
EXE in Windows fonts folder?


epp_b


I was cleaning out my parents' computer (which wasn't too bad, 'cause I'm usually around B)) running Windows 98, and found something odd... There is a file named lassas.exe in the Windows fonts folder. It has an icon that makes it appear to be a WinRAR archive (but I don't know if it is). Going to the properties for the file reveals that the "Original Filename" is a bunch of gibberish, which makes me suspicious of it. I've run HijackThis and uploaded the log to an online analyser, which returned "unknown" for the file (as a running process, which I killed afterwards). SpyBot S&D and AdAware with updated definitions both returned nothing in obvious association with the file. Google doesn't even return any relevant results! Any ideas?


From The Scream:

Are you sure it's lassas.exe? If it's lssas[sic...should be lassas].exe you may have a virus. Go here (http://www.the-scream.co.uk/forums/t14166.html?) and pick one of the links for an online check. If it's lsass.exe then it's a Windows process.

Process File: lsass or lsass.exe
Process Name: Local Security Authority Service
Description: lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. Note: lsass.exe also relates to the Windang.worm, irc.ratsou.b, Webus.B, MyDoom.L, Randex.AR, Nimos.worm which spread via floppy disk drives, mass-mailing and peer-to-peer sharing. Please review file path for clarification of this.
System Process: Yes
Background Process: Yes
Uses Network: Yes
Hardware Related: No
Common Errors: N/A
Memory Usage: N/A

Yes, I am 100% positive that it is lassas (underlined is lowercase 'L' and not uppercase 'i'). I have currently renamed it to lassas.old until I find out what it is. But... why on Earth is it in the Windows fonts system folder? And why is the "Original Filename" (under the "Version" tab in the file properties) labelled as "JHDSKJHJKSHKJHFJHKJSHFJSSSF.exe"? Oh, and BTW, this is Windows 98SE -- only Windows >= 2000 have lassas.exe as a running process, yet another reason I am suspicious of this file.


Well.... it was one of the more publicized virii that came out late last year, if I remember correctly. Do you run AV software? It would tell you for sure.......


Well.... it was one of the more publicized virii that came out late last year, if I remember correctly.
Well, that's odd since the 2 pages that Google returns are of no relevance whatsoever.
Do you run AV software? It would tell you for sure.......
I have scanned the file with AVG Free 7.0.323 with latest definitions and Norton AV 2002 with latest definitions. In addition to that, I have also scanned the hard drive with HijackThis (returned "unknown" in online analyser), SpyBot S&D, and AdAware. Nothing has returned positive! BTW, this does not appear to be a valid WinRAR file as WinRAR does not insert the "Extract" command in the context menu for this file.

Hi, it sounds to me like a file which was created to look legit, but it is not. The results of a Google search do not show anything of specific nature. That's not good. That, combined with the fact that you say the properties are gibberish, is the clincher for me. And seeing as neither AdAware nor Spybot find anything is also another thing, tho not entirely unusual. The way you describe its file path, in the font folder, makes me think it could be an infection called MSEvents\Vundo.

Running any online auto analyser as you did will not give you much info; you need to have your HJT log analysed by someone who is trained in doing the logs. As far as I know, there is no forum here for that. I, however, have a forum where I'd be more than happy to look at your log. I have quite a bit of experience with HJT logs, and if you register and post your log, we can figure it out. I don't know if this will constitute 'spamming' the boards, but here is my forum: http://temerc.com/phpBB2/


I can just post the log right here B)

Logfile of HijackThis v1.99.1
Scan saved at 8:56:17 AM, on 6/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\SETUPS & INSTALLERS\SOFTWARE\SECURITY\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pembinavalleyonline.com/
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Ron & Rhonda] C:\WINDOWS\FONTS\lassas.exe
O4 - HKLM\..\Run: [User] C:\WINDOWS\FONTS\lassas.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab

BTW, I see that lassas.exe is set to run @ startup, but I have renamed it so that it doesn't start (lassas.old)


OK, well, the good thing is you're running Win9x, so the infection does not go as deep. Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

You're running Spybot's TeaTimer; we need to disable that before we fix things: right click the running icon of Spybot's TeaTimer, and choose Exit.

:arrow: Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have no IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [Ron & Rhonda] C:\WINDOWS\FONTS\lassas.exe
O4 - HKLM\..\Run: [user] C:\WINDOWS\FONTS\lassas.exe

Reboot into Safe Mode, one of these ways:

Method 1: Turn on your computer. Hold down the <Ctrl> key until the Windows 98 Startup menu appears. Highlight or select Safe Mode (usually number 3) from the Startup menu. Press the <Enter> key.

Method 2: Click the Start button, click Run, in the Open box type msconfig and click OK. Click the Advanced button. Click Enable Startup Menu. A check mark will appear in the box. Click OK. Choose to restart your computer when prompted. When the system restarts, use the arrow keys to highlight Safe Mode, then press the <Enter> key.

Method 3: Insert a non-bootable floppy disk in the floppy drive, and restart your computer. When the message "Non-system disk or disk error. Replace and strike any key when ready" appears, remove the floppy disk from the drive. Press the <F8> key twice. The Windows 98 Startup menu appears. Use the arrow keys to highlight Safe Mode, and press the <Enter> key.

Method 4: If Windows 98 fails to start, it will attempt to enter Safe Mode automatically on the following restart.

Also, enable the 'Show Hidden Folders' option, like this: Open My Computer. Select the View menu and click Folder Options. Select the View tab. In the Hidden files section select Show all files. Click OK.

And search for, then delete, if found (some may not be present after previous steps), the following files/folders:

C:\WINDOWS\FONTS\lassas.exe <<<-- file

To exit Safe Mode, click the Start button, click Shutdown, click Restart The Computer, and click Yes.

Post a new HJT log back into this thread please.

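Added example, not from the thread or from HijackThis itself: a small Python triage script that applies the two heuristics the thread uses (an executable auto-starting from the Fonts folder, and a file name that is a near-miss of lsass.exe) to HijackThis-style log entries. The sample lines are copied from the log above plus one constructed running-process line; the directory and process-name lists and the similarity threshold are assumptions.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the thread).

Two heuristics from the thread:
  1. an executable auto-starting from a folder where no program belongs (Fonts, Temp);
  2. a file name that resembles a well-known Windows process name
     (lassas.exe looks like lsass.exe, the Local Security Authority process).
Windows 9x paths are used to match the system discussed; the lists are constructed,
not exhaustive.
"""
import re
from difflib import SequenceMatcher

SUSPICIOUS_DIRS = (r"c:\windows\fonts", r"c:\windows\temp")          # assumed list
KNOWN_SYSTEM_NAMES = ("lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe")
LOOKALIKE_THRESHOLD = 0.8   # similarity ratio above which a name counts as an imitation

# HijackThis O4 entry: "O4 - HKLM\..\Run: [Name] C:\path\file.exe /args"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Program path at the start of a command line, with or without arguments.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|pif|bat))\b', re.IGNORECASE)


def executable_of(command):
    """Return the program path from an O4 command line, e.g.
    'C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP' -> the .EXE path."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else None


def lookalike_of(filename):
    """Return the well-known process name that `filename` most resembles without
    being identical to it, or None. An exact match is the real process, not a lookalike."""
    name = filename.lower()
    best, best_ratio = None, 0.0
    for known in KNOWN_SYSTEM_NAMES:
        if name == known:
            return None
        ratio = SequenceMatcher(None, name, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best if best_ratio >= LOOKALIKE_THRESHOLD else None


def assess_path(path):
    """Return a list of human-readable reasons why `path` deserves a closer look."""
    reasons = []
    directory, _, filename = path.lower().rpartition("\\")
    for bad in SUSPICIOUS_DIRS:
        if directory == bad or directory.startswith(bad + "\\"):
            reasons.append(f"executable under {bad}, where no program should live")
    known = lookalike_of(filename)
    if known:
        reasons.append(f"name '{filename}' imitates system process '{known}'")
    return reasons


def triage_log(text):
    """Scan an HJT log; return [(line, reasons)] for entries that need a closer look.
    Both O4 auto-start entries and bare running-process paths are examined."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = executable_of(m.group("cmd"))
        elif re.match(r"^[a-z]:\\", line, re.IGNORECASE):   # running-process line
            path = line
        else:
            continue
        if path:
            reasons = assess_path(path)
            if reasons:
                findings.append((line, reasons))
    return findings


# Constructed sample: entries taken from the thread's log, plus a running-process
# line for lassas.exe (in the thread it had already been killed when the log was taken).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\FONTS\lassas.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Ron & Rhonda] C:\WINDOWS\FONTS\lassas.exe
O4 - HKLM\..\Run: [User] C:\WINDOWS\FONTS\lassas.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
"""

if __name__ == "__main__":
    for flagged_line, why in triage_log(SAMPLE_LOG):
        print(flagged_line)
        for reason in why:
            print("   ->", reason)
```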

Thanks, I've done that. Except I didn't boot into safe mode - I just killed the process via Process Explorer and renamed it to "lassas.old" so that it wouldn't run. It's interesting, however, that this program did not attempt to access the internet at all (ZA did not notify me of anything). Anyway, here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:32:12 AM, on 6/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
D:\SETUPS & INSTALLERS\SOFTWARE\SECURITY\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pembinavalleyonline.com/
F1 - win.ini: run=hpfsched
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab

Secondly, I noticed a related file named "lassas.lgc" with the following contents:



OK, well, it seems you got the offending files; I would remind you to also delete the file you renamed. A couple of minor entries need removal tho, but should go this time around.

:arrow: Reboot into 'Safe mode', run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

:arrow: Reboot, run HJT; if the above are gone, no need to repost with a new log.

AdAware SE is a great companion to Spybot, and virtually all security forums recommend they run in tandem. Ad-aware SE v1.06r: DL, check for updates and quarantine all that's found.

To further prevent the installation of ad/mal/spyware, DL these two apps, which are becoming the next one-two punch in the fight against ad/mal/spyware with AdAware & Spybot S&D: SpywareGuard & SpywareBlaster v3.4. With SpywareBlaster and SpywareGuard, just DL, check for updates, enable protection, and you're done!

To avoid known malware-infested sites from loading in IE, install IESPY ADS. And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection. And to prevent unknown applications from being installed on your machine, install WinPatrol v9.5.0.1.

Links for tutorials for all the apps I mentioned can be found on my site as well. Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps.

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here: Calendar of Updates. Subscribe to update alerts for all the above security apps here.

You can also see my own ongoing security testing with all the above apps, proving how secure you can be with them installed: TeMerc Test Box Forum.

Happy surfing!!

Tom B)


Thanks, TeMerc. I've already installed a number of those programs you mentioned and also keep an updated copy of MVPS' hosts file on their computer.


LilBambi, that was the infection I was thinking of, tho it didn't present the infection symptoms as listed in the Bleeping post. There was an older version of that infection, dated around Sept '04 as well. It was called Stopguard then. As I have done a ton of HJT logs, the file path jumped right out of that file. Anything that attaches itself to a fonts folder is just looking to trick the user. epp_b did a good job recognising it was odd and did not belong.

OK, epp_b, glad we were able to get things cleaned out.


Guest LilBambi

Yes, I agree regarding the location. Nothing executable should be there. It's as bad as executables or batch files being found in the Application Data main directory or a number of other places where none should exist. :thumbsup: Was just wondering what made you think of that particular problem, and you answered that very well. Just curious was all. Great instincts! :'(

