Author Topic: A froggy friend in need of help.... (Read 7269 times)

Goatie · « **Reply #15 on:** August 24, 2005, 05:49:35 PM »

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX2.8

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX2.9

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.0

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.1

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.2

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.3

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : FU3.4

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : FU3.5

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : FU3.6

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : LU3.7

Elitum.ElitebarBHO Object Recognized!
Type : Folder
TAC Rating : 5
Category : Data Miner
Comment : Elitum.ElitebarBHO
Object : C:\WINDOWS\etb

Elitum.ElitebarBHO Object Recognized!
Type : Folder
TAC Rating : 5
Category : Data Miner
Comment : Elitum.ElitebarBHO
Object : C:\Documents and Settings\Claude\Favoris\Casino & Carrers

Elitum.ElitebarBHO Object Recognized!
Type : Folder
TAC Rating : 5
Category : Data Miner
Comment : Elitum.ElitebarBHO
Object : C:\Documents and Settings\Claude\Favoris\Finances & Business

Elitum.ElitebarBHO Object Recognized!
Type : Folder
TAC Rating : 5
Category : Data Miner
Comment : Elitum.ElitebarBHO
Object : C:\Documents and Settings\Claude\Favoris\Health & Insurance

Elitum.ElitebarBHO Object Recognized!
Type : Folder
TAC Rating : 5
Category : Data Miner
Comment : Elitum.ElitebarBHO
Object : C:\Documents and Settings\Claude\Favoris\Homelife & Travel

istbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\downloadmanager

Virtumonde Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : .key

Virtumonde Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : SysUpd

Other Object Recognized!
Type : File
Data : POKAPOKA63.EXE-054F8AE4.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\prefetch\

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 29
Objects found so far: 87

10:44:13 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:17:34.327
Objects scanned:190601
Objects identified:75
Objects ignored:0
New critical objects:75

mitch · « **Reply #16 on:** August 24, 2005, 11:43:51 PM »

she finally got the HJT log !!!!

it is posted here

http://www.landzdown.com/index.php/topic,1374.0/topicseen.html

Corrine · « **Reply #17 on:** August 24, 2005, 11:51:51 PM »

Considering how deeply buried in the system Elitum is, it would be much safer to use Miekiemoes fix. Please download http://users.telenet.be/bluepatchy/miekiem...tools/LQfix.exe (new version, safe mode not needed) and place it on your desktop.
Doubleclick LQfix.exe and click install.
This will create a new folder called LQfix on your desktop.
Open the folder and doubleclick ClickThis.bat
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.

Note: The download of the LQfix batch file is so quick (a 1K ZIP file), that you may only see a quick flash which could lead to thinking that nothing got downloaded. If in doubt, check the target 'save to' location for your downloaded file.

After the restart, please do a WebUpdate and run Ad-Aware SE again, removing any critical objects found.
Do yet another shutdown/restart, a new scan and post the results as a reply.

Thanks!

Corrine · « **Reply #18 on:** August 24, 2005, 11:52:48 PM »

Let's hold off on the HJT log until we see the results of running Miekiemoes fix. That would have been needed regardless as HJT wouldn't be able to clean it either.

If you want, you can post a fresh HJT log AFTER running Miekiemoes fix and cleaning with Ad-Aware.

Thanks!

Goatie · « **Reply #19 on:** August 25, 2005, 09:37:10 AM »

Thanks a bunch CORRINE...

Message translated and sent to him this very minute...

( I hope the prompts generated within the fix won't be too complicated to understand or lead him to push wrong buttons again... eheh!)
HOPE! FAITH! again... (it'll be nice to go back to water and green grass for food some day!!!)

Goatie · « **Reply #20 on:** August 25, 2005, 08:28:46 PM »

After Miekiemoes fix.........

Ad-Aware SE Build 1.06r1
Logfile Created on:25 août, 2005 17:17:05
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R63 24.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
None
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

2005-08-25 17:17:05 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 140
ThreadCreationTime : 2005-08-25 21:15:13
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 192
ThreadCreationTime : 2005-08-25 21:15:27
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 216
ThreadCreationTime : 2005-08-25 21:15:30
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 260
ThreadCreationTime : 2005-08-25 21:15:34
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Applications Services et Contrôleur
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 272
ThreadCreationTime : 2005-08-25 21:15:34
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 432
ThreadCreationTime : 2005-08-25 21:15:38
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 456
ThreadCreationTime : 2005-08-25 21:15:39
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 700
ThreadCreationTime : 2005-08-25 21:15:54
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorateur Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : EXPLORER.EXE

#:9 [imgreg.exe]
FilePath : C:\WINDOWS\system32\Setup\
ProcessID : 756
ThreadCreationTime : 2005-08-25 21:16:00
BasePriority : Normal

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 868
ThreadCreationTime : 2005-08-25 21:16:19
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1078 entries scanned.
New critical objects:0
Objects found so far: 0

17:34:42 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:17:36.750
Objects scanned:176607
Objects identified:0
Objects ignored:0
New critical objects:0

Corrine · « **Reply #21 on:** August 25, 2005, 10:28:20 PM »

That AAW scan was from safemode but that #9, I am positive, is most nasty and there's lots of junk showing in the HJT log. Please tell your friend to stay offline until getting that firewall & A/V software installed and not to click on anything! I do believe you need to give him a most serious lecture.

