Full Version: AII-Downloader and Very Lince
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Joel
I think I may have been infected with Spyware, but I am not certain. My wife visited a website and our McAfee Enterprise 7.0 brought up an alert indicating that Very Lince and AII-Downloader had been detected in her Local Settings\Temporary Internet Files folder. It indicated that the move failed and the clean failed, and promptly shut down IE. I ran a complete McAfee virus scan, MS AntiSpyware, Spybot, and Ad-Aware SE in both safe mode and regular mode and found nothing. However, I found some strange records in the log:

7/30/2005 1:19:33 PM Deleted C:\Documents and Settings\Tami\Local Settings\Temporary Internet Files\Content.IE5\BGILW1H9\stats2[1].htm\00000023.js Exploit-MhtRedir.gen
7/30/2005 1:19:49 PM Move failed (Clean failed) C:\Documents and Settings\Tami\Local Settings\Temporary Internet Files\Content.IE5\3599C7L5\ActiveX[1].ocx VeryLince
7/30/2005 1:27:42 PM Move failed (Clean failed) C:\Documents and Settings\Tami\Local Settings\Temporary Internet Files\Content.IE5\33TF7HSW\pcs_0003[1].exe\PCS_0003[1].EXE Downloader-AAI
7/30/2005 1:27:43 PM Move failed (Clean failed) C:\Documents and Settings\Tami\Local Settings\Temporary Internet Files\Content.IE5\33TF7HSW\pcs_0003[1].exe\PCS_0003[1].EXE Downloader-AAI
7/30/2005 1:27:44 PM Move failed (Clean failed) DIMENSION\Tami Levinson C:\Documents and Settings\Tami Levinson\Local Settings\Temporary Internet Files\Content.IE5\33TF7HSW\pcs_0003[1].exe\PCS_0003[1].EXE Downloader-AAI
7/30/2005 1:27:45 PM Move failed (Clean failed) C:\Documents and Settings\Tami\Local Settings\Temporary Internet Files\Content.IE5\33TF7HSW\pcs_0003[1].exe\PCS_0003[1].EXE Downloader-AAI
7/30/2005 1:27:46 PM Move failed (Clean failed) C:\Documents and Settings\Tami\Local Settings\Temporary Internet Files\Content.IE5\33TF7HSW\pcs_0003[1].exe\PCS_0003[1].EXE Downloader-AAI
7/30/2005 1:27:47 PM Move failed (Clean failed) C:\Documents and Settings\Tami\Local Settings\Temporary Internet Files\Content.IE5\33TF7HSW\pcs_0003[1].exe\PCS_0003[1].EXE Downloader-AAI

The machine seems to be ok, but I'm concerned that I am infected and just don't know it yet. Can you please take a look at my HJT log and tell me if you see anything suspicious?

Logfile of HijackThis v1.99.1
Scan saved at 10:44:57 AM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Write DVD!\saimon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\TAMILE~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthisv99.1.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/cci/home?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118948631109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Any advice you can give would be appreciated. Thanks.
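A small triage script for the McAfee on-access log lines quoted above (an added example, not code from the original thread or from McAfee). It splits each line into timestamp, action, optional MACHINE\user, path and detection name, flags hits that landed in the IE cache, collapses the repeated one-per-second entries for the same file, and lists the files a failed clean left on disk. The sample is constructed from four of the posted lines; the action words beyond "Deleted" and "Move failed (Clean failed)" are an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: four of the McAfee VirusScan log lines quoted in the post above.
SAMPLE_LOG = r"""
7/30/2005 1:19:33 PM Deleted C:\Documents and Settings\Tami\Local Settings\Temporary Internet Files\Content.IE5\BGILW1H9\stats2[1].htm\00000023.js Exploit-MhtRedir.gen
7/30/2005 1:19:49 PM Move failed (Clean failed) C:\Documents and Settings\Tami\Local Settings\Temporary Internet Files\Content.IE5\3599C7L5\ActiveX[1].ocx VeryLince
7/30/2005 1:27:42 PM Move failed (Clean failed) C:\Documents and Settings\Tami\Local Settings\Temporary Internet Files\Content.IE5\33TF7HSW\pcs_0003[1].exe\PCS_0003[1].EXE Downloader-AAI
7/30/2005 1:27:44 PM Move failed (Clean failed) DIMENSION\Tami Levinson C:\Documents and Settings\Tami Levinson\Local Settings\Temporary Internet Files\Content.IE5\33TF7HSW\pcs_0003[1].exe\PCS_0003[1].EXE Downloader-AAI
"""

# Layout as seen on the page: timestamp, action, optional MACHINE\user, path (may
# contain spaces), detection name (no spaces). Actions other than "Deleted" and
# "Move failed (Clean failed)" are assumed, not taken from the page.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Deleted|Cleaned|Moved|Move failed \(Clean failed\)|Clean failed) "
    r"(?:(?P<user>\S+\\[^:]+?) )?"
    r"(?P<path>[A-Za-z]:\\.+) "
    r"(?P<name>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        # A hit inside the IE cache is a download the scanner caught, not an installed program.
        e["in_browser_cache"] = "temporary internet files" in e["path"].lower()
        # A failed move/clean means access was blocked but the file is still on disk.
        e["left_on_disk"] = "failed" in e["action"]
        entries.append(e)
    return entries

def summarize(entries):
    """Collapse repeats: same name and path is one file being re-blocked, not a new infection."""
    out = defaultdict(lambda: {"actions": Counter(), "files": set()})
    for e in entries:
        out[e["name"]]["actions"][e["action"]] += 1
        out[e["name"]]["files"].add(e["path"].lower())
    return dict(out)

def followup_paths(entries):
    """Paths still on disk after a failed clean/move, i.e. the cache entries to empty by hand."""
    return sorted({e["path"] for e in entries if e["left_on_disk"]})
```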
Mosaic1
It looks like it's ok and if spotted, wasn't allowed to go any further to install.

Download and run Cleanup.

http://home.comcast.net/~sgould4567/softwa...p/download.html

Learn how to use Cleanup:
http://home.comcast.net/~sgould4567/softwa...up/running.html



You are running HijackThis from the zip. That will cause you to lose the backups it creates. Do not do that. Open the zip and right click on hijackthis.exe. Select Copy from the menu.
Create a new folder in My Documents, for example, and then paste hijackthis.exe into it. Right click on an empty spot in that new folder and click Paste on the menu.

Are you having any problems?
Joel
QUOTE (Mosaic1 @ Jul 31 2005, 06:49 PM)
Thank you for looking at the log. I'm not having any visible issues, but the alert from McAfee freaked me out when it indicated that the files could not be moved or cleaned. I went to the McAfee web site and looked at the bulletins for these two issues. McAfee publishes the registry key edits that you should look for to determine if you are infected. I searched the registry and did not find the suspect values so hopefully McAfee kept me safe. Thanks again for checking my log. I also took your advice on HJT and cleanup. You can never be too safe with this stuff.
Mosaic1
You're welcome. I agree. The internet is not a friendly place. Have a look at this article for a few more security tips.



http://www.computercops.biz/postt7736.html