LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: Ripley on November 29, 2005, 07:21:46 PM

Title: Computer Compromised? Keylogger or Rootkit?
Post by: Ripley on November 29, 2005, 07:21:46 PM
This issue was started in another thread (the Firewall forum) and will continue here.
Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: Ripley on November 29, 2005, 07:23:47 PM
Background info is here, started in Firewall forum:
http://www.landzdown.com/index.php?topic=3377.

This person did a thorough Avast scan w/ nothing detected, but numerous 00005 errors listed in error log.  These are Denied Access Errors, right? (log below).
Full Ewido scan detected and cleaned 3 cookies. (log as well).

Die Hard, read info on the 2 links and starting w/ RootkitRevealer tonight.  Read the scanning instructions at their forum, but there are 2 configuration options not clear to me.

Here's what it says:
To scan a system launch it on the system and press the Scan button. RootkitRevealer scans the system reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. The options you can configure:

Hide NTFS Metadata Files: this option is on by default and has RootkitRevealer not show standard NTFS metadata files, which are hidden from the Windows API.
Scan Registry: this option is on by default. Deselecting it has RootkitRevealer not perform a Registry scan.

My pea brain says leave these defaults as is, or do we unhide the NTFS Metadata Files, whatever they are?

Mitch, thnx for the links/tutorial on ZoneAlarm.  I am unfamiliar w/ it and cable broadband, but can read soooo, if we can figure out the Firewall terminology, we should be good to go.  Plan is to dl and save the results of RootkitRevealer first, then move on to ZoneAlarm.
Online vendor who had the bogus order will be contacted for more info, like IP address, time, etc.
Only know this computer is scheduled to get auto MS updates, but will have her verify that she is getting them.

3 logs in next post of Avast errors, Ewido scan, and HJT from last night & this AM.
Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: Ripley on November 29, 2005, 07:25:05 PM
Here is the Avast error log (edited due to waaay many of the same errors) and Ewido scan results, referred to in the above post:

11/27/2005 8:42:17 AM 1133102537 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\$NtUninstallQ309521$\dxmasf.dll failed, 00000005. 
11/27/2005 8:42:17 AM 1133102537 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\$NtUninstallQ309521$\lsasrv.dll failed, 00000005. 
11/27/2005 8:42:17 AM 1133102537 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\$NtUninstallQ309521$\msdxm.ocx failed, 00000005. 
11/27/2005 8:42:17 AM 1133102537 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\$NtUninstallQ309521$\sfcfiles.dll failed, 00000005. 
11/27/2005 8:42:35 AM 1133102555 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\$NtUninstallQ828026$\wmp.dll failed, 00000005. 
11/28/2005 4:10:21 AM 1133172621 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Program Files\InstallShield Installation Information\{03AAA1D8-D4CF-48BD-9C66-78B41D80DF06}\setup.ilg failed, 00000005. 
11/28/2005 4:10:26 AM 1133172626 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Program Files\InstallShield Installation Information\{179CD024-E5B3-48CF-97C0-26481CC281D5}\setup.ilg failed, 00000005. 
11/28/2005 4:10:26 AM 1133172626 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Program Files\InstallShield Installation Information\{38FBBBD4-1D2A-4037-A71C-57093B4BA889}\setup.ilg failed, 00000005. 
11/28/2005 4:10:26 AM 1133172626 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Program Files\InstallShield Installation Information\{3CB41017-F5CA-4C56-934C-ED02156251E6}\Setup.ilg failed, 00000005. 
11/28/2005 4:10:27 AM 1133172627 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Program Files\InstallShield Installation Information\{3F695596-85E6-4224-BC70-538F9036797A}\setup.ilg failed, 00000005. 
11/28/2005 4:10:27 AM 1133172627 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Program Files\InstallShield Installation Information\{44A537A5-859C-43A6-8285-C0668142A090}\Setup.ilg failed, 00000005. 
11/28/2005 4:10:27 AM 1133172627 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\NetLingo.x32 failed, 00000005. 
11/28/2005 4:27:08 AM 1133173628 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\Shockwave 3d Asset.x32 failed, 00000005. 
11/28/2005 4:27:08 AM 1133173628 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\Speech.x32 failed, 00000005. 
11/28/2005 4:27:48 AM 1133173668 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\twain_32\BrMfSc03\MF210CU\brTwdFe.dsx failed, 00000005. 
11/28/2005 5:25:21 PM 1133220321 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\$NtUninstallQ309521$\dxmasf.dll failed, 00000005. 
11/28/2005 5:25:21 PM 1133220321 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\$NtUninstallQ309521$\lsasrv.dll failed, 00000005. 
11/28/2005 5:25:22 PM 1133220322 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\$NtUninstallQ309521

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:   6:52:27 AM, 11/29/2005
+ Report-Checksum:  A748E33E

+ Scan result:

C:\Documents and Settings\PAM\Cookies\pam@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\PAM\Cookies\pam@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\PAM\Cookies\pam@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup


::Report End
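The code at the end of each avast error line is a Win32 error code in hex, and 00000005 is ERROR_ACCESS_DENIED: the scanner could not open the file. Grouping the failures by directory shows the pattern at a glance (hotfix uninstall backup folders, InstallShield .ilg logs, a few Shockwave and scanner-driver files). The parser below is an added example, not code from the thread or from Alwil; the sample input is an excerpt of the log above, with one constructed line carrying a different error code (00000020, ERROR_SHARING_VIOLATION) so the decoding is exercised. It also rejoins a record that was wrapped after "scanning error:", as one line in the post is.

```python
import re
from collections import Counter

# Added example, not code from the thread or from Alwil/avast. It parses lines in
# the format of the avast error log quoted above, decodes the trailing Win32 error
# code, and groups the failures by directory so the pattern is visible at a glance.

# Win32 error codes that commonly show up as file-scan failures.
WIN32_ERRORS = {
    0x02: "ERROR_FILE_NOT_FOUND",
    0x03: "ERROR_PATH_NOT_FOUND",
    0x05: "ERROR_ACCESS_DENIED",
    0x20: "ERROR_SHARING_VIOLATION",
}

LINE_RE = re.compile(
    r"^(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<epoch>\d+) (?P<host>\S+) (?P<pid>\d+) AAVM - scanning error: "
    r"(?P<func>\w+): avfilesScanReal of (?P<path>.+) failed, (?P<code>[0-9A-Fa-f]{8})\.\s*$"
)


def describe_error(code_hex):
    """Map the 8-digit hex code at the end of a line to its Win32 error name."""
    value = int(code_hex, 16)
    return WIN32_ERRORS.get(value, "unknown Win32 error 0x%X" % value)


def _rejoin_wrapped(lines):
    """Rejoin a record that was wrapped after 'scanning error:' (as one line above was)."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if out and out[-1].endswith("scanning error:"):
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out


def parse_avast_log(text):
    """Return one dict per parsed error record; lines that do not match are skipped."""
    records = []
    for line in _rejoin_wrapped(text.splitlines()):
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["error"] = describe_error(rec["code"])
            records.append(rec)
    return records


def classify_path(path):
    """Rough bucket for where a failure happened, separating the expected from the odd."""
    lowered = path.lower()
    if "\\$ntuninstall" in lowered:
        return "hotfix uninstall backup"
    if lowered.endswith(".ilg"):
        return "InstallShield install log"
    return "other"


def summarize(records):
    """Counts by error name, by parent directory and by path class."""
    return {
        "by_error": Counter(r["error"] for r in records),
        "by_directory": Counter(r["path"].rsplit("\\", 1)[0] for r in records),
        "by_class": Counter(classify_path(r["path"]) for r in records),
    }


# Excerpt of the log quoted above (one record wrapped as it was in the post),
# plus one constructed final line with a different error code.
SAMPLE_LOG = r"""11/27/2005 8:42:17 AM 1133102537 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\$NtUninstallQ309521$\dxmasf.dll failed, 00000005.
11/27/2005 8:42:17 AM 1133102537 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\$NtUninstallQ309521$\lsasrv.dll failed, 00000005.
11/28/2005 4:10:21 AM 1133172621 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Program Files\InstallShield Installation Information\{03AAA1D8-D4CF-48BD-9C66-78B41D80DF06}\setup.ilg failed, 00000005.
11/28/2005 4:10:27 AM 1133172627 VANESSA 1488 AAVM - scanning error:
x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\NetLingo.x32 failed, 00000005.
11/28/2005 4:27:48 AM 1133173668 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\twain_32\BrMfSc03\MF210CU\brTwdFe.dsx failed, 00000005.
11/29/2005 6:00:00 AM 1133265600 VANESSA 1488 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Temp\example.tmp failed, 00000020.
"""


if __name__ == "__main__":
    records = parse_avast_log(SAMPLE_LOG)
    for section, counts in summarize(records).items():
        print(section)
        for key, n in counts.most_common():
            print("  %3d  %s" % (n, key))
```

The point of the by-directory and by-class views is triage: access-denied errors confined to hotfix backup folders and installer logs are a different matter from the same error on a file in a location that has no business being locked, and the summary makes that distinction visible without reading hundreds of near-identical lines.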
Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: Ripley on November 29, 2005, 07:27:04 PM
Here's an updated HJT log too:

Logfile of HijackThis v1.99.1
Scan saved at 7:00:37 AM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {B527A16B-FB12-4049-96E0-C3ABF799D9F6} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
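One thing worth noticing in the HJT log above: the O23 entries for avast! Mail Scanner, avast! Web Scanner and the Brother service are tagged "(file missing)", yet ashMaiSv.exe, ashWebSv.exe and Brmfrmps.exe all appear in the "Running processes" list, and the displayed paths carry a stray `"` before the service argument. A running process means the binary exists, so that tag is not evidence of a missing file. The parser below is an added example, not code from the thread or from the HijackThis project; it cross-checks "(file missing)" services against the process list, and also pulls the executable out of each O4 autorun so that entries with no directory (like `[POINTER] point32.exe`, which Windows resolves via the search path) stand out. The sample input is an excerpt of the log above.

```python
import re

# Added example, not code from the thread or from the HijackThis project. It parses
# a HijackThis 1.99.1 log in the layout shown above, cross-checks every O23 service
# that HijackThis reports as "(file missing)" against the "Running processes" list,
# and extracts the executable behind each O4 autorun so unqualified names stand out.

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# First executable-looking token in a command string (paths may contain spaces).
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|ocx|sys|cpl))", re.IGNORECASE)
RUN_RE = re.compile(r"^(?P<location>.+?): \[(?P<name>[^\]]+)\] (?P<command>.*)$")
STARTUP_RE = re.compile(r"^(?P<location>Global Startup|Startup): (?P<name>.+?\.lnk) = (?P<command>.*)$")


def parse_hjt(text):
    """Split a log into the running-process list and typed entries (R1, O4, O23, ...)."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"type": m.group(1), "body": m.group(2)})
    return {"processes": processes, "entries": entries}


def _exe_from_command(command):
    m = EXE_RE.match(command.strip().lstrip('"'))
    return m.group(1) if m else None


def check_file_missing_services(parsed):
    """For each O23 marked '(file missing)', say whether its binary is in fact running."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in parsed["processes"]}
    findings = []
    for e in parsed["entries"]:
        if e["type"] != "O23" or "(file missing)" not in e["body"]:
            continue
        service, _owner, command = e["body"].split(" - ", 2)
        if service.startswith("Service: "):
            service = service[len("Service: "):]
        command = command.replace("(file missing)", "").strip()
        exe = _exe_from_command(command) or command
        findings.append({
            "service": service,
            "path": exe,
            "running": exe.rsplit("\\", 1)[-1].lower() in running,
            "stray_quote": '"' in command,  # quote left in the displayed path
        })
    return findings


def autoruns(parsed):
    """Executable behind each O4 entry; flag names with no directory (search-path resolved)."""
    items = []
    for e in parsed["entries"]:
        if e["type"] != "O4":
            continue
        m = RUN_RE.match(e["body"]) or STARTUP_RE.match(e["body"])
        if not m:
            continue
        exe = _exe_from_command(m.group("command"))
        items.append({
            "location": m.group("location"),
            "name": m.group("name"),
            "exe": exe,
            "unqualified": bool(exe) and not re.match(r"^([A-Za-z]:\\|\\\\)", exe),
        })
    return items


# Excerpt of the HijackThis log quoted above.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:00:37 AM, on 11/29/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
"""


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    for f in check_file_missing_services(parsed):
        state = "running, binary exists" if f["running"] else "not running, verify on disk"
        print("O23 %-60s %s" % (f["service"], state))
    for a in autoruns(parsed):
        print("O4  %-35s %s%s" % (a["name"], a["exe"], "  [no directory]" if a["unqualified"] else ""))
```

A service whose binary is running cannot be missing, so the three "(file missing)" tags here are a display quirk rather than a finding; the check reports that instead of leaving the reader to wonder. The autorun pass is the complementary habit: an entry that names a bare file with no directory is worth confirming against the process list, which in this log resolves `point32.exe` to the Microsoft Hardware mouse software.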
Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: Die Hard on November 30, 2005, 12:00:42 AM
ripley :)

You're right about this:
Leave the settings in the Rootkit Revealer on default.


Die Hard :)
Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: Ripley on November 30, 2005, 01:26:09 AM
Die Hard,
Did the RootkitRevealer dl and scan with a big fat 0 on the number of discrepancies!!!   :D
But from my reading I suppose we can't completely rule it out?  So should we keep hunting?  :Win73:
In other words, do you recommend we also do a Blacklight scan?
Wasn't excited about the info that the stand-alone was a beta version, and the Blacklight scanner in the Security Pkg is $60.
Is there anything malicious in the logs above?  Those cookies Ewido found were weird...especially that one with "live person" at the end.
Mitch,
Ran outta time for the ZoneAlarm install, but she's still disconnected from the internet.  Plan to do that tomorrow.  Also looking into a hardware firewall...if that's installed, it will work compatibly w/ ZoneAlarm, or is that overkill?
She checked her MS High Priority updates and is current on them.  :)
Spoke to the Management of the online co. and confirmed the Identity Theft rep. is a legit employee there, but no other info could be obtained like IP Address.  He did fax a copy of the order, so date and time of order are known.
Strange though, she got an email confirming her initial (real end-user) order previously and now she says there is another email associated with the second bogus order and it doesn't look like it came from the same place.  It has attachments or embedded graphics, so I have advised her not to open it.  Is there potentially any useful info in this email that might reveal who did this?  If so, would there be a way to safely open it?
Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: Ripley on December 01, 2005, 01:14:59 PM
Still working on getting ZoneAlarm installed/configured.
Is there any other way now to know if this is/was a keylogger?
If it was a keylogger, is he/she still there?
Doing an Ewido scan in safe mode?
Doing an online scan some where since there are Avast errors?
Using another scanner..she has Spybot, Counterspy, SpywareBlaster, and AdAware.

The bogus order that was placed and advised as cancelled actually did hit her bank account yesterday and the funds were w/drawn.   :sos:  Re-contact to the online company says the physical shipment of the order was stopped, but the electronic transfer of funds wasn't.  They are now saying a credit will be issued.  Hope that happens.   :?

Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: SpyDie on December 01, 2005, 09:32:27 PM
Quote from: ripley on December 01, 2005, 01:14:59 PM
Doing an Ewido scan in safe mode?
Doing an online scan some where since there are Avast errors?

Both of those wouldn't hurt at all.

Some online scans:

http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/activescan.asp?Language=2&Country=63&Partner=1&Ref=EN-PR-AS-107

If there were any keyloggers present still, a scan with Avast + Ewido + these online scans would certainly say so.

Let us know the results - post the logs from each.
Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: Ripley on December 01, 2005, 09:52:32 PM
Thnx SpyDie.
On to do more scans... :Win73:
Will post the results.
Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: Ripley on December 04, 2005, 03:32:29 PM
3 more scans were completed.
Panda online scan....nothing detected.
TrendMicro online scan...nothing detected.
Full Ewido scan in safe mode...nothing detected.

And if RootkitRevealer found no discrepancies...then what happened here????

In SpyDie's last post, he said "if a keylogger is still there," does that mean that keyloggers get in the computer and then out again?

If nothing is noted in previous HJT log, then the possibilities for the bogus order are:
#1 Keylogger came in..and is gone?
#2 Someone physically came into the home and generated the order...not possible...security system on the house.
#3 Personal info was stolen from the online vendor at their end...don't even know if that's possible.
#4 Or any other ideas????

Plan to install ZoneAlarm is aborted and instead installing firewall pkg from cable internet service.

Any feedback on what might have generated this bogus order would be great.
Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: SpyDie on December 04, 2005, 03:42:26 PM
Quote from: ripley on December 04, 2005, 03:32:29 PM
And if RootkitRevealer found no discrepancies...then what happened here????

I'm kind of thinking about that myself.
Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: Ripley on December 04, 2005, 03:49:52 PM
With the scans that have been done, and nothing found, does that mean we can rule out keylogger and rootkit?
Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: SpyDie on December 04, 2005, 03:54:10 PM
Quote from: ripley on December 04, 2005, 03:49:52 PM
With the scans that have been done, and nothing found, does that mean we can rule out keylogger and rootkit?

I would say so, although nothing is ever 100% at detecting either one.
Title: Re: Computer Compromised? Keylogger or Rootkit?
Post by: Ripley on December 04, 2005, 04:02:03 PM
This is soooo unsettling!  :x

Then other than adding a better firewall, continuing to scan w/ onboard scanners, changing all passwords, changing bank account numbers, putting credit card cos. on notice...just wait to see if any more identity theft takes place....grrrrrrrr!

I wish there was a way to find out how this happened.