Windows XP Trojan Question - Am I Safe Now?

Last Tuesday, my computer (Windows XP SP3) was infected and I thought I caught it in time but it must have downloaded to my computer somehow. It disabled my Firewall and my System Restore. I tried doing a System Restore but it wouldn’t let me. Initially, Avast found a couple of files and deleted them but I neglected to write them down (I remember they were of the trojan-gen type). On Thursday night, I did another scan and it found six files in my System Restore folder all named Win32:Crypt-DGV [trj]. It said that it had successfully deleted them. I then ran some other spyware programs (Malwarebytes, Superantispyware, Ad-Aware, and a-Squared). Malwarebytes detected another bad file and deleted it. I also disabled the System Restore and did another scan to be safe and Avast found nothing.

So now it’s been over four days since I got the initial infection and there haven’t been any more trojan files detected in my antivirus/antispyware scans - am I still vulnerable? Have there been instances of trojans hiding out for weeks or months with no symptoms or detection?

Assuming that these programs found the trojan files last week, you would think that if they came back, they would be able to find them again, correct? Or are these trojans able to mutate into files that then can’t be detected by antivirus/antispyware? I realize that the viruses “out there” on the internet can change names and configurations and it’s always possible to get infected again by clicking on questionable links and the like, but can those original trojans actually mutate into new, undetectable files later on down the line while they’re in your computer?

Thanks!

Hi audiodrome,

Download hijackthis from here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/
Be sure to download it to the desktop, and not into a temporary file. Do a full scan, and place the logfile.txt as an attached file to your next posting. Do not do anything else until told,

polonus

Thanks!

I wasn’t sure how to attach it as a file so I copied and pasted it:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54 PM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.audiodrome.net/indexholder.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [DriverCD] D:\Run.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [lightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_0 -reboot 1
O4 - Startup: My Little Pony Registration.lnk = D:\ATR1.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} (UnityWebPlayer Control) - http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229190067328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230047109531
O18 - Filter hijack: text/html - {b30e42aa-52fe-4576-b661-8cda00822be8} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


End of file - 8261 bytes
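The log above is read by hand in the replies that follow: the helpers look for entries whose target is "(no file)", autostarts that launch from a drive other than the system drive, MIME filter registrations, Winlogon Notify DLLs and services with no publisher name. As an added example (not part of this thread and not HijackThis's own logic), the script below applies those same rules to HijackThis-style text. The sample log inside it is constructed in the posted format from a few of the lines above; the thresholds and wording of the reasons are my own. Every hit means "look at this by hand", not "this is malware".

```python
"""Triage pass over a HijackThis-style log.

Added example: not part of the forum thread above and not HijackThis code.
The rules are the ones a helper applies by eye when reading such a log.
"""
import re

# Constructed sample in the same format as the posted log (a subset of it).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DriverCD] D:\Run.exe
O4 - Startup: My Little Pony Registration.lnk = D:\ATR1.EXE
O18 - Filter hijack: text/html - {b30e42aa-52fe-4576-b661-8cda00822be8} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

# "O4 - rest", "R0 - rest", ... ; everything else (process list, header) is skipped.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# A drive letter followed by ':\' that is not glued to a preceding word.
DRIVE_RE = re.compile(r"(?<![A-Za-z0-9])([A-Za-z]):\\")


def parse_entries(log_text):
    """Yield (section, body, full_line) for every HijackThis entry line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(log_text, system_drive="C"):
    """Return a list of findings: {'section', 'line', 'reasons'}.

    Heuristics (assumed, not HijackThis's own classification):
      * '(no file)'            -> orphaned registration, target is gone
      * O4 on another drive    -> autostart from removable/optical media
      * O18 'Filter hijack'    -> MIME filter; fine only if the DLL is known
      * O20 Winlogon Notify    -> DLL loaded into winlogon.exe at every logon
      * O23 'Unknown owner'    -> service binary has no publisher name
    """
    findings = []
    for section, body, line in parse_entries(log_text):
        reasons = []
        if "(no file)" in body:
            reasons.append("target file missing: orphaned registration left by an uninstall or a removal")
        if section == "O4":
            drives = {d.upper() for d in DRIVE_RE.findall(body)}
            if drives - {system_drive.upper()}:
                reasons.append("autostart points at a non-system drive (removable or optical media)")
        if section == "O18" and body.startswith("Filter hijack"):
            reasons.append("MIME filter registered for a content type; legitimate only if the DLL is known")
        if section == "O20":
            reasons.append("Winlogon Notify DLL is loaded into winlogon.exe at every logon")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no publisher information")
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    ->", r)
```

Run against the full posted log, the hits are the two D: autostarts (a driver CD and a game registration shortcut, which only matter if that drive is not what you expect), the dangling text/html filter that polonus asks to fix, the SUPERAntiSpyware Winlogon hook, and the Broadcom wireless service that simply lacks a publisher string; none of them is evidence of a live infection by itself, which is exactly the judgement the human helpers make further down.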

Hi :

I am unable to tell from reading your Log whether you have Adobe Reader or any
remnants from that program, but IF you do, I recommend you read
http://forum.avast.com/index.php?topic=38839.0 ; alternatives would be the
FREE “Foxit Reader” or “CutePDF” .

And having Lavasoft’s Ad-Aware is not recommended, since it has an
unnecessary “Service” running that can NOT be turned OFF .

I thought I had the latest version of Adobe Reader installed but I’ll check that out. I wasn’t aware of the Lavasoft issue. Should I uninstall it and just stick to the others? I’m not completely sold on it anyway. One other thing I have been concerned about is that I haven’t received any automatic updates from Avast since the infection and I have both iAVS Update and Program Update set to “Automatic.” I did a manual update yesterday but the fact that it wasn’t automatic could just have been a timing issue.

Does the scan look OK otherwise?

Hi audiodrome,

Apparently you have no active firewall running there,
Fix this using HJT: O18 - Filter hijack: text/html - {b30e42aa-52fe-4576-b661-8cda00822be8} - (no file)

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe Nice utility, but it can eat CPU like anything slowing up things, reconsider,
/////////////////////////////////////
Download SAS from here: http://www.superantispyware.com/superantispywarefreevspro.html
Install it and double-click the icon on your desktop to run it.
- It will ask if you want to update the program definitions, click Yes.
- Under Configuration and Preferences, click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked:
  - Close browsers before scanning
  - Scan for tracking cookies
  - Terminate memory threats before quarantining.
  - Please leave the others as they were.
  - Click the Close button to leave the control center screen.
- On the main screen, under Scan for Harmful Software click Scan your computer.
- On the left check C:\Fixed Drive.
- On the right, under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click OK.
- Make sure everything in the white box has a check next to it, then click Next.
- It will quarantine what it found and if it asks if you want to reboot, click Yes.
- To retrieve the removal information for me please do the following:
  - After reboot, double-click the SUPERAntispyware icon on your desktop.
  - Click Preferences. Click the Statistics/Logs tab.
  - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  - It will open in your default text editor (such as Notepad/Wordpad).
  - Please highlight everything in the notepad, then right-click and choose copy.
- Click close and close again to exit the program.
- Please paste that information here for me regardless of what it finds with a new HijackThis log.

polonus

Thanks. When I check my Windows security settings, it says that the firewall is on! What’s going on there? I already have Superantispyware on my computer so I will run that again now.

I ran the Superantispyware scan and it found 1039 “infected” files and they were all tracking cookies. I was told that you can ignore cookies because they aren’t much of a risk. The last time I deleted all my cookies, it screwed up a lot of the websites that I visit on a regular basis. It won’t let me post the whole list here because of the character limit. Do you need to see the whole thing? All of the remaining infected files are from C:\Documents and Settings\Sean\Cookies\

Needless to say, I didn’t realize that I had this many cookies, but they are all quarantined now. The weird thing is that I just checked a couple of my regular websites and they all “remembered” me. I thought that if you remove all the cookies, you had to login from scratch.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/03/2009 at 05:22 PM

Application Version : 4.24.1004

Core Rules Database Version : 3694
Trace Rules Database Version: 1670

Scan type : Complete Scan
Total Scan Time : 00:21:38

Memory items scanned : 441
Memory threats detected : 0
Registry items scanned : 6582
Registry threats detected : 0
File items scanned : 24724
File threats detected : 1039

Adware.Tracking Cookie
C:\Documents and Settings\Sean\Cookies\sean@media.adrevolver[4].txt
C:\Documents and Settings\Sean\Cookies\sean@tribalfusion[3].txt
C:\Documents and Settings\Sean\Cookies\sean@advertising[4].txt
C:\Documents and Settings\Sean\Cookies\sean@doubleclick[3].txt
C:\Documents and Settings\Sean\Cookies\sean@tacoda[4].txt
C:\Documents and Settings\Sean\Cookies\sean@www.googleadservices[2].txt
C:\Documents and Settings\Sean\Cookies\sean@kontera[4].txt
C:\Documents and Settings\Sean\Cookies\sean@questionmarket[4].txt
C:\Documents and Settings\Sean\Cookies\sean@content.yieldmanager[5].txt
C:\Documents and Settings\Sean\Cookies\sean@at.atwola[3].txt
C:\Documents and Settings\Sean\Cookies\sean@microsoftwindows.112.2o7[2].txt
C:\Documents and Settings\Sean\Cookies\sean@ads.sun[2].txt
C:\Documents and Settings\Sean\Cookies\sean@apmebf[2].txt
C:\Documents and Settings\Sean\Cookies\sean@zedo[3].txt
C:\Documents and Settings\Sean\Cookies\sean@adrevolver[5].txt
C:\Documents and Settings\Sean\Cookies\sean@xiti[1].txt
C:\Documents and Settings\Sean\Cookies\sean@rambler[3].txt
C:\Documents and Settings\Sean\Cookies\sean@ad.yieldmanager[3].txt
C:\Documents and Settings\Sean\Cookies\sean@revsci[3].txt
C:\Documents and Settings\Sean\Cookies\sean@adlegend[3].txt
C:\Documents and Settings\Sean\Cookies\sean@atdmt[4].txt
C:\Documents and Settings\Sean\Cookies\sean@adserver.adtechus[1].txt
C:\Documents and Settings\Sean\Cookies\sean@CAWCH2I8.txt
C:\Documents and Settings\Sean\Cookies\sean@content.yieldmanager[4].txt
C:\Documents and Settings\Sean\Cookies\sean@casalemedia[1].txt
C:\Documents and Settings\Sean\Cookies\sean@content.yieldmanager.edgesuite[2].txt
C:\Documents and Settings\Sean\Cookies\sean@statse.webtrendslive[3].txt
C:\Documents and Settings\Sean\Cookies\sean@media6degrees[3].txt
C:\Documents and Settings\Sean\Cookies\sean@statcounter[4].txt
C:\Documents and Settings\Sean\Cookies\sean@overture[3].txt
C:\Documents and Settings\Sean\Cookies\sean@mediaplex[4].txt
C:\Documents and Settings\Sean\Cookies\sean@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Recording Studio\Cookies\recording studio@ads.monster[2].txt
C:\Documents and Settings\Recording Studio\Cookies\recording studio@ontrack[1].txt
C:\Documents and Settings\Recording Studio\Cookies\recording studio@www.ontrack[1].txt
C:\Documents and Settings\Recording Studio\Cookies\recording studio@toplist[1].txt
C:\Documents and Settings\Recording Studio\Cookies\recording studio@mediamgr.ugo[2].txt
C:\Documents and Settings\Recording Studio\Cookies\recording studio@ads.specificclick[1].txt
C:\Documents and Settings\Recording Studio\Cookies\recording studio@insightfirst[1].txt
C:\Documents and Settings\Recording Studio\Cookies\recording studio@metareward[1].txt
C:\Documents and Settings\Recording Studio\Cookies\recording studio@www.soundclick[1].txt
C:\Documents and Settings\Sean\Cookies\sean@ads.heias[2].txt
C:\Documents and Settings\Sean\Cookies\sean@nebuad.adjuggler[2].txt
C:\Documents and Settings\Sean\Cookies\sean@mediamatters[1].txt
C:\Documents and Settings\Sean\Cookies\sean@kontera[3].txt
C:\Documents and Settings\Sean\Cookies\sean@www.soundtrackcollector[2].txt
C:\Documents and Settings\Sean\Cookies\sean@www.soundtrackcollector[1].txt
C:\Documents and Settings\Sean\Cookies\sean@kontera[2].txt
C:\Documents and Settings\Sean\Cookies\sean@profiles.hitslink[3].txt
C:\Documents and Settings\Sean\Cookies\sean@profiles.hitslink[1].txt
C:\Documents and Settings\Sean\Cookies\sean@profiles.hitslink[2].txt
C:\Documents and Settings\Sean\Cookies\sean@overture[1].txt
C:\Documents and Settings\Sean\Cookies\sean@e-2dj6wjkokmazchp.stats.esomniture[2].txt
C:\Documents and Settings\Sean\Cookies\sean@casalemedia[3].txt
C:\Documents and Settings\Sean\Cookies\sean@ads.hitsquad[3].txt
C:\Documents and Settings\Sean\Cookies\sean@soundtrack[1].txt
C:\Documents and Settings\Sean\Cookies\sean@stats.cdrinfo[1].txt
C:\Documents and Settings\Sean\Cookies\sean@www.1freecounter[1].txt
C:\Documents and Settings\Sean\Cookies\sean@e-2dj6wjmyapc5ado.stats.esomniture[2].txt
C:\Documents and Settings\Sean\Cookies\sean@servedby.advertising[1].txt
C:\Documents and Settings\Sean\Cookies\sean@adserve.podaddies[1].txt
C:\Documents and Settings\Sean\Cookies\sean@008.free-counter.co[2].txt
C:\Documents and Settings\Sean\Cookies\sean@app.insightgrit[1].txt
C:\Documents and Settings\Sean\Cookies\sean@ads.vidsense[1].txt
C:\Documents and Settings\Sean\Cookies\sean@e-2dj6wjl4uodzwcp.stats.esomniture[2].txt
C:\Documents and Settings\Sean\Cookies\sean@overture[2].txt
C:\Documents and Settings\Sean\Cookies\sean@mycounter.tinycounter[2].txt
C:\Documents and Settings\Sean\Cookies\sean@soundtrack[2].txt
C:\Documents and Settings\Sean\Cookies\sean@e-2dj6wgmiwid5wlp.stats.esomniture[2].txt
C:\Documents and Settings\Sean\Cookies\sean@aj.ientry[1].txt
C:\Documents and Settings\Sean\Cookies\sean@questionmarket[3].txt
C:\Documents and Settings\Sean\Cookies\sean@e-2dj6wjl4wncjscp.stats.esomniture[2].txt
C:\Documents and Settings\Sean\Cookies\sean@ads.usercash[3].txt
C:\Documents and Settings\Sean\Cookies\sean@e-2dj6wfkiggczwlp.stats.esomniture[2].txt
C:\Documents and Settings\Sean\Cookies\sean@keywordmax[1].txt
C:\Documents and Settings\Sean\Cookies\sean@e-2dj6wcl4smajmkq.stats.esomniture[2].txt
C:\Documents and Settings\Sean\Cookies\sean@005.free-counter.co[1].txt
C:\Documents and Settings\Sean\Cookies\sean@streamit.hardwarezone[1].txt
C:\Documents and Settings\Sean\Cookies\sean@ads4.blastro[2].txt
C:\Documents and Settings\Sean\Cookies\sean@adlegend[2].txt
C:\Documents and Settings\Sean\Cookies\sean@e-2dj6wjl4wlcjmlp.stats.esomniture[2].txt
C:\Documents and Settings\Sean\Cookies\sean@scan.malwarecrush[1].txt
C:\Documents and Settings\Sean\Cookies\sean@stats.paypal[2].txt
C:\Documents and Settings\Sean\Cookies\sean@atdmt[3].txt
C:\Documents and Settings\Sean\Cookies\sean@mobileentertainment.directtrack[2].txt
C:\Documents and Settings\Sean\Cookies\sean@ads.pubmatic[2].txt
C:\Documents and Settings\Sean\Cookies\sean@e-2dj6wfkygncjmkq.stats.esomniture[2].txt
C:\Documents and Settings\Sean\Cookies\sean@ads.tripod.spray[1].txt
C:\Documents and Settings\Sean\Cookies\sean@www.adtrak[1].txt
C:\Documents and Settings\Sean\Cookies\sean@elitetabs[2].txt
C:\Documents and Settings\Sean\Cookies\sean@ads.adbrite[1].txt
C:\Documents and Settings\Sean\Cookies\sean@ads4.blastro[3].txt
C:\Documents and Settings\Sean\Cookies\sean@ads.hitsquad[2].txt

Also, how do I fix the firewall problem with HijackThis? I’ve never used it before. I checked the box next to that line and hit “fix” and the window went blank. It didn’t say “fixed” or anything like that. I then did another scan and it still said “no file.” However, when I checked my security settings, it said that the firewall was on. How can it be that the HijackThis log says I have no active firewall but my Windows Security Center says that it’s on? Now I’m starting to get worried. I’m afraid that I deleted the firewall key from my registry. Either that or something really strange is going on!

Hi audiodrome,

Don’t worry, we just did not detect an active software firewall; if you have the Windows fw running, no problem. The fix is for a file that has disappeared already. For the rest you are doing fine, so absolutely no reason to panic,

polonus

So I didn’t change anything by fixing that line and everything else looks good? That’s a relief - thanks!

How is it that those websites remembered me and I didn’t have to log-in if I removed all the cookies? Or did it only quarantine the “bad” cookies?

Do a spybot S&D scan too

Thanks - Spybot looks like another good program. I ran the scan and all it found was 6 tracking cookies. It looks like I’m good for now!

So that just leaves one concern. I haven’t received any automatic updates from Avast since the infection and I have both iAVS Update and Program Update set to “Automatic.” I did a manual update yesterday but maybe it would have been done automatically if I had waited a little longer. Has there only been one update since New Year’s Day?

This is what I currently have for Avast versions:

iAVS Version : 090104-0
Program Version: 4.8.1296

Lastly, is it worth doing an online scan?

Hi :

Sometimes malware can “hide” from a HijackThis scan UNLESS you “rename”
“HijackThis.exe” to something else, like “humble.exe”, then run another scan
to see IF anything “different” appears in the Scan results !?

And I always recommend “tracking/adware” cookies be immediately
“deleted”; there is no need to “quarantine” cookies . Any safe site you visit on
a regular basis should NOT be using “tracking” cookies, only the “regular” kind.
With your cookie “problem”, you should seriously consider installing the FREE
“SpywareBlaster” from www.javacoolsoftware.com/spywareblaster.html ;
there is a “Tutorial” on this program at
www.bleepingcomputer.com/tutorials/tutorial49.html .

Thanks for the info. I’ll try that and see what I get. One more question: is it necessary to have Java installed? I don’t seem to have it on my system - only the early Microsoft Java.

Hi audiodrome,

Yes, sometimes you need Java to display certain content; if Java is there it should be the latest version.
This goes for every third party software on your OS. A good tool to check this and keep everything up to date and fully patched is Secunia PSI, download it from here: http://secunia.com/PSISetup.exe
If you just want to do an online scan to see what should be updated, then go here and scan: http://secunia.com/vulnerability_scanning/online/
This is the best advice I can give you, stay free of malware and secure,

polonus

Thanks! That’s the main reason I asked about it. I went to the Secunia site to do the check but it wouldn’t work without Java installed.

Hi audiodrome,

There you have your instant reply about the necessity of Java. Did you fix this with HJT?:
Fix this using HJT: O18 - Filter hijack: text/html - {b30e42aa-52fe-4576-b661-8cda00822be8} - (no file)
You must have had a Smitfraud-like infection; these are traces of that. You can run SmitfraudFix from here: http://siri.geekstogo.com/SmitfraudFix.php

and

vundofix from here:
http://vundofix.atribune.org/

Download both install them and run them.
See on their pages how to use them,

polonus

Hi :

Since you say you have the “old” Microsoft “Java”, you should seriously
consider following the Info at www.bleepingcomputer.com/tutorials/tutorial97.html .

I did install the latest version of Java and did the Secunia scan. I also ran SmitfraudFix and VundoFix. VundoFix found nothing, but I couldn’t figure out how to read the SmitfraudFix log (below).

SmitFraudFix v2.388

Scan done at 15:47:39.76, Sun 01/04/2009
Run from C:\Documents and Settings\Sean\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Sean\My Documents\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sean

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sean\LOCALS~1\Temp

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sean\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sean\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.71.226
DNS Server Search Order: 68.87.73.242
DNS Server Search Order: 68.87.64.146

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.71.226
DNS Server Search Order: 68.87.73.242
DNS Server Search Order: 68.87.64.146

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0B4C6820-C715-4E21-A6B6-C8DFC3A1924A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{53D393AF-BB23-415F-AAEA-C4BECAF94F3F}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CE88C533-F6F2-4740-9BF2-A0310248A43D}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0B4C6820-C715-4E21-A6B6-C8DFC3A1924A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{53D393AF-BB23-415F-AAEA-C4BECAF94F3F}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CE88C533-F6F2-4740-9BF2-A0310248A43D}: DhcpNameServer=10.129.33.2 10.129.5.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0B4C6820-C715-4E21-A6B6-C8DFC3A1924A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{53D393AF-BB23-415F-AAEA-C4BECAF94F3F}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CE88C533-F6F2-4740-9BF2-A0310248A43D}: DhcpNameServer=10.129.33.2 10.129.5.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0B4C6820-C715-4E21-A6B6-C8DFC3A1924A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{53D393AF-BB23-415F-AAEA-C4BECAF94F3F}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CE88C533-F6F2-4740-9BF2-A0310248A43D}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.129.33.2 10.129.5.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.129.33.2 10.129.5.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
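The part of that SmitfraudFix log that is worth reading yourself is the DNS section: one family of Smitfraud-era malware replaces the resolvers a machine uses with ones the attacker runs, so every interface and every control set is listed. The question to ask of it is simply which resolver addresses appear and whether each is either a LAN address (the router at 192.168.0.1, the 10.129.x.x pair) or a public resolver you recognise (here the three 68.87.x.x addresses, which belong to the ISP). As an added example (not part of the thread and not SmitfraudFix's own code), the script below does that classification over SmitfraudFix-style text. The sample section is constructed in the posted format; the 203.0.113.53 entry is a documentation-range placeholder standing in for an unexpected resolver and does not appear in the real log, and the "trusted" set is an assumption taken from the addresses the log shows.

```python
"""Resolver sanity check over a SmitfraudFix-style "DNS" section.

Added example: not part of the forum thread and not SmitfraudFix code.
Classifies every resolver address in the section as LAN (RFC 1918),
trusted (an allow-list you supply) or unexpected (public and not on the list).
"""
import ipaddress
import re

# Constructed sample in the same format as the posted log. The 203.0.113.53
# entry is a documentation-range placeholder for an unexpected resolver.
SAMPLE_DNS_SECTION = """\
Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.71.226
DNS Server Search Order: 68.87.73.242

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{0B4C6820-C715-4E21-A6B6-C8DFC3A1924A}: DhcpNameServer=192.168.0.1
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\Parameters: DhcpNameServer=10.129.33.2 10.129.5.1
HKLM\\SYSTEM\\CS2\\Services\\Tcpip\\..\\{53D393AF-BB23-415F-AAEA-C4BECAF94F3F}: NameServer=203.0.113.53
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# RFC 1918 ranges spelled out rather than ipaddress.is_private, because the
# latter also treats the documentation ranges (192.0.2/24 etc.) as private.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(addr):
    """True for an RFC 1918 address (a router or corporate resolver)."""
    return any(addr in net for net in LAN_NETWORKS)


def extract_resolvers(section_text):
    """Distinct IPv4 resolver addresses from both the live
    'DNS Server Search Order' lines and the per-interface registry values
    (NameServer / DhcpNameServer), sorted numerically."""
    found = set()
    for line in section_text.splitlines():
        if "DNS Server Search Order" in line or "NameServer=" in line:
            found.update(IPV4_RE.findall(line))
    return sorted(found, key=ipaddress.ip_address)


def classify_resolvers(section_text, trusted):
    """Map each resolver to 'lan', 'trusted' or 'unexpected'.

    `trusted` is the set of public resolvers you expect to see (your ISP's,
    or a public service you chose). Anything public and not in it is flagged.
    """
    result = {}
    for ip in extract_resolvers(section_text):
        addr = ipaddress.ip_address(ip)
        if is_lan(addr):
            result[ip] = "lan"
        elif ip in trusted:
            result[ip] = "trusted"
        else:
            result[ip] = "unexpected"
    return result


def unexpected_resolvers(section_text, trusted):
    """Just the addresses that need explaining."""
    return sorted(ip for ip, cls in classify_resolvers(section_text, trusted).items()
                  if cls == "unexpected")


if __name__ == "__main__":
    # Assumption: the three resolvers the posted log shows belong to the ISP.
    ISP_RESOLVERS = {"68.87.71.226", "68.87.73.242", "68.87.64.146"}
    for ip, cls in classify_resolvers(SAMPLE_DNS_SECTION, ISP_RESOLVERS).items():
        print(f"{ip:16} {cls}")
    print("needs a look:", unexpected_resolvers(SAMPLE_DNS_SECTION, ISP_RESOLVERS))
```

Against the real log above every address falls into "lan" or "trusted", which is the clean result SmitfraudFix reported; the stale 10.129.x.x entries sit only in the backup control sets (CS1, CS2) and reflect a network the machine was once on, not a hijack. A public address you cannot account for in CurrentControlSet is the thing to chase.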