Protection did not work vs "XP antispyware"

I was not really sure where to put this, but I wanted to give some feedback.

Recently I was under the attack of some malware called XP antispyware.

Comodo’s firewall was on custom policy and defense + was on the highest setting.

The operating system was windows XP.

Defense + detected the malware attempting to access various .exe’s and registry keys.
I told it to block the program each time.
Even though I told it to block the program’s many actions, the spyware installed itself anyway without my permission.

I am currently in the process of removing the spyware and I wanted to give this feedback in order to be helpful to the beneficial growth of comodo.

If more information is required let me know and I will try to provide the information.

Can you PM me a link to the malware please.

Thank you.

I am not sure how to go about providing a link to the malware. I am not even sure how it got on my computer as I wasn’t even downloading anything at the time.

I just got finished with a scan using malwarebytes and I can post the log if that would help.

One of the offending .exe’s was “jwo.exe”.

Yes that will help :)

Could you show us a Defence+ log as well please? Click on more after Defence+ Events for a more detailed view and the ability to export.

Thanks,
Matty

Ok I think I finally got rid of it.

First scan in safe mode with Malwarebytes:
Malwarebytes’ Anti-Malware 1.50.1.1100

Database version: 5781

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

2011/04/11 2:38:42
mbam-log-2011-04-11 (02-38-42).txt

Scan type: Full scan (C:\|)
Objects scanned: 481617
Time elapsed: 2 hour(s), 37 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1001697C-9EDB-4EE0-92CD-F3D70CD239B9} (Password.Stealer) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Tracur.S) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\g043oqxanu (Trojan.FakeAlert) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) → Bad: ("C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe" -a "%1" %*) Good: ("%1" %*) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\administrator\application data\Sun\Java\deployment\cache\6.0\20\70ffd514-2f7e019e (Rogue.Palladium) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\lliehramcp.dll (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\tmp220.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\xcijptlinj.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\documents and settings\administrator\my documents\frostwire\Saved\setup\setup.exe (Trojan.Tracur.S) → Quarantined and deleted successfully.
c:\program files\COMODO\comodo internet security\quarantine\tmp1c5.tmp.exe1 (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-776561741-1647877149-682003330-500\Dc190.exe (Trojan.P2P.Dropper) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\0.21538885934361673.exe (Trojan.Dropper) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\0.4629449240526694.exe (Trojan.Dropper) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\0.8014596046939423.exe (Trojan.Dropper) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\utt156.tmp.exe (Trojan.Pakes) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\utt188.tmp.exe (Trojan.Pakes) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\utt226.tmp.exe (Trojan.Pakes) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\utt359.tmp.exe (Trojan.Pakes) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\utt377.tmp.exe (Trojan.Pakes) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\utt547.tmp.exe (Trojan.Pakes) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\utt553.tmp.exe (Trojan.Pakes) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\utt619.tmp.exe (Trojan.Pakes) → Quarantined and deleted successfully.

Second scan in safe mode with Malwarebytes:
Malwarebytes’ Anti-Malware 1.50.1.1100

Database version: 6333

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

2011/04/11 11:16:24
mbam-log-2011-04-11 (11-16-24).txt

Scan type: Full scan (C:\|I:\|)
Objects scanned: 488919
Time elapsed: 1 hour(s), 43 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) → Value: (default) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) → Bad: ("C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) → Bad: ("C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) → Bad: ("C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\administrator\application data\Sun\Java\deployment\cache\6.0\3\192fadc3-4157ec13 (Trojan.Agent) → Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\Sun\Java\deployment\cache\6.0\55\726d4277-33efab64 (Trojan.Agent) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\ognbtkdry\rhqmgifsika.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\porkhvxhv\lrtayypsika.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\documents and settings\all users\application data\lpn31002hobdd31002\lpn31002hobdd31002.exe (Rogue.MSRemovalTool) → Quarantined and deleted successfully.

Defense + log:
4/10/2011 3:07:02 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:07:09 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:07:18 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:07:28 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:07:30 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:07:32 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:07:43 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:16:11 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:16:19 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:16:21 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:16:25 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:16:27 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:16:29 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:16:31 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:16:34 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:17:00 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:17:02 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:17:05 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:17:07 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 3:17:23 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 6:00:37 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 6:00:59 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 6:04:07 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:16:51 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:16:56 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:17:25 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:18:00 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:19:39 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:20:36 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:24:26 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:27:50 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:27:54 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:33:25 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:34:50 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:35:38 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 8:36:04 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 9:55:47 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:11:25 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:11:27 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:12:30 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:12:56 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:28:04 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:28:16 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:28:18 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:28:19 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:28:29 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:28:39 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:28:47 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:28:53 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:34:51 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:34:53 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:34:58 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:35:08 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:35:09 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:35:43 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:35:50 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:36:23 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.21538885934361673.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
4/10/2011 10:36:35 PM C:\Program Files\Mozilla Firefox\plugin-container.exe Modify File C:\WINDOWS\system32\Macromed\Flash\testUpdate.txt
4/10/2011 10:36:43 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.8014596046939423.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
4/10/2011 10:36:55 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.21538885934361673.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
4/10/2011 10:36:58 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.8014596046939423.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
4/10/2011 10:37:11 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.21538885934361673.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
4/10/2011 10:37:18 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.8014596046939423.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
4/10/2011 10:37:22 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.21538885934361673.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
4/10/2011 10:37:33 PM C:\Documents and Settings\All Users\Application Data\lPn31002hObDd31002\lPn31002hObDd31002.exe Modify Key HKUS\S-1-5-21-776561741-1647877149-682003330-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\lPn31002hObDd31002
4/10/2011 10:37:44 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.8014596046939423.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
4/10/2011 10:37:48 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.21538885934361673.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions
4/10/2011 10:37:58 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.8014596046939423.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions
4/10/2011 10:38:01 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.21538885934361673.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications
4/10/2011 10:38:04 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.8014596046939423.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications
4/10/2011 10:38:11 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.21538885934361673.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Start
4/10/2011 10:38:15 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.8014596046939423.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Start
4/10/2011 10:38:18 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.21538885934361673.exe Modify Key HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
4/10/2011 10:38:22 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.8014596046939423.exe Modify Key HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
4/10/2011 10:38:26 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.21538885934361673.exe Modify Key HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
4/10/2011 10:38:29 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.8014596046939423.exe Modify Key HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
4/10/2011 10:38:33 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.21538885934361673.exe Modify Key HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
4/10/2011 10:38:36 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.8014596046939423.exe Modify Key HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
4/10/2011 10:38:39 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.21538885934361673.exe Modify Key HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
4/10/2011 10:38:41 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.8014596046939423.exe Modify Key HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
4/10/2011 10:38:45 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.21538885934361673.exe Modify Key HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
4/10/2011 10:38:49 PM C:\Documents and Settings\Administrator\Local Settings\Temp\0.8014596046939423.exe Modify Key HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
4/10/2011 10:38:51 PM C:\WINDOWS\system32\services.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\wuauserv\DeleteFlag
4/10/2011 10:38:59 PM C:\WINDOWS\system32\services.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\wuauserv\Parameters
4/10/2011 10:39:19 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory System
4/10/2011 10:39:38 PM C:\WINDOWS\system32\services.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\wuauserv
4/10/2011 10:39:45 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\smss.exe
4/10/2011 10:39:48 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\csrss.exe
4/10/2011 10:39:51 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\winlogon.exe
4/10/2011 10:40:07 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\services.exe
4/10/2011 10:40:14 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\lsass.exe
4/10/2011 10:40:25 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\svchost.exe
4/10/2011 10:40:45 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\spoolsv.exe
4/10/2011 10:40:49 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\explorer.exe
4/10/2011 10:40:57 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
4/10/2011 10:41:00 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Java\jre6\bin\jqs.exe
4/10/2011 10:41:04 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Webroot\Washer\WasherSvc.exe
4/10/2011 10:41:54 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\RTHDCPL.exe
4/10/2011 10:42:37 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
4/10/2011 10:42:41 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\COMODO\livePCsupport\ELPS.exe
4/10/2011 10:43:25 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\hplampc.exe
4/10/2011 10:43:43 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\igfxtray.exe
4/10/2011 10:43:52 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\hkcmd.exe
4/10/2011 10:44:00 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\igfxpers.exe
4/10/2011 10:44:07 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
4/10/2011 10:44:12 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Common Files\Java\Java Update\jusched.exe
4/10/2011 10:44:22 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
4/10/2011 10:44:28 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
4/10/2011 10:46:09 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\DAEMON Tools Lite\DTLite.exe
4/10/2011 10:46:27 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\OpenOffice.org 3\program\soffice.exe
4/10/2011 10:46:37 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\OpenOffice.org 3\program\soffice.bin
4/10/2011 10:46:40 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\alg.exe
4/10/2011 10:46:44 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\foxit\Foxit Reader\Foxit Reader.exe
4/10/2011 10:46:47 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Common Files\Java\Java Update\jucheck.exe
4/10/2011 10:46:52 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\PDA\ssp.exe
4/10/2011 10:46:57 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\conime.exe
4/10/2011 10:47:02 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Sengoku Rance English\System40.exe
4/10/2011 10:47:13 PM C:\Documents and Settings\All Users\Application Data\lPn31002hObDd31002\lPn31002hObDd31002.exe Modify Key HKUS\S-1-5-21-776561741-1647877149-682003330-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\lPn31002hObDd31002
4/10/2011 10:47:21 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Trillian\trillian.exe
4/10/2011 10:47:39 PM C:\Documents and Settings\All Users\Application Data\lPn31002hObDd31002\lPn31002hObDd31002.exe Access Memory System
4/10/2011 10:47:48 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
4/10/2011 10:47:54 PM C:\Documents and Settings\All Users\Application Data\lPn31002hObDd31002\lPn31002hObDd31002.exe Access Memory C:\WINDOWS\system32\smss.exe
4/10/2011 10:47:56 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Mozilla Firefox\firefox.exe
4/10/2011 10:47:59 PM C:\Documents and Settings\All Users\Application Data\lPn31002hObDd31002\lPn31002hObDd31002.exe Access Memory C:\WINDOWS\system32\csrss.exe

Defense + log part 2:

4/10/2011 10:48:01 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Mozilla Firefox\plugin-container.exe
4/10/2011 10:48:04 PM C:\Documents and Settings\All Users\Application Data\lPn31002hObDd31002\lPn31002hObDd31002.exe Access Memory C:\WINDOWS\system32\winlogon.exe
4/10/2011 10:48:07 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Java\jre6\bin\java.exe
4/10/2011 10:48:10 PM C:\Documents and Settings\All Users\Application Data\lPn31002hObDd31002\lPn31002hObDd31002.exe Access Memory C:\WINDOWS\system32\services.exe
4/10/2011 10:48:12 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Program Files\Winamp\winamp.exe
4/10/2011 10:48:15 PM C:\Documents and Settings\All Users\Application Data\lPn31002hObDd31002\lPn31002hObDd31002.exe Access Memory C:\WINDOWS\system32\lsass.exe
4/10/2011 10:48:18 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\My entertainment\MUD\MUSHclient\MUSHclient.exe
4/10/2011 10:48:20 PM C:\Documents and Settings\All Users\Application Data\lPn31002hObDd31002\lPn31002hObDd31002.exe Access Memory C:\WINDOWS\system32\svchost.exe
4/10/2011 10:48:23 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\Documents and Settings\All Users\Application Data\lPn31002hObDd31002\lPn31002hObDd31002.exe
4/10/2011 10:48:25 PM C:\Documents and Settings\All Users\Application Data\lPn31002hObDd31002\lPn31002hObDd31002.exe Access Memory C:\WINDOWS\system32\spoolsv.exe
4/10/2011 10:48:31 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Modify Key HKUS\S-1-5-21-776561741-1647877149-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
4/10/2011 10:48:34 PM C:\Documents and Settings\All Users\Application Data\lPn31002hObDd31002\lPn31002hObDd31002.exe Access Memory C:\WINDOWS\explorer.exe
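The Defence+ export is a flat list of `date time source action target` lines, and at this length the pattern (a program running from the user's profile folder hammering explorer.exe, taskmgr.exe and System with Access Memory requests) is hard to see by eye. As an added example that is not part of the thread or of Comodo's own tooling, the following Python script parses lines in that export format and flags executables in user-writable XP profile folders that repeatedly read other processes' memory; the sample lines are constructed in the same format (`example_once.exe` is an invented name).

```python
import re
from collections import Counter, defaultdict

# Action names that appear in a Comodo Defense+ event export. Paths contain
# spaces, so a line can only be split reliably by matching the action as a unit.
ACTIONS = (
    "Access COM Interface", "Direct Disk Access", "Access Memory",
    "Block File", "Modify File", "Modify Key",
)
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<source>.+?) (?P<action>" + "|".join(re.escape(a) for a in ACTIONS)
    + r") (?P<target>.*)$"
)

# XP profile folders any process running as the user can write to. Legitimate
# services and security tools almost never execute from these locations.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\")

# Constructed sample in the export's format (hypothetical events, not the
# poster's actual log); example_once.exe is an invented name.
SAMPLE_LOG = r"""
4/10/2011 10:48:42 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\explorer.exe
4/10/2011 10:48:44 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\explorer.exe
4/10/2011 10:48:46 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\explorer.exe
4/10/2011 11:20:12 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory System
4/10/2011 11:20:20 PM C:\Documents and Settings\Administrator\Local Settings\Application Data\jwo.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
4/11/2011 2:45:13 AM C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe Modify Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
4/11/2011 2:47:30 AM C:\Program Files\Malwarebytes' Anti-Malware\mbam.com Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
4/11/2011 12:17:47 PM C:\Documents and Settings\Administrator\Application Data\U3\11006113E641BB66\Intro\U3Introduction.exe Access COM Interface Shell.Explorer.2
4/11/2011 12:30:00 PM C:\Documents and Settings\Administrator\Local Settings\Temp\example_once.exe Access Memory C:\WINDOWS\explorer.exe
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def parse_line(line):
    """Split one export line into date, time, source, action, target (or None)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(lines, min_hits=3):
    """Map each source in a user-writable folder that generated at least
    min_hits 'Access Memory' events to a Counter of the processes it touched."""
    hits = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "Access Memory" and is_user_writable(ev["source"]):
            hits[ev["source"]][ev["target"]] += 1
    return {src: tgts for src, tgts in hits.items() if sum(tgts.values()) >= min_hits}


if __name__ == "__main__":
    for src, tgts in triage(SAMPLE_LINES).items():
        print(f"SUSPECT {src}")
        for tgt, n in tgts.most_common():
            print(f"  {n:3d}x Access Memory -> {tgt}")
```

Point it at a real export with `triage(open("dplog.txt").read().splitlines())`; anything it flags is a candidate for a "Blocked" or "Isolated" policy rather than repeated per-event prompts.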

One more reason to sandbox your browsers.

Are you using a limited acct. in WinXP? DEP enabled? UAC enabled?

Sorry this happened to you. I feel your pain…it happened to me last summer.
Was running Avast at the time.

If someone has this malware, can they provide me a link to download it via PM?

You are aware that these two security features aren’t in Windows XP, right? Only Vista and 7 benefit from these two features.

Not sure what sandboxing means.

It looks like the computer is clean now though, but I am wary about an icon near my clock at the lower right corner.

It says auto-updates are off, but I don’t remember that being there before. It could just be Windows… Other than that everything is back to normal.

It’s virtualization. In Comodo it is the Manual Sandbox. Go to “D+” - “Computer security policy” - “Always sandbox”. Put your browsers and other applications that go to the internet there. It is another layer of protection (stronger than the Automatic sandbox).

There is also another product called “Sandboxie”.


Could not agree more. That is why Comodo should improve the MS. I am sure that the AS in “Restricted” or above would stop this. But nothing is 100%. That is why it is so important to have another layer of protection, especially if it is from the same company, to avoid conflicts and slowdowns.
With the AS set to “Blocked” and the MS in conjunction, if it is not 100% it is 99,999999999999999999999% :wink:

There is no tray icon when windows automatic update is off.

On top of the manual sandbox of CIS, or Sandboxie or Geswall, if you allow me a small piece of advice, use backup and restore software. That will spare you the trouble and anxiety of disinfecting your PC. All you’ll need to do in case of infection is restore a previous clean image of your system.

Boris

Hi Guys,

Hi WinDefend,

Sure about UAC, but DEP is present on XP:

  1. native MS Software DEP. See System > Advanced > Performance > “Data Execution Prevention” Tab;
  2. hardware DEP … depending on motherboard/BIOS feature (should be enabled if present);
  3. Software DEP by Comodo

All 3 actually can coexist. There could be conflicts but that is very rare.

My regards

Oops, I forgot to specify. :stuck_out_tongue:

Windows XP SP1 and below do not have DEP. If I remember correctly, DEP was introduced in SP2.

I don’t want to bring bad news but:

System Requirements:

Windows 7 / Vista / XP SP2
128 MB RAM / 350 MB hard disk space

CIS probably failed in your case due to SP1… I remember having XP SP1, it got infected (without any security) just being connected to the web, within about 15 minutes…

Forgot about UAC, but I know people using XP who have enabled DEP.
I haven’t used XP since…whenever Vista was released…2007?
:stuck_out_tongue:

To the Original Poster…
You should consider enabling DEP…

it’s not a magic bullet but it can help.

And you might want to consider adding a second Administrator acct. and then downgrading your present Administrator acct. to ‘Limited’.
I’m assuming you are using an Administrator acct.
http://www.mechbgon.com/build/Limited.html

The more road blocks the better…in my opinion

Hi OmeletGuy,
Even having strong security may not help in many cases when the latest SP is not installed and all MS Security Patches are applied religiously. Well, patches by other vendors are important too, but since SP was mentioned…

According to the report provided above

Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 6.0.2900.5512
SP3 is in place, unless I'm missing something. At the same time, running IE 6 would be a big(!) concern in any circumstances.

Cheers!

Oh, my bad. I thought the post by the user at the top of this page was saying his OS and SP… now I understand.

:embarassed: