”= 1 (0x1)
“NoSMConfigurePrograms”= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-05 22:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-11-30 19:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

R1 nipplpt;Novell iCapture Lpt Redirector;C:\WINDOWS\system32\drivers\nipplpt.sys [2003-02-24 16:10]
R3 AEIWL;IBM High Rate Wireless LAN MiniPCI Combo Card Driver;C:\WINDOWS\system32\DRIVERS\AEIWLNDS.sys [2002-09-23 18:16]
S3 CWEN5;Xircom Wireless Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\CWEN5.sys [2001-01-26 05:34]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-08-17 08:28]
S3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\N5SG.sys [2006-11-03 14:30]
S3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\system32\DRIVERS\pcx500.sys [2004-08-03 21:06]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8180.SYS [2004-04-29 00:45]

.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 19:43:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
→ C:\WINDOWS\system32\tphklock.dll
→ C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
.

.
Completion time: 2008-02-11 19:47:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-12 00:46:42

Justin_22 · 2008-02-12T00:59:25.000Z

and heres the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:01 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 176.1.201.236:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM..\Run: [trackPointSrv] tp4mon.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM..\Run: [Airlink101 WLAN Monitor] C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Thoosje Sidebar .lnk = C:\Program Files\Thoosje Sidebar V2.0\Thoosje Sidebar .exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.mvctc.com/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201818121562
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

–
End of file - 7721 bytes

Justin_22 · 2008-02-12T12:26:28.000Z

So is this thing gone?

Justin_22 · 2008-02-12T16:08:20.000Z

Ok this is a bit off topic but right now im running Kaspersky free online scanner and it says

Number of Viruses found: 1
Number of Infected Objects: 2

so my question is what do i do after the online scan is done?

polonus · 2008-02-12T19:14:27.000Z

Hi Justin_xp,

What were the names of the viruses Kaspersky online scanner found. Your hjt log seems more or less OK, the comboscript log will be analyzed shortly,

polonus

Justin_22 · 2008-02-12T20:16:39.000Z

The kasperky came up clean the 2 files were just the Eicar test file that i accidentally left in my system somewhere and besides that i believe im clean ive scanned with avast today as well as spybot, ad-aware 2007 and SUPERantispyware as well as the online scanner and all besides the online scan came up clean

polonus · 2008-02-12T20:25:05.000Z

Hi Justin-xp,

Your logfile seems OK,

pol

Justin_22 · 2008-02-12T20:38:05.000Z

Thanks for the help

if you guys dont mind id like to stick around because if i could go as far and say that computer security is kind of a hobby minus bittorrents and such i read all the security journals that i can and have been reading on here for a few weeks prior to now about some slightly different cleaning techniques that what i already know

thanks

polonus · 2008-02-12T21:13:21.000Z

Hi Justin_xp,

The combofix turned up the following malware executable to be cleansed:
The executable is hidden in renv

----a-w           524,288 2007-06-19 13:24:53  C:\Program Files\Thoosje Sidebar V2.0\Thoosje Sidebar .exe

Note the space between the file name and the .exe

You need to run cfscript

Please open Notepad
- Click Start , then Run
- Type notepad .exe in the Run Box.
Now copy/paste the entire content of the codebox below into the Notepad window:



Renv::
<pre>
----a-w           524,288 2007-06-19 13:24:53  C:\Program Files\Thoosje Sidebar V2.0\Thoosje Sidebar .exe
</pre>

Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Save the above as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again. See picture below how to perform this.
After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.

polonus

Justin_22 · 2008-02-12T21:44:05.000Z

ComboFix 08-02-13.1 - Student 2008-02-12 16:28:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.241 [GMT -5:00]
Running from: C:\Documents and Settings\Student\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Student\Desktop\CFScript.txt

Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-12 09:49 . 2008-02-12 09:49 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-12 09:49 . 2008-02-12 09:49 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-12 08:21 . 2008-02-12 11:37 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-11 19:07 . 2008-02-11 19:07 d-------- C:\Documents and Settings\Student\DoctorWeb
2008-02-11 16:56 . 2008-02-11 21:09 d-------- C:\Program Files\BitComet
2008-02-11 16:56 . 2008-02-11 17:54 d-------- C:\Downloads
2008-02-09 16:26 . 2008-02-09 16:26 d-------- C:\WINDOWS\system32\QuickTime
2008-02-09 16:26 . 2006-06-14 21:13 102,400 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-02-09 16:25 . 2008-02-09 16:25 d-------- C:\Program Files\TechSmith
2008-02-07 20:50 . 2008-02-13 16:34 d-------- C:\Program Files\Thoosje Sidebar V2.0
2008-02-06 17:27 . 2008-02-06 17:29 d-------- C:\Program Files\Vista Start Menu
2008-02-06 06:25 . 2008-02-06 06:25 64,342 --a------ C:\WINDOWS\BricoPackUninst.cmd
2008-02-06 06:24 . 2008-02-06 06:24 2,359,350 --a------ C:\WINDOWS\BricoPack Wallpaper.bmp
2008-02-06 06:21 . 2008-02-06 06:25 6,118 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-02-06 06:20 . 2008-02-06 06:20 d-------- C:\WINDOWS\BricoPacks
2008-02-04 16:29 . 2008-02-04 16:29 d-------- C:\Program Files\Lavasoft
2008-02-04 16:29 . 2008-02-12 11:37 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-04 16:29 . 2008-02-04 16:29 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 15:13 . 2008-02-03 15:13 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-01 22:06 . 2008-02-01 23:38 d-------- C:\WINDOWS\BDOSCAN8
2008-02-01 21:59 . 2008-02-13 16:32 577,568 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-01 21:59 . 2008-02-13 16:32 19,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-01 21:59 . 2008-02-13 16:32 8,888 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-01 21:59 . 2008-02-13 16:32 2,924 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-31 17:36 . 2008-01-29 15:37 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-31 17:23 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-31 17:23 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-31 17:23 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-31 17:23 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-31 17:14 . 2008-01-31 17:14 d-------- C:\Documents and Settings\Student\Application Data\Sereniti
2008-01-29 15:37 . 2008-02-01 00:19 d-------- C:\Documents and Settings\Student.housecall6.6
2008-01-26 15:38 . 2008-02-07 06:20 d-------- C:\Program Files\Google
2008-01-17 18:53 . 2008-01-17 18:53 d-------- C:\Program Files\SystemRequirementsLab
2008-01-17 18:53 . 2008-01-17 18:53 d-------- C:\Documents and Settings\Student\Application Data\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-08 20:45 --------- d-----w C:\Program Files\MicroType3
2008-02-05 20:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-05 20:48 --------- d-----w C:\Program Files\NDCMedisoft
2008-02-05 20:47 --------- d–h–w C:\Program Files\InstallShield Installation Information
2008-02-04 21:28 --------- d-----w C:\Documents and Settings\Student\Application Data\Lavasoft
2008-01-14 15:23 --------- d-----w C:\Documents and Settings\Student\Application Data\SiteAdvisor
2008-01-13 02:22 --------- d-----w C:\Program Files\Actual Drawing
2008-01-13 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\PY_Software
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-01 05:32 --------- d-----w C:\Program Files\HyCam2
2008-01-01 03:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-26 03:27 --------- d-----w C:\Program Files\Java
2007-12-26 03:26 --------- d-----w C:\Program Files\Common Files\Java
2007-12-25 17:27 --------- d-----w C:\Program Files\Yahoo!
2007-12-24 04:29 --------- d-----w C:\Program Files\Alwil Software
2007-12-23 22:42 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-23 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-23 22:41 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-23 22:38 --------- d–h–r C:\Documents and Settings\Student\Application Data\yahoo!
2007-12-23 04:12 --------- d-----w C:\Program Files\Trend Micro
2007-12-22 21:01 --------- d-----w C:\Program Files\CCleaner
2007-12-21 17:59 --------- d-----w C:\Program Files\File Shredder
2007-12-21 16:41 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-21 15:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-12-21 15:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 00:44 --------- d-----w C:\Program Files\MSN Messenger
2007-12-21 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-21 00:36 --------- d-----w C:\Documents and Settings\Student\Application Data\acccore
2007-12-21 00:19 --------- d-----w C:\Program Files\AOL Search
2007-12-21 00:19 --------- d-----w C:\Program Files\AIM6
2007-12-21 00:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-21 00:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-21 00:18 --------- d-----w C:\Program Files\Common Files\AOL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:56 15360]
“Aim6”=“”
“WMPNSCFG”=“C:\Program Files\Windows Media Player\WMPNSCFG.exe” [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“TrackPointSrv”=“tp4mon.exe” [2004-08-03 19:56 82432 C:\WINDOWS\system32\tp4mon.exe]
“AGRSMMSG”=“AGRSMMSG.exe” [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
“vptray”=“C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe” [2003-05-21 00:21 90112]
“NWTRAY”=“NWTRAY.EXE” [2002-03-12 09:37 28672 C:\WINDOWS\system32\nwtray.exe]
“TPHOTKEY”=“C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe” [2006-05-10 14:03 94208]
“Airlink101 WLAN Monitor”=“C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe” [2006-10-12 18:38 958464]
“ANIWZCS2Service”=“C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe” [2006-06-29 16:34 49152]
“SiteAdvisor”=“C:\Program Files\SiteAdvisor\6253\SiteAdv.exe” [2007-12-04 16:03 36640]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 08:00 79224]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11 132496]

