Full Version: Modul32
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Adius
Hi,

For some time now (about 2-3 weeks), I have had a program in my temp folder that has been duplicating and renaming itself. Each time it has tried to contact the internet, my firewall has stopped it; then I delete it from the temp folder. At the minute this program is called "60ex3.modul32". Although it hasn't caused any severe problems, it is an inconvenience that it often tries to contact the internet, which forces whatever program I am running at the time to be minimised. As for this program, I have tried many different anti-virus programs, and none are recognising it as a threat.

Logfile of HijackThis v1.99.1
Scan saved at 03:37:32, on 03/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Aston\aston.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Andy Stiles\My Documents\mplayerc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
F2 - REG:system.ini: Shell=C:\Aston\aston.exe ,svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC 300NC PC Camera
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)

Thanks for your time,

Adius.
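As an added example (not code from the thread or from any of the tools named in it), a small Python triage script for HijackThis logs: it parses O4 Run-key lines and O23 service lines and flags a core Windows binary name launched from outside system32 (the [.nvsvc] smss.exe entry above, which Ewido later reports as Trojan.Small) and services whose binary is reported missing. The sample lines are copied from the log above; the Kaspersky service is flagged as well, which shows why each candidate still has to be checked by hand against the running-process list.

```python
import re
from typing import List, NamedTuple

# Core Windows binaries that legitimately run only from %SystemRoot%\system32.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)
"""

# "O4 - HKLM\..\Run: [name] command" and "O23 - Service: name - owner - target"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<target>.+)$")


class Finding(NamedTuple):
    kind: str    # "O4" or "O23"
    label: str   # Run value name or service name
    path: str    # executable path (or the raw O23 target)
    reason: str


def command_path(cmd: str) -> str:
    """Return the executable path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log: str) -> List[Finding]:
    """Flag core-binary names outside system32 and services with a missing file."""
    findings: List[Finding] = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            path = command_path(m.group("cmd"))
            folder, _, name = path.rpartition("\\")
            if name.lower() in CORE_BINARIES and folder.lower() != SYSTEM32:
                findings.append(Finding("O4", m.group("name"), path,
                                        f"{name} launched from outside system32"))
            continue
        m = O23_RE.match(line)
        if m and m.group("target").endswith("(file missing)"):
            findings.append(Finding("O23", m.group("svc"), m.group("target"),
                                    "service entry points at a missing binary"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} [{f.label}] {f.path}: {f.reason}")
```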
LoPhatPhuud
First:
Download and install Trojan Hunter trial from here: http://www.misec.net/trojanhunter/

Be sure to update the definitions first, following the instructions for manual updating at the bottom of the above web page.

Once installed and updated, do a full system scan and remove all that is found.


Second:
Download the latest version of Ewido.

http://www.ewido.net/en/download/

Install it and reboot your computer.

Open Ewido.

1. Click the Update Now line.
2. After the update is completed click the "Scanner" button on the top line.
3. Click the "Complete System Scan" line to begin the scan.
4. When the scan is complete, click the "Save Report" button to save the report.
5. Click the "Scanner" button on the top to return to the results.
6. Click the "Set All Elements to" Recommended Action.
7. Click the "Apply all actions" button.
8. Click on the "Reports" Icon at the top.
9. Click on the report that was generated today to see the results on the right side.
10. Highlight the results on the right side and copy and paste them into your reply.


Last:
Run HijackThis again and post a new log in this thread.
Adius
Hi,

OK, here is the report from Ewido, and the new HijackThis log...

Created at: 15:13:03 03/07/2006

+ Scan result:



HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer -> Adware.Screensavers : No action taken.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1 -> Adware.Screensavers : No action taken.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID -> Adware.Screensavers : No action taken.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer -> Adware.Screensavers : No action taken.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller -> Adware.Screensavers : No action taken.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1 -> Adware.Screensavers : No action taken.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID -> Adware.Screensavers : No action taken.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer -> Adware.Screensavers : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller -> Adware.Screensavers : No action taken.
C:\RECYCLER\S-1-5-21-520344267-1837775230-3314694505-1006\Dc42.exe -> Proxy.Horst.be : No action taken.
C:\RECYCLER\S-1-5-21-520344267-1837775230-3314694505-1006\Dc43.exe -> Proxy.Horst.be : No action taken.
C:\RECYCLER\S-1-5-21-520344267-1837775230-3314694505-1006\Dc46.exe -> Proxy.Horst.be : No action taken.
C:\RECYCLER\S-1-5-21-520344267-1837775230-3314694505-1006\Dc47.exe -> Proxy.Horst.be : No action taken.
C:\RECYCLER\S-1-5-21-520344267-1837775230-3314694505-1006\Dc50.exe -> Proxy.Horst.be : No action taken.
C:\RECYCLER\S-1-5-21-520344267-1837775230-3314694505-1006\Dc52.exe -> Proxy.Horst.be : No action taken.
C:\RECYCLER\S-1-5-21-520344267-1837775230-3314694505-1006\Dc53.exe -> Proxy.Horst.be : No action taken.
:mozilla.6:C:\Documents and Settings\Andy Stiles\Application Data\Mozilla\Firefox\Profiles\5ou91fys.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Andy Stiles\Cookies\andy_stiles@adrevolver[1].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\Andy Stiles\Cookies\andy_stiles@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
:mozilla.20:C:\Documents and Settings\Andy Stiles\Application Data\Mozilla\Firefox\Profiles\5ou91fys.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.21:C:\Documents and Settings\Andy Stiles\Application Data\Mozilla\Firefox\Profiles\5ou91fys.default\cookies.txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Andy Stiles\Cookies\andy_stiles@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Andy Stiles\Cookies\andy_stiles@e-2dj6wgkoqldjafp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Andy Stiles\Cookies\andy_stiles@e-2dj6wjmisiajmbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Andy Stiles\Cookies\andy_stiles@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Andy Stiles\Cookies\andy_stiles@as-eu.falkag[2].txt -> TrackingCookie.Falkag : No action taken.
:mozilla.56:C:\Documents and Settings\Andy Stiles\Application Data\Mozilla\Firefox\Profiles\5ou91fys.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.57:C:\Documents and Settings\Andy Stiles\Application Data\Mozilla\Firefox\Profiles\5ou91fys.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.58:C:\Documents and Settings\Andy Stiles\Application Data\Mozilla\Firefox\Profiles\5ou91fys.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.59:C:\Documents and Settings\Andy Stiles\Application Data\Mozilla\Firefox\Profiles\5ou91fys.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\Andy Stiles\Cookies\andy_stiles@ads1.revenue[1].txt -> TrackingCookie.Revenue : No action taken.
C:\Documents and Settings\Andy Stiles\Cookies\andy_stiles@revenue[2].txt -> TrackingCookie.Revenue : No action taken.
:mozilla.61:C:\Documents and Settings\Andy Stiles\Application Data\Mozilla\Firefox\Profiles\5ou91fys.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.62:C:\Documents and Settings\Andy Stiles\Application Data\Mozilla\Firefox\Profiles\5ou91fys.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.63:C:\Documents and Settings\Andy Stiles\Application Data\Mozilla\Firefox\Profiles\5ou91fys.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.64:C:\Documents and Settings\Andy Stiles\Application Data\Mozilla\Firefox\Profiles\5ou91fys.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Andy Stiles\Cookies\andy_stiles@serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.73:C:\Documents and Settings\Andy Stiles\Application Data\Mozilla\Firefox\Profiles\5ou91fys.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Andy Stiles\Cookies\andy_stiles@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Andy Stiles\Cookies\andy_stiles@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Program Files\Common Files\Microsoft Shared\MSWNInfo\mscw32.exe -> Trojan.Delf.DM : No action taken.
C:\WINDOWS\system\smss.exe -> Trojan.Small : No action taken.
[616] VM_00400000 -> Trojan.Small : No action taken.


::Report end

And the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 20:28:57, on 03/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Aston\aston.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
F2 - REG:system.ini: Shell=C:\Aston\aston.exe ,svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC 300NC PC Camera
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

Thanks,

Adius
LoPhatPhuud
OK, Trojan Hunter should have caught the module32 file. Also, Ewido should have removed the items it found but it looks like it just scanned. Did you bypass removal?


Now for the remaining items that need attention.


First:
Messenger Plus! 3 (and its predecessors) are a source of malware and will eventually compromise your system, if it has not already.

I strongly suggest that you remove Messenger Plus. Here's a page with instructions for proper removal of Messenger Plus and its sponsor.

http://chooseknowledge.com/How-to-uninstal...senger-Plus.htm



Second:
You have three anti-virus programs providing real-time protection. Pick one to keep and remove the others. Running more than one AV with real-time protection will lead to system slowdown and possible corruption. If you prefer, you can disable the real-time element in two and just leave one active.
Adius
Hi,

OK, I have uninstalled Messenger Plus 3, and I have updated TrojanHunter again; it said it was already up to date, so I scanned the individual file and here's what I got:

>Scanning file C:\Documents and Settings\User\Local Settings\Temp\85ex3.modul32.exe
No trojan files found

So it looks like this thing is here to stay. And about Ewido, I had it do the recommended actions; some were deleted whereas others were quarantined.

Thanks for the help. I'll just have to live with it from now on, or reformat my hard drive.

Thanks,

Adius.
LoPhatPhuud
Not if it can be helped!!!

Please download RootKitRevealer from here:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.
Adius
Hi,

Here's the report:

HKLM\S-1-5-21-520344267-1837775230-3314694505-1006\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell\MinPos1024x768(1).x 28/06/2006 23:21 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-520344267-1837775230-3314694505-1006\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell\MinPos1024x768(1).y 28/06/2006 23:21 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\webcal\URL Protocol 13/12/2005 22:33 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 04/07/2006 00:44 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\OfflineDetectionPending 04/07/2006 00:44 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s0 17/05/2006 20:28 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s1 17/05/2006 20:28 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s2 17/05/2006 20:28 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\g0 17/05/2006 20:28 32 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\h0 17/05/2006 20:28 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 17/05/2006 20:30 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\be0.864B923001C69EFA.history\00000000.bak 04/07/2006 00:47 7.70 MB Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\8XMRGJ3P\2006_06-June_28[1].jpg 04/07/2006 00:49 122.66 KB Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\8XMRGJ3P\670[1].htm 04/07/2006 00:49 2.11 KB Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\8XMRGJ3P\AppID_1504[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\8XMRGJ3P\AppID_205[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\8XMRGJ3P\AppID_219[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\8XMRGJ3P\AppID_240[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\8XMRGJ3P\AppID_913[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\8XMRGJ3P\AppID_916[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\8XMRGJ3P\AppID_919[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\R57RGOIZ\AppID_1001[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\R57RGOIZ\AppID_1210[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\R57RGOIZ\AppID_220[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\R57RGOIZ\AppID_2510[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\R57RGOIZ\AppID_908[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\R57RGOIZ\AppID_914[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\R57RGOIZ\AppID_918[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\R57RGOIZ\AppID_920[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\R57RGOIZ\storefront[1].css 04/07/2006 00:49 5.79 KB Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\RJOHE3NX\AppID_1003[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\RJOHE3NX\AppID_1502[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\RJOHE3NX\AppID_211[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\RJOHE3NX\AppID_2500[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\RJOHE3NX\AppID_912[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\RJOHE3NX\dash[1].gif 04/07/2006 00:49 95 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\RJOHE3NX\JagdColmar[1].jpg 04/07/2006 00:49 22.96 KB Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\RJOHE3NX\message[1].css 04/07/2006 00:49 922 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\RJOHE3NX\v2[1].htm 04/07/2006 00:49 2.54 KB Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\SCU4ELAL\AppID_1002[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\SCU4ELAL\AppID_1200[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\SCU4ELAL\AppID_1220[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\SCU4ELAL\AppID_1500[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\SCU4ELAL\AppID_210[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\SCU4ELAL\AppID_909[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\SCU4ELAL\AppID_915[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\SCU4ELAL\AppID_917[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\Documents and Settings\Andy Stiles\Local Settings\Temporary Internet Files\Content.IE5\SCU4ELAL\background[1].gif 04/07/2006 00:49 2.32 KB Hidden from Windows API.
C:\Program Files\McAfee.com\Personal Firewall\data\hwcache.xdb 03/07/2006 22:41 3.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\McAfee.com\Personal Firewall\data\summary\appicons\appicon9.bmp 04/07/2006 00:50 822 bytes Hidden from Windows API.
C:\Program Files\Valve\Steam\config\dialogconfig.vdf 04/07/2006 00:48 21 bytes Hidden from Windows API.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP288\A0148190.dll 03/07/2006 23:15 1.04 MB Hidden from Windows API.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP288\A0148191.dll 03/07/2006 23:15 1.27 MB Hidden from Windows API.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP288\A0148192.ini 03/07/2006 15:09 583 bytes Hidden from Windows API.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP288\A0148193.ini 03/07/2006 19:23 1.79 KB Hidden from Windows API.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP288\A0148194.ini 03/07/2006 22:41 125 bytes Hidden from Windows API.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP288\A0148195.ini 03/07/2006 15:09 237 bytes Hidden from Windows API.
C:\WINDOWS\Prefetch\MVTX.EXE-1EBD6941.pf 04/07/2006 00:50 41.47 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\STEAM.EXE-0099A331.pf 04/07/2006 00:49 51.00 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb001D8.log 04/07/2006 00:24 128.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb001D9.log 04/07/2006 00:49 128.00 KB Hidden from Windows API.
C:\WINDOWS\Temp\cch~3a4ace195cd8.htp 04/07/2006 00:57 8.00 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Temp\cch~3a4ace5a45e8.htp 04/07/2006 00:57 8.00 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Temp\cch~3aa25b0c6118.htp 04/07/2006 00:59 8.00 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Temp\cch~3aa25b3af5a8.htp 04/07/2006 00:59 8.00 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Temp\PR3B2.tmp 04/07/2006 00:53 0 bytes Visible in Windows API, but not in MFT or directory index.
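A RootkitRevealer log is read one line at a time: each line is a path, a timestamp, a size and a discrepancy description, and the kind of discrepancy plus the location decides whether it is scan-time churn (browser cache, prefetch, restore points) or something worth a closer look. The triage helper below is an added example, not part of this thread or of the RootkitRevealer tool; the list of "noisy" locations is an assumption chosen for illustration, and the sample lines are constructed in the same format as the posted log.

```python
import re
from collections import Counter

# RootkitRevealer prints one discrepancy per line:
#   <path> <dd/mm/yyyy> <hh:mm> <size> <description>
# Paths may contain spaces, so the line is anchored on the date/time/size
# fields rather than split on whitespace.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\S+ (?:bytes|KB|MB|GB)) (?P<desc>.+?)\.?$"
)

# Assumed list (not from the original post) of locations where "hidden"
# entries routinely appear because files are being created while the scan
# runs: browser cache, prefetch, restore points and the RNG seed value.
NOISY_PREFIXES = (
    "\\Local Settings\\Temporary Internet Files\\",
    "C:\\WINDOWS\\Prefetch\\",
    "C:\\System Volume Information\\",
    "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed",
)

def parse_line(line):
    """Split one log line into its fields; None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Return (count of entries per discrepancy type, paths outside noisy areas)."""
    counts = Counter()
    review = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        counts[entry["desc"]] += 1
        if not any(p in entry["path"] for p in NOISY_PREFIXES):
            review.append(entry["path"])
    return counts, review

# Constructed sample in the same format as the posted log.
SAMPLE = """\
HKLM\\SYSTEM\\ControlSet001\\Services\\sptd\\Cfg\\s0 17/05/2006 20:28 4 bytes Hidden from Windows API.
C:\\Documents and Settings\\User\\Local Settings\\Temporary Internet Files\\Content.IE5\\X\\a[1].txt 04/07/2006 00:49 0 bytes Hidden from Windows API.
C:\\WINDOWS\\Temp\\PR3B2.tmp 04/07/2006 00:53 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\\WINDOWS\\Prefetch\\MVTX.EXE-1EBD6941.pf 04/07/2006 00:50 41.47 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    for desc, n in counts.items():
        print(f"{n:3d}  {desc}")
    print("Entries outside known-noisy locations:", *review, sep="\n  ")
```

Entries left in the review list are the ones to look at by hand; a high count of "Hidden from Windows API" under the browser cache alone is not evidence of a rootkit.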
LoPhatPhuud
You may be interested in this post at the TH forum. It concerns the bug you have.

http://forum.misec.net/board/Trojans/1145813094
LoPhatPhuud
Also, try an online scan at Kaspersky. I know it can detect it and hopefully will pick up the other file(s).

http://usa.kaspersky.com/services/free-virus-scanner.php


EDIT: I forgot you have Kaspersky installed! Boot into safe mode and do a full system scan with KAV6. Use default values for the Computer Scan.
Adius
Hi,

What program are they using to detect them? They mention TrojanHunter, but from the date on the posts, I should have got the updated version when I did update it, and it still isn't detecting the file as a threat.

Adius
LoPhatPhuud
Try updating the TH definitions and run it again. I was puzzled too when I saw that thread. But is it possible the defs packaged with the download are not the most recent?
Adius
Hi,

I updated TH again, but I had recently deleted the Modul32 files from the Temp folder, and so far they haven't reappeared. But if and when they do, I shall scan them with TH and post the findings.

Adius
LoPhatPhuud
OK, I'll leave this thread open, but consider the issue closed for the time.