TDS trace scans?????
Grasshopper
April 19th, 2004, 08:25 AM
Hello everyone,
I just installed Process Guard on my system, and after the install TDS started giving me trace scan reports of what seems to me to be a list of blocked junk from one of my other programs. This list is huge and I have no idea what program it might be from. Most of this list is not on my computer and never was.
Yesterday, knowing I was getting Process Guard today, I did a complete scan of my computer with everything I have, including TDS, and everything came up clean.
Process Guard seems to be an awesome program; I hope it isn't the cause.
As always, thanks for any help,
Frank
Pilli
April 19th, 2004, 08:39 AM
Hello Grasshopper, can you tell us what OS you are using, please?
Not sure what is going on in your PC. Are you running TDS3 as an Admin or restricted user?
To quote Gavin:
Now would be a good time to submit an ASViewer report; please enable all autostart options by pressing F2, F3 and F4 or ticking the relevant options before saving a log.
http://www.diamondcs.com.au/index.php?page=asviewer
Thanks, Pilli
Grasshopper
April 19th, 2004, 09:19 AM
Hi Pilli,
My OS is Win XP Pro.
I have never attached anything to a post; can you explain the process?
Thanks,
Frank
Grasshopper
April 19th, 2004, 09:19 AM
-{ Quote: "Hi Pilli,
My OS is Win XP Pro.
I have never attached anything to a post; can you explain the process?
Thanks,
Frank" }-
Never mind, DUH!!!
Frank
Grasshopper
April 19th, 2004, 09:23 AM
Hi again Pilli,
I saved the scan results from TDS if you want them.
Pilli
April 19th, 2004, 11:15 AM
-{ Quote: "Hi Pilli,
My OS is Win XP Pro.
I have never attached anything to a post; can you explain the process?
Thanks,
Frank" }-
Hi Frank, to make it easier I will paste the contents here. I am not an expert with these, so I shall ask for assistance - Thanks. Pilli
DiamondCS Autostart Viewer (www.diamondcs.com.au) -
Report for Frank, 04-19-2004
dvk01
April 20th, 2004, 04:54 AM
I can't see anything obviously out of place.
Can you post a TDS scandump log taken after a TDS scan? That might show something.
Pilli
April 20th, 2004, 05:22 AM
It may be as well to try HijackThis. The instructions are here: http://www.wilderssecurity.com/forumdisplay.php?f=24
Grasshopper
April 20th, 2004, 06:05 AM
-{ Quote: "It may be as well to try HijackThis. The instructions are here: http://www.wilderssecurity.com/forumdisplay.php?f=24" }-
Hi Pilli,
I don't know what you are looking for. I swear my computer is clean, but if you think it will help I'll post a HijackThis log.
In the meantime, here is my TDS log.
Scan Control Dumped @ 08:40:04 19-04-04
File Trace: Default trojan filename: Keylog.PC Weasel
File: C:\Program Files\PC Weasel\Mode.exe
File Trace: Default trojan filename: Keylog.PC Weasel
File: C:\Program Files\PC Weasel\ijl11.dll
File Trace: Default trojan filename: Keylog.Impossible
File: C:\WIN32DLL.exe
File Trace: Default trojan filename: Keylog.Impossible (log)
File: C:\kboard.dat
File Trace: Default trojan filename: Keylog.Ghost Keylogger
File: C:\Program Files\Sync Manager\agent\syncagent.dll
File Trace: Default trojan filename: Keylog.Ghost Keylogger
File: C:\Program Files\Sync Manager\agent\syncagent.exe
File Trace: Default trojan filename: Keylog.Ghost Keylogger (Config)
File: C:\Program Files\Sync Manager\syncconfig.exe
File Trace: Default trojan filename: Keylog.Ghost Keylogger (log)
File: C:\Program Files\Sync Manager\logfile.cip
File Trace: Default trojan filename: RAT.Fraggle Rock Lite (keylog)
File: C:\system.dll
File Trace: Default trojan filename: RAT.SpyAnywhere
File: C:\Program Files\Spytech Software\SpyAnywhere\SpyAnywhere.exe
File Trace: Default trojan filename: RAT.AlexMessoMalex
File: C:\Msdos.exe
File Trace: Default trojan filename: Worm.Redesi
File: c:\rede.exe
File Trace: Default trojan filename: Worm.Redesi
File: c:\disk.exe
File Trace: Default trojan filename: Worm.MyParty
File: c:\regctrl.exe
File Trace: Default trojan filename: Worm.MyParty
File: c:\recycled\regctrl.exe
File Trace: Default trojan filename: RAT.NetAdmin
File: C:\Program Files\NetAdmin\NetAdminServer.exe
File Trace: Default trojan filename: Worm.Lentin
File: c:\Recycled\msscra.exe
File Trace: Default trojan filename: Worm.Lentin
File: c:\Recycled\msmdm.exe
File Trace: Default trojan filename: Worm.GOPWorm
File: C:\Recycled\Notdelw.i.n.v.e.r.y.i.f.y.exe
File Trace: Default trojan filename: Worm.Petik.b
File: C:\Twin.vbs
File Trace: Default trojan filename: PSW.Dummylock
File: C:\dummyset.DAT
File Trace: Default trojan filename: PSW.Dummylock (log)
File: C:\passwords.dat
File Trace: Default trojan filename: Keylog.Logger
File: C:\Program Files\Win32\Win32.exe
File Trace: Default trojan filename: Monitor.Chat Watch
File: C:\Program Files\Chat Watch\ChatWatch.exe
File Trace: Default trojan filename: Monitor.CyberVizion
File: C:\Program Files\Moonlight Software\CyberVizion\netctrl.exe
File Trace: Default trojan filename: Monitor.CyberVizion
File: C:\Program Files\Moonlight Software\CyberVizion\tasksyn.exe
File Trace: Default trojan filename: Monitor.FamilyCam
File: C:\Program Files\FamilyCAM 3.0\fmcm.exe
File Trace: Default trojan filename: Monitor.System Spy
File: C:\Program Files\SS\SS.exe
File Trace: Default trojan filename: Keylog.SilentLog (log)
File: C:\SilentLog.txt
File Trace: Default trojan filename: Keylog.SilentLog (log)
File: C:\KeepSilent.log
File Trace: Default trojan filename: Keylog.JanNet
File: C:\keylogger.exe
File Trace: Default trojan filename: Monitor.SafeNet
File: C:\Program Files\SafeNet\Wbasesys.exe
File Trace: Default trojan filename: Worm.Taz
File: C:\Wally.exe
File Trace: Default trojan filename: Worm.Taz
File: C:\XXX.exe
File Trace: Default trojan filename: I-Worm.Orkiz
File: C:\system32 - Veronica la mejor!!!.exe
File Trace: Default trojan filename: I-Worm.Orkiz
File: C:\eurovision.vbs
File Trace: Default trojan filename: I-Worm.Orkiz
File: C:\Command.com.vbs
File Trace: Default trojan filename: I-Worm.Orkiz
File: C:\x.vbs
File Trace: Default trojan filename: I-Worm.Orkiz
File: C:\OperacionTriunfo.scr
File Trace: Default trojan filename: Trojan.Win32.Sith
File: C:\winsys.exe
File Trace: Default trojan filename: RAT.OMPN Magic
File: C:\run32.exe
File Trace: Default trojan filename: RAT.Avone 2 Beta
File: C:\Program Files\Mg\mg.exe
File Trace: Default trojan filename: Worm.Alcaul
File: c:\v.vbs
File Trace: Default trojan filename: Worm.Alcaul
File: c:\syra.scr
File Trace: Default trojan filename: Worm.Alcaul
File: c:\SexSound.exe
File Trace: Default trojan filename: Worm.Alcaul
File: C:\autorun.com
File Trace: Default trojan filename: Worm.Alcaul
File: C:\www.EcstasyRUs.com
File Trace: Default trojan filename: Worm.Alcaul
File: C:\alcopaul.html
File Trace: Default trojan filename: Worm.Alcaul
File: C:\dnserror1.html
File Trace: Default trojan filename: Worm.Alcaul
File: C:\free2joints.zip
File Trace: Default trojan filename: Trojan.Virri
File: c:\rgvmdv.exe
File Trace: Default trojan filename: Worm.SecUpd
File: C:\load.exe
File Trace: Default trojan filename: Worm.Trillisa
File: c:\shakira.scr
File Trace: Default trojan filename: Worm.Trillisa
File: c:\Bush_you_are_guilty!!!.scr
File Trace: Default trojan filename: Worm.Trilisa
File: c:\ .vbs
File Trace: Default trojan filename: Worm.Trilisa
File: c:\ .exe
File Trace: Default trojan filename: RAT.KrAIMer
File: c:\AOL70.exe
File Trace: Default trojan filename: Worm.Sharp
File: c:\Ms02-010.exe
File Trace: Default trojan filename: RAT.NokNok
File: C:\Program Files\WinSecurity\securpatch.exe
File Trace: Default trojan filename: RAT.AntiYahoo
File: C:\KcGame\kcgame.exe
File Trace: Default trojan filename: RAT.Habibti
File: c:\msn2003.exe
File Trace: Default trojan filename: Dialer.a
File: C:\Program Files\Webdialer\sddlr.exe
File Trace: Default trojan filename: RAT.TheefLE
File: c:\Lib32.exe
File Trace: Default trojan filename: Worm.Duni
File: c:\zero.exe
File Trace: Default trojan filename: Keylog.Daniel (log)
File: c:\Klgf.txt
File Trace: Default trojan filename: RAT.Insider
File: c:\MDIOCTL.EXE
File Trace: Default trojan filename: Worm.Kitro
File: c:\system32.exe
File Trace: Default trojan filename: Worm.Kitro
File: c:\archiv~1\psycho.scr
File Trace: Default trojan filename: Worm.Kitro
File: c:\zonavirus.Dll
File Trace: Default trojan filename: Worm.Kitro
File: c:\Bn.exe
File Trace: Default trojan filename: Destruct.Main
File: c:\antlvirii.exe
File Trace: Default trojan filename: Destruct.Main
File: c:\BIOSConfig\BiosFix.exe
File Trace: Default trojan filename: RAT.Cabronator
File: c:\MSWSIGX.DLL
File Trace: Default trojan filename: Worm.Remat
File: c:\dat0.exe
File Trace: Default trojan filename: Worm.Remat
File: c:\VQ.exe
File Trace: Default trojan filename: Worm.Shorm
File: c:\WORM.EXE
File Trace: Default trojan filename: Worm.Southpak
File: c:\Blade
File Trace: Default trojan filename: Worm.Southpak
File: c:\Pk.fuk
File Trace: Default trojan filename: DDoS.CrackerBox
File: C:\Program Files\CrackerBox\CrackerBox.exe
File Trace: Default trojan filename: TrojanClicker.Win32.Setrix
File: c:\My Documents\Command.exe
File Trace: Default trojan filename: Trojan.Win32.Loveadot
File: C:\Sysgo.bat
File Trace: Default trojan filename: RAT.Cabronator Dropper
File: C:\CheckSystem\Britney_spears_nude.exe
File Trace: Default trojan filename: RAT.Cabronator Dropper
File: C:\CheckSystem\CRACK_WINDOWS_XP.EXE
File Trace: Default trojan filename: RAT.Cabronator Dropper
File: C:\CheckSystem\GTA3_CRACK.EXE
File Trace: Default trojan filename: Worm.Duksten
File: C:\Netskudo.exe
File Trace: Default trojan filename: PSW.FakeAOL
File: c:\aolpass.txt
File Trace: Default trojan filename: RAT.Brouser
File: c:\winupt.dat
File Trace: Default trojan filename: RAT.Retribution
File: c:\autoexec.exe
File Trace: Default trojan filename: Worm.Opasoft
File: c:\ScrSin.dat
File Trace: Default trojan filename: Worm.Opasoft
File: c:\ScrSout.dat
File Trace: Default trojan filename: Worm.Pelic
File: C:\Program Files\KaZaA\My Shared Folder\Sex-free.exe.vbs
File Trace: Default trojan filename: Worm.Pelic
File: C:\Program Files\KaZaA\My Shared Folder\Mix-brazil.mp3.vbs
File Trace: Default trojan filename: RAT.CiscoScan
File: c:\Drivers\wserver.exe
File Trace: Default trojan filename: Worm.Fleming
File: c:\Update35784.exe
File Trace: Default trojan filename: Worm.Fleming
File: c:\Hehe2397824.exe
File Trace: Default trojan filename: RAT.T.O.D
File: C:\Program Files\Common Files\System\Explorer.exe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Zephyr Song.mp3.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Fire.mp3.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\ReignoFire.mp3.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\HULK.mpg.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\TheTuxedo.mpeg.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Reign of Fire.mpeg.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Pentium 5.doc.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Pentium 5.rtf.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\How to make viruses.txt.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Playboy 9.mpeg.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Setup.exe.EXe
File Trace: Default trojan filename: Worm.Wonna
File: C:\Cool_File.exe
File Trace: Default trojan filename: Worm.Wonna
File: C:\KaZaA\My Shared Folder\MSN Crack.exe
File Trace: Default trojan filename: Worm.Wonna
File: C:\KaZaA\My Shared Folder\MSN Hack.exe
File Trace: Default trojan filename: Worm.Wonna
File: C:\KaZaA\My Shared Folder\ICQ Password
File Trace: Default trojan filename: Worm.Wonna
File: C:\KaZaA\My Shared Folder\HotMail
File Trace: Default trojan filename: Worm.Wonna
File: C:\KaZaA\My Shared Folder\SpiderMan-PC-Game-v2 FullDownloader.exe
File Trace: Default trojan filename: Worm.Wonna
File: C:\KaZaA\My Shared Folder\ICQ Hack.exe
File Trace: Default trojan filename: Worm.Wonna
File: C:\KaZaA\My Shared Folder\Windows (All Versions) KeyGen.exe
File Trace: Default trojan filename: Worm.Wonna
File: C:\Program Files\KaZaA\My Shared Folder\MSN Crack.exe
File Trace: Default trojan filename: Worm.Wonna
File: C:\Program Files\KaZaA\My Shared Folder\MSN Hack.exe
File Trace: Default trojan filename: Worm.Wonna
File: C:\Program Files\KaZaA\My Shared Folder\ICQ Password
File Trace: Default trojan filename: Worm.Wonna
File: C:\Program Files\KaZaA\My Shared Folder\HotMail
And this is only half of it.
Thanks.
Pilli
April 20th, 2004, 06:28 AM
OK Frank, I'll have another guess :)
Download the latest radius file from here: http://tds.diamondcs.com.au/index.php?page=update
Disconnect from the internet, modem whatever.
Please uninstall TDS3 and delete all the files in your TDS3 folder except for your keyfile.
Re-boot and ensure that no other programmes are running, including your AV.
Re-install TDS3 and copy the downloaded radius file to your TDS folder.
Re-run the scans.
I am hoping that you just have a corrupt installation so I want to make sure that it is corrected in the safest manner.
Cheers. Pilli
Grasshopper
April 20th, 2004, 07:35 AM
Back again!!!!
Pilli , I did as you asked ,
Downloaded TDS; install and update done manually after cleaning everything out. No problems with the scans this time, but I really don't think it was a corrupt installation; it didn't start acting up until I installed Process Guard.
Anyway, we'll see what happens; hopefully you were right and there will be no more problems. If there are, I know where to go.
Thanks for the help,
Frank
Pilli
April 20th, 2004, 08:22 AM
Grasshopper, your problem was unique regarding TDS3 as far as I know, so I am pretty sure it was a corrupt install; hopefully all will be well now. Run a full scan with all options just to make sure. :)
Please ask whatever questions you want, the unasked ones are the more dangerous.
Pilli
Grasshopper
April 20th, 2004, 09:16 AM
-{ Quote: "Grasshopper, your problem was unique regarding TDS3 as far as I know, so I am pretty sure it was a corrupt install; hopefully all will be well now. Run a full scan with all options just to make sure. :)
Please ask whatever questions you want, the unasked ones are the more dangerous.
Pilli" }-
Hello again ,
My problem is back and it seems to be intermittent.
Sometimes when I boot up everything works fine; other times TDS finds the files as shown in the log I posted. Also, Outpost is now booting up with an error (sometimes).
All seems to point to Process Guard; none of this was happening before PG's install.
Regards ,
Frank
Grasshopper
April 20th, 2004, 09:18 AM
Sorry Pilli ,
I did run that full scan again and found nothing.
Thanks Again ,
Frank
FanJ
April 20th, 2004, 09:42 AM
Hi,
I really don't understand it......
Are you really sure that you're not heavily infected?
I see strange files, for example:
File: c:\e_$.exe
File: C:\Setup.exe.EXe
File: C:\Playboy 9.mpeg.EXe
File: C:\How to make viruses.txt.EXe
File: C:\KaZaA\My Shared Folder\MSN Crack.exe
etc etc etc
??? ??? ???
FanJ
April 20th, 2004, 09:53 AM
Let's have a look at this:
quote
File Trace: Default trojan filename: Worm.Veedna
File: C:\Zephyr Song.mp3.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Fire.mp3.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\ReignoFire.mp3.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\HULK.mpg.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\TheTuxedo.mpeg.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Reign of Fire.mpeg.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Pentium 5.doc.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Pentium 5.rtf.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\How to make viruses.txt.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Playboy 9.mpeg.EXe
File Trace: Default trojan filename: Worm.Veedna
File: C:\Setup.exe.EXe
end quote
Now look at this Symantec site:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.veedna.c.html
quote
When W32.HLLW.Veedna.C runs, it does the following:
Copies itself as the following files:
C:\Tuxedo.mp3.scr
C:\XMen 2.scr
C:\Xmen 2.mp3.scr
C:\ZephyrSong.mp3.scr
C:\XFiles.mp3.scr
C:\Matrix.avi.scr
C:\Matrix.mpeg.scr
C:\Matrix.scr
C:\Matrix 2.mpeg.scr
C:\Fire.mp3.scr
C:\Reign of Fire.mp3.scr
C:\XFiles.mpg.scr
C:\The Tuxedo.mpeg.scr
C:\Small Ville.scr
C:\Small Ville .scr
C:\Small Ville .scr
C:\Small Ville .scr
C:\Small Ville .scr
C:\Small Ville .scr
C:\Small Ville .scr
C:\Small Ville .scr
C:\Tuxedo.mpg .scr
C:\Small Ville .scr
C:\Reignof Fire.mpeg.scr
C:\Pentium5.doc.scr
C:\Pentium5.rtf.scr
C:\Howtomakeviruses.txt.scr
C:\Playboy10.mpeg.scr
C:\Setup.exe.scr
A:\TheIncredible Hulk.scr
D:\TheRock.scr
C:\vandEEd0.scr
C:\Windows\start.scr
C:\Windows\start.exe
C:\WinNT\start.scr
C:\WinNT\start.exe
end quote
A lot of those files mentioned at the Symantec site describing the Veedna worm I also see on your list.
And you say "I swear my computer is clean".
Sorry, I don't understand it!
In my humble opinion your computer is heavily infected, or I must be making a real bad mistake...
FanJ
April 20th, 2004, 10:04 AM
Well, looking again at that Veedna worm, there are surely differences.
For example:
you have: C:\Pentium 5.doc.EXe
Symantec speaks of: C:\Pentium5.doc.scr
And that goes for more of these files.
You have them ending in EXe; Symantec says scr.
But any file ending with the double extension .doc.exe should ring ALL alarm bells !!!
Do you really have such a file on your system; please check it !
And it is only one example...
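FanJ's point about double extensions is easy to check mechanically. The block below is an added example (not code from the thread, from DiamondCS or from Symantec) that walks a directory tree and flags names where a harmless-looking extension is followed by one Windows will execute. The extension sets are assumptions, a representative subset rather than a complete list, and the sample files it creates are constructed (several names copied from the scan list above, the rest made up). It is written in Python so it runs anywhere; on XP the same check matters because "Hide extensions for known file types" shows "Pentium 5.doc.EXe" as "Pentium 5.doc".

```python
"""Walk a directory tree and flag "double extension" file names such as
"Pentium 5.doc.EXe", where a harmless-looking extension is followed by one
that Windows will actually execute."""
import os
import shutil
import tempfile
from pathlib import Path

# Extensions Windows runs when the file is opened. Assumption: a
# representative subset, not the full list of executable types.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".wsf"}

# Extensions commonly used as the decoy in front of the real one.
# Assumption: representative subset.
DECOY_EXTS = {".doc", ".rtf", ".txt", ".pdf", ".mp3", ".mpg", ".mpeg", ".avi", ".jpg", ".gif", ".zip"}


def is_double_extension(name):
    """True when the last extension is executable and the one before it is a
    decoy or itself executable (Setup.exe.EXe, Sex-free.exe.vbs)."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    if len(suffixes) < 2:
        return False
    last, before = suffixes[-1], suffixes[-2]
    return last in EXECUTABLE_EXTS and (before in DECOY_EXTS or before in EXECUTABLE_EXTS)


def find_double_extensions(root):
    """Return the sorted full paths of every double-extension file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if is_double_extension(fn):
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def build_demo_tree(root):
    """Create empty files with constructed names (several copied from the
    scan list above) so the walker has something to find."""
    layout = {
        "": ["Pentium 5.doc.EXe", "Playboy 9.mpeg.EXe", "Setup.exe.EXe",
             "report.doc", "archive.tar.gz"],
        "My Shared Folder": ["Sex-free.exe.vbs", "readme.txt"],
    }
    for sub, names in layout.items():
        folder = Path(root, sub)
        folder.mkdir(parents=True, exist_ok=True)
        for name in names:
            (folder / name).write_bytes(b"")


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, and return
    the flagged base names."""
    root = tempfile.mkdtemp(prefix="dblext_")
    try:
        build_demo_tree(root)
        return [os.path.basename(p) for p in find_double_extensions(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name in demo():
        print("suspicious:", name)
```

Point it at a real drive with `find_double_extensions(r"G:\")`; anything it returns deserves the "copy, zip and submit" treatment Pilli describes rather than a double-click.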
Pilli
April 20th, 2004, 10:23 AM
Frank, If you can find any of those listed files, please copy them to a folder, zip them up and send them to submit@diamondcs.com.au for analysis.
As Fanj says there sure appears to be something amiss.
I am almost certain that PG is not responsible as nothing has ever been reported like your problem.
Thanks. Pilli
FanJ
April 20th, 2004, 11:11 AM
Very good suggestion, Pilli !
Frank,
Do you have ExecutionProtection enabled in TDS-3 ?
Do you see a line like this in your TDS-3 console:
17:06:16 [Init] • Exec Protection : OK. Installed
If not, then in TDS-3 go to TDS > Execution Protection > Install
Look indeed if you have such files with those double extensions on your system.
May I suggest, after you have sent such file(s) to DiamondCS, this:
Make sure you have the latest Radius-file for TDS-3.
Uninstall ProcessGuard.
Disconnect from the net.
Disable NOD32 temporarily.
Do a full system scan with TDS-3, with every scan-option enabled.
What does TDS-3 tell you then?
Jooske
April 20th, 2004, 12:26 PM
Do you run TDS as an admin or user or power user?
FanJ
April 20th, 2004, 12:46 PM
thumbs up for you Jooske !
There is indeed a problem that may cause those false alarms with respect to "file traces" if you don't run TDS-3 with Admin privileges !
To quote Gavin:
"The trace scanner can have problems if and only if you dont have Admin privileges - and if TDS has no access to read files...."
Right click the TDS shortcut and select properties, go to the advanced tab & run as admin.
Frank,
Does that solve your problem?
Please let us know.
Thanks !
Regards, Jan.
Grasshopper
April 20th, 2004, 12:55 PM
Hi all,
First of all, I have already uninstalled PG and tested; everything worked fine. After the reinstall I'm back to problems.
Second, I can't find any of the files TDS alerted on because they are on the C: drive, and my C: drive is a flash card reader; my OS and everything else is on the G: drive.
Third, if all that crap was on my computer (remember I only posted half of it) I really don't think it would be running very well, and believe me it is running well other than the little glitches with TDS and Outpost.
I still think it is a list of blocked garbage from another program that TDS is mistakenly alerting on.
I also tried with and without exec protection with no difference.
I try very hard to keep a clean computer and I would know if it was infected, especially with that much junk.
I'll try a little more testing and see what I can come up with .
Thanks again all ,
Frank
Jooske
April 20th, 2004, 12:58 PM
Gavin indicated in another thread there are users thinking they are running as an admin but in reality as a power user, which can give such problems too. So make sure you run as an admin and in any other case use "run as" like described above.
And make sure your hijackthis log is posted so the experts can look at it too!
FanJ
April 20th, 2004, 01:00 PM
Hi Frank,
I apologize for all the confusion !
There have indeed been other reports about alerts for "file traces".
This is caused if TDS-3 does not run as admin.
(Problem for me is that I have only W 98 SE; I need someone here with experience on XP and TDS-3).
Sorry !!!!!!!!!!!
Regards, Jan.
Grasshopper
April 20th, 2004, 01:30 PM
-{ Quote: "Hi Frank,
I apologize for all the confusion !
Regards, Jan." }-
No apologies are needed , I appreciate your help .
It's just a little frustrating not being able to understand what is going on.
This system is set up for only one user and I assume that would make that one user the administrator; I don't think I would know how to set it up as a power user, whatever that is.
thanks and Cheers ,
Frank
FanJ
April 20th, 2004, 01:57 PM
Thanks Frank ! :)
I have just asked the DiamondCS-guys for some help.
Given the different time-zones it could take a little while ;)
Cheers, Jan.
Jooske
April 20th, 2004, 02:02 PM
Neither would I; maybe you can try the properties and "run as" anyway to see if that makes any difference.
Pilli
April 20th, 2004, 02:23 PM
If you only have one account it is Admin by default :)
I think a HijackThis listing may be of some help now, so can you post one please, Grasshopper?
As far as I know Process Guard could not cause these errors as it does not scan anything as such.
It may also be interesting to attach a copy of your PG log if you have not deleted it, may give us another clue :)
Grasshopper
April 20th, 2004, 09:17 PM
Hello all ,
I have uninstalled Process Guard again and this time TDS still gives me the trace alerts in C:. Very confusing, but I'm not ruling out PG yet.
Here is my HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 10:09:30 PM, on 20/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Eset\nod32krn.exe
G:\PROGRA~1\Security\Outpost\OUTPOS~1\outpost.exe
G:\Program Files\Eset\nod32kui.exe
G:\Program Files\Security\Spyware G\SpywareGuard\sgmain.exe
G:\Program Files\Security\Spyware G\SpywareGuard\sgbhp.exe
G:\PROGRA~1\INCRED~1\bin\IMApp.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Documents and Settings\Frank\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.105.136.160:80
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - G:\Program Files\Security\Spyware G\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - G:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [nod32kui] "G:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Outpost Firewall] G:\PROGRA~1\Security\Outpost\OUTPOS~1\outpost.exe /waitservice
O4 - Startup: SpywareGuard.lnk = G:\Program Files\Security\Spyware G\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - G:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38088.2726388889
I am definitely not an expert at this, but nothing here seems out of the ordinary.
I'm sure we will come up with something.
regards
Frank
FanJ
April 20th, 2004, 09:57 PM
Hi Frank,
For other issues I hope others will jump in, however:
With respect to this:
-{ Quote: "
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
" }-
The right line in your Hosts file is this:
64.91.255.87 www.dcsresearch.com
Please (!) delete this line in your Hosts file:
203.161.127.141 www.dcsresearch.com
See also:
http://www.wilderssecurity.com/showthread.php?t=25715
http://www.wilderssecurity.com/showthread.php?t=26720
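The O1 lines FanJ picked out are the kind of thing that is easy to miss by eye in a long hosts file. The following is an added example (not code from the thread or from DiamondCS) that parses hosts-file text and reports every hostname given more than one distinct address. The sample text is constructed: it reuses the two www.dcsresearch.com lines from the HijackThis log above and adds a comment, the standard localhost line and a two-name line; forums.example.test is a placeholder name. Which of several addresses a resolver actually uses varies, so the code reports all of them in file order rather than guessing.

```python
"""Parse a Windows hosts file and report hostnames that are mapped to more
than one address, the situation FanJ spotted in the HijackThis O1 lines."""
from collections import OrderedDict

# Constructed sample: the two dcsresearch.com lines from the log above plus
# a comment, the default localhost line and a line with two names.
# forums.example.test is a placeholder name, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.161.127.141 www.dcsresearch.com
64.91.255.87    www.dcsresearch.com   # the correct entry
64.91.255.87    dcsresearch.com   forums.example.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs in file order. '#' starts a comment, one IP
    may be followed by several names, and names compare case-insensitively."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names: nothing to map
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def addresses_for(text, hostname):
    """All addresses the file gives for hostname, in file order. Which one a
    given resolver actually uses varies, so report them all."""
    wanted = hostname.lower()
    return [ip for ip, name in parse_hosts(text) if name == wanted]


def conflicting_hosts(text):
    """{hostname: [ip, ...]} for every name with more than one distinct address."""
    seen = OrderedDict()
    for ip, name in parse_hosts(text):
        ips = seen.setdefault(name, [])
        if ip not in ips:
            ips.append(ip)
    return {name: ips for name, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for name, ips in conflicting_hosts(SAMPLE_HOSTS).items():
        print(f"{name} resolves to {len(ips)} different addresses: {', '.join(ips)}")
```

On XP the file to feed in is `%SystemRoot%\system32\drivers\etc\hosts`; a name that appears with two addresses, one of which nobody on the machine put there, is exactly what FanJ is asking Frank to remove.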
Gavin - DiamondCS
April 23rd, 2004, 12:08 AM
Hi everyone,
Until recently I wasn't aware of machines having a non-hard-drive as C:, which is the problem; the TRACE scanner was never designed with this in mind and there are many hard-coded worm names listed.
I would suggest you avoid using the trace scanner at all, since you have no traces coming up apart from those erroneous ones. If you do run the trace scanner you should be able to save the scandump and just ignore those alarms which refer to C:\ hard-coded paths; anything else is a realistic trace alarm and should be investigated as normal. Of course, feel free to email me if you have questions on any of the detections :)
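Gavin's advice (save the scandump, discard the alarms on hard-coded C:\ paths when C: is not the system drive, investigate the rest) can be applied to the dump format shown earlier in this thread. The block below is an added example, not DiamondCS code and not part of the original posts: it pairs each "File Trace:" line with the "File:" line that follows it, drops the C:\ alarms when the OS lives elsewhere, and checks whether each remaining path is actually present. The sample dump is constructed: three pairs copied from the posted results plus one made-up G:\ entry (Worm.Example and example.exe are placeholders, not real detections) so that a non-C: alarm appears. The existence check is injectable so the logic can be exercised without a Windows filesystem.

```python
"""Parse a TDS-3 trace-scan dump (the "File Trace:" / "File:" line pairs
posted above) and sort the alarms into ones to ignore and ones to chase."""
import os
import re
from dataclasses import dataclass

# Constructed sample in the format of the posted scan results: three pairs
# copied from that dump plus one made-up G:\ entry (Worm.Example /
# example.exe are placeholders, not real detections) to show an alarm that
# is NOT on the hard-coded C:\ drive.
SAMPLE_DUMP = """\
File Trace: Default trojan filename: Worm.Veedna
File: C:\\Pentium 5.doc.EXe
File Trace: Default trojan filename: Keylog.Ghost Keylogger (log)
File: C:\\Program Files\\Sync Manager\\logfile.cip
File Trace: Default trojan filename: RAT.SpyAnywhere
File: C:\\Program Files\\Spytech Software\\SpyAnywhere\\SpyAnywhere.exe
File Trace: Default trojan filename: Worm.Example
File: G:\\WINDOWS\\system32\\example.exe
"""

LINE_RE = re.compile(r"^(File Trace|File): (.*)$")


@dataclass
class TraceAlarm:
    trace: str  # e.g. "Default trojan filename: Worm.Veedna"
    path: str   # e.g. "C:\\Pentium 5.doc.EXe"

    @property
    def drive(self):
        """Drive letter with colon ("C:"), or "" for a path without one."""
        return self.path[:2].upper() if len(self.path) > 1 and self.path[1] == ":" else ""


def parse_dump(text):
    """Pair each "File Trace:" line with the "File:" line that follows it.
    Lines that do not match either form (headers, blank lines) are skipped."""
    alarms, pending = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, value = m.groups()
        if kind == "File Trace":
            pending = value
        elif pending is not None:
            alarms.append(TraceAlarm(pending, value))
            pending = None
    return alarms


def triage(alarms, system_drive, exists=os.path.exists):
    """Split alarms into (ignore, investigate).

    Per Gavin's advice: when Windows is not on C:, an alarm on a hard-coded
    C:\\ path is a scanner artefact and goes in `ignore`. Everything else is
    a genuine trace alarm; each is paired with whether the file is actually
    present, so the reader knows what to send to DiamondCS. `exists` is
    injectable so the logic can be exercised without touching the disk."""
    ignore, investigate = [], []
    for a in alarms:
        if a.drive == "C:" and system_drive.upper() != "C:":
            ignore.append(a)
        else:
            investigate.append((a, bool(exists(a.path))))
    return ignore, investigate


if __name__ == "__main__":
    found = parse_dump(SAMPLE_DUMP)
    skip, check = triage(found, "G:")
    print(f"{len(skip)} alarm(s) on hard-coded C:\\ paths ignored")
    for alarm, present in check:
        print(("PRESENT " if present else "missing ") + alarm.path + "  <- " + alarm.trace)
```

Run against Frank's real scandump with `system_drive="G:"`, the entire posted list lands in `ignore`, which is what Gavin is describing; with the hard drive back as C: nothing is filtered and every alarm is checked against the disk.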
Grasshopper
April 23rd, 2004, 08:09 AM
Hi all,
I'm back up and running after a reformat and putting my hard drive as C: again. I came to the same conclusion as Gavin as far as the HD designation was concerned and reformatted yesterday, not that I understand TDS well enough to realize what exactly it was doing, but because from my point of view it was the only thing that made any sense. I knew my computer was clean and the trace targets were all in C:, so the HD designation was pretty much the only other thing it could be.
I haven't reinstalled Outpost or Process Guard yet and so far TDS is back to normal; hopefully all will work as they should.
Thanks everyone for your help, and I will let you know how all goes in the next day or so.
Thanks again,
Frank
Pilli
April 23rd, 2004, 08:33 AM
You're welcome Grasshopper, I think we have all probably learnt a bit more :)
Enjoy your weekend - Pilli
Grasshopper
April 25th, 2004, 06:42 AM
Greetings one and all,
I reinstalled Process Guard and Outpost yesterday and all programs seem to be playing well with each other so far. ;D
TDS is running fine now with my HD as C: "phew" ;)
Outpost still has small glitches in it, but I think these are small problems with the new 2.1 version and hopefully not related to Process Guard.
When those of us (the average people) who are not so bright at operating computers run into problems, we tend to place blame on the first thing that makes sense to us. In my case it was PG, since I had just installed it; it seemed to me to be the most likely culprit. This was not the case and I apologize to the creators for jumping to that conclusion.
Thanks again for all your help and patience dealing with us, the average people.
Frank
Pilli
April 25th, 2004, 03:50 PM
Hi Grasshopper, no problem, that's what these forums are for; we all try to help each other. ;D
Any further problems, please do not be afraid to ask.
Cheers - Pilli
Grasshopper
April 26th, 2004, 09:34 AM
Hi all ,
Just to satisfy my own curiosity, can anyone from Diamond tell me what TDS was giving me trace alerts on??? Was it a list of nasties TDS has in its own database???
Just wondering ,
thanks
Frank
FanJ
April 26th, 2004, 10:31 AM
-{ Quote: "Hi all ,
Just to satisfy my own curiosity, can anyone from Diamond tell me what TDS was giving me trace alerts on??? Was it a list of nasties TDS has in its own database???
" }-
(not being an employee of DCS)
Yep, that's right.
File traces are far from the only way TDS-3 is able to detect a Trojan.
But, according to the TDS-3 Help-file, some Trojans install a nasty file in a "default" location. If it is the only Trojan that always puts a certain file in such a place, then DCS adds such a file-trace for it.
I hope that helps ;)
Grasshopper
April 27th, 2004, 03:36 PM
-{ Quote: "I hope that helps ;)" }-
Yep it does and thank you .
I hope we never stop learning; it's kind of fun at times.
Frank
Copyright ©2002 - 2012, Wilders Security Forums