I didn't see it but could have missed it. Does he have a SpyBot or a hosts file program running on his machine? If not, please be sure to tell the HJT Analyst. Based on normal mode Ad-Aware scans, after completing the cleanup, he will also need to clear system restore and set a new restore point. Otherwise, he takes the chance of reinfection if he selects a bad restore point.

Goatie · « **Reply #22 on:** August 26, 2005, 09:16:02 AM »

Thanks Corrine, I translated your message for him with lots of BOLD and underlined and I think he got it. He almost thought he was in the clear by now because his computer has now taken back a lot of speed and he does'nt get a bunch of pop-ups offering false AV's that he was buying and paying for. Yes, he did PAY to get infected (bought AlertSpy from a pop-up). He won't be so naive from now on.... (I hope)

Now here is his last Ad Aware scan done in normal mode:

Ad-Aware SE Build 1.06r1
Logfile Created on:25 août, 2005 20:49:52
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R63 24.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
istbar(TAC index:7):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

2005-08-25 20:49:52 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 448
ThreadCreationTime : 2005-08-25 21:44:26
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 508
ThreadCreationTime : 2005-08-25 21:44:31
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 536
ThreadCreationTime : 2005-08-25 21:44:36
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 580
ThreadCreationTime : 2005-08-25 21:44:36
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Applications Services et Contrôleur
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 592
ThreadCreationTime : 2005-08-25 21:44:36
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 780
ThreadCreationTime : 2005-08-25 21:44:39
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 832
ThreadCreationTime : 2005-08-25 21:44:39
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 928
ThreadCreationTime : 2005-08-25 21:44:41
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 940
ThreadCreationTime : 2005-08-25 21:44:41
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1128
ThreadCreationTime : 2005-08-25 21:44:43
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1256
ThreadCreationTime : 2005-08-25 21:44:51
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1340
ThreadCreationTime : 2005-08-25 21:44:51
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 232
ThreadCreationTime : 2005-08-25 21:45:28
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorateur Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : EXPLORER.EXE

#:14 [imgreg.exe]
FilePath : C:\WINDOWS\system32\Setup\
ProcessID : 424
ThreadCreationTime : 2005-08-25 21:45:33
BasePriority : Normal

#:15 [hpztsb04.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ProcessID : 484
ThreadCreationTime : 2005-08-25 21:45:36
BasePriority : Normal
FileVersion : 2,80,0,0
ProductVersion : 2,80,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright (c) Hewlett-Packard Company 1999-2001

#:16 [lvcoms.exe]
FilePath : C:\Program Files\Fichiers communs\Logitech\QCDriver3\
ProcessID : 496
ThreadCreationTime : 2005-08-25 21:45:37
BasePriority : Normal
FileVersion : 7.3.0.1113
ProductVersion : 7.3.0.1113
ProductName : Logitech ImageStudio
CompanyName : Logitech Inc.
FileDescription : LVCom Server
InternalName : LVComS.exe
LegalCopyright : (c) 1996-2002 Logitech. All rights reserved.
OriginalFilename : LVComS.exe

#:17 [spool.exe]
FilePath : C:\Program Files\spool\
ProcessID : 500
ThreadCreationTime : 2005-08-25 21:45:37
BasePriority : Normal

#:18 [ikeymain.exe]
FilePath : C:\PROGRA~1\Keyboard\
ProcessID : 512
ThreadCreationTime : 2005-08-25 21:45:39
BasePriority : Normal

#:19 [realplay.exe]
FilePath : C:\Program Files\Real\RealPlayer\
ProcessID : 596
ThreadCreationTime : 2005-08-25 21:45:39
BasePriority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE

#:20 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 716
ThreadCreationTime : 2005-08-25 21:45:40
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:21 [gestionnaire antidote.exe]
FilePath : C:\PROGRA~1\Druide\Antidote\Antidote\
ProcessID : 1940
ThreadCreationTime : 2005-08-25 21:46:35
BasePriority : Normal
FileVersion : 1, 5, 0, 0
ProductVersion : 1, 5, 0, 0
ProductName : Gestionnaire Antidote
CompanyName : Druide informatique inc.
FileDescription : Gestionnaire Antidote
InternalName : Gestionnaire Antidote
LegalCopyright : © 1993-2002, Druide informatique inc.
OriginalFilename : Gestionnaire Antidote.exe

#:22 [skype.exe]
FilePath : C:\Program Files\Skype\Phone\
ProcessID : 2032
ThreadCreationTime : 2005-08-25 21:46:39
BasePriority : Normal

#:23 [olfsnt40.exe]
FilePath : C:\Program Files\Microsoft Office\Office\1036\
ProcessID : 288
ThreadCreationTime : 2005-08-25 21:46:47
BasePriority : Normal
FileVersion : 9.0.98.0105
ProductVersion : 9.0.98.0105
ProductName : Symantec Fax Starter Edition Printer Driver
CompanyName : Microsoft Corporation
FileDescription : Symantec Fax Starter Edition Port Launcher
InternalName : OLFSNT40.DLL
LegalCopyright : Copyright (C) Symantec Corp. 1990-1998
OriginalFilename : OLFSNT40.DLL

#:24 [magickey.exe]
FilePath : C:\Program Files\Wireless Device\Wireless Keyboard\
ProcessID : 952
ThreadCreationTime : 2005-08-25 21:46:58
BasePriority : Normal

#:25 [mouseap.exe]
FilePath : C:\Program Files\Wireless Device\Wireless Mouse\
ProcessID : 864
ThreadCreationTime : 2005-08-25 21:46:59
BasePriority : Normal

#:26 [osd.exe]
FilePath : C:\Program Files\Wireless Device\Wireless Keyboard\
ProcessID : 1324
ThreadCreationTime : 2005-08-25 21:47:02
BasePriority : Normal
FileVersion : 2, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : WAYTECH OSD
CompanyName : WayTech Development, Inc.
FileDescription : OSD
InternalName : OSD
LegalCopyright : (C)1998-2000 WayTech Development, Inc.
OriginalFilename : OSD.exe

#:27 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1788
ThreadCreationTime : 2005-08-25 21:47:21
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Mises à jour automatiques
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : wuauclt.exe

#:28 [netscp.exe]
FilePath : C:\PROGRA~1\Netscape\Netscape\
ProcessID : 2540
ThreadCreationTime : 2005-08-25 23:06:04
BasePriority : Normal

#:29 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3860
ThreadCreationTime : 2005-08-26 00:49:09
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

istbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment : "disp"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion
Value : disp

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1078 entries scanned.
New critical objects:0
Objects found so far: 1

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

21:06:15 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:16:22.613
Objects scanned:192008
Objects identified:1
Objects ignored:0
New critical objects:1

Goatie · « **Reply #23 on:** August 26, 2005, 12:36:15 PM »

Sorry Corrine... I rushed to HJT to tell them he does'nt have Spybot or Host File or if he does... he does'nt know he has it. Here is what we found in his add/remove programs:

A d Aware De Personal 3,20

Adobe Photoshop 6.0 92,16

Autocad 2005 341.

Autocad 2005 expresse tools 5,53

Autodesk DWF Viewer

C. Dilla Licence Management System

Correctif Window XP kb 823559

Correctif Window XP kb 828741

Correctif Window XP kb 833987

Correctif Window XP kb 835732

Correctif Window XP kb 840987

Correctif Window XP kb 841356

Correctif Window XP kb 841533

Correctif Window XP kb 842773

Correctif Window XP kb 873376

Correctif Window XP kb 885523

Correctif Window XP kb 887822

Date Manager ,76

Div x4 Window codex 4,0 alpha 50

hp photosmart serie printer (supprimer uniquement) 13,74

Keywork 6,12

Java Wedstart 1,84

Logiteck Desktop Messenger 1,39

Logiteck M VideoCompagnion 1,39

Memory Blaster 2,3

Microsoph.net Framework 1,1 37,4

Microteck Scan Wizard 1,11

Nero Burning Rom

Netscape 7,02

Package correctif Windows XP

Précision time

Quick time 2,29

Shokwave

Real Player 8,68Spool ,08

Suppress plus 3,2

Top Five Search.com Search Assistant

Trace Blaster 3.02

View Point Media Player 2,62

Weather Cash 0,14

Windows XP Application Q 309521

Windows XP Hotfix spi 329048

Windows XP Hotfix spi 329390

Windows XP Hotfix spi 329441

Windows XP Hotfix spi 329834

Windows XP spi Q 329196

Windows XP 810577

Windows XP 817606

Wireless Keyboord 1,43

He is willing to remove any programs as long as he can keep his Photoshop and AutoCad... He had already removed a whole bunch before typing this list.

Corrine · « **Reply #24 on:** August 26, 2005, 02:01:17 PM »

Based on the little I know about HJT, I think it is safest to have one of the HJT analysts take over with that log there. I believe there are still a couple of nasties on that PC that he will have to deal with.

LandzDown Forum

News:

Author Topic: A froggy friend in need of help.... (Read 7269 times)

Goatie

Re: A froggy friend in need of help....

mitch

Re: A froggy friend in need of help....

Corrine

Re: A froggy friend in need of help....

Corrine

Re: A froggy friend in need of help....

Goatie

Re: A froggy friend in need of help....

Goatie

Re: A froggy friend in need of help....

Corrine

Re: A froggy friend in need of help....

Goatie

Re: A froggy friend in need of help....

Goatie

Re: A froggy friend in need of help....

Corrine

Re: A froggy friend in need of help....