 Rank: Rookie Groups: Member
Joined: 2/1/2010 Posts: 6 Location: france
|
I am using Windows XP and I have Spyware Terminator running real-time all day, and analyzing all fixed disks once a day. It has worked great for years! My scan is running in the background and it stops at around 50%. As soon as you restore the display, the scan will continue.
When I am fast enough I see the file C:\Documents and Settings\%myUserName%\Application Data\*\knobflag.exe being checked at that moment. The scan goes on to the end and finds no threat.
I checked the http://www.spywareterminator.com/item/2648/TrojanFlag.html page and found this file to be critical, with the note: This threat can be removed using "Spyware Terminator".
But I could not find any way to really remove this file. Is there any real directory called * ? Where is this file? I also see a little later files passing in the c:\windows\*\ directory or in c:\program files\*. Are these real? Where are they and how do I get rid of them?
Thanks for your help.
|
|
  Rank: General Groups: Beta, Member, Threat Analyzer
Joined: 7/31/2009 Posts: 328 Location: Germany/Wuppertal
|
Hi
Firstly > 'Hidden Files'
To make them visible > follow the prompts:
To see hidden files:
1. On the Tools menu in Windows Explorer, click Folder Options.
2. Click the View tab.
3. Under Hidden files and folders, click Show hidden files and folders.
Note: To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer.
Please load the file up to Mimo or cham as described >
<Because of a lot of changes in the samples uploading way, it would be better to have some rules for it. There's a problem with password changing and so on. The best way is to upload all samples in .zip or .rar format and they should have the same password - infected. The password is not needed, because there's no AV detection of uploaded samples and access to this part is strictly limited for other users. Thanks.>
Now download and install HijackThis 2.0.3 β from http://free.antivirus.com/hijackthis/
Run it and copy/paste the log in your next reply.
*copy 'Threat Samples'
Raziel
Life is a tale, told by an idiot ...
If it ain't broke... fix it until it is.
|
|
 Rank: Rookie Groups: Member
Joined: 2/1/2010 Posts: 6 Location: france
|
First: Thanks for the quick reply.
I have hidden + system folders + files visible.
My computer is protected by Spyware Terminator, Avast and ZoneAlarm - and it seems to function all right, except for Spyware Terminator now pausing on this file when in reduced (background?) mode. The problem seems to be that the folder is called * (star) when I look at the Spyware Terminator message. When searching in Explorer for knobflag.* there are no files found.
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:58:33, on 02/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\TDxVGAUTIL.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Webshots\webshots.scr
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://y.lo.st
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://y.lo.st
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TDxVGAUTIL] C:\WINDOWS\system32\TDxVGAUTIL.EXE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Ouvrir le fichier PDF dans Word - res://C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /300
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/fr/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248725669191
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = charles-cip.fr
O17 - HKLM\Software\..\Telephony: DomainName = charles-cip.fr
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = charles-cip.fr
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = charles-cip.fr
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: SQL Server (EBP) (MSSQL$EBP) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe (file missing)
O23 - Service: OpenERP Server (openerp-service) - Unknown owner - C:\Program Files\OpenERP Server\service\OpenERPServerService.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\Avlib\SSScsiSV.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe
--
End of file - 11179 bytes
File Attachment(s):
hijackthis.log (11kb)
|
|
  Rank: General Groups: Beta, Member, Threat Analyzer
Joined: 7/31/2009 Posts: 328 Location: Germany/Wuppertal
|
Found nothing for now - will check it later.
Please copy/paste the Scan Reports (when the scan has hung up).
Regards
Raziel
Life is a tale, told by an idiot ...
If it ain't broke... fix it until it is.
|
|
 Rank: Rookie Groups: Member
Joined: 2/1/2010 Posts: 6 Location: france
|
Hi Raziel,
To get the screen capture I reduced the screen to the task bar and waited until the percentage didn't count up anymore. Then I restored the screen, paused the program and made the screen capture.
It's in French (my home language). You'll see in the upper frame "Opérations en cours - Analyse des fichiers connus" the name of the file knobflag.exe and the folder name "star" *.
I never saw something like this before; my computer still seems to work fine, but I am worried....
Thanks for your help.
freeinfo attached the following image(s):
|
|
  Rank: General Groups: Beta, Member
Joined: 11/27/2008 Posts: 132 Location: US
|
Hi, just to answer your question about the *: it is used as a wildcard to detect malware. For example, if Spyware Terminator had the following entry, C:\Windows\virus*exe, the following files would be detected: C:\Windows\virus943.exe, C:\Windows\virusPSDL.exe, and so on.
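To make the wildcard explanation above concrete, here is a small added example (my own illustration, not code from the thread or from Spyware Terminator) that turns a signature path containing `*` into a pattern and runs it over a constructed list of file paths. The assumption, which the post does not state, is that `*` matches any run of characters within a single path component (it never crosses a backslash), and that matching is case-insensitive like Windows paths. The `%myUserName%` placeholder and the sample paths are made up for the demonstration.

```python
import re
from typing import List

# Constructed sample of file paths, standing in for a walk over a disk.
# None of these are real files from the thread; they only illustrate matching.
SAMPLE_PATHS = [
    r"C:\Windows\virus943.exe",
    r"C:\Windows\virusPSDL.exe",
    r"C:\Windows\virus.exe",
    r"C:\Windows\notepad.exe",
    r"C:\Windows\system32\virus1.exe",
    r"C:\Documents and Settings\alice\Application Data\Foo\knobflag.exe",
    r"C:\Documents and Settings\alice\Application Data\knobflag.exe",
    r"C:\Documents and Settings\alice\Application Data\Foo\Bar\knobflag.exe",
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a signature path with '*' wildcards into an anchored regex.

    Assumption (not stated in the thread): '*' matches any run of characters
    except a backslash, so one '*' stands for exactly one folder name or for
    part of a file name and never spans several directories.  Matching is
    case-insensitive, as Windows paths are.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    body = r"[^\\]*".join(literal_parts)
    return re.compile(r"^" + body + r"$", re.IGNORECASE)


def matching_paths(pattern: str, paths: List[str]) -> List[str]:
    """Return every path that the wildcard signature would flag."""
    rx = wildcard_to_regex(pattern)
    return [p for p in paths if rx.match(p)]


def expand_user_profile(pattern: str, user: str) -> str:
    """Replace the %myUserName% placeholder used in the thread with a user name."""
    return pattern.replace("%myUserName%", user)


if __name__ == "__main__":
    signatures = [
        r"C:\Windows\virus*exe",
        r"C:\Documents and Settings\%myUserName%\Application Data\*\knobflag.exe",
    ]
    for sig in signatures:
        sig = expand_user_profile(sig, "alice")
        print(sig)
        for hit in matching_paths(sig, SAMPLE_PATHS):
            print("  would be flagged:", hit)
```

With this reading of `*`, the folder the scanner shows as `*` is not a real directory: the signature says "knobflag.exe directly under any one folder inside Application Data", which is why an Explorer search for a folder literally named `*` finds nothing. Note also that `*` may match the empty string, so `virus*exe` would flag a file named `virusexe` as well.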
|
|
  Rank: General Groups: Beta, Member, Threat Analyzer
Joined: 7/31/2009 Posts: 328 Location: Germany/Wuppertal
|
Hello
Probably a misunderstanding, but I asked for a detailed report...
Rapports du Scan
Please run an update to 2.6.6.196 and start a full scan; should it fail again,
download and install Malwarebytes' Anti-Malware, run a full scan and copy/paste the log in your next reply.
Regards
Addendum
At last, download and install CCleaner (Piriform), run it and reboot.
Your Acrobat Reader is outdated! Think about an update (you'll have the ability to adjust the 'Advanced Security' settings)
or test another reader, because there are security leaks in JavaScript (PDF).
Raziel
Life is a tale, told by an idiot ...
If it ain't broke... fix it until it is.
|
|
 Rank: Rookie Groups: Member
Joined: 2/1/2010 Posts: 6 Location: france
|
I am using (and updating) CCleaner regularly.
I am using a full Acrobat version 5 with a lot of add-ons, and Foxit Reader for standard PDF access.
I updated to the latest Spyware Terminator and got the attached full report. Still the same thing: it "stops" when reduced on the \*\knobflag.exe and starts running again when displayed on the screen.
The threat "Ultra VNC" is a setup file for a program I am using when on the road to integrate a company network. The program is uninstalled after use (when going back to the office).
I am going to download the Malwarebytes and run a scan.
That's all for the moment. Thanks again for the ...
File Attachment(s):
SpywareTerminator.log.txt (42kb)
|
|
 Rank: Rookie Groups: Member
Joined: 2/1/2010 Posts: 6 Location: france
|
Hi,
I installed the latest version of MBAM and made a full check: No problems... See the attached log.
File Attachment(s):
mbam-log-2010-02-05 (00-31-08).txt (2kb)
|
|
  Rank: General Groups: Beta, Member, Threat Analyzer
Joined: 7/31/2009 Posts: 328 Location: Germany/Wuppertal
|
When ST is scanning in background it needs very little system resources, maybe not enough for a complete
cleaning process (you may check it with your Task Manager).
To be on the safe side try this:
WIN + R > type: Cleanmgr /sageset:65535 & Cleanmgr /sagerun:65535 > enter > tag all > enter > reboot
Hope this helps
Regards
Raziel
Life is a tale, told by an idiot ...
If it ain't broke... fix it until it is.
|
|
 Rank: Rookie Groups: Member
Joined: 2/1/2010 Posts: 6 Location: france
|
Your last message gave me the idea of using a program to clean up my disk.
I used Eraser (www.heidi.ie/eraser/) to do it and got rid of the problem.
Thanks a lot for all your advice!
|
|
  Rank: General Groups: Beta, Member, Threat Analyzer
Joined: 7/31/2009 Posts: 328 Location: Germany/Wuppertal
|
Hi
Glad that I could help.
Solved
Raziel
Life is a tale, told by an idiot ...
If it ain't broke... fix it until it is.