C:\Documents and Settings\Student\Start Menu\Programs\Startup
Thoosje Sidebar .lnk - C:\Program Files\Thoosje Sidebar V2.0\Thoosje Sidebar.exe [2007-06-19 08:24:52 524288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“CompatibleRUPSecurity”= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoWelcomeScreen”= 1 (0x1)

Justin_22 · 2008-02-12T21:45:49.000Z

that was the new combofix log but thoosje sidebar wich i downloaded after running through virus total only a few suspicious things showed up on virus total though but the sidebar is still there and here is the new hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:46 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Thoosje Sidebar V2.0\Thoosje Sidebar.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

–
End of file - 7408 bytes

essexboy · 2008-02-12T21:49:24.000Z

Hi the toolbar itself was not the problem but the fact that it had been replaced by a vundo file

if you guys dont mind id like to stick around because if i could go as far and say that computer security is kind of a hobby *minus bittorrents and such* i read all the security journals that i can and have been reading on here for a few weeks prior to now about some slightly different cleaning techniques that what i already know

Please do as there is a lot more to this forum than that ;D

polonus · 2008-02-12T21:58:35.000Z

Hi boys,

Sorry for the booboo here, corrected it, and I agree safe practices first, then the files, then the folders, then the services, then the drives, the LSP Hijackers, and then the registry findings,

Damian

Justin_22 · 2008-02-12T22:06:20.000Z

alright i didnt realize that thank you very much so is it a safe toolbar to have/use now?
and thanks for allowing me to stay

Justin_22 · 2008-02-12T22:06:53.000Z

alright i didnt realize that thank you very much so is it a safe toolbar to have/use now?
and thanks for allowing me to stay

oldman960 · 2008-02-14T05:55:15.000Z

Justin_xp post:18:

alright i didnt realize that thank you very much so is it a safe toolbar to have/use now?
and thanks for allowing me to stay

Yes, combofix replaced the file with a backup that vundo had stashed away.

Welcome to the forum.

Justin_22 · 2008-02-14T18:39:44.000Z

Alright thank you btw the sidebar is just something to make the vista transformation pack on my pc look more like vista by adding the sidebar

Announcements