Author Topic: Windows XP Trojan Question - Am I Safe Now?  (Read 11388 times)


Offline audiodrome

  • Jr. Member
  • **
  • Posts: 47
Windows XP Trojan Question - Am I Safe Now?
« on: January 04, 2009, 08:20:57 PM »
Last Tuesday, my computer (Windows XP SP3) was infected and I thought I caught it in time but it must have downloaded to my computer somehow. It disabled my Firewall and my System Restore. I tried doing a System Restore but it wouldn't let me. Initially, Avast found a couple of files and deleted them but I neglected to write them down (I remember they were of the trojan-gen type). On Thursday night, I did another scan and it found six files in my System Restore folder all named Win32: Crypt-DGV [trj]. It said that it had successfully deleted them. I then ran some other spyware programs (Malwarebytes, Superantispyware, Ad-Aware, and a-Squared). Malwarebytes detected another bad file and deleted it. I also disabled the System Restore and did another scan to be safe and Avast found nothing.

So now it's been over four days since I got the initial infection and there haven't been any more trojan files detected in my antivirus/antispyware scans - am I still vulnerable? Have there been instances of trojans hiding out for weeks or months with no symptoms or detection?

Assuming that these programs found the trojan files last week, you would think that if they came back, they would be able to find them again, correct? Or are these trojans able to mutate into files that then can't be detected by antivirus/antispyware? I realize that the viruses "out there" on the internet can change names and configurations and it's always possible to get infected again by clicking on questionable links and the like, but can those original trojans actually mutate into new, undetectable files later on down the line while they're in your computer?

Thanks!
« Last Edit: January 04, 2009, 09:49:55 PM by audiodrome »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #1 on: January 04, 2009, 08:43:41 PM »
Hi audiodrome,

Download hijackthis from here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/
Be sure to download it to the desktop, and not into a temporary file. Do a full scan, and place the logfile.txt as an attached file to your next posting. Do not do anything else until told,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline audiodrome

  • Jr. Member
  • **
  • Posts: 47
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #2 on: January 04, 2009, 08:57:47 PM »
Thanks!

I wasn't sure how to attach it as a file so I copied and pasted it:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54 PM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.audiodrome.net/indexholder.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [DriverCD] D:\Run.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [lightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_0 -reboot 1
O4 - Startup: My Little Pony Registration.lnk = D:\ATR1.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} (UnityWebPlayer Control) - http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229190067328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230047109531
O18 - Filter hijack: text/html - {b30e42aa-52fe-4576-b661-8cda00822be8} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8261 bytes
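An added example, not code from the thread and not part of HijackThis: a small Python triage script that parses HijackThis entry lines (the "R0 - ", "O4 - ", "O23 - " records above) and flags the kinds of entries a helper reads first, such as the O18 line whose target is "(no file)". The sample lines are quoted from the log above; the three flagging rules are my own assumptions about what merits a second look, and a flag means "review by hand", not "malware".

```python
"""Triage a HijackThis (HJT) log for entries worth a second look.

Example code written for this thread, not HijackThis itself. The sample
log below is a handful of lines copied from the log posted above.
"""
import re

# Constructed sample: lines quoted from the HijackThis log in the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [DriverCD] D:\\Run.exe
O4 - Startup: My Little Pony Registration.lnk = D:\\ATR1.EXE
O18 - Filter hijack: text/html - {b30e42aa-52fe-4576-b661-8cda00822be8} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\\WINDOWS\\System32\\wltrysvc.exe
"""

# Every HJT entry line starts with a section code (R0, F2, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

# Matches an autostart target on a drive letter other than C:, e.g. "] D:\Run.exe"
# or '= "D:\ATR1.EXE"'. Assumes C: is the system drive, as on this XP install.
OTHER_DRIVE_RE = re.compile(r'[=\]]\s*"?[A-BD-Z]:\\', re.I)


def parse(log_text):
    """Yield (section, body) for each HJT entry line; header and process lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(log_text):
    """Return [(section, reason, body)] for entries that merit manual review.

    Rules (assumptions of this example):
      * a target of "(no file)" is an orphaned registration: the registry still
        points at something that is gone, which is what the O18 fix in the thread
        addresses;
      * an O23 service listed with "Unknown owner" carries no vendor string and
        should be identified by hand (it may simply be an unsigned OEM driver);
      * an O4 autostart launched from a drive other than C: is an unusual
        persistence location, often a leftover from a CD installer.
    """
    findings = []
    for sec, body in parse(log_text):
        if body.endswith("(no file)"):
            findings.append((sec, "orphaned entry, target missing", body))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append((sec, "service without vendor name", body))
        elif sec == "O4" and OTHER_DRIVE_RE.search(body):
            findings.append((sec, "autostart from non-system drive", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason:35} {body}")
```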


Spiritsongs

  • Guest
Adobe Reader !?
« Reply #3 on: January 04, 2009, 09:57:05 PM »
:)  Hi :

I am unable to tell from reading your Log as to IF you have Adobe Reader or any remnants from that program, but IF you do, I recommend you read http://forum.avast.com/index.php?topic=38839.0 ; Alternatives would be the FREE "Foxit Reader" or "CutePDF".

And having Lavasoft's Ad-Aware is not recommended, since it has an unnecessary "Service" running that can NOT be turned OFF.

Offline audiodrome

  • Jr. Member
  • **
  • Posts: 47
Re: Adobe Reader !?
« Reply #4 on: January 04, 2009, 10:09:04 PM »

I thought I had the latest version of Adobe Reader installed but I'll check that out. I wasn't aware of the Lavasoft issue. Should I uninstall it and just stick to the others? I'm not completely sold on it anyway. One other thing I have been concerned about is that I haven't received any automatic updates from Avast since the infection and I have both iAVS Update and Program Update set to "Automatic." I did a manual update yesterday but the fact that it wasn't automatic could just have been a timing issue.

Does the scan look OK otherwise?
« Last Edit: January 04, 2009, 10:23:01 PM by audiodrome »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #5 on: January 04, 2009, 10:39:15 PM »
Hi audiodrome,

Apparently you have no active firewall running there,
Fix this using HJT: O18 - Filter hijack: text/html - {b30e42aa-52fe-4576-b661-8cda00822be8} - (no file)

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe Nice utility, but it can eat CPU like anything slowing up things, reconsider,
/////////////////////////////////////
Download SAS from here: http://www.superantispyware.com/superantispywarefreevspro.html
Install it and double-click the icon on your desktop to run it.
• It will ask if you want to update the program definitions, click Yes.
• Under Configuration and Preferences, click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others as they were.
    o Click the Close button to leave the control center screen.
• On the main screen, under Scan for Harmful Software click Scan your computer.
• On the left check C:\Fixed Drive.
• On the right, under Complete Scan, choose Perform Complete Scan.
• Click Next to start the scan. Please be patient while it scans your computer.
• After the scan is complete a summary box will appear. Click OK.
• Make sure everything in the white box has a check next to it, then click Next.
• It will quarantine what it found and if it asks if you want to reboot, click Yes.
• To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
• Click close and close again to exit the program.
• Please paste that information here for me regardless of what it finds with a new HijackThis log.

polonus
« Last Edit: January 04, 2009, 10:43:59 PM by polonus »

Offline audiodrome

  • Jr. Member
  • **
  • Posts: 47
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #6 on: January 04, 2009, 10:49:04 PM »
Thanks. When I check my Windows security settings, it says that the firewall is on! What's going on there? I already have Superantispyware on my computer so I will run that again now.

Offline audiodrome

  • Jr. Member
  • **
  • Posts: 47
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #7 on: January 04, 2009, 11:35:59 PM »
I ran the Superantispyware scan and it found 1039 "infected" files and they were all tracking cookies. I was told that you can ignore cookies because they aren't much of a risk. The last time I deleted all my cookies, it screwed up a lot of the websites that I visit on a regular basis. It won't let me post the whole list here because of the character limit. Do you need to see the whole thing? All of the remaining infected files are from C:\Documents and Settings\Sean\Cookies\

Needless to say, I didn't realize that I had this many cookies, but they are all quarantined now. The weird thing is that I just checked a couple of my regular websites and they all "remembered" me. I thought that if you remove all the cookies, you had to login from scratch.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/03/2009 at 05:22 PM

Application Version : 4.24.1004

Core Rules Database Version : 3694
Trace Rules Database Version: 1670

Scan type       : Complete Scan
Total Scan Time : 00:21:38

Memory items scanned      : 441
Memory threats detected   : 0
Registry items scanned    : 6582
Registry threats detected : 0
File items scanned        : 24724
File threats detected     : 1039

Adware.Tracking Cookie
« Last Edit: January 04, 2009, 11:42:02 PM by audiodrome »

Offline audiodrome

  • Jr. Member
  • **
  • Posts: 47
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #8 on: January 04, 2009, 11:49:53 PM »
Also, how do I fix the firewall problem with HijackThis? I've never used it before. I checked the box next to that line and hit "fix" and the window went blank. It didn't say "fixed" or anything like that. I then did another scan and it still said "no file." However, when I checked my security settings, it said that the firewall was on. How can it be that the HijackThis log says I have no active firewall but my Windows Security Center says that it’s on? Now I'm starting to get worried. I'm afraid that I deleted the firewall key from my registry. Either that or something really strange is going on!
« Last Edit: January 05, 2009, 12:26:24 AM by audiodrome »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #9 on: January 05, 2009, 12:26:36 AM »
Hi audiodrome,

Don't worry, we only did not detect an active software firewall, if you have the Windows fw running, no problem. The fix is for a file that has disappeared already, for the rest you are doing fine, so absolutely no reason to panic,

polonus

Offline audiodrome

  • Jr. Member
  • **
  • Posts: 47
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #10 on: January 05, 2009, 12:38:17 AM »
So I didn't change anything by fixing that line and everything else looks good? That's a relief - thanks!

How is it that those websites remembered me and I didn't have to log-in if I removed all the cookies? Or did it only quarantine the "bad" cookies?
« Last Edit: January 05, 2009, 12:40:07 AM by audiodrome »

zone12

  • Guest
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #11 on: January 05, 2009, 02:58:03 AM »
Do a spybot S&D scan too

Offline audiodrome

  • Jr. Member
  • **
  • Posts: 47
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #12 on: January 05, 2009, 04:11:26 AM »
Thanks - Spybot looks like another good program. I ran the scan and all it found was 6 tracking cookies. It looks like I'm good for now!

So that just leaves one concern. I haven't received any automatic updates from Avast since the infection and I have both iAVS Update and Program Update set to "Automatic." I did a manual update yesterday but maybe it would have been done automatically if I had waited a little longer. Has there only been one update since New Year's Day?

This is what I currently have for Avast versions:

iAVS Version : 090104-0
Program Version: 4.8.1296

Lastly, is it worth doing an online scan?
« Last Edit: January 05, 2009, 04:14:55 AM by audiodrome »

Spiritsongs

  • Guest
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #13 on: January 05, 2009, 08:10:31 AM »
:)  Hi :

Sometimes malware can "hide" from a HijackThis scan UNLESS you "rename" "HijackThis.exe" to something else, like "humble.exe", then run another scan to see IF anything "different" appears in the Scan results !?

And I always recommend "tracking/adware" cookies be immediately "deleted"; there is no need to "quarantine" cookies. Any safe site you visit on a regular basis should NOT be using "tracking" cookies, only the "regular" kind. With your cookie "problem", you should seriously consider installing the FREE "SpywareBlaster" from www.javacoolsoftware.com/spywareblaster.html ; there is a "Tutorial" on this program at www.bleepingcomputer.com/tutorials/tutorial49.html .

Offline audiodrome

  • Jr. Member
  • **
  • Posts: 47
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #14 on: January 05, 2009, 04:49:16 PM »
Thanks for the info. I'll try that and see what I get. One more question: is it necessary to have Java installed? I don't seem to have it on my system - only the early Microsoft Java.