trojan downloaded data from pop3s


Solved trojan downloaded data from pop3s

Post by vrex on Thu Dec 11, 2008 7:19 pm

Hello,
I detected a trojan by PGP, which informed me that "my mail program" was using a secure connection to download "mail" from a pop3 server in Canada. As you have noticed, I'm a little bit concerned about private data: I'm using PGP for full hard disk encryption and a virtual encrypted disk, which I unmounted after the incident. Then I installed Norton Internet Security 2006 and rebooted the PC (which, I think, was a bad idea).

On startup something happened to PGP; a dialog popped up as if PGP were being uninstalled, but it wasn't. The antivirus updated itself, but the installation of updates looked strange because it stopped responding several times without any CPU or disk usage. A full system scan gave no results, and the firewall notifications of applications trying to reach the net looked ordinary. So I checked the startups and found that the PGPtray startup path had changed to "windows\installer\{GUID}\Icon1234.exe". The numbers are just for example; in that dir there were more executables with names beginning with "Icon" and numbers, which had icons for Excel, PDF and some others. I've deleted those. Also there was a service running with a funny name which looked like a code to get a name from resources. So it was stopped, and so were almost all other services. I've also disabled the network interface.

So maybe it is a known issue? At the moment of writing I have no access to that PC and can't run HijackThis, but will do that after ~11 hours and post the results. Thank you in advance for any help.


Solved Re: trojan downloaded data from pop3s

Post by Belahzur on Thu Dec 11, 2008 7:28 pm

Please read here and post a Hijack This log.

[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: trojan downloaded data from pop3s

Post by vrex on Fri Dec 12, 2008 6:24 am

The log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:18:08, on 2008.12.12
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Source\Csharp\SMCems\SMCserver\bin\Release\Running\SMCserver.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CollabNet Subversion Server\svnserve.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Installs\Hijack(GP)This.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Microsoft Web Test Recorder Helper - {62355041-605D-4469-84FD-5D66ED67A7E3} - C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B314BA6-76E3-46F3-A821-E59002259D25}: NameServer = 192.168.100.7
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: PGPmapih.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: SMCserver - SMC - D:\Source\Csharp\SMCems\SMCserver\bin\Release\Running\SMCserver.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Subversion Server (svnserve) - [You must be registered and logged in to see this link.] - C:\Program Files\CollabNet Subversion Server\svnserve.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 11587 bytes


Uninstall log:

CC_ccProxyExt
ccCommon
ccPxyCore
Compatibility Pack for the 2007 Office system
FT NavVision
HijackThis 2.0.2
LiveUpdate 3.0 (Symantec Corporation)
Microsoft Office Professional Edition 2003
MSRedist
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2006
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2006 (Symantec Corporation)
Norton Protection Center
Norton WMI Update
Norton WMI Update
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB956802)
SPBBC
Update for Windows XP (KB955839)

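Triage helper written for this thread as an added example (it is not code from the thread, from HijackThis, ComboFix or the helper's tools): it parses HijackThis O4 and O23 lines and flags the patterns vrex described in the opening post and that the log above shows, namely a Run entry redirected into windows\installer\{GUID}\Icon<digits>.exe, a service whose binary is missing or whose owner is unknown, and a service name that is a resource-string reference like the "@xpsp3res.dll,-20001" form. The all-zero GUID and the "@resnames.dll,-1001" service in the sample are constructed placeholders.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) entries.

Added example for this thread; it is not part of HijackThis, ComboFix or the
forum's own tooling. It flags the patterns discussed above: a Run entry that
points into %WINDIR%\\Installer\\{GUID}\\Icon<digits>.exe, services whose
binary is missing or whose owner is unknown, and service names that are
resource-string references (@dll,-id) instead of plain text.
"""
import re
from dataclasses import dataclass, field

# Windows Installer caches icon files under %WINDIR%\Installer\{ProductCode}\ ;
# a logon autostart is not expected to launch anything from that directory.
INSTALLER_GUID_DIR = re.compile(
    r"\\installer\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\",
    re.IGNORECASE,
)
ICON_EXE = re.compile(r"^icon\d+\.exe$", re.IGNORECASE)
O4_LINE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_PREFIX = "O23 - Service: "

# Constructed sample: the ccApp, Firebird, MySQL and LogMeIn lines are copied
# from the log posted above; the PGPtray line and the "@resnames.dll,-1001"
# service are made up to match the symptoms in the opening post (the GUID is
# an all-zero placeholder).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PGPtray] C:\WINDOWS\Installer\{00000000-0000-0000-0000-000000000000}\Icon1234.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: @resnames.dll,-1001 - Unknown owner - C:\WINDOWS\system32\svchost.exe -k netsvcs
"""


@dataclass
class Finding:
    section: str                 # "O4" or "O23"
    name: str                    # Run value name or service display name
    path: str                    # executable path as HijackThis reported it
    reasons: list = field(default_factory=list)


def executable_from_command(cmd: str) -> str:
    """Return the program part of a Run command line (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_o23(line: str):
    """Split an O23 line into (display name, owner, path).

    Display names may themselves contain " - " (see the Firebird entries in
    the log), so split from the right: the last two separators delimit the
    owner and the path.
    """
    if not line.startswith(O23_PREFIX):
        return None
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    return tuple(parts) if len(parts) == 3 else None


def check_o4(line: str):
    """Flag autostart entries that launch from the Installer cache or Icon<n>.exe."""
    m = O4_LINE.match(line)
    if not m:
        return None
    exe = executable_from_command(m.group("cmd"))
    f = Finding("O4", m.group("name"), exe)
    if INSTALLER_GUID_DIR.search(exe):
        f.reasons.append("autostart runs from the Windows Installer cache directory")
    if ICON_EXE.match(exe.rsplit("\\", 1)[-1]):
        f.reasons.append("binary named Icon<digits>.exe (installer icon-file naming)")
    return f if f.reasons else None


def check_o23(line: str):
    """Flag services with a missing binary, no recorded owner, or a resource-string name."""
    parsed = parse_o23(line)
    if parsed is None:
        return None
    name, owner, path = parsed
    f = Finding("O23", name, path)
    if "(file missing)" in path:
        f.reasons.append("service binary not found on disk")
    if owner == "Unknown owner":
        f.reasons.append("no vendor recorded for the service")
    if name.startswith("@"):
        f.reasons.append("display name is a resource-string reference; confirm the DLL it names")
    return f if f.reasons else None


def triage(log_text: str):
    """Return the suspicious O4/O23 findings of a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        f = check_o4(raw.strip()) or check_o23(raw.strip())
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section} {finding.name!r} -> {finding.path}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Findings are prompts to verify, not verdicts: the log above has a benign "Unknown owner" entry (Symantec Core LC), so a flagged line means check the binary's location and publisher rather than delete it.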

Solved Re: trojan downloaded data from pop3s

Post by Belahzur on Fri Dec 12, 2008 5:07 pm

Hello.


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Solved Re: trojan downloaded data from pop3s

Post by vrex on Sat Dec 13, 2008 2:43 pm

ComboFix 08-12-12.05 - Komp1 2008-12-13 16:25:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1257.1.1033.18.1919.1288 [GMT 2:00]
Running from: D:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\Cache
c:\windows\system32\Cfx32.lic
c:\windows\system32\cfx32.ocx
c:\windows\system32\itcc.dll
c:\windows\system32\vnetinst.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.

2008-12-12 08:38 . 2008-12-12 08:38 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 08:38 . 2008-12-12 08:38 d-------- c:\documents and settings\Komp1\Application Data\Malwarebytes
2008-12-12 08:38 . 2008-12-12 08:38 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 08:38 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 08:38 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 08:36 . 2008-12-12 08:36 10,671 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-12 08:36 . 2008-12-12 08:36 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-11 17:07 . 2008-12-11 17:07 268 --ah----- C:\sqmdata16.sqm
2008-12-11 17:07 . 2008-12-11 17:07 244 --ah----- C:\sqmnoopt16.sqm
2008-12-11 16:57 . 2008-12-11 16:57 d--h----- c:\windows\PIF
2008-12-11 13:53 . 2008-12-11 13:53 d-------- c:\program files\Free Technics BV
2008-12-11 12:46 . 2008-12-11 12:46 d-------- c:\program files\Berg
2008-12-10 09:19 . 2008-12-10 09:19 268 --ah----- C:\sqmdata15.sqm
2008-12-10 09:19 . 2008-12-10 09:19 244 --ah----- C:\sqmnoopt15.sqm
2008-12-09 14:30 . 2008-12-09 14:30 268 --ah----- C:\sqmdata14.sqm
2008-12-09 14:30 . 2008-12-09 14:30 244 --ah----- C:\sqmnoopt14.sqm
2008-12-09 13:39 . 2008-12-09 13:39 d-------- c:\documents and settings\Komp1\Application Data\Symantec
2008-12-09 13:37 . 2008-12-09 13:37 268 --ah----- C:\sqmdata13.sqm
2008-12-09 13:37 . 2008-12-09 13:37 244 --ah----- C:\sqmnoopt13.sqm
2008-12-09 13:31 . 2008-12-09 14:47 d-------- c:\program files\Norton Internet Security
2008-12-09 13:31 . 2008-12-09 13:31 10,344 --a------ c:\windows\system32\drivers\symlcbrd.sys
2008-12-09 13:30 . 2008-12-12 08:36 d-------- c:\program files\Symantec
2008-12-09 13:30 . 2008-12-13 16:28 d-------- c:\program files\Common Files\Symantec Shared
2008-12-09 13:30 . 2008-12-13 09:42 d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-09 13:30 . 2008-12-12 08:36 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-09 13:30 . 2008-12-12 08:36 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-09 13:21 . 2008-12-09 13:21 268 --ah----- C:\sqmdata12.sqm
2008-12-09 13:21 . 2008-12-09 13:21 244 --ah----- C:\sqmnoopt12.sqm
2008-12-09 13:08 . 2008-12-09 13:08 268 --ah----- C:\sqmdata11.sqm
2008-12-09 13:08 . 2008-12-09 13:08 244 --ah----- C:\sqmnoopt11.sqm
2008-12-09 13:00 . 2008-12-09 13:00 268 --ah----- C:\sqmdata10.sqm
2008-12-09 13:00 . 2008-12-09 13:00 244 --ah----- C:\sqmnoopt10.sqm
2008-12-09 11:57 . 2008-12-09 11:57 d-------- c:\program files\Zone Labs
2008-12-09 11:56 . 2008-12-09 13:23 d-------- c:\windows\Internet Logs
2008-12-08 13:12 . 2008-12-08 13:12 268 --ah----- C:\sqmdata09.sqm
2008-12-08 13:12 . 2008-12-08 13:12 244 --ah----- C:\sqmnoopt09.sqm
2008-12-08 13:08 . 2008-12-08 13:08 268 --ah----- C:\sqmdata08.sqm
2008-12-08 13:08 . 2008-12-08 13:08 244 --ah----- C:\sqmnoopt08.sqm
2008-12-05 16:21 . 2008-12-05 16:21 d-------- c:\program files\Microsoft Silverlight
2008-12-05 10:09 . 2008-12-10 08:19 d-------- c:\documents and settings\Komp1\Application Data\Wireshark
2008-12-05 10:05 . 2008-12-05 10:05 d-------- c:\program files\Wireshark
2008-12-05 10:05 . 2008-12-05 10:05 d-------- c:\program files\WinPcap
2008-12-03 16:18 . 2008-12-03 16:18 268 --ah----- C:\sqmdata07.sqm
2008-12-03 16:18 . 2008-12-03 16:18 244 --ah----- C:\sqmnoopt07.sqm
2008-12-03 15:49 . 2008-12-03 16:06 d-------- c:\program files\SWiSH Max2
2008-12-03 15:49 . 2004-03-29 16:23 90,112 --a------ c:\windows\unvise32.exe
2008-12-03 13:32 . 2008-12-03 13:32 d-------- c:\windows\IIS Temporary Compressed Files
2008-12-03 13:29 . 2008-12-03 13:39 d-------- c:\windows\system32\Logfiles
2008-12-03 08:16 . 2008-12-03 08:16 268 --ah----- C:\sqmdata06.sqm
2008-12-03 08:16 . 2008-12-03 08:16 244 --ah----- C:\sqmnoopt06.sqm
2008-12-03 02:00 . 2008-12-03 08:17 d-------- c:\temp\GBP7Temp
2008-12-02 18:17 . 2001-08-17 13:48 17,664 --a------ c:\windows\system32\drivers\sermouse.sys
2008-12-02 18:17 . 2001-08-17 13:48 17,664 --a--c--- c:\windows\system32\dllcache\sermouse.sys
2008-12-02 18:14 . 2008-12-02 18:14 268 --ah----- C:\sqmdata05.sqm
2008-12-02 18:14 . 2008-12-02 18:14 244 --ah----- C:\sqmnoopt05.sqm
2008-12-02 10:15 . 2008-12-02 10:15 d-------- c:\program files\MySQL
2008-12-02 10:14 . 2008-12-02 10:14 d-------- c:\program files\HeidiSQL
2008-12-02 10:14 . 2008-12-02 10:14 d-------- c:\documents and settings\All Users\Application Data\HeidiSQL
2008-12-01 14:00 . 2008-12-01 14:00 d-------- c:\documents and settings\Komp1\Application Data\Corel
2008-12-01 14:00 . 2008-12-03 10:11 2,880 --ahs---- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-12-01 14:00 . 2008-12-01 14:00 8 -r-hs---- c:\documents and settings\All Users\Application Data\C45A22F17E.sys
2008-12-01 13:58 . 2008-12-01 13:58 d-------- c:\program files\Common Files\Protexis
2008-12-01 13:58 . 2008-12-01 13:58 d-------- c:\documents and settings\All Users\Application Data\Corel
2008-12-01 13:56 . 2008-12-01 13:56 d-------- c:\program files\Common Files\Corel
2008-12-01 13:55 . 2008-12-01 13:55 d-------- c:\program files\Corel
2008-12-01 13:47 . 2008-12-01 13:47 d-------- c:\documents and settings\Komp1\Application Data\InstallShield
2008-12-01 12:49 . 2008-12-01 12:49 d-------- c:\program files\Opera
2008-12-01 11:29 . 2008-12-01 11:29 d-------- c:\program files\VSPD XP
2008-12-01 11:25 . 2008-12-01 11:25 268 --ah----- C:\sqmdata04.sqm
2008-12-01 11:25 . 2008-12-01 11:25 244 --ah----- C:\sqmnoopt04.sqm
2008-11-29 09:48 . 2008-11-29 09:48 268 --ah----- C:\sqmdata03.sqm
2008-11-29 09:48 . 2008-11-29 09:48 244 --ah----- C:\sqmnoopt03.sqm
2008-11-29 09:39 . 2008-11-29 09:39 268 --ah----- C:\sqmdata02.sqm
2008-11-29 09:39 . 2008-11-29 09:39 244 --ah----- C:\sqmnoopt02.sqm
2008-11-29 09:38 . 2008-11-29 09:48 d-------- c:\documents and settings\All Users\Application Data\NovaStor
2008-11-28 13:53 . 2008-12-01 09:53 d-------- c:\temp\New Folder
2008-11-27 14:26 . 2008-11-27 14:26 268 --ah----- C:\sqmdata01.sqm
2008-11-27 14:26 . 2008-11-27 14:26 244 --ah----- C:\sqmnoopt01.sqm
2008-11-27 09:44 . 2008-11-27 09:44 d-------- c:\documents and settings\All Users\Application Data\Genie-Soft
2008-11-27 09:39 . 2008-11-27 09:39 d-------- c:\documents and settings\Komp1\Application Data\Genie-soft
2008-11-27 09:37 . 2008-11-27 09:37 268 --ah----- C:\sqmdata00.sqm
2008-11-27 09:37 . 2008-11-27 09:37 244 --ah----- C:\sqmnoopt00.sqm
2008-11-27 09:32 . 2008-11-27 09:32 d-------- c:\program files\Genie-Soft
2008-11-27 09:09 . 2008-11-27 09:09 d-------- c:\program files\uTorrent
2008-11-27 09:09 . 2008-12-09 14:35 d-------- c:\documents and settings\Komp1\Application Data\uTorrent
2008-11-26 14:03 . 2008-11-26 14:03 664 --a------ c:\windows\system32\d3d9caps.dat
2008-11-26 10:26 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-26 09:54 . 2008-09-18 23:11 723,504 --a------ c:\windows\system32\vnetlib.dll
2008-11-26 09:54 . 2008-09-18 23:11 399,920 --a------ c:\windows\system32\vmnat.exe
2008-11-26 09:54 . 2008-09-18 23:11 326,192 --a------ c:\windows\system32\vmnetdhcp.exe
2008-11-26 09:54 . 2008-09-18 16:49 50,736 -ra------ c:\windows\system32\vmnetbridge.dll
2008-11-26 09:54 . 2008-09-18 16:49 31,280 -ra------ c:\windows\system32\drivers\vmnetbridge.sys
2008-11-26 09:54 . 2008-09-18 23:12 26,288 --a------ c:\windows\system32\drivers\vmnetuserif.sys
2008-11-26 09:54 . 2008-09-18 23:12 23,216 --a------ c:\windows\system32\drivers\VMkbd.sys
2008-11-26 09:54 . 2008-09-18 16:49 18,736 -ra------ c:\windows\system32\drivers\vmnet.sys
2008-11-26 09:54 . 2008-09-18 16:49 16,560 -ra------ c:\windows\system32\drivers\vmnetadapter.sys
2008-11-25 09:46 . 2008-12-03 13:32 d-------- C:\Inetpub
2008-11-20 11:59 . 2008-11-20 11:59 d-------- c:\program files\Common Files\Java
2008-11-19 16:51 . 2007-01-15 22:41 887 --a------ c:\windows\SourceControl.flt
2008-11-19 16:46 . 2008-11-19 16:46 d-------- c:\program files\WinMerge
2008-11-18 16:12 . 2008-05-16 00:51 30,768 -ra------ c:\windows\system32\drivers\vmusb.sys
2008-11-18 14:45 . 2008-11-18 14:45 d-------- c:\program files\MSXML 4.0
2008-11-18 13:44 . 2008-11-18 13:45 d-------- c:\program files\Windows Mobile 6 SDK
2008-11-18 11:10 . 2008-11-18 11:10 d-------- c:\temp\evc4sp4
2008-11-18 11:09 . 2008-11-18 11:09 d-------- c:\program files\Windows CE Tools
2008-11-18 11:08 . 2008-11-18 11:08 d-------- C:\Windows CE Tools
2008-11-18 11:08 . 2008-11-18 11:11 d-------- c:\program files\Microsoft eMbedded C++ 4.0
2008-11-18 11:05 . 2008-11-18 11:05 d-------- c:\temp\WCE
2008-11-18 11:05 . 2008-11-18 11:05 d-------- c:\temp\Setup
2008-11-18 11:05 . 2008-11-18 11:05 d-------- c:\temp\SDK
2008-11-18 11:05 . 2008-11-18 11:05 d-------- c:\temp\PlatMan
2008-11-18 11:05 . 2008-11-18 11:05 d-------- c:\temp\OS
2008-11-18 11:05 . 2008-11-18 11:05 d-------- c:\temp\MSXML3
2008-11-18 11:05 . 2008-11-18 11:05 d-------- c:\temp\EVC
2008-11-18 11:05 . 2008-11-18 11:05 d-------- c:\temp\COMMON
2008-11-18 11:05 . 2008-12-13 02:00 d-------- C:\Temp
2008-11-18 09:52 . 2008-11-18 09:52 d-------- c:\windows\system32\URTTEMP
2008-11-17 16:00 . 2008-11-18 09:54 d-------- c:\program files\.NET Compact Framework Samples
2008-11-15 10:17 . 2008-11-15 10:17 d-------- c:\program files\Rampant Logic Postscript Viewer
2008-11-15 10:16 . 2008-11-15 10:17 d-------- c:\program files\Ghostgum
2008-11-14 12:59 . 2008-11-14 12:59 0 --a------ c:\windows\COMPANIONAPP.INI
2008-11-14 12:54 . 2008-11-14 12:54 d-------- c:\windows\Downloaded Installations
2008-11-14 12:53 . 2008-11-14 12:53 d-------- c:\program files\HP
2008-11-14 12:51 . 2006-11-06 18:04 28,672 --a------ c:\windows\system32\drivers\wceusbsh.sys
2008-11-14 12:51 . 2006-11-06 18:04 28,672 --a--c--- c:\windows\system32\dllcache\wceusbsh.sys


Solved Re: trojan downloaded data from pop3s

Post by vrex on Sat Dec 13, 2008 2:45 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 14:30 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-12-13 14:30 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-13 14:28 8,741,408 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-13 14:28 71,468 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-13 14:28 679,968 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-13 14:28 5,500 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-12 22:01 --------- d-----w c:\program files\LogMeIn
2008-12-12 13:55 --------- d-----w c:\documents and settings\Komp1\Application Data\VMware
2008-12-12 11:01 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-11 15:07 --------- d-----w c:\documents and settings\Komp1\Application Data\Orbit
2008-12-11 14:28 --------- d-----w c:\documents and settings\Komp1\Application Data\Skype
2008-12-10 07:23 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2008-12-05 14:20 --------- d-----w c:\program files\Microsoft SDKs
2008-12-05 14:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-05 14:19 --------- d-----w c:\program files\Microsoft Visual Studio 9.0
2008-12-02 14:13 --------- d-----w c:\program files\Common Files\Adobe
2008-11-27 17:09 --------- d-----w c:\program files\Fotonija
2008-11-26 08:44 --------- d-----w c:\program files\Orbitdownloader
2008-11-26 08:26 --------- d-----w c:\program files\Java
2008-11-26 07:53 --------- d-----w c:\program files\VMware
2008-11-18 10:58 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-12 15:51 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2008-11-11 13:05 --------- d-----w c:\program files\Winamp
2008-11-10 07:38 --------- d-----w c:\program files\Messenger Plus! Live
2008-11-07 14:39 --------- d-----w c:\program files\Windows Live
2008-11-07 14:31 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-07 13:17 --------- d-----w c:\program files\EMS
2008-11-07 13:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-07 13:00 --------- d-----w c:\program files\Track+
2008-11-07 12:54 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware
2008-11-07 12:26 --------- d-----w c:\program files\Firebird
2008-11-07 12:26 --------- d-----w c:\program files\Apache Software Foundation
2008-11-07 12:25 --------- d-----w c:\program files\Sun
2008-11-07 12:25 --------- d-----w c:\program files\ATT
2008-11-07 11:47 --------- d-----w c:\program files\Task Manager
2008-11-06 07:36 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2008-11-06 07:25 87,855 ----a-w c:\windows\system32\drivers\klick.dat
2008-11-06 07:25 --------- d-----w c:\program files\Kaspersky Lab
2008-11-06 07:24 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-05 14:25 --------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2008-11-04 09:11 --------- d-----w c:\program files\Microsoft SQL Server
2008-10-31 15:29 --------- d-----w c:\documents and settings\Komp1\Application Data\SSH
2008-10-31 15:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-31 15:08 --------- d-----w c:\program files\SSH Communications Security
2008-10-31 14:21 --------- d-----w c:\program files\sancho
2008-10-31 12:00 --------- d-----w c:\program files\Skype
2008-10-30 16:16 --------- d-----w c:\program files\MSXML 6.0
2008-10-30 15:53 --------- d-----w c:\program files\Microsoft Works
2008-10-29 16:59 --------- d-----w c:\program files\FuH
2008-10-29 13:22 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-10-29 12:20 --------- d-----w c:\program files\Bonjour
2008-10-29 12:15 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-29 08:27 --------- d-----w c:\program files\MaxComponents
2008-10-28 09:21 --------- d-----w c:\program files\Microsoft Virtual PC
2008-10-28 08:30 --------- d-----w c:\program files\MSECache
2008-10-28 08:29 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-10-28 06:52 --------- d-----w c:\program files\TortoiseSVN
2008-10-28 06:52 --------- d-----w c:\program files\Common Files\TortoiseOverlays
2008-10-28 06:36 --------- d-----w c:\program files\EXTRADEV
2008-10-28 06:36 --------- d-----w c:\program files\EXTRA
2008-10-28 06:36 --------- d-----w c:\program files\EurekaLog 4
2008-10-27 08:05 --------- d-----w c:\program files\Aladdin
2008-10-27 07:58 --------- d-----w c:\program files\Common Files\Aladdin Shared
2008-10-27 07:26 --------- d-----w c:\documents and settings\Komp1\Application Data\TortoiseSVN
2008-10-27 07:02 --------- d-----w c:\documents and settings\Komp1\Application Data\skypePM
2008-10-26 17:43 --------- d-----w c:\program files\OO Software
2008-10-26 17:00 --------- d-----w c:\program files\Borland
2008-10-26 16:40 --------- d-----w c:\program files\Common Files\Borland Shared
2008-10-26 14:15 --------- d-----w c:\program files\Developer Express Inc.NET.2005
2008-10-26 14:15 --------- d-----w c:\program files\Common Files\DevExpress
2008-10-26 14:13 --------- d-----w c:\program files\Advantech
2008-10-26 14:07 --------- d-----w c:\program files\Nevron Software
2008-10-26 13:07 --------- d-----w c:\program files\Common Files\Skype
2008-10-26 13:07 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-26 12:55 --------- d-----w c:\program files\Notepad++
2008-10-26 12:55 --------- d-----w c:\documents and settings\Komp1\Application Data\Notepad++
2008-10-26 12:25 --------- d-----w c:\program files\CollabNet Subversion Server
2008-10-26 12:11 --------- d-----w c:\documents and settings\Komp1\Application Data\Subversion
2008-10-26 11:32 --------- d-----w c:\documents and settings\Komp1\Application Data\GrabPro
2008-10-26 11:08 --------- d-----w c:\program files\MSDN
2008-10-26 10:12 --------- d-----w c:\program files\Business Objects
2008-10-26 10:11 --------- d-----w c:\program files\Windows Mobile 5.0 SDK R2
2008-10-26 10:11 --------- d-----w c:\program files\Microsoft Device Emulator
2008-10-26 10:10 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2008-10-26 10:10 --------- d-----w c:\program files\Microsoft Synchronization Services
2008-10-26 10:03 --------- d-----w c:\program files\Microsoft Web Designer Tools
2008-10-26 10:01 --------- d-----w c:\program files\Reference Assemblies
2008-10-26 09:55 --------- d-----w c:\program files\DAEMON Tools Lite
2008-10-26 09:52 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-26 09:52 --------- d-----w c:\documents and settings\Komp1\Application Data\DAEMON Tools
2008-10-26 09:49 --------- d-----w c:\program files\Microsoft DirectX SDK (February 2007)
2008-10-26 09:49 --------- d-----w c:\program files\Common Files\aliaswavefront shared
2008-10-26 09:49 --------- d-----w c:\program files\Common Files\Alias Shared
2008-10-26 09:37 --------- d-----w c:\program files\Microsoft Visual SourceSafe
2008-10-26 09:28 --------- d-----w c:\program files\Microsoft WSE
2008-10-26 09:27 --------- d-----w c:\program files\Microsoft ASP.NET
2008-10-26 08:53 --------- d-----w c:\program files\Microsoft SQL Server 2005 Mobile Edition
2008-10-26 08:46 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-10-26 08:44 --------- d-----w c:\program files\HTML Help Workshop
2008-10-26 08:42 --------- d-----w c:\program files\MSBuild
.

Post by vrex on Sat Dec 13, 2008 2:46 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2008-02-26 14:29 380472 --a------ c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 52840]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PGPtray.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PGPtray.exe.lnk
backup=c:\windows\pss\PGPtray.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-22 22:19 52840 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 04:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 14:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBMPro8Agent]
--a------ 2008-07-28 10:05 189056 c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2008-07-24 18:46 63048 c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 04:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 02:08 2512392 c:\windows\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-09-23 14:17 21755688 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 11:17 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
--a------ 2008-09-18 23:11 84528 c:\program files\VMware\VMware Workstation\vmware-tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSPDXP]
--a------ 2003-11-13 15:19 974848 c:\program files\VSPD XP\vspdconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2008-04-07 15:06 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2008-04-07 15:06 16859136 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"Browser"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"comHost"=3 (0x3)
"CryptSvc"=3 (0x3)
"Dot3svc"=3 (0x3)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"EapHost"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"idsvc"=3 (0x3)
"InterServer"=3 (0x3)
"MDM"=2 (0x2)
"mnmsrvc"=3 (0x3)
"MSDTC"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"napagent"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ose"=3 (0x3)
"PGPserv"=2 (0x2)
"PSI_SVC_2"=2 (0x2)
"rpcapd"=3 (0x3)
"VMAuthdService"=2 (0x2)
"usnjsvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"LiveUpdate"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

Post by vrex on Sat Dec 13, 2008 2:47 pm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R0 pgpfs;PGP File Sharing;c:\windows\system32\Drivers\PGPfsfd.sys [2008-02-26 115768]
R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [2008-02-26 204856]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run []
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-11-05 47640]
R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [2008-02-26 245816]
R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\Drivers\PGPsdk.sys [2008-02-26 40504]
R2 SMCserver;SMCserver;"d:\source\Csharp\SMCems\SMCserver\bin\Release\Running\SMCserver.exe" [2008-11-06 28672]
R2 svnserve;Subversion Server;"c:\program files\CollabNet Subversion Server\svnserve.exe" --service -r "D:\SVN" --listen-port "3690" []
R2 vmci;VMware vmci;\??\c:\windows\system32\Drivers\vmci.sys [2008-09-18 54960]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-09 99376]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S1 efbDisk;efbDisk; []
S2 VPCAppSv;Virtual PC Application Services;c:\windows\system32\DRIVERS\VPCAppSv.sys [2004-05-17 10374]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 VSPerfDrv;Performance Tools Driver;\??\c:\program files\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [2007-04-03 48128]
S3 xpvcom;XPVCOM Port;c:\windows\system32\DRIVERS\XPVCOM.sys [2007-03-23 30032]
S4 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s []
S4 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s []
S4 InterServer;InterBase InterClient Server;c:\program files\Borland\InterBase\InterClient\bin\interserver.exe [2008-10-26 114176]
S4 LMIRfsClientNP;LMIRfsClientNP; []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2007-04-03 2805000]
S4 Tomcat5;Apache Tomcat;"c:\program files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 [2004-08-29 94208]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\GBM - Source Backup-Full.job
- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2008-11-27 09:24]

2008-12-13 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Komp1.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-23 12:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\PGPlsp.dll
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: {9B314BA6-76E3-46F3-A821-E59002259D25} = 212.59.0.1
FF - ProfilePath - c:\documents and settings\Komp1\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Komp1\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-13 16:30:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 4.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1912)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\hasplms.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\CollabNet Subversion Server\svnserve.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
.
**************************************************************************
.
Completion time: 2008-12-13 16:34:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-13 14:33:13

Pre-Run: 4.806.201.344 bytes free
Post-Run: 5,536,169,984 bytes free

508 --- E O F --- 2008-12-11 06:12:03

Post by Belahzur on Sat Dec 13, 2008 3:01 pm

Hello.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :processes
    explorer.exe

    :files
    C:\sqmdata*.sqm
    C:\sqmnoopt*.sqm

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Please post the OTMoveIt log.

Post by vrex on Sun Dec 14, 2008 11:16 am

Here it is:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\sqmdata00.sqm moved successfully.
C:\sqmdata01.sqm moved successfully.
C:\sqmdata02.sqm moved successfully.
C:\sqmdata03.sqm moved successfully.
C:\sqmdata04.sqm moved successfully.
C:\sqmdata05.sqm moved successfully.
C:\sqmdata06.sqm moved successfully.
C:\sqmdata07.sqm moved successfully.
C:\sqmdata08.sqm moved successfully.
C:\sqmdata09.sqm moved successfully.
C:\sqmdata10.sqm moved successfully.
C:\sqmdata11.sqm moved successfully.
C:\sqmdata12.sqm moved successfully.
C:\sqmdata13.sqm moved successfully.
C:\sqmdata14.sqm moved successfully.
C:\sqmdata15.sqm moved successfully.
C:\sqmdata16.sqm moved successfully.
C:\sqmnoopt00.sqm moved successfully.
C:\sqmnoopt01.sqm moved successfully.
C:\sqmnoopt02.sqm moved successfully.
C:\sqmnoopt03.sqm moved successfully.
C:\sqmnoopt04.sqm moved successfully.
C:\sqmnoopt05.sqm moved successfully.
C:\sqmnoopt06.sqm moved successfully.
C:\sqmnoopt07.sqm moved successfully.
C:\sqmnoopt08.sqm moved successfully.
C:\sqmnoopt09.sqm moved successfully.
C:\sqmnoopt10.sqm moved successfully.
C:\sqmnoopt11.sqm moved successfully.
C:\sqmnoopt12.sqm moved successfully.
C:\sqmnoopt13.sqm moved successfully.
C:\sqmnoopt14.sqm moved successfully.
C:\sqmnoopt15.sqm moved successfully.
C:\sqmnoopt16.sqm moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Komp1\LOCALS~1\Temp\etilqs_KBTTYoG8A5IqDqV35JEK scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\hlktmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Komp1\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Komp1\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Komp1\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Komp1\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Komp1\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Komp1\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Opera cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12142008_130931

Files moved on Reboot...
File C:\DOCUME~1\Komp1\LOCALS~1\Temp\etilqs_KBTTYoG8A5IqDqV35JEK not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.
C:\Documents and Settings\Komp1\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Komp1\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Komp1\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Komp1\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Komp1\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Komp1\Local Settings\Application Data\Mozilla\Firefox\Profiles\h5gawoct.default\XUL.mfl moved successfully.

Post by Belahzur on Sun Dec 14, 2008 1:31 pm

Looks good now; what problems remain?

Post by vrex on Mon Dec 15, 2008 8:14 am

The files in the installer dir, to which the PGP links were pointing at the beginning of the problem, are back.

c:\windows\Installer\{B92076A1-8457-48F1-82E0-3B899404AEE3}\Icon656058161.exe
c:\windows\Installer\{B92076A1-8457-48F1-82E0-3B899404AEE3}\Icon6560581611.exe
c:\windows\Installer\{B92076A1-8457-48F1-82E0-3B899404AEE3}\Icon6560581612.exe
c:\windows\Installer\{B92076A1-8457-48F1-82E0-3B899404AEE3}\Icon6560581613.exe
c:\windows\Installer\{B92076A1-8457-48F1-82E0-3B899404AEE3}\Icon656058163.exe
c:\windows\Installer\{B92076A1-8457-48F1-82E0-3B899404AEE3}\Icon656058167.exe
c:\windows\Installer\{B92076A1-8457-48F1-82E0-3B899404AEE3}\Icon656058168.exe
c:\windows\Installer\{B92076A1-8457-48F1-82E0-3B899404AEE3}\Icon6560581610.rtf
c:\windows\Installer\{B92076A1-8457-48F1-82E0-3B899404AEE3}\Icon656058165.rtf
c:\windows\Installer\{B92076A1-8457-48F1-82E0-3B899404AEE3}\Icon656058166.pdf
c:\windows\Installer\{B92076A1-8457-48F1-82E0-3B899404AEE3}\Icon656058169.pdf

I've archived those in case they are needed and deleted the folder. Is that normal? Or does the problem still exist?

Post by Belahzur on Mon Dec 15, 2008 2:08 pm

Hello.
No threat; the stuff inside the installer folder is just installation stuff from Windows Updates. You can just delete the folder:
c:\windows\Installer\{B92076A1-8457-48F1-82E0-3B899404AEE3}

It will be regenerated when Windows Updates happen again.

Post by vrex on Wed Dec 17, 2008 11:58 am

OK, thanks.

Post by Doctor Inferno on Sat Jan 17, 2009 10:44 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.
