Freckles HJT log #1

Started by Ripley, January 14, 2006, 12:16:10 AM


Ripley

Grrrr...purity scan is back, or something is.  Ewido said local settings/temp file/content/01G1W/!update-319 was cleaned, but then repeat scan with F-Secure A/V detected !update.exe, but couldn't disinfect.

Will check the AdAware log and see what was detected and try the TrendMicro online scan again after that one 016 line is fixed in HJT.

Ripley

More frustration here.  More info might be helpful.
The user profile that AdAware & F-Secure detect purity scan is called Vanessa and is a limited user account.  CCleaner was run 3 times in this profile and in all other profiles. 2 of the 4 profiles were completely removed/deleted tonight.  So there are only 2 profiles.  One administrator and one limited user. 
AdAware saves its logs to Documents & Settings/Application Data folder of the administrator profile. (default location I think)  In that folder, are numerous AdAware logs, last date being 01-15-06, w/ nothing noted as detecting purity scan, in that log, as well as previous logs.  However, numerous AdAware scans have been initiated in this limited user profile since 01-15-06, with scan summary reports detecting purity scan.  In this limited user profile, there is no application data folder with Lavasoft or an AdAware log folder either.
Another AdAware scan was done tonight which detected purity scan in windows/system32/t?skmr.exe and said it could not remove.
I am trying to find a log, but there is no log in the application data folder of the administrator or limited profile that indicates what it found and where that refers to purity scan.
F-Secure A/V alerted again tonight of a trojan downloader win32 purity scan in documents & settings/Vanessa/local settings/temp/!update.exe...but couldn't disinfect. This was after CCleaner removed all temp files.
Fixed 016 object for Trend in HJT and the TrendMicro online scan was able to be started and then halfway thru the scan the computer lost connection to the internet.   :gah:

Still trying to get that accomplished. Will keep trying.

Why can't I find an AdAware log that records detecting purity scan, when at least 4 AdAware scans have taken place since 01-15-06 that indicate in the summary results that purity scan is found.

Checked the F-Secure A/V logs since it was installed on 12-03-05, which detects purity scan in the system volume folder on 12-05-05, and subsequently continues to detect thru today, but not in system volume, but other locations/profiles.

I know you'll be able to figure out what of the above info is helpful and what isn't, but that's as much as I know at this point.

I think the problem with doing the online scans is more related to a low internet connection signal being indicated on this computer thru a recently installed router.  Still working on that part too.

Ripley

Not quite sure what happened w/ TrendMicro online scan, which started and 2 hours later when it looked like it was finishing, a prompt from IE came up concerning an error, don't know what error, and when the user selected don't send report to MS, the whole Trend page went away.
She found this log which I'm posting the beginning and end of, because it's way too long.  It seems the scan wasn't finished, but does this log say why?  Any ideas what is going on here with this computer?

Doing an online Panda scan now, I'm keeping my fingers crossed.

Here's the TrendMicro log:

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
key: [SocketTimeout]

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
value: [120]

---------------------------------------

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
key: [ResumeDownload]

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
value: [1]

---------------------------------------

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
key: [CachePath]

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
value: [C:\Documents and Settings\VANESSA\.housecall\Update]

---------------------------------------

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
key: [RetryCount]

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
value: [3]

---------------------------------------

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
Start TmuGetUpdateInfo()

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
Creating Temp dir [C:\Documents and Settings\VANESSA\.housecall\AU_Temp
\404_3612]

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
Downloading [http://housecall65.trendmicro.com/housecall/activeupdate
/ini_xml.zip] to [C:\Documents and Settings\VANESSA\.housecall\AU_Temp
\404_3612\ini_xml.zip]...

Info: Thu Jan 19 20:59:35 2006 P[404] T[3612]
HttpConnection: Client Error: HTTP 404 Not Found

Info: Thu Jan 19 20:59:35 2006 P[404] T[3612]
TmDownloader: Connection fail when try to open resource

Error: Thu Jan 19 20:59:35 2006 P[404] T[3612]
Downloader returns: 4

Info: Thu Jan 19 20:59:35 2006 P[404] T[3612]
Download ini_xml.zip fail, try plain file.

Info: Thu Jan 19 20:59:35 2006 P[404] T[3612]
Downloading [http://housecall65.trendmicro.com/housecall/activeupdate
/server.ini] to [C:\Documents and Settings\VANESSA\.housecall\AU_Temp
\404_3612\server.ini]...

Info: Thu Jan 19 20:59:39 2006 P[404] T[3612]
HttpConnection: Connect to source success

Info: Thu Jan 19 20:59:39 2006 P[404] T[3612]
Start Download...

Info: Thu Jan 19 20:59:39 2006 P[404] T[3612]
Successfully wrote [11214]B

Info: Thu Jan 19 20:59:40 2006 P[404] T[3612]
TmDownloader: Download Success

Here's the very end of it:
Error: Thu Jan 19 21:00:26 2006 P[3936] T[572]
phaseIniForBackup: fetch item count failed.

Info: Thu Jan 19 21:00:26 2006 P[3936] T[572]
phaseIniForBackup: error quit.

Info: Thu Jan 19 21:00:26 2006 P[3936] T[572]
mergeBackupIni: no backup done.

Info: Thu Jan 19 21:00:26 2006 P[3936] T[572]
Writing result file (C:\Documents and Settings\VANESSA\.housecall\AU_Temp
\404_3612\AuResult.ini), status = 0

Info: Thu Jan 19 21:00:26 2006 P[3936] T[572]
AuPatch end.

Info: Thu Jan 19 21:00:26 2006 P[404] T[3612]
UpdateManager endwith 0 (0): Success

Ripley

Very little progress, but some.
Where AdAware detected but could not remove previously, now detected but said it successfully terminated the process.  Here's the beginning of the AdAware log (found finally) and jumping to the description of the one critical object.  Have the whole log if that is helpful.
Ad-Aware SE Build 1.06r1
Logfile Created on:Friday, January 20, 2006 8:32:54 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R88 20.01.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
PurityScan(TAC index:6):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


1-20-2006 8:32:54 PM - Scan started. (Full System Scan)

#:60 [t?skmgr.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 3980
    ThreadCreationTime : 1-20-2006 10:12:51 PM
    BasePriority       : Normal


PurityScan Object Recognized!
    Type               : Process
    Data               : t?skmgr.exe
    TAC Rating         : 6
    Category           : Malware
    Comment            : (CSI MATCH)
    Object             : C:\WINDOWS\system32\


Warning! PurityScan Object found in memory(C:\WINDOWS\system32\t?skmgr.exe)

"C:\WINDOWS\system32\t?skmgr.exe"Process terminated successfully
"C:\WINDOWS\system32\t?skmgr.exe"Process terminated successfully

Then an F-Secure A/V scan was run and where it detected purity scan before, did not detect this time.

Ran an online Panda scan and here are the results:

Dialer:Dialer.Gen                Not disinfected    C:\WINDOWS\system32\Adult_Party-uninstall.exe
Adware:Adware/PurityScan         Not disinfected    C:\WINDOWS\system32\j?vaw.exe
Adware:adware/swimsuitnetwork    Not disinfected    C:\WINDOWS\system32\MYDLL.dll
Adware:Adware/PurityScan         Not disinfected    C:\WINDOWS\system32\m?hta.exe
Adware:Adware/PurityScan         Not disinfected    C:\WINDOWS\system32\t?skmgr.exe

Right after Panda, went into TaskManager and terminated the process of the taskmgr.exe that had the highest mem usage. Then another online TrendMicro scan was started and before finishing the prompt/error from IE came up and couldn't be finished.

Not quite sure what to keep trying.  Is there another online scan that isn't TrendMicro that does more than detect?
Ewido in safe mode again?

Of the 5 creepos that Panda points out, the first 2 are visible to the user, but the last 3 couldn't be seen.

                                                                             :titanic:

Eric the Red

ripley,

Quote: Not quite sure what to keep trying.  Is there another online scan that isn't TrendMicro that does more than detect?

I would suggest F-Secure online scan

Please note the advice on that page:

Quote: F-Secure Online Scanner is able to remove viruses but it cannot disinfect Worms, Trojans, Backdoors, etc since there is nothing to disinfect. This type of malware needs to be removed manually from the hard drive.

"The time to start running is around about the "e" in "Hey, you!" "

GR@PH;<'S

ripley,,
Just to add you will need to use IE5 or higher
Quote: Supported web browsers:

    * Microsoft Internet Explorer 5.0 or higher.
    * JavaScript needs to be enabled.
    * You need to have ActiveX enabled.

      You may enable ActiveX and JavaScript from
      Tools->Internet Options->Security->Custom Level

      Notice: If JavaScript and ActiveX were disabled for security reasons, please remember to restore your original settings after scanning.

GR@PH;<'S   :breakkie:
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least.

Ripley

Quote from: Eric the Red on January 22, 2006, 11:15:06 PM

I would suggest F-Secure online scan

Please note the advice on that page:

Quote: F-Secure Online Scanner is able to remove viruses but it cannot disinfect Worms, Trojans, Backdoors, etc since there is nothing to disinfect. This type of malware needs to be removed manually from the hard drive.


EtR,
Light bulb with that last quote  :idea:  So if the scanner can't remove or disinfect, we at least have a road map to manually delete.  It's just that these baddies are in the Windows and Windows32 folders and it would be easier if the scanning product would "just fix it."  Makes us nervous to do anything in there.
There was some really helpful info/links on the F-Secure online scan page at the bottom concerning malware that couldn't be removed with the scanner.

In the meantime after futtzing with this wireless network connection, a TrendMicro WAS completed and "cleaned" a bunch and recommended scanning again, so a follow up one is happening now.  This is what was found:
PAR_SE.3263
ADW_SE.10340   
TRAK_SE.10419
TRAK_SE.77236
BHO_SE.57551
ADW_SE.73748
ADW_SE.73752
               73753
               73754
               73755
               73756
               73757
               73758
               73762
               55205
TRAK_SE.77235

So I have my fingers crossed this scan is able to finish and a report is produced that makes more sense than the one above.  :uhm:

Quote from: GR@PH;<'S on January 22, 2006, 11:28:18 PM
ripley,,
Just to add you will need to use IE5 or higher

Thnx GR@PH;<'S, she's got IE6, and I warned her about the Active-X issues too. 

Ripley

The second TrendMicro scan (right after the first) came back clean.
Another AdAware scan was run and this one critical object is noted:

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
PurityScan(TAC index:6):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:52 [t?skmgr.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 600
    ThreadCreationTime : 1-23-2006 1:20:02 AM
    BasePriority       : Normal


PurityScan Object Recognized!
    Type               : Process
    Data               : t?skmgr.exe
    TAC Rating         : 6
    Category           : Malware
    Comment            : (CSI MATCH)
    Object             : C:\WINDOWS\system32\


Warning! PurityScan Object found in memory(C:\WINDOWS\system32\t?skmgr.exe)

"C:\WINDOWS\system32\t?skmgr.exe"Process terminated successfully
"C:\WINDOWS\system32\t?skmgr.exe"Process terminated successfully

Same entry in the AdAware log 2 days ago.

Of the 5 creepos that Panda detected, before the Trend scans, the same 2 files that were visible to the user are still there but there is no .exe at the end.

Will delete those 2 files, but still don't know if there is more to be done to make sure it's gone.


Die Hard

ripley :)

There seems to be something left in the system that wont be easily deleted since this Purity Scan object returns all the time.

I want you to do this for us.

1. Download "BlackLight" from F-Secure:
http://www.f-secure.com/blacklight/
Put it in a folder of its own and double-click the "blbeta.exe" and then "scan".
When the scan has finished a log is produced in the same folder labelled something like: "fsbl-20060123xxxxx.log" (Date and a number)
Copy that log  and post it here and lets have a look.

2. Download "datFind" from here:  http://virus-protect.net/bat/datFind.bat
Put it on the desktop, double-click the "datfind.bat" and hit any key to produce the first log. Minimize that log and hit any key again to produce the next one and repeat until four logs are created. Copy the contents (by date) from the last 2 months of each log and post it here.
Note: Should the logs not be found in the taskbar, they are stored directly under C:\ as "System.txt", "System32.txt" "Windows.txt" and "Temp.txt"

Regards

Die Hard :)
I create and edit my posts in GS-NOTES

Ripley

Die Hard  :)
Thanks for looking this over and the suggestions.  :flowers:
We'll proceed as recommended.
Be back soon.

ripley

Ripley

Die Hard,

Deleted those 2 files that Panda detected and user could find:
Dialer:Dialer.Gen                Not disinfected    C:\WINDOWS\system32\Adult_Party-uninstall
Adware:adware program            Not disinfected    C:\WINDOWS\ss3unstl

Ran the datFind.bat and created 4 logs which I'm posting.  You said go back 2 mos on each log...but I looked them over before posting.  Man, your eyes must go batty looking at these logs.  :shock:
And I noticed that 3 of the 4 files that Panda detected, but the user couldn't find, date back almost 4 mos to the end of Sept. 2005, so I'm posting all 4 of the logs to that date, so you could see these files.
Had the user go into the Windows/system32 folder again right after, and these 3 files, according to the user, are not there.
That 4th file Panda detected:
Adware:adware/swimsuitnetwork    Not disinfected    C:\WINDOWS\system32\MYDLL.dll

I did find in the system32 log, but WAY back dated 11-01.  Here's the single entry, cause there were 2109 files listed here total, according to the summary at the end.

11/20/2001  01:36 PM         1,462,353 MYDLL.dll

One more thing, the temp.txt log that was produced/posted here was not from the profile that typically triggered the alerts from the on board F-Secure A/V and the profile that AdAware was run in when the last 2 AdAware logs were posted above.
Should we run that datFind.bat in the one other profile? If so, can we run the one that's already downloaded or dl again?

Have downloaded the F-Secure Blacklight but no time to run the scan yet.  Probably tomorrow PM.

Lastly, during this process F-Secure A/V alerted the user of detecting and successfully (???) removing purity scan.  At least we are getting detections.  :|

Here's the dat batty logs:

Volume in drive C has no label.
Volume Serial Number is 304E-C1B1

Directory of C:\WINDOWS

01/23/2006  04:50 PM               363 wiadebug.log
01/23/2006  03:27 PM                 0 0.log
01/23/2006  03:27 PM         2,018,454 WindowsUpdate.log
01/23/2006  03:27 PM                49 wiaservc.log
01/23/2006  03:26 PM             2,048 bootstat.dat
01/22/2006  09:11 PM            54,156 QTFont.qfn
01/22/2006  03:12 PM            73,499 setupapi.log
01/22/2006  01:12 PM            32,618 SchedLgU.Txt
01/22/2006  12:37 PM               382 setupact.log
01/22/2006  11:51 AM                 0 wplog.txt
01/22/2006  11:14 AM                 0 setuperr.log
01/22/2006  10:51 AM               227 system.ini
01/22/2006  10:43 AM               617 win.ini
01/21/2006  07:01 PM               461 nsw.log
01/21/2006  10:09 AM             1,409 QTFont.for
01/17/2006  07:34 PM               227 system.BAK
12/26/2005  07:38 PM               602 wininit.ini
12/18/2005  09:11 AM         2,359,350 wallpaper.bmp
12/08/2005  07:01 PM                32 pavsig.txt
12/04/2005  09:40 AM           118,784 bwUnin-6.3.2.62-3528733L.exe
12/01/2005  08:32 PM               679 TSC.ini
12/01/2005  08:32 PM                 4 RM_RESULT.DAT
12/01/2005  07:15 PM               170 GetServer.ini
12/01/2005  07:12 PM         1,142,784 TMUPDATE.DLL
12/01/2005  07:12 PM            69,689 UNZIP.DLL
12/01/2005  07:12 PM           208,896 PATCH.EXE
11/30/2005  01:02 PM        16,642,295 VPTNFILE.979
11/30/2005  01:02 PM        16,642,295 lpt$vpn.979
11/29/2005  09:22 PM         2,459,627 tsc.ptn
11/23/2005  05:35 PM             2,168 eReg.dat
11/16/2005  07:22 PM                30 POTATO.INI
11/16/2005  04:08 PM               588 SIERRA.INI
11/16/2005  04:06 PM               338 KA.INI
11/09/2005  12:40 AM            47,098 TMVAmain.ptn
11/09/2005  12:35 AM           181,880 TMVAINFO.xml
10/02/2005  12:12 AM         3,386,984 tmadce.ptn
09/13/2005  03:03 PM               994 hegames.ini


Volume in drive C has no label.
Volume Serial Number is 304E-C1B1

Directory of C:\

01/23/2006  05:03 PM                 0 sys.txt
01/23/2006  05:03 PM            10,795 system.txt
01/23/2006  05:03 PM             3,895 systemtemp.txt
01/23/2006  05:02 PM           109,357 system32.txt
01/23/2006  03:26 PM       266,850,304 hiberfil.sys
01/23/2006  03:26 PM       402,653,184 pagefile.sys
01/17/2006  07:34 PM               211 boot.ini
08/13/2005  01:19 PM             1,213 ImgData.ini


Volume in drive C has no label.
Volume Serial Number is 304E-C1B1

Directory of C:\WINDOWS\system32

01/22/2006  01:40 PM             6,675 jupdate-1.5.0_06-b05.log
01/22/2006  11:05 AM           369,688 FNTCACHE.DAT
01/22/2006  07:38 AM             2,550 Uninstall.ico
01/22/2006  07:38 AM             1,406 Help.ico
01/22/2006  07:38 AM            30,590 pavas.ico
01/21/2006  06:54 PM           311,934 perfh009.dat
01/21/2006  06:54 PM            40,196 perfc009.dat
01/21/2006  06:54 PM           355,944 PerfStringBackup.INI
01/16/2006  08:04 PM                 0 Biport
01/12/2006  08:12 PM             1,158 wpa.dbl
01/08/2006  11:28 AM             2,577 CONFIG.NT
01/04/2006  09:41 PM         2,827,616 MRT.exe
12/28/2005  08:54 PM           280,064 gdi32.dll
12/28/2005  06:16 PM         1,155,072 winsflt.dll
12/20/2005  06:21 AM           481,280 aswBoot.exe
12/02/2005  07:12 PM             1,718 Open.ico
12/02/2005  07:12 PM             5,350 IE.ico
12/02/2005  07:12 PM             1,718 Quick.ico
12/02/2005  07:24 AM            90,112 AVASTSS.scr
12/01/2005  08:41 PM                 0 asfiles.txt
11/30/2005  09:59 PM         1,492,480 shdocvw.dll
11/23/2005  07:06 PM         3,015,680 mshtml.dll
11/23/2005  07:06 PM         1,022,464 browseui.dll
11/10/2005  01:03 PM           127,078 javaws.exe
11/10/2005  01:03 PM            49,265 jpicpl32.cpl
11/10/2005  11:27 AM            49,250 javaw.exe
11/10/2005  11:27 AM            49,248 java.exe
11/04/2005  09:16 PM           609,280 urlmon.dll
11/04/2005  09:16 PM         1,054,208 danim.dll
10/20/2005  09:39 PM           658,432 wininet.dll
10/20/2005  09:39 PM           473,600 shlwapi.dll
10/20/2005  09:39 PM            39,424 pngfilt.dll
10/20/2005  09:39 PM           530,944 mstime.dll
10/20/2005  09:39 PM           448,512 mshtmled.dll
10/20/2005  09:39 PM           146,432 msrating.dll
10/20/2005  09:39 PM           251,392 iepeers.dll
10/20/2005  09:39 PM            96,256 inseng.dll
10/20/2005  09:39 PM           205,312 dxtrans.dll
10/20/2005  09:39 PM            55,808 extmgr.dll
10/20/2005  09:39 PM           151,040 cdfview.dll
10/20/2005  04:20 PM         1,082,368 esent.dll
10/17/2005  03:14 PM           118,272 t2embed.dll
10/17/2005  03:14 PM            80,896 fontsub.dll
10/12/2005  05:12 PM            14,048 spmsg.dll
10/05/2005  06:05 PM         1,839,488 win32k.sys
09/29/2005  07:33 AM           401,408 t?skmgr.exe
09/29/2005  07:29 AM           401,408 j?vaw.exe
09/29/2005  07:29 AM           401,408 m?hta.exe
09/22/2005  09:05 PM         8,450,560 shell32.dll


Volume in drive C has no label.
Volume Serial Number is 304E-C1B1

Directory of C:\DOCUME~1\PAM\LOCALS~1\Temp

01/23/2006  05:00 PM               351 jusched.log
01/23/2006  04:51 PM            32,768 ~DF3AFD.tmp
01/23/2006  04:51 PM            16,384 ~DFC7BF.tmp
01/23/2006  04:50 PM            49,152 ~DF7E99.tmp
01/22/2006  03:47 PM             2,460 java_install_reg.log
01/22/2006  01:40 PM            23,568 java_install.log
01/22/2006  01:36 PM               884 jinstall.cfg
01/22/2006  01:17 PM            32,768 ~DFC528.tmp
01/22/2006  01:16 PM            16,384 ~DFFA4D.tmp
01/22/2006  01:15 PM            49,152 ~DFB09C.tmp
01/22/2006  01:14 PM            32,768 ~DF8CB1.tmp
01/22/2006  01:14 PM            16,384 ~DF6C9E.tmp
01/22/2006  11:35 AM            32,768 ~DF9874.tmp
01/22/2006  11:35 AM            16,384 ~DF2495.tmp
01/22/2006  11:33 AM            49,152 ~DFD901.tmp
01/22/2006  11:31 AM            32,768 ~DF9714.tmp
01/22/2006  11:31 AM            16,384 ~DFAC75.tmp
01/22/2006  11:25 AM            32,768 ~DF6608.tmp
01/22/2006  11:25 AM            16,384 ~DFB277.tmp
01/22/2006  11:23 AM            49,152 ~DF4D1A.tmp
01/22/2006  11:22 AM            32,768 ~DFBD36.tmp
01/22/2006  11:22 AM            16,384 ~DFA897.tmp
01/22/2006  11:12 AM            32,768 ~DF3D76.tmp
01/22/2006  11:10 AM            16,384 ~DF9C9D.tmp
01/22/2006  11:09 AM            49,152 ~DF163B.tmp
01/22/2006  11:07 AM            32,768 ~DF7EC3.tmp
01/22/2006  11:06 AM            16,384 ~DF18BA.tmp
01/21/2006  06:32 PM            32,768 ~DF1029.tmp
01/21/2006  06:30 PM            16,384 ~DFB112.tmp
01/21/2006  06:29 PM            49,152 ~DF6640.tmp
01/21/2006  06:14 PM            32,768 ~DF776.tmp
01/21/2006  06:13 PM            16,384 ~DFC715.tmp
01/21/2006  06:12 PM            49,152 ~DFE40.tmp
01/21/2006  05:58 PM            32,768 ~DF14F5.tmp
01/21/2006  05:57 PM            16,384 ~DF8506.tmp
01/21/2006  05:56 PM            49,152 ~DF2AA4.tmp
01/20/2006  04:06 PM            32,768 ~DF8399.tmp
01/20/2006  04:05 PM            16,384 ~DF73C7.tmp
01/20/2006  04:05 PM            49,152 ~DF1119.tmp
01/19/2006  07:26 PM            32,768 ~DFE64D.tmp
01/19/2006  07:25 PM            16,384 ~DF4708.tmp
01/19/2006  07:25 PM            49,152 ~DFCA32.tmp
01/19/2006  05:05 PM            16,384 ~DFF4AF.tmp
01/19/2006  05:02 PM            49,152 ~DF8F3E.tmp
01/17/2006  06:23 PM            49,152 ~DF1CDD.tmp
01/17/2006  06:22 PM            32,768 ~DFA3D1.tmp
01/17/2006  06:21 PM            16,384 ~DF6BED.tmp
01/17/2006  04:55 PM            49,152 ~DF4865.tmp
01/17/2006  04:53 PM            32,768 ~DF59A4.tmp
01/17/2006  04:53 PM            16,384 ~DF3E3C.tmp
12/27/2005  04:58 PM            24,576 IadHide4.dll
12/01/2005  08:24 PM             8,928 hcScan.html
10/11/2005  05:24 PM           559,784 gtb2k1033.exe
09/12/2005  01:52 PM           381,480 msgr7us.exe

Thanks so much for taking the time on this!

ripley  :)




Die Hard

ripley  :)


Quote: Should we run that datFind.bat in the one other profile? If so, can we run the one that's already downloaded or dl again?

It's such a small file, the simplest way is to dl it again from the account you want to scan.

Here are three files you need to remove. Note the question-mark, it's a "wildcard" so if you make a search for the files you will get a hit for files with a letter where the "?" is, for instance, searching for m?hta.exe will bring up hits for mshta.exe. Be careful and check the length of the files, they are all 401,408 bytes.

09/29/2005  07:33 AM           401,408 C:\WINDOWS\system32\t?skmgr.exe
09/29/2005  07:29 AM           401,408 C:\WINDOWS\system32\j?vaw.exe
09/29/2005  07:29 AM           401,408 C:\WINDOWS\system32\m?hta.exe


Also look for the files Panda detected and remove them as well at the same time.

About being paranoid, you are completely entitled to be. When hit by rootkits the authorities in the field (the ones I listen to unconditionally :)  ) say; "if you store or share delicate information on the system, the only safe way to clean it is a reformat and reinstall."
The nature of rootkits is that they should be hidden and their tasks are also designed to be hidden.

Let's see what the Blacklight scan shows.

Die Hard :)

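Die Hard's point about the "?" wildcard and the byte count is easy to get wrong by hand, and the search results later in the thread show why: a search for m?hta.exe also returns the real mshta.exe. The following is an added example, not code from the thread or from any of the tools named in it. It parses a datFind-style `dir` listing and flags a file when its name is one character off a legitimate Windows binary name, or when its size is exactly 401,408 bytes. The listing lines are constructed from the system32.txt excerpt posted above; the thread never shows the actual character hidden behind the "?", so "x" stands in as a placeholder, and the legitimate-name table (taskmgr.exe, javaw.exe, mshta.exe) is an assumption made for the example.

```python
"""
Added example (not from the thread): parse a datFind-style `dir` listing and
flag look-alike binaries by name distance and by the 401,408-byte size that
Die Hard pointed out. Nothing here deletes anything; it only reports.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the format datFind.bat emits. The three 401,408-byte
# names use "x" as a placeholder for the unknown character behind the "?".
SAMPLE_LISTING = """\
 Directory of C:\\WINDOWS\\system32

11/10/2005  11:27 AM            49,250 javaw.exe
10/05/2005  06:05 PM         1,839,488 win32k.sys
09/29/2005  07:33 AM           401,408 txskmgr.exe
09/29/2005  07:29 AM           401,408 jxvaw.exe
09/29/2005  07:29 AM           401,408 mxhta.exe
09/22/2005  09:05 PM         8,450,560 shell32.dll
"""

# date  time  size  name  (header, blank, <DIR> and summary lines do not match)
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S.*)$"
)

# Assumption: the standard names the suspicious files imitate. mshta.exe is
# named in the thread; taskmgr.exe and javaw.exe are the obvious originals.
LEGIT_NAMES = {"taskmgr.exe", "javaw.exe", "mshta.exe"}
SUSPECT_SIZE = 401_408  # byte size of all three files Die Hard listed


@dataclass(frozen=True)
class Entry:
    date: str
    time: str
    size: int
    name: str


def parse_listing(text: str) -> list[Entry]:
    """Turn `dir` output lines into Entry records; skip everything else."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        size = int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["name"]))
    return entries


def one_char_off(a: str, b: str) -> bool:
    """True when a and b have equal length and differ in exactly one position,
    which is what the "?" wildcard in the thread stands for. An exact match
    (the real mshta.exe) differs in zero positions and is therefore not flagged."""
    a, b = a.lower(), b.lower()
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def mimicked_name(name: str) -> str | None:
    """Return the legitimate name this file name imitates, or None."""
    for legit in LEGIT_NAMES:
        if one_char_off(name, legit):
            return legit
    return None


def find_suspects(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Report (entry, reason) for look-alike names or the 401,408-byte size."""
    out: list[tuple[Entry, str]] = []
    for e in entries:
        legit = mimicked_name(e.name)
        if legit:
            out.append((e, f"name is one character off {legit}"))
        elif e.size == SUSPECT_SIZE:
            out.append((e, f"size {e.size:,} matches the PurityScan files"))
    return out


if __name__ == "__main__":
    for entry, reason in find_suspects(parse_listing(SAMPLE_LISTING)):
        print(f"{entry.date} {entry.time} {entry.size:>10,} {entry.name}  <- {reason}")
```

Run against the real system32.txt, the output is the short list to act on: the legitimate javaw.exe (49,250 bytes) is not reported because its name matches exactly, which is the distinction the manual search in the thread had trouble making.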

Ripley

OK, searching for Panda detection files  :Win73: and getting that Blacklight scan done.
Fingers crossed there isn't a rootkit here.

ripley

Ripley

Die Hard  :)

Before anything, Freckles ran CCleaner in both of the 2 profiles.  Then re-booted.

She then did a search on the 4 remaining files that Panda detected.
She searched in "files & folders"
using the file name and .exe at the end.

Multiple instances of these files were found, but none of them had the corresponding bytes as recorded w/ datFind log...so none were deleted.

Here they are individually.

m?hta.exe

Found here:
29 KB  c/windows/system32
24 KB  c/windows/$NTservicepackuninstaller$
29 KB  c/windows/servicepackfiles/i386
30 KB  c/program files/compact/works 6.0/redist/IE5/Iemil_2.cab
30 KB  c/program files/compact/works 6.0/redist/IE5/Iew2k_1.cab
(Since we are looking for an instance of 401,408 bytes, didn't in system32, we left alone.)

t?skmgr.exe

Found here:
126 KB  c/windows/$NTservicepackuninstall$
133 KB  c/windows/system32
133 KB  c/windows/servicepackfiles/i386
(Since we are looking for 401,408 bytes in system32, we left it alone)

j?vaw.exe

Found here:
49 KB  c/windows/system32
49 KB  c/programfiles/java/jre.1.5.0_06/bin
49 KB  bin (no pathway given)
(Once again no 401,408 so it's still there)

MYDLL.dll

Found here only:
1,429 KB  c/windows/system32
(Looking for one with 1,462,353...once again left there.)

Ran the Blacklight scan in both profiles and it indicated no hidden files.
Here's the logs of both:

01/24/06 16:51:06 [Info]: BlackLight Engine 1.0.30 initialized
01/24/06 16:51:06 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/24/06 16:51:07 [Note]: 7019 4
01/24/06 16:51:07 [Note]: 7005 0
01/24/06 16:51:44 [Note]: 7006 0
01/24/06 16:51:44 [Note]: 7011 368
01/24/06 16:51:45 [Note]: FSRAW library version 1.7.1014
01/24/06 16:54:03 [Note]: 7007 0


01/24/06 17:03:38 [Info]: BlackLight Engine 1.0.30 initialized
01/24/06 17:03:38 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/24/06 17:03:39 [Note]: 7019 4
01/24/06 17:03:39 [Note]: 7005 0
01/24/06 17:03:46 [Note]: 7006 0
01/24/06 17:03:46 [Note]: 7011 2352
01/24/06 17:03:50 [Note]: FSRAW library version 1.7.1014
01/24/06 17:05:36 [Note]: 7007 0

Maybe 45 minutes since running CCleaner & re-booting and starting this whole process, and F-Secure A/V alerts purityscan detected in temp internet files/!update.
Went there and there was also a clickspring one.
Ran CCleaner again.

Doing another Ewido scan in safe mode right now.  Were there any of those 4 files above that we can safely delete?

So if Blacklight says no hidden files then why can't we find the same named files with the same number of bytes that datFind does?  Or did we, and we just interpreted the numbers incorrectly.

Anyone need a good boat anchor???!!!

I know you'll come up with a reasonable path here.  Should we try the F-Secure online scan or just take the computer out back to the lake?

Ripley

Another added note after the last post 1 hour ago or so, Ewido in safe mode came back clean.  We haven't deleted anything or done anything different.
AdAware in safe mode came back clean.  And we still haven't deleted anything or done anything different.
Trying AdAware in normal mode now.
Arghhhh.  For some reason, I just think it's still there.
Maybe this user needs a fox... :firefox:
Or heading out to the lake...or the auction... :beg:

We'll take any suggestions.