Everything posted by sequence65

  1. After the Panda Active Scan I posted the log from HijackThis... Sorry for not posting the HijackThis log separately into a new topic.
  2. Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 6:49:00 PM, on 10/25/2008
     Platform: Windows XP SP1 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\System32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\System32\WgaTray.exe
     C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
     C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
     C:\WINDOWS\System32\ctfmon.exe
     C:\WINDOWS\System32\devldr32.exe
     C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
     C:\WINDOWS\System32\wuauclt.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
     O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
     O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
     O3 - Toolbar:
  3. Here it is...
     ANALYSIS: 2008-10-25 18:36:46 PROTECTIONS: 0 MALWARE: 45 SUSPECTS: 2
  4. I received errors, which were codes 724 and 731. I ran the full scan 3 times (twice I aborted under 35 minutes) and a quick scan once (log not included). The scans found infections so I stopped them in order to quarantine and delete the malware right away.

     Malwarebytes' Anti-Malware 1.30
     Database version: 1316
     Windows 5.1.2600 Service Pack 1

     10/24/2008 6:59:14 PM
     mbam-log-2008-10-24 (18-59-14).txt

     Scan type: Full Scan (C:\|D:\|E:\|)
     Objects scanned: 1512
     Time elapsed: 1 minute(s), 13 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\WINDOWS\system32\hadl.dll (Trojan.Agent) -> Delete on reboot.

     Malwarebytes' Anti-Malware 1.30
     Database version: 1316
     Windows 5.1.2600 Service Pack 1

     10/24/2008 7:58:46 PM
     mbam-log-2008-10-24 (19-58-46).txt

     Scan type: Full Scan (C:\|D:\|E:\|)
     Objects scanned: 18164
     Time elapsed: 29 minute(s), 39 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 1
     Registry Keys Infected: 4
     Registry Values Infected: 1
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 2

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     C:\WINDOWS\system32\hadl.dll (Trojan.Agent) -> Delete on reboot.

     Registry Keys Infected:
     HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\systemmanager (Trojan.Dropper) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\WINDOWS\system32\hadl.dll (Trojan.Agent) -> Delete on reboot.
     C:\WINDOWS\system32\comstl.exe (Trojan.Dropper) -> Delete on reboot.

     Malwarebytes' Anti-Malware 1.30
     Database version: 1316
     Windows 5.1.2600 Service Pack 1

     10/25/2008 6:37:15 AM
     mbam-log-2008-10-25 (06-37-15).txt

     Scan type: Full Scan (C:\|D:\|E:\|)
     Objects scanned: 171944
     Time elapsed: 10 hour(s), 12 minute(s), 45 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 3
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 6
     Files Infected: 5

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     C:\Program Files\Screensavers.com\Installer (Adware.Comet) -> Quarantined and deleted successfully.
     C:\Program Files\Screensavers.com\Installer\bin (Adware.Comet) -> Quarantined and deleted successfully.
     C:\Program Files\Screensavers.com\Installer\Ready (Adware.Comet) -> Quarantined and deleted successfully.
     C:\Program Files\Screensavers.com\Installer\temp (Adware.Comet) -> Quarantined and deleted successfully.
     C:\Program Files\Screensavers.com\Installer\Upload (Adware.Comet) -> Quarantined and deleted successfully.
     C:\Program Files\Screensavers.com\Wallpaper (Adware.Comet) -> Quarantined and deleted successfully.

     Files Infected:
     C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe (Adware.Comet) -> Quarantined and deleted successfully.
     C:\Program Files\Screensavers.com\Wallpaper\American Flag.jpg (Adware.Comet) -> Quarantined and deleted successfully.
     C:\Program Files\Screensavers.com\Wallpaper\swpstart.exe (Adware.Comet) -> Quarantined and deleted successfully.
     C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll (Trojan.Sinowal) -> Quarantined and deleted successfully.
     C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll (Trojan.Sinowal) -> Quarantined and deleted successfully.