Trojan horse BackDoor.Agent.BA

Discussion in 'Trojan Defence Suite' started by EMF_CLAN, Jul 7, 2004.

Thread Status:
Not open for further replies.
  1. EMF_CLAN

    EMF_CLAN Guest

    Okay,

    I did a few things:

    1. ran Spybot, nothing found (new version)

    2. ran a HijackThis log after reboot and removal of plma.dll
    (I posted it in the directory BADSANTA)
    for all you anti peeps who need to examine it

    OK, here is the HijackThis log after a fresh reboot:

    Logfile of HijackThis v1.98.0
    Scan saved at 11:59:18 AM, on 7/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Documents and Settings\robbie\Desktop\My Items\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000



    I will be posting more things that come up. I am running Port Explorer now and nothing out of the ordinary has come up.


    Well, AVG seems to have found the same backdoor items...
     
  2. EMF_CLAN

    EMF_CLAN Guest

    The file is original and zipped; nothing was performed on it. It is in my directory if needed; you can download it there, but I will also email it to the aforementioned addresses. www.emfclan.com/BADSANTA directory
     
  3. EMF_CLAN

    EMF_CLAN Guest

    Well, I seem to have rid myself of the plma dll, but I still get a warning from AVG and its alert.

    I uncheck exe files and I don't get the pop-up from AVG, but that's no solution.

    I will continue on my quest to rid myself of this criminal file. Yes, I said criminal.


    This isn't affecting my PC from what I see; it's rather a nuisance more than anything, but I want to get to the bottom of it.

    I ran all the progs but am still unable to find this back door bandit, but HOOOYAAA, we will overcome....lol


    I'm not sure where to begin now, but I will start shortly on the basic items in Windows management and go from there and see if it is indeed embedded in some file that has yet to be identified.
     
  4. EMF_CLAN

    EMF_CLAN Guest

    What I don't understand is why Norton did not discover these items.

    I deleted the Norton AV for one reason: the ccApp file was using HUGE RESOURCES on my PC, so that's why I deleted it. I assumed it was under the spell of our little dll friend.


    In my view there are 3 things a person needs:

    1. TDS-3
    2. AVG
    3. HijackThis


    Then any other items can't hurt as well.

    Well, PLEASE correct anything I may have missed or misdiscovered.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Your HJT log is very short again!
    If you see the AVG popups, to which path and file are they pointing now?
    As there is really nothing in those few HJT lines now.
    If you continue to make them that short you end with only the kernel32.dll and maybe systray.exe running and nothing else :)


    I don't agree with all of your list of needed software; yesterday we discussed some options in another thread here. At least start with a firewall, HW or SW, TDS / Process Guard / Port Explorer to hammer your system as tight as can be, add Wormguard, and then the AV like KAV, NOD32, AVG (or all of them - but only one at a time resident),
    then all that anti-spy/adware like Spybot S&D / Ad-aware,
    and somewhere in between the JavaCool tools,
    CryptoSuite for your data protection (encryption) of course and encrypted messaging between your own system and somebody else you invite onto your own system,
    and some more tools and toys for detection, monitoring, testing, etc.
    With the named tools you have the good stuff to start with.

    Now give the guys a nice long HijackThis log with everything in it. And did you look at the AutoStartViewer already? Very nice logs if you check all options.


    The file most probably renamed itself with the reboot?

    Maybe Norton's revenge for deleting (hope you mean uninstalling) it.
     
  6. EMF_CLAN

    EMF_CLAN Guest

    Well, it seems HijackThis found the dll and I'm going to check and delete it and see what happens. Here is the log as well as a pic I posted on info of the item.

    Logfile of HijackThis v1.98.0
    Scan saved at 1:08:38 PM, on 7/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\robbie\Desktop\My Items\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O20 - AppInit_DLLs: C:\WINDOWS\System32\wdmnl.dll



    I will post this also in my directory described above.
     
  7. EMF-CLAN

    EMF-CLAN Guest

  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did you zip and submit that last file too? It's in your HJT backups (same folder) if you fixed it. You might have had to check in the task manager if the file/process was not running to close it, and if it was not possible to fix / delete it, it would be possible in safe mode.
    Then I hope you closed System Restore so all that stuff was not back after the reboot!
     
  9. EMF-CLAN

    EMF-CLAN Guest

    Well well well,

    it seems that this is a new type of nasty that masked itself with another item.

    I'm not savvy in any way and I consider myself self reliant and I like to do things myself rather than with help; in the dictionary it's called bullheaded..


    Well, I can't say enough good things about this forum. After I took my head out of my arse, and with nice advice like from Jooske, I seem to have beaten a few things that I could have never done without these forums.

    I am sure I am not totally rid of these "NASTYS" but I am well on my way.

    With all the progs I have seen used in these forums it was a clear help, but what worries me is the people who have no idea that these exist and then cry foul when they take down the performance of their PC, i.e. browser hijacks and such.

    These people should be punished to the full extent of the law...


    I have spent countless days tackling this prob myself and then frustration set in, and with the help of Jooske I beat what I see as the first of many battles I'm sure will come.


    So until my next hijack I want to thank JOOSKE personally.

    THANX HOTTIE

    (hope you're a gal..hahah)


    I have rebooted 25 times and haven't seen the nastys pop, but I am yet to be convinced.

    From an amateur's view it was hidden with a key logger, then masked with a trojan, then hidden in the dll. I am a noob and this is a guess, but I have sent all the info to the, I hope, proper people ...



    ty Jooske
     
  10. EMF_CLAN

    EMF_CLAN Guest


    1. I don't use System Restore

    2. I have sent all the emails to the required people you stated
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    It does sound rather good then till now. Since you don't use System Restore those nasties are off; I think your determination sounds valid.
    There were two possible keyloggers, they had different names (a 4... and a 14....), maybe both part of the same program. Good that you submitted all the stuff. Hope you can keep up the site a little longer so the Australian guys (developer and Gavin) can have a look and look deeper.
    Since you love logging so much, you might like to post a log created with this as well; it should really show you everything and Gavin is the expert to examine it.
    http://www.diamondcs.com.au/index.php?page=asviewer

    I'm glad you didn't tell in advance you did not use System Restore, as a few wrong pieces of advice and your system was empty!
    Is the performance better now too?
    And except for rebooting, did you use all different browsers, including Internet Explorer, nothing wrong there either?

    I'm happy you like the forum, as much as we love to help here and learn from the questions ourselves too of course.
    You are very skilled yourself so know what you're doing and if something sounds right or not, and you had the right tools at hand at the moment, I think, unless the experts want you to do some more deep testing and know what to look for further!
    I must thank you too for the experience of step by step cleansing out a system and most of all saving it from the nasties on the internet!
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    BTW: what does TDS call that file wdmnl.dll ?


    Edit, yes, she's a girl.
     
  13. EMF_CLAN

    EMF_CLAN Guest

    Nice little progs you recommend, Jooske; they are fun to say the least.

    But yes, the PC is running smooth. This is one of 12 I have; I have a problem, my wife says, I like building PCs and then not selling them.

    I am a horsepower nut; my new one, the vapochill, is around 3.95 gigs at the moment, all the good stuff blah blah blah.

    Recently, like 3 months ago, I purchased 4 74gig Raptors for some of my PCs and put them in a RAID. I'm a gamer so I need all I can get.

    For you peeps who like looking at logs and such, feel free to browse my folders:

    www.emfclan.com/raptor for the 3.4 gig extreme machine, yes all Intel chipsets

    www.emfclan.com/h20 this is my watercooled ventures


    ATI all the way


    But HEY, FOR ALL YOU SPEED GEEKS: DO NOT OVERCLOCK RAPTORS IN RAID0.

    IT DON'T LIKE IT


    All is well for now, but I'm not totally convinced yet, but I will post anything that comes up.

    And yes, I have started using IE to see if it pops its NASTY head...

    And again, thank you Jooske.
     
  14. EMF-CLAN

    EMF-CLAN Guest

    Um, TDS did not discover this even after a reboot and a quarantine.

    The dll wasn't showing itself because I think it had some activity that masked its existence, but kudos to AVG for alerting me. I have seen other people that have this back door but have yet to identify it.

    I think me sending it in will help for future catches, or at least I hope it does. I get teary eyed that maybe I have made a difference in a program to stop these criminals.

    Oh, by the way, my handle is EMF_VIRUS on my website ...lol..ironic isn't it
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    We all like to submit samples and I happened to have some catches with TDS which even the KAV online checker didn't recognise yet, and then I felt wonderful!
    You will love Port Explorer, with the ability to spy on sockets and packets coming in; this is how I discovered (among others) suspicious stuff coming in.
    One gets a nose for it little by little I guess.
    TDS has a spy option too, more or less, with the Port Listen which you can put on some port and look at the stuff coming in.
    Used that a few years ago to see CodeRed coming in and the new versions, to name a few. (only the first few bytes of course)

    I think with the stuff you snipped out this time and submitted, especially that last AppInit_DLLs thing, you did a good job!
    See some info about it:
    http://support.microsoft.com/defaul...port/kb/articles/Q197/5/71.asp&NoWebContent=1
    The AppInit_DLLs value is found in the following registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

    All of the DLLs specified in this value are loaded by each Windows-based application running within the current logon session.
    MORE INFORMATION
    The AppInit DLLs are loaded via LoadLibrary() during the DLL_PROCESS_ATTACH of User32.dll. As a result, executables that don't link with User32.dll will not load the AppInit DLLs. There are very few executables that don't link with User32.dll.

    Because of their early loading, only API functions exported from Kernel32.dll are safe to use within the initialization of the AppInit DLLs.

    The AppInit_DLLs value has type REG_SZ. This value should specify a NULL-terminated string of DLLs, which is delimited by spaces or commas. Because spaces are used as delimiters, no long file names should be used. The system does not recognize semicolons as delimiters for these DLLs.

    Only the first 32 characters of the AppInit_DLLs value are picked up by the system. Because of this 32-character limit, all of the AppInit DLLs should be located within the SYSTEM32 directory. This eliminates the need to include a path, thus allowing multiple DLLs to be specified.

    Normally, only the Administrators group and the LocalSystem account have write access to the key containing the AppInit_DLLs value.

    Can't explain, but I feel it fits with the story and I wonder what more to look for.
    This is a very dangerous kind of nasty; that's why I think your find is really important, also for others!

    Your site is interesting, how did you come to that handle for yourself? And what does EMF stand for?
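A defender-side check for the AppInit_DLLs rules quoted from the KB article in the post above, added here as an example (not code from the thread, HijackThis or DiamondCS): it pulls the value out of the posted O20 line, splits it the way the KB says the loader does (first 32 characters only, spaces or commas as delimiters, semicolons ignored) and flags entries for review. The allowlist parameter is a constructed assumption; on a clean XP SP1 box the value is normally empty.

```python
"""Audit an AppInit_DLLs value using the rules in Microsoft KB Q197571.
Added example; the O20 sample line is the one from the HijackThis log in
this thread, the allowlist is a constructed assumption."""
import re
from typing import Dict, FrozenSet, List, Optional

# Per the KB: only the first 32 characters of the REG_SZ value are read.
APPINIT_LIMIT = 32
# Per the KB: entries should live in SYSTEM32 so no path is needed.
SYSTEM32 = r"c:\windows\system32"
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")

# Constructed HJT excerpt; the O20 line is copied from the posted log.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O20 - AppInit_DLLs: C:\WINDOWS\System32\wdmnl.dll
"""


def appinit_from_hjt(log_text: str) -> Optional[str]:
    """Return the AppInit_DLLs value from a HijackThis O20 line, or None."""
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            return m.group(1).strip()
    return None


def split_appinit_value(value: str) -> List[str]:
    """Split the value the way the loader does: keep the first 32 characters,
    then split on spaces or commas. Semicolons are NOT delimiters, so
    'a.dll;b.dll' stays one (non-loadable) entry."""
    return [p for p in re.split(r"[ ,]+", value[:APPINIT_LIMIT]) if p]


def analyse_appinit(value: str,
                    allowlist: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """Report what the loader would actually try to load and why each entry
    deserves a look. With an empty allowlist every entry is flagged, which is
    the right default: a non-empty AppInit_DLLs on a home XP box is unusual."""
    entries = split_appinit_value(value)
    suspicious: List[str] = []
    notes: List[str] = []
    for entry in entries:
        name = entry.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name not in allowlist:
            reasons.append("not on allowlist")
        if "\\" in entry and not entry.lower().startswith(SYSTEM32 + "\\"):
            reasons.append("outside SYSTEM32")
        if not name.endswith(".dll"):
            reasons.append("no .dll extension (truncated or garbage)")
        if ";" in entry:
            reasons.append("contains ';' which is not a delimiter")
        if reasons:
            suspicious.append(entry)
            notes.append(f"{entry}: {', '.join(reasons)}")
    return {
        "entries": entries,
        "truncated": len(value) > APPINIT_LIMIT,
        "suspicious": suspicious,
        "notes": notes,
    }


if __name__ == "__main__":
    found = appinit_from_hjt(SAMPLE_HJT)
    for note in analyse_appinit(found or "")["notes"]:
        print(note)
```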
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Just remembering something:
    did you also scan the files online at KAV? www.kaspersky.com/remoteviruschk.html
    Upload the file and in a few seconds you have a second opinion about the files.
    This is to avoid you removing possibly legitimate files because of false positives by, for instance, AVG. Also your possible keyloggers might be innocent but contain some suspicious code, reason why I never delete files without first submitting them to the DCS lab for advice on them. Till that confirmation I zip them or rename the extension to something un-executable.

    You did have lots of the nasty appearances I saw in other HijackThis logs, so there was a lot the matter, that's for sure.
    Could you do me a favor and look in this thread [thread]15913[/thread] about the HJT log and other possible steps? Especially with this backdoor.agent I have seen in a few threads some very professional tools were used to get the people really clean and secure again. But those tools are for the experts there; I don't know them.
    But Gavin will love to dig out your complete autoStartViewer.log I guess!
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Got confirmation you really have one of the newer CWS variants, which really needs special cleansing and even more advanced cleansing tools in a special order, like for instance kukuku's thread, which ended successfully, to show you the real necessary steps.
    https://www.wilderssecurity.com/showthread.php?t=39754
    At least post your complete AutoStartViewer log.
    I would feel much more comfortable if you please would post your complete HJT log and eventual ASViewer log in the HJT forum [thread]15913[/thread] to know you are really clean.
    But during the process of cleansing please keep AVG disabled completely so all files can be seen by every other cleaner / scanner.
    Maybe your Norton did not see it because of AVG, just like TDS did not see it with AVG active. That is how AVG works, unfortunately.

    Please let me know your next steps and how it goes!
     
  18. EMF-CLAN

    EMF-CLAN Guest

    Also, I did not run 2 instances of anti virus; I have learned that's a no no in the past, so before I installed AVG I uninstalled Norton completely, reg entries etc. I have come to find out through experience that while Norton is good, it is a huge resource hog as well as having some exploits that are taken advantage of by these NASTYS.


    Here is the complete Autostart Viewer log: services, drivers and active components.

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for robbie@ROBBIE-8ZD25U0T, 07-08-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\wininit.ini [rename]
    NUL=C:\DOCUME~1\robbie\LOCALS~1\Temp\bdl14025.exe
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck
    C:\WINDOWS\system32\dumprep 0 -k
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Works Update Detection
    C:\Program Files\Microsoft Works\WkDetect.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\System32\dcsws2.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}\
    C:\WINDOWS\System32\rundll32.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\AvgCore\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
    HKLM\System\CurrentControlSet\Services\AvgFsh\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
    HKLM\System\CurrentControlSet\Services\AvgServ\
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\DCFS2K\
    C:\WINDOWS\system32\drivers\dcfs2k.sys
    HKLM\System\CurrentControlSet\Services\DgiVecp\
    C:\WINDOWS\System32\Drivers\DgiVecp.sys
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SMTPSVC\
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\SpPortEx\
    C:\WINDOWS\System32\Drivers\SpPortEx.sys
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
     
  19. EMF-CLAN

    EMF-CLAN Guest

    Also, as of late, after messing with my registry I get this message while running a HijackThis log.

    This happened well before I discovered and at the moment contained my nasty worm and located the dll.

    I am sure this error is due to some values I deleted in the reg to stop the spread. Well, don't ask me what I did lol, but at the moment it was the right thing to do in my mind; not too helpful, but I don't have the nastys at the moment.

    I did some of my own registry changing to try and prevent the re-infection of the nasty and seem to get this error from HijackThis. While HijackThis still works, whenever I hit scan I get this error:

    An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=win.ini, sSection=windows, sValue=run)
    Error #5 - Invalid procedure call or argument

    Please email me at merijn@spywareinfoforum.com, reporting the following:
    * What you were doing when the error occurred
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2800.1106
    HijackThis version: 1.98.0
     
  20. EMF-CLAN

    EMF-CLAN Guest

    Those rotten bastards


    I had another evil dll pop up..grrrrrr, this being after I ran the three tests asked for by Gavin.

    Well, sighhhhhhhhhhhhhhhhhhhhhhhhhhhhh


    Looks as if another day wasted away with this crap.


    Postings soon to follow.
     
  21. EMF-CLAN

    EMF-CLAN Guest

    Here is the Ad-aware scan, in order of the post you made to me.


    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Thursday, July 08, 2004 10:28:03 AM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R330 07.07.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    7-8-2004 10:28:03 AM - Scan started. (Custom mode)

    Tracking Cookie Object recognized!
    Type : File
    Data : robbie@atdmt[2].txt
    Object : C:\Documents and Settings\robbie\Cookies\

    Created on : 6/30/2004 6:31:57 PM
    Last accessed : 6/30/2004 6:31:57 PM
    Last modified : 6/30/2004 6:31:57 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : robbie@qksrv[2].txt
    Object : C:\Documents and Settings\robbie\Cookies\

    Created on : 7/2/2004 4:28:32 PM
    Last accessed : 7/2/2004 4:28:32 PM
    Last modified : 7/2/2004 4:28:32 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : robbie@server.iad.liveperson[2].txt
    Object : C:\Documents and Settings\robbie\Cookies\

    Created on : 6/30/2004 9:36:42 PM
    Last accessed : 6/30/2004 9:39:45 PM
    Last modified : 6/30/2004 9:39:45 PM



    New.Net Object recognized!
    Type : File
    Data : ndnuninstall5_48.exe
    Object : C:\WINDOWS\
    FileSize : 48 KB
    Created on : 11/12/2003 6:35:42 PM
    Last accessed : 11/12/2003 6:35:42 PM
    Last modified : 11/12/2003 6:35:42 PM



    New.Net Object recognized!
    Type : File
    Data : ndnuninstall6_22.exe
    Object : C:\WINDOWS\
    FileSize : 48 KB
    Created on : 3/31/2004 8:57:29 PM
    Last accessed : 3/31/2004 8:57:29 PM
    Last modified : 3/31/2004 8:57:29 PM



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 5

    10:50:35 AM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:22:31:734
    Objects scanned :202569
    Objects identified :5
    Objects ignored :0
    New objects :5
     
  22. EMF-CLAN

    EMF-CLAN Guest

    Well, I'll send in the dll once I find it, as it is not present now.

    lol, I can sense a backup and a format, then I will be truly like the lady in the Titanic movie,

    able to stand on a computer chair with arms extended and looking at the monitor..lol
     
  23. FUBAR

    FUBAR Guest

    Just wipe your system and start over! You have wasted enough time already!
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Of course in the meantime I asked experts' advice and they told me about some new tools they have available to help you with, as you are infected with one of the newer CWS things; I don't know them and not how and what to do with them, so they asked you to post also the HJT log in that other HJT forum to help you with cleansing out and avoiding a reformat. You only have to register as a member of this forum to post there, but it's worth trying that help! [thread]15913[/thread]
    I'm sure Gavin will look at your logs here too since he asked for those.
    But the tools mentioned are really needed to regain your clean freedom.
     
  25. EMF_CLAN

    EMF_CLAN Registered Member

    Joined:
    Jul 8, 2004
    Posts:
    2
    Location:
    in front of my pc