General Security
#1 | 04-Jan-2008, 11:30 AM

In my Event Viewer->Security I find the following entries:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/4/2008
Time: 9:10:47 AM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-LAPTOP
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain: GATEWAY-DESKTOP
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: GATEWAY-DESKTOP
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I find these types of entries every three or four seconds. Can someone tell me if this is a dictionary attack? If so, how do I stop it? The Owner account is my administrator account. I am running XP Home SP2 with up-to-date patches. My firewall is Agnitum Outpost Security Suite (OSS).

jo50

Last edited by jo50 : 04-Jan-2008 11:37 AM. Reason: Add Additional Info.

#2 | 05-Jan-2008, 08:09 PM

Additional information. Panda Activescan Pro produces the following report:

Incident  Status  Location
Spyware:Cookie/PointRoll  Disinfected  C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Advertising  Disinfected  C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT  Disinfected  C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys  Disinfected  C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Com.com  Disinfected  C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.com.com/]
Spyware:Cookie/did-it  Disinfected  C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.did-it.com/]
Spyware:Cookie/QuestionMarket  Disinfected  C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/WUpd  Disinfected  C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys  Disinfected  C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tribalfusion  Disinfected  C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hgihfnyq.default\cookies.txt[.tribalfusion.com/]
Potentially unwanted tool:Application/NirCmd.A  No disinfected  C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A  No disinfected  C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A  No disinfected  C:\Documents and Settings\Owner\My Documents\Safe Init\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A  No disinfected  C:\Documents and Settings\Owner\My Documents\Safe Init\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A  No disinfected  C:\WINDOWS\NirCmd.exe
Potentially unwanted tool:Application/NirCmd.A  No disinfected  G:\LapMyDoc\Safe Init\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A  No disinfected  G:\LapMyDoc\Safe Init\ComboFix.exe[nircmd.cfexe]

Yet the attack continues:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/5/2008
Time: 6:06:18 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-LAPTOP
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain: GATEWAY-DESKTOP
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: GATEWAY-DESKTOP
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I urgently need help. Can someone please help?

jo50

#3 | 06-Jan-2008, 01:59 PM

I think it does look like a brute force / dictionary attack. Since Logon Type = 3, which I think is coming through the network, try blocking ports TCP and UDP 135-139 and TCP 445, and see if it stops.

Last edited by lunarlander : 06-Jan-2008 02:33 PM.

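An added example (not part of this thread, and not something any poster ran): a small Python probe to run from the other LAN machine after applying a block like the one suggested above, so you can confirm the rule actually took effect rather than assuming it did. The address 192.168.1.10 is a placeholder for the laptop; the function names are mine. It probes the TCP ports named in the post (135, 139, 445) and distinguishes "closed" (the host answered with a reset, so it is up and either nothing listens there or the firewall is rejecting) from "filtered" (no answer before the timeout, the usual signature of a firewall silently dropping the packet). UDP 137/138 are deliberately left out: a silent UDP port cannot be told from a dropped one without a protocol-specific probe. Only probe hosts you own. One caveat that becomes visible later in this thread: the desktop's HijackThis log shows a printer mapped at \\YOUR-LAPTOP, and blocking 139/445 on the laptop will cut that share off as well.

```python
"""Check whether a LAN host still answers on the NetBIOS/SMB TCP ports.
Added example, not from the thread. TARGET is a placeholder address."""
import socket
from concurrent.futures import ThreadPoolExecutor

TARGET = "192.168.1.10"  # assumption: the laptop's LAN address
PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session service", 445: "SMB over TCP"}


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port: 'open' (handshake completed), 'closed' (RST came back:
    host is up, nothing listening or firewall rejecting), 'filtered' (no reply before
    the timeout, the usual sign of a firewall silently dropping) or 'unreachable'
    (routing/ARP failure, the host is not there at all)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def scan(host, ports=tuple(PORTS), timeout=2.0):
    """Probe all ports in parallel and return {port: state}."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        states = list(pool.map(lambda p: probe_tcp(host, p, timeout), ports))
    return dict(zip(ports, states))


def block_is_effective(results):
    """The block worked only if no probed port completed a TCP handshake."""
    return bool(results) and all(state != "open" for state in results.values())


def loopback_selfcheck():
    """Sanity check of the classifier that needs no network: a local listener must
    read as 'open' and an unused local port as 'closed'. Returns (open, closed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))          # grab an ephemeral port, then release it
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return probe_tcp("127.0.0.1", open_port), probe_tcp("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    print("self-check (expect open, closed):", loopback_selfcheck())
    results = scan(TARGET)
    for port, state in results.items():
        print("%s:%d  %-24s %s" % (TARGET, port, PORTS[port], state))
    print("block effective:", block_is_effective(results))
```

Run it on GATEWAY-DESKTOP before and after the firewall change; the "before" run should show the ports "open" (otherwise the desktop was never reaching them and the block proves nothing), the "after" run "filtered" or "closed".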
#4 | 06-Jan-2008, 07:43 PM

Dear wk2000,

I have a Motorola Surfboard Cable Modem and it has a standby switch that removes my LAN from the ISP, thus stopping all communications. When I have the modem in standby, the attack continues, because I still get the entries. Also I know the switch works because when it is in standby mode and I try to access a page with either IE 7 or Firefox I get a message saying IE 7 cannot display the page or Firefox cannot access the server. Therefore I have concluded that this attack is due to a piece of code left on my machine. Interestingly, I have just changed the pw to the Owner account.

BTW, could the attack be coming from my desktop machine? My LAN is a desktop and a laptop hardwired (ethernet) through a wireless router. Since both computers are hardwired, I have disabled the wireless part of my router. And I only allow two IP addresses to be generated by the DHCP part of the router.

jo50

#5 | 06-Jan-2008, 09:55 PM

Yes, it could be coming from your other machine. Logon type 3 is coming from the network.

#6 | 07-Jan-2008, 12:16 AM

Dear wk2000,

Well now the logon attempts to Owner have stopped, but well before I had a chance to apply the fixes you supplied. Now I am getting the following pairs of events:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 1/6/2008
Time: 9:21:09 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: YOUR-LAPTOP
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x35CEF52)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: GATEWAY-DESKTOP
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

and

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 1/6/2008
Time: 9:21:19 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: YOUR-LAPTOP
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x35CEF52)
Logon Type: 3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

These are happening about every 30 to 40 minutes.

jo50

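An added example, not from the thread: a Python script that parses Security-log text in the shape pasted in posts #1, #2 and #6 and separates the two patterns seen in it. It clusters 529 failures by source workstation and target account and reports a run of them arriving a few seconds apart as a brute-force-like burst, and it pairs each 540 network logon with its 538 logoff by Logon ID so the periodic ANONYMOUS LOGON entries can be read for what they are: short null sessions (empty user name, NTLM, Logon Type 3) of the kind Windows file and printer sharing opens for browsing and share enumeration, not password guesses. The function names, the 10-second gap and the 5-event threshold are my choices; the sample events are constructed to mirror the ones above, and every timestamp after the first plus the second Logon ID is made up. Two observations the script does not make for you: the Domain field in the 529s reads GATEWAY-DESKTOP, not YOUR-LAPTOP, so the credential being offered is the desktop's own Owner account, which is what Windows passes through automatically when a program on the desktop opens a share on the laptop; and the desktop's HijackThis log later in the thread shows a printer mapped at \\YOUR-LAPTOP\EPSON Stylus CX4800 Series. A client retrying that share with a cached, now-stale password would produce exactly this stream. That is a hypothesis consistent with the thread's facts, not something anyone in it confirmed.

```python
"""Parse Windows XP Security-log text of the kind pasted in this thread and tell a
burst of 529 failures from paired 540/538 ANONYMOUS LOGON sessions.
Added example, not from the thread; the sample events at the bottom are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ["Event Type", "Event Source", "Event Category", "Event ID", "Date", "Time",
          "User", "Computer", "Description", "Reason", "User Name", "Domain", "Logon ID",
          "Logon Type", "Logon Process", "Authentication Package", "Workstation Name",
          "Logon GUID"]
_KEYS = "|".join(re.escape(f) for f in FIELDS)
# A value runs until the next known "Key:" or the "For more information" trailer, so one
# regex handles both the one-line forum paste and Event Viewer's one-field-per-line export.
_FIELD_RE = re.compile(r"(?P<k>%s):[ \t]*(?P<v>.*?)(?=\s*(?:%s):|\s*For more information|\s*$)"
                       % (_KEYS, _KEYS), re.S)


def parse_events(text):
    """Split at each 'Event Type:' and pull the known fields out of every record."""
    events = []
    for rec in re.split(r"(?=Event Type:)", text):
        if not rec.strip():
            continue
        ev = {m.group("k"): m.group("v").strip().rstrip(":") for m in _FIELD_RE.finditer(rec)}
        ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events


def find_bursts(events, max_gap=timedelta(seconds=10), min_count=5):
    """Cluster 529 failures per (source workstation, target account). A cluster of at least
    min_count failures with no gap longer than max_gap is a brute-force-like burst; a lone
    mistyped password never reaches the threshold (assumed thresholds, tune to taste)."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("Event ID") == "529":
            by_src[(ev.get("Workstation Name", "?"), ev.get("User Name", "?"))].append(ev["when"])
    bursts = []
    for (ws, user), times in by_src.items():
        times.sort()
        run = [times[0]]
        for t in times[1:] + [None]:           # None flushes the final run
            if t is not None and t - run[-1] <= max_gap:
                run.append(t)
                continue
            if len(run) >= min_count:
                bursts.append({"workstation": ws, "user": user, "count": len(run),
                               "start": run[0], "end": run[-1],
                               "avg_gap_s": (run[-1] - run[0]).total_seconds() / (len(run) - 1)})
            run = [t]
    return bursts


def pair_sessions(events):
    """Match each 540 network logon to its 538 logoff by Logon ID and report the lifetime.
    Short empty-user-name NTLM sessions from a LAN peer are null sessions, not guesses."""
    open_logons, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["when"]):
        lid = ev.get("Logon ID")
        if ev.get("Event ID") == "540":
            open_logons[lid] = ev
        elif ev.get("Event ID") == "538" and lid in open_logons:
            start = open_logons.pop(lid)
            sessions.append({"workstation": start.get("Workstation Name"), "logon_id": lid,
                             "user": start.get("User"), "start": start["when"],
                             "seconds": (ev["when"] - start["when"]).total_seconds()})
    return sessions


# --- constructed sample input, shaped like the events pasted in the thread ----------------
_TRAILER = "For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. "
_529 = ("Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff Event ID: 529 "
        "Date: 1/4/2008 Time: %(time)s User: NT AUTHORITY\\SYSTEM Computer: YOUR-LAPTOP "
        "Description: Logon Failure: Reason: Unknown user name or bad password User Name: Owner "
        "Domain: GATEWAY-DESKTOP Logon Type: 3 Logon Process: NtLmSsp Authentication Package: "
        "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: GATEWAY-DESKTOP " + _TRAILER)
_540 = ("Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 540 "
        "Date: 1/6/2008 Time: %(time)s User: NT AUTHORITY\\ANONYMOUS LOGON Computer: YOUR-LAPTOP "
        "Description: Successful Network Logon: User Name: Domain: Logon ID: %(lid)s Logon Type: 3 "
        "Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: GATEWAY-DESKTOP "
        "Logon GUID: {00000000-0000-0000-0000-000000000000} " + _TRAILER)
_538 = ("Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 538 "
        "Date: 1/6/2008 Time: %(time)s User: NT AUTHORITY\\ANONYMOUS LOGON Computer: YOUR-LAPTOP "
        "Description: User Logoff: User Name: ANONYMOUS LOGON Domain: NT AUTHORITY "
        "Logon ID: %(lid)s Logon Type: 3 " + _TRAILER)


def _build_sample_log():
    """Eight 529s three or four seconds apart, one stray 529 an hour later, and two ANONYMOUS
    LOGON sessions half an hour apart. Times and the second Logon ID are invented."""
    fmt = lambda dt: dt.strftime("%I:%M:%S %p")
    t0 = datetime(2008, 1, 4, 9, 10, 47)
    parts = [_529 % {"time": fmt(t0 + timedelta(seconds=o))} for o in (0, 3, 7, 10, 14, 17, 21, 24)]
    parts.append(_529 % {"time": fmt(t0 + timedelta(hours=1))})
    t1 = datetime(2008, 1, 6, 21, 21, 9)
    for off, lid, life in ((0, "(0x0,0x35CEF52)", 10), (1830, "(0x0,0x35D1A00)", 11)):
        parts.append(_540 % {"time": fmt(t1 + timedelta(seconds=off)), "lid": lid})
        parts.append(_538 % {"time": fmt(t1 + timedelta(seconds=off + life)), "lid": lid})
    return "".join(parts)


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for b in find_bursts(evs):
        print("BURST: %d x 529 against %s from %s, one every %.1f s"
              % (b["count"], b["user"], b["workstation"], b["avg_gap_s"]))
    for s in pair_sessions(evs):
        print("null session from %s, %.0f s, Logon ID %s" % (s["workstation"], s["seconds"], s["logon_id"]))
```

To use it on your own log, export the Security log from Event Viewer as text and pass the file contents to parse_events in place of SAMPLE_LOG; the burst report tells you which workstation name to go looking on, which is the same conclusion post #7 reaches by unplugging cables.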
#7 | 07-Jan-2008, 06:01 PM

Further progress. I once more changed the password to the Owner account. Then I looked at the event viewer and the Dictionary Attack resumed. I then decided to try one thing: I disconnected the Desktop machine from the router and went back to Event Viewer -> System. The attacks had stopped. I waited for six minutes but no attacks. Then I connected the Desktop system to the router and the attacks resumed instantaneously. Then I tried another thing. I went to my Desktop firewall and declared NetBIOS to be blocked. The attacks stopped instantaneously. Thus it appears that a piece of code on my Desktop computer was trying to gain access to my laptop's Owner account.

Here are the results from a scan done by Panda Pro:

Incident  Status  Location
Adware:adware/cws  Disinfected  C:\Documents and Settings\Owner\Favorites\Insurance
Spyware:Cookie/Com.com  No disinfected  C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[.com.com/]
Spyware:Cookie/Doubleclick  Disinfected  C:\Documents and Settings\Limited Owner\Application Data\Mozilla\Firefox\Profiles\9hubc13z.default\cookies.txt[]
Spyware:Cookie/Go  Disinfected  C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lemnjnfp.default\cookies.txt[]
Potentially unwanted tool:Application/NirCmd.A  No disinfected  C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A  No disinfected  C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A  No disinfected  C:\WINDOWS\NirCmd.exe
Hacktool:Rootkit/Banker.KAS  Disinfected  C:\WINDOWS\system32\Partizan.exe
Potentially unwanted tool:Application/NirCmd.A  No disinfected  D:\Documents and Settings\Owner\My Documents\Safe Init\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A  No disinfected  D:\Documents and Settings\Owner\My Documents\Safe Init\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A  No disinfected  G:\mydocs\Documents and Settings\Owner\My Documents\Safe Init\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A  No disinfected  G:\mydocs\Documents and Settings\Owner\My Documents\Safe Init\ComboFix.exe[nircmd.cfexe]

Therefore I want to know, should this thread be moved to the HiJackThis thread?

jo50

Last edited by jo50 : 07-Jan-2008 06:16 PM. Reason: Add Additional Information

#8 | 08-Jan-2008, 09:36 PM

I would do a hijackthis on your desktop machine and post the results here.

#9 | 08-Jan-2008, 10:38 PM

Here is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:54 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\Program Files\Say the Time\stttsm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [\\YOUR-LAPTOP\EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P40 "\\YOUR-LAPTOP\EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Security Suite Pro\feedback.exe" /dump s_startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Second Copy] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [\\YOUR-LAPTOP\EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P40 "\\YOUR-LAPTOP\EPSON Stylus CX4800 Series" /M "Stylus CX4800" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Security Suite Pro\ie_bar.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/consumer/cabs/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1191704449687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191523266625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/actives.../asproinst.cab
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe

--
End of file - 11190 bytes

Additionally I did a combofix and here is that log:

ComboFix 08-01-07.5 - Owner 2008-01-07 23:28:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.197 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\_000228_.tmp.dll
.
((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.
2008-01-05 10:04 . 2008-01-05 10:04 80,921,599 --a------ C:\WINDOWS\pav.sig
2008-01-05 09:56 . 2008-01-05 10:45 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2008-01-05 09:56 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2008-01-05 09:56 . 2008-01-05 10:07 30,590 --a------ C:\WINDOWS\system32\pavaspro.ico
2008-01-05 09:56 . 2008-01-05 10:07 3,377 --a------ C:\WINDOWS\system32\.ico
2008-01-05 09:56 . 2008-01-05 10:07 2,550 --a------ C:\WINDOWS\system32\Uninstallpro.ico
2008-01-05 09:56 . 2008-01-05 10:07 1,406 --a------ C:\WINDOWS\system32\Helppro.ico
2008-01-03 21:31 . 2008-01-03 21:31 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-30 13:45 . 2007-12-30 13:45 <DIR> d-------- C:\PerfLogs
2007-12-28 17:02 . 2004-04-29 18:07 122,880 --a------ C:\WINDOWS\system32\SAgent4.exe
2007-12-28 17:02 . 2004-02-18 18:03 65,536 --a------ C:\WINDOWS\system32\E_S00RP1.EXE
2007-12-08 15:03 . 2007-10-10 16:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-08 15:03 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-08 15:03 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-08 15:03 . 2007-10-10 16:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-08 15:03 . 2007-10-10 16:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-08 15:03 . 2007-10-10 16:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-08 15:03 . 2007-10-10 16:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-08 15:03 . 2007-10-10 16:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-08 07:41 . 2007-12-08 07:42 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 17:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-05 17:31 --------- d-----w C:\Program Files\UPHClean
2008-01-05 17:30 --------- d-----w C:\Program Files\SecCopy
2008-01-05 17:30 --------- d-----w C:\Program Files\Say the Time
2008-01-05 17:27 --------- d-----w C:\Program Files\iTunes
2008-01-05 17:22 --------- d-----w C:\Program Files\a-squared Free
2008-01-01 17:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\GoodSync
2007-12-22 18:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-12-21 00:47 443,424 ----a-w C:\WINDOWS\system32\drivers\SandBox.sys
2007-12-12 21:55 200,464 ----a-w C:\WINDOWS\system32\drivers\afw.sys
2007-12-09 03:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Smart PC Solutions
2007-12-08 14:56 --------- d-----w C:\Program Files\Google
2007-12-07 23:11 --------- d-----w C:\Documents and Settings\Guest\Application Data\PKWARE
2007-12-07 22:45 --------- d-----w C:\Documents and Settings\Guest\Application Data\Talkback
2007-12-07 22:44 --------- d-----w C:\Documents and Settings\Guest\Application Data\GoodSync
2007-12-07 22:39 --------- d-----w C:\Documents and Settings\Guest\Application Data\Agnitum
2007-12-07 05:36 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-06 17:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\Leadertech
2007-12-06 17:50 --------- d-----w C:\Program Files\epson
2007-12-04 05:48 --------- d-----w C:\Program Files\Britannica 8.0
2007-12-03 20:07 --------- d-----w C:\Program Files\iPod
2007-12-03 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-03 20:05 --------- d-----w C:\Program Files\QuickTime
2007-12-03 20:02 --------- d-----w C:\Program Files\Apple Software Update
2007-12-03 20:01 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-03 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-01 18:33 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2007-11-29 18:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-28 21:26 --------- d-----w C:\Program Files\Yahoo!
2007-11-28 21:26 --------- d-----w C:\Program Files\Common Files\Scanner
2007-11-28 21:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-11-28 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-28 21:18 --------- d-----w C:\Program Files\ACW
2007-11-28 04:05 --------- d-----w C:\Program Files\Siber Systems
2007-11-27 21:20 --------- d-----w C:\Documents and Settings\Limited Owner\Application Data\PKWARE
2007-11-23 00:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\PKWARE
2007-11-23 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\PKWARE
2007-11-22 23:59 --------- d-----w C:\Program Files\PKWARE
2007-11-22 23:59 --------- d-----w C:\Program Files\Common Files\PKWARE
2007-11-22 11:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\TrueCrypt
2007-11-21 18:55 --------- d-----w C:\Program Files\TrueCrypt
2007-11-19 03:04 --------- d-----w C:\Program Files\Common Files\BitDefender
2007-11-18 23:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-11-18 21:56 --------- d-----w C:\Program Files\HD Tune
2007-11-18 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-14 03:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-13 18:25 --------- d-----w C:\Documents and Settings\Limited Owner\Application Data\Talkback
2007-11-13 18:20 --------- d-----w C:\Documents and Settings\Limited Owner\Application Data\Agnitum
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 05:03 --------- d-----w C:\Program Files\Trend Micro
2007-11-13 04:11 --------- d-----w C:\Program Files\Broderbund
2007-11-12 22:24 --------- d-----w C:\Program Files\MSXML 4.0
2007-11-12 20:43 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2007-11-12 20:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\Uniblue
2007-11-12 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2007-11-11 07:47 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-11-11 05:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-11-11 05:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-09 22:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-08 14:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-08 00:46 --------- d-----w C:\Program Files\Java
2007-10-08 22:23 692 ----a-w C:\register.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-14 20:13 68856]
"Second Copy"="C:\PROGRA~1\SecCopy\SecCopy.exe" [2007-10-17 08:42 2425856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-12-08 14:47 160592]
"\\YOUR-LAPTOP\EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 20:00 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 14:48 479232]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"1A:Stardock TrayMonitor"="" []
"CTHelper"="CTHELPER.EXE" [2007-10-04 10:47 28672 C:\WINDOWS\system32\cthelper.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 20:00 98304]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"\\YOUR-LAPTOP\EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 20:00 98304]
"Say the Time"="" []
"combofix"="C:\WINDOWS\system32\cmd.exe" [2006-02-28 05:00 388608]
"OutpostMonitor"="C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" [2007-12-20 17:50 939008]
"OutpostFeedBack"="C:\Program Files\Agnitum\Outpost Security Suite Pro\feedback.exe" [2007-12-19 13:44 405504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"1A:Stardock TrayMonitor"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2007-10-04 10:47 49152 C:\WINDOWS\mididef.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2007-10-04 10:47 49152 C:\WINDOWS\mididef.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2006-02-28 05:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Say the Time.lnk - C:\Program Files\Say the Time\SayTime.exe [2007-05-17 21:00:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)
"DisallowRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install

R1 SandBox;SandBox;C:\WINDOWS\system32\DRIVERS\SandBox.sys [2007-12-20 17:47]
R3 afw;Agnitum firewall driver;C:\WINDOWS\system32\DRIVERS\afw.sys [2007-12-12 14:55]
R3 ASWFilt;ASWFilt;C:\WINDOWS\system32\Filt\ASWFilt.dll [2007-12-20 17:48]
R3 VBEngNT;VBEngNT;C:\WINDOWS\system32\DRIVERS\VBEngNT.sys [2007-10-05 16:41]
R3 VBFilt;VBFilt;C:\WINDOWS\system32\Filt\VBFilt.dll [2007-12-20 17:48]
S2 acssrv;Agnitum Client Security Service;C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe [2007-12-19 13:42]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2007-11-04 10:10]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 23:28:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-07 19:31:31 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job" - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 23:35:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\OP_CACHE.ATR 24 bytes
C:\WINDOWS\system32\OP_CACHE.IDX 12 bytes
scan completed successfully
hidden files: 2
**************************************************************************
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\\\YOUR-LAPTOP\\EPSON Stylus CX4800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIADA.EXE /P40 \"\\\\YOUR-LAPTOP\\EPSON Stylus CX4800 Series\" /O6 \"USB001\" /M \"Stylus CX4800\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\YOUR-LAPTOP\\EPSON Stylus CX4800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIADA.EXE /P40 \"\\\\YOUR-LAPTOP\\EPSON Stylus CX4800 Series\" /M \"Stylus CX4800\" /EF \"HKCU\""
.
Completion time: 2008-01-07 23:38:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-08 06:37:30
ComboFix2.txt 2007-11-13 05:50:28
.
2007-12-10 17:05:58 --- E O F ---

#10 | 12-Jan-2008, 01:31 PM

bump

Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.