Tech Support Guy Forums > Security & Malware Removal > General Security >
Dictionary Attack?

jo50, 04-Jan-2008, 11:30 AM #1
In my Event Viewer->Security I find the following entries:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/4/2008
Time: 9:10:47 AM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-LAPTOP
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain: GATEWAY-DESKTOP
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: GATEWAY-DESKTOP

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I find these types of entries every three or four seconds. Can someone tell me if this is a dictionary attack? If so, how do I stop it?

The Owner account is my administrator account.

I am running XP Home SP2 with up-to-date patches. My firewall is Agnitum Outpost Security Suite (OSS).

jo50

Last edited by jo50 : 04-Jan-2008 11:37 AM. Reason: Add Additional Info.
jo50, 05-Jan-2008, 08:09 PM #2
Additional information. Panda Activescan Pro produces the following report:


Incident Status Location

Spyware:Cookie/PointRoll Disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Advertising Disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Com.com Disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.com.com/]
Spyware:Cookie/did-it Disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.did-it.com/]
Spyware:Cookie/QuestionMarket Disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/WUpd Disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys Disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tribalfusion Disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.tribalfusion.com/]
Potentially unwanted tool:Application/NirCmd.A No disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A No disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A No disinfected C:\Documents and Settings\Owner\My Documents\Safe Init\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A No disinfected C:\Documents and Settings\Owner\My Documents\Safe Init\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A No disinfected C:\WINDOWS\NirCmd.exe
Potentially unwanted tool:Application/NirCmd.A No disinfected G:\LapMyDoc\Safe Init\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A No disinfected G:\LapMyDoc\Safe Init\ComboFix.exe[nircmd.cfexe]

Yet the attack continues:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/5/2008
Time: 6:06:18 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-LAPTOP
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain: GATEWAY-DESKTOP
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: GATEWAY-DESKTOP

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I urgently need help. Can someone please help?

jo50
lunarlander, 06-Jan-2008, 01:59 PM #3
I think it does look like a brute force / dictionary attack. Since Logon Type = 3, which I think means it is coming through the network, try blocking ports TCP and UDP 135-139 and TCP 445, and see if it stops.

Last edited by lunarlander : 06-Jan-2008 02:33 PM.
jo50, 06-Jan-2008, 07:43 PM #4
Dear wk2000,

I have a Motorola Surfboard Cable Modem and it has a standby switch that removes my LAN from the ISP, thus stopping all communications. When I have the modem in standby, the attack continues, because I still get the entries. Also I know the switch works because when it is in standby mode and I try to access a page with either IE 7 or Firefox, I get a message saying IE 7 cannot display the page or Firefox cannot access the server.

Therefore I have concluded that this attack is due to a piece of code left on my machine. Interestingly, I have just changed the pw to the owner account.

BTW, could the attack be coming from my desktop machine? My LAN is a desktop and a laptop hardwired (Ethernet) through a wireless router. Since both computers are hardwired, I have disabled the wireless part of my router. And I only allow two IP addresses to be generated by the DHCP part of the router.

jo50
lunarlander, 06-Jan-2008, 09:55 PM #5
Yes, it could be coming from your other machine. Logon type 3 is coming from the network.
jo50, 07-Jan-2008, 12:16 AM #6
Dear wk2000,

Well now the logon attempts to Owner have stopped, but well before I had a chance to apply the fixes you supplied. Now I am getting the following pairs of events:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 1/6/2008
Time: 9:21:09 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: YOUR-LAPTOP
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x35CEF52)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: GATEWAY-DESKTOP
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


and

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 1/6/2008
Time: 9:21:19 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: YOUR-LAPTOP
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x35CEF52)
Logon Type: 3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


These are happening about every 30 to 40 minutes.

jo50
jo50, 07-Jan-2008, 06:01 PM #7
Further progress. I once more changed the password to the Owner account.

Then I looked at the event viewer and the Dictionary Attack resumed. I then decided to try one thing - I disconnected the Desktop machine from the router and went back to Event Viewer -> System. The attacks had stopped. I waited for six minutes but no attacks. Then I connected the Desktop system to the router and the attacks resumed instantaneously.

Then I tried another thing. I went to my Desktop firewall and declared NetBIOS to be blocked. The attacks stopped instantaneously. Thus it appears that a piece of code on my Desktop computer was trying to gain access to my laptop's Owner account. Here are the results from a scan done by Panda Pro:


Incident Status Location

Adware:adware/cws Disinfected C:\Documents and Settings\Owner\Favorites\Insurance
Spyware:Cookie/Com.com No disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[.com.com/]
Spyware:Cookie/Doubleclick Disinfected C:\Documents and Settings\Limited Owner\Application Data\Mozilla\Firefox\Profiles\9hubc13z.default\cookies.txt[]
Spyware:Cookie/Go Disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[]
Potentially unwanted tool:Application/NirCmd.A No disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A No disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A No disinfected C:\WINDOWS\NirCmd.exe
Hacktool:Rootkit/Banker.KAS Disinfected C:\WINDOWS\system32\Partizan.exe
Potentially unwanted tool:Application/NirCmd.A No disinfected D:\Documents and Settings\Owner\My Documents\Safe Init\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A No disinfected D:\Documents and Settings\Owner\My Documents\Safe Init\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A No disinfected G:\mydocs\Documents and Settings\Owner\My Documents\Safe Init\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A No disinfected G:\mydocs\Documents and Settings\Owner\My Documents\Safe Init\ComboFix.exe[nircmd.cfexe]


Therefore I want to know, should this thread be moved to the HiJackThis thread?


jo50

Last edited by jo50 : 07-Jan-2008 06:16 PM. Reason: Add Additional Information
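A defender-side triage script for the kind of entries quoted in posts #1, #2 and #6, added here as an example (it is not from the thread or from any tool named in it): it parses the text layout Event Viewer copies from an event's Properties dialog, groups type-3 Event 529 failures by Workstation Name and target account to confirm the every-few-seconds burst jo50 describes, and pairs the 540/538 ANONYMOUS LOGON entries by Logon ID. The sample log is constructed in the same layout as the quoted events, and the burst threshold and window are assumed tuning values.

```python
"""Triage helper for XP Security-log text like the 529/540/538 entries in this thread:
finds bursts of network (type 3) logon failures per source workstation and pairs
ANONYMOUS LOGON 540/538 sessions by Logon ID. Added example; sample data constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")
HEADER = "Event Type: {kind} Audit\nEvent Source: Security\nEvent Category: Logon/Logoff\n"


def _failure_529(date, time_, account, workstation, logon_type="3"):
    """Constructed 529 (logon failure) entry in Event Viewer's copied layout."""
    return (HEADER.format(kind="Failure") + f"Event ID: 529\nDate: {date}\nTime: {time_}\n"
            f"User: NT AUTHORITY\\SYSTEM\nComputer: YOUR-LAPTOP\nDescription:\nLogon Failure:\n"
            f"Reason: Unknown user name or bad password\nUser Name: {account}\n"
            f"Domain: {workstation}\nLogon Type: {logon_type}\nLogon Process: NtLmSsp\n"
            f"Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            f"Workstation Name: {workstation}\n")


def _anonymous_pair(date, t_on, t_off, logon_id, workstation):
    """Constructed 540 (network logon) + 538 (logoff) pair for ANONYMOUS LOGON."""
    user = "User: NT AUTHORITY\\ANONYMOUS LOGON\nComputer: YOUR-LAPTOP\nDescription:\n"
    logon = (HEADER.format(kind="Success") + f"Event ID: 540\nDate: {date}\nTime: {t_on}\n" + user
             + f"Successful Network Logon:\nUser Name:\nDomain:\nLogon ID: {logon_id}\n"
             f"Logon Type: 3\nLogon Process: NtLmSsp\nAuthentication Package: NTLM\n"
             f"Workstation Name: {workstation}\n")
    logoff = (HEADER.format(kind="Success") + f"Event ID: 538\nDate: {date}\nTime: {t_off}\n" + user
              + f"User Logoff:\nUser Name: ANONYMOUS LOGON\nDomain: NT AUTHORITY\n"
              f"Logon ID: {logon_id}\nLogon Type: 3\n")
    return logon + "\n" + logoff


# Constructed sample: five type-3 failures against "Owner" seconds apart from one
# workstation, one console (type 2) failure that must be ignored, one null session.
SAMPLE_LOG = "\n".join([
    _failure_529("1/4/2008", "9:10:47 AM", "Owner", "GATEWAY-DESKTOP"),
    _failure_529("1/4/2008", "9:10:51 AM", "Owner", "GATEWAY-DESKTOP"),
    _failure_529("1/4/2008", "9:10:54 AM", "Owner", "GATEWAY-DESKTOP"),
    _failure_529("1/4/2008", "9:10:58 AM", "Owner", "GATEWAY-DESKTOP"),
    _failure_529("1/4/2008", "9:11:02 AM", "Owner", "GATEWAY-DESKTOP"),
    _failure_529("1/4/2008", "9:30:00 AM", "Owner", "YOUR-LAPTOP", logon_type="2"),
    _anonymous_pair("1/6/2008", "9:21:09 PM", "9:21:19 PM", "(0x0,0x35CEF52)", "GATEWAY-DESKTOP"),
])


def parse_events(text):
    """One dict per event (field name -> value) plus a parsed datetime under 'timestamp'."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group("key")] = m.group("val").strip()
        if "Event ID" in fields:
            fields["timestamp"] = datetime.strptime(
                f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
            events.append(fields)
    return events


def find_failure_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Group network (type 3) 529 failures by (source workstation, target account) and
    report groups with >= threshold failures inside a sliding window (assumed tuning)."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("Event ID") == "529" and ev.get("Logon Type") == "3":
            key = (ev.get("Workstation Name", "?"), ev.get("User Name", "?"))
            groups[key].append(ev["timestamp"])
    findings = []
    for (workstation, account), times in groups.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window's left edge forward
            if end - start + 1 >= threshold:
                gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
                findings.append({"workstation": workstation, "account": account,
                                 "failures": len(times),
                                 "median_gap_s": statistics.median(gaps)})
                break  # one finding per source/account pair is enough
    return findings


def find_anonymous_sessions(events):
    """Pair 540/538 ANONYMOUS LOGON events by Logon ID. The Workstation Name on the
    540 is the client that opened the anonymous (null) session."""
    sessions = {}
    for ev in events:
        if ev.get("Event ID") == "540" and "ANONYMOUS LOGON" in ev.get("User", ""):
            sessions[ev["Logon ID"]] = {"workstation": ev.get("Workstation Name"),
                                        "start": ev["timestamp"], "end": None}
        elif ev.get("Event ID") == "538" and ev.get("Logon ID") in sessions:
            sessions[ev["Logon ID"]]["end"] = ev["timestamp"]
    return sessions
```

On a real machine, paste the text copied from each event's Properties dialog (the layout the posts above show) into `parse_events`; a burst finding names the source workstation, which is the host to isolate and scan, as jo50 did by disconnecting the desktop.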
lunarlander, 08-Jan-2008, 09:36 PM #8
I would do a hijackthis on your desktop machine and post the results here.
jo50, 08-Jan-2008, 10:38 PM #9
Here is the HiJackThis log:



Additionally I did a combofix and here is that log:

lunarlander, 12-Jan-2008, 01:31 PM #10
bump