Virus cleanup - URGENT


Re: Virus cleanup - URGENT

Post by Alan Baxter »

JSView and Adblock Plus are very helpful here. Consider:

hxxp://haushaltsrecycling.de/com.at/index_de.php?q=cleopatra+history

Adblock Plus reports the following as Blockable (which I blocked with http://no-to-be.cn)
hxxp: //no-to-be.cn/pdfs/main.php?r=+escape(document.referrer)+&n=x&s=+location.href+
JSView reports: Source of: hxxp: //no-to-be.cn/pdfs/main.php?r=+escape(document.referrer)+&n=x&s=+location.href+
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /pdfs/main.php?r=+escape(document.referrer)+&n=x&s=+location.href+ was not found on this server.<P>
</BODY></HTML>
If I allow the script to run with both NoScript and Adblock Plus, then JSView gives me the following info:
hxxp://antispyware-l12.com/scn1/img/drugndrop.js


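/*
 * Drag: a small DOM drag-and-drop helper. Its shape is that of the widely
 * copied "dom-drag" style library (appears to be a generic UI helper, not
 * specific to the site it was served from). Usage:
 *   Drag.init(el, rootEl?, minX?, maxX?, minY?, maxY?,
 *             swapHorz?, swapVert?, xMapper?, yMapper?)
 * after which a mousedown on `el` moves `rootEl` (default: `el`) through
 * its inline style until mouseup.
 *
 * Changes vs. the listing: the three no-op hooks are plain empty functions
 * instead of `new Function()` (same behaviour, no dynamic code construction),
 * every parseInt passes radix 10, and the mapper branch in drag() has
 * explicit semicolons instead of relying on ASI.
 */
var Drag = {
	// Element currently being dragged; null between drags.
	obj : null,

	/**
	 * Prepare `o` for dragging.
	 * @param o             element that receives the mousedown
	 * @param oRoot         element that is actually moved (defaults to o)
	 * @param minX, maxX    optional horizontal bounds in px (undefined = none)
	 * @param minY, maxY    optional vertical bounds in px (undefined = none)
	 * @param bSwapHorzRef  truthy: position via `right` instead of `left`
	 * @param bSwapVertRef  truthy: position via `bottom` instead of `top`
	 * @param fXMapper      optional function replacing the computed x (see drag)
	 * @param fYMapper      optional function replacing the computed y (see drag)
	 */
	init : function(o, oRoot, minX, maxX, minY, maxY, bSwapHorzRef, bSwapVertRef, fXMapper, fYMapper)
	{
		o.onmousedown	= Drag.start;

		// hmode/vmode: true => track left/top, false => track right/bottom.
		o.hmode			= bSwapHorzRef ? false : true ;
		o.vmode			= bSwapVertRef ? false : true ;

		o.root = oRoot && oRoot != null ? oRoot : o ;

		// Give the tracked side a numeric starting value so the parseInt
		// calls in start()/drag() never see an empty style.
		if (o.hmode  && isNaN(parseInt(o.root.style.left,   10))) o.root.style.left   = "0px";
		if (o.vmode  && isNaN(parseInt(o.root.style.top,    10))) o.root.style.top    = "0px";
		if (!o.hmode && isNaN(parseInt(o.root.style.right,  10))) o.root.style.right  = "0px";
		if (!o.vmode && isNaN(parseInt(o.root.style.bottom, 10))) o.root.style.bottom = "0px";

		// null means "unbounded" on that side; checked with != null below.
		o.minX	= typeof minX != 'undefined' ? minX : null;
		o.minY	= typeof minY != 'undefined' ? minY : null;
		o.maxX	= typeof maxX != 'undefined' ? maxX : null;
		o.maxY	= typeof maxY != 'undefined' ? maxY : null;

		o.xMapper = fXMapper ? fXMapper : null;
		o.yMapper = fYMapper ? fYMapper : null;

		// Default hooks are no-ops; callers overwrite them after init().
		o.root.onDragStart	= function() {};
		o.root.onDragEnd	= function() {};
		o.root.onDrag		= function() {};
	},

	/**
	 * mousedown handler (runs with `this` = the element passed to init).
	 * Records the element as Drag.obj, calls onDragStart with the current
	 * position, converts the px bounds into mouse-coordinate bounds, and
	 * installs the document-level move/up handlers. Returns false so the
	 * browser's default mousedown action is suppressed.
	 */
	start : function(e)
	{
		var o = Drag.obj = this;
		e = Drag.fixE(e);
		var y = parseInt(o.vmode ? o.root.style.top  : o.root.style.bottom, 10);
		var x = parseInt(o.hmode ? o.root.style.left : o.root.style.right,  10);
		o.root.onDragStart(x, y);

		o.lastMouseX	= e.clientX;
		o.lastMouseY	= e.clientY;

		// Bounds are expressed as mouse positions; note maxMouseX is derived
		// from minMouseX, so the min line must run first (as written).
		if (o.hmode) {
			if (o.minX != null)	o.minMouseX	= e.clientX - x + o.minX;
			if (o.maxX != null)	o.maxMouseX	= o.minMouseX + o.maxX - o.minX;
		} else {
			if (o.minX != null) o.maxMouseX = -o.minX + e.clientX + x;
			if (o.maxX != null) o.minMouseX = -o.maxX + e.clientX + x;
		}

		if (o.vmode) {
			if (o.minY != null)	o.minMouseY	= e.clientY - y + o.minY;
			if (o.maxY != null)	o.maxMouseY	= o.minMouseY + o.maxY - o.minY;
		} else {
			if (o.minY != null) o.maxMouseY = -o.minY + e.clientY + y;
			if (o.maxY != null) o.minMouseY = -o.maxY + e.clientY + y;
		}

		document.onmousemove	= Drag.drag;
		document.onmouseup		= Drag.end;

		return false;
	},

	/**
	 * mousemove handler while a drag is active. Clamps the mouse position to
	 * the bounds computed in start(), moves the root by the mouse delta (sign
	 * flipped when tracking right/bottom), then calls onDrag(nx, ny).
	 * Quirk kept as written: xMapper receives the current *y* and yMapper the
	 * current *x*, and only one of the two mappers is ever applied.
	 */
	drag : function(e)
	{
		e = Drag.fixE(e);
		var o = Drag.obj;

		var ey	= e.clientY;
		var ex	= e.clientX;
		var y = parseInt(o.vmode ? o.root.style.top  : o.root.style.bottom, 10);
		var x = parseInt(o.hmode ? o.root.style.left : o.root.style.right,  10);
		var nx, ny;

		if (o.minX != null) ex = o.hmode ? Math.max(ex, o.minMouseX) : Math.min(ex, o.maxMouseX);
		if (o.maxX != null) ex = o.hmode ? Math.min(ex, o.maxMouseX) : Math.max(ex, o.minMouseX);
		if (o.minY != null) ey = o.vmode ? Math.max(ey, o.minMouseY) : Math.min(ey, o.maxMouseY);
		if (o.maxY != null) ey = o.vmode ? Math.min(ey, o.maxMouseY) : Math.max(ey, o.minMouseY);

		nx = x + ((ex - o.lastMouseX) * (o.hmode ? 1 : -1));
		ny = y + ((ey - o.lastMouseY) * (o.vmode ? 1 : -1));

		if (o.xMapper)		nx = o.xMapper(y);
		else if (o.yMapper)	ny = o.yMapper(x);

		Drag.obj.root.style[o.hmode ? "left" : "right"] = nx + "px";
		Drag.obj.root.style[o.vmode ? "top" : "bottom"] = ny + "px";
		Drag.obj.lastMouseX	= ex;
		Drag.obj.lastMouseY	= ey;

		Drag.obj.root.onDrag(nx, ny);
		return false;
	},

	/**
	 * mouseup handler: removes the document-level handlers, reports the final
	 * position through onDragEnd(x, y) and clears Drag.obj.
	 */
	end : function()
	{
		document.onmousemove = null;
		document.onmouseup   = null;
		Drag.obj.root.onDragEnd(	parseInt(Drag.obj.root.style[Drag.obj.hmode ? "left" : "right"], 10),
									parseInt(Drag.obj.root.style[Drag.obj.vmode ? "top" : "bottom"], 10));
		Drag.obj = null;
	},

	/**
	 * Normalise the event object across browsers: fall back to window.event
	 * when no event was passed, and mirror offsetX/offsetY into
	 * layerX/layerY when the latter are missing. Mutates and returns `e`.
	 */
	fixE : function(e)
	{
		if (typeof e == 'undefined') e = window.event;
		if (typeof e.layerX == 'undefined') e.layerX = e.offsetX;
		if (typeof e.layerY == 'undefined') e.layerY = e.offsetY;
		return e;
	}
};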
hxxp://antispyware-l12.com/scn1/img/geoip.js


/**
 * Build the request object used for the geoip lookup: the legacy ActiveX
 * control when navigator.appName reports Internet Explorer, the native
 * XMLHttpRequest everywhere else.
 * @returns {Object} a fresh, unopened request object
 */
function createObject() {
	var isInternetExplorer = navigator.appName === "Microsoft Internet Explorer";
	if (isInternetExplorer) {
		return new ActiveXObject("Microsoft.XMLHTTP");
	}
	return new XMLHttpRequest();
}
// One request object shared by ajaxreq() and searchBastReply() below.
var http = createObject();
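/**
 * Ask geoip.php (same origin as the page) for the visitor's location and
 * route the reply to searchBastReply(); shows a placeholder meanwhile.
 * What the page does with the result is not visible in this listing --
 * presumably it personalises the displayed text.
 * Fix vs. the listing: `nocache` is a local instead of an implicit global.
 */
function ajaxreq() {
	document.getElementById('geoipcountry').innerHTML = "Loading...";
	// Random query-string value so no cache serves a stale reply.
	var nocache = Math.random();
	http.open('get', 'geoip.php?nocache=' + nocache);
	// Kept as in the listing: an implicit global that nothing here reads
	// (other scripts on the page may, so it is not removed).
	divid = 'geoipcountry';
	http.onreadystatechange = searchBastReply;
	http.send(null);
}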
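/**
 * readyState handler for the geoip request. Once the response is complete
 * it is split on spaces: the first token is written into #geoipcountry and
 * the second into #geoipcity.
 * Fix vs. the listing: a reply with no second token no longer renders the
 * literal string "undefined" in the city element.
 * Note: both writes use innerHTML, so whatever geoip.php returns is parsed
 * as markup by the browser.
 */
function searchBastReply() {
	if (http.readyState != 4) {
		return;
	}
	var response = http.responseText.split(" ");
	var city = typeof response[1] == 'undefined' ? "" : response[1];
	document.getElementById('geoipcountry').innerHTML = response[0];
	document.getElementById('geoipcity').innerHTML = city;
}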
// Start the lookup as soon as the script is evaluated.
ajaxreq();
hxxp://antispyware-l12.com/scn1/img/jquery-init.js


// On DOM ready: record in a global whether the UA string contains "SV1"
// (the variable name suggests this is the XP SP2 / IE marker), then make
// ANY click on the page body call download() -- a function that is not
// defined in this listing -- and cancel the click's default action.
$(function() {
	isXPSP2 = window.navigator.userAgent.indexOf("SV1") !== -1;

	$("body").click(function() {
		download();
		return false;
	});
});

// Visibility helpers added to jQuery objects. my_hide/my_show return the
// jQuery object so they chain; my_toggle returns nothing.
jQuery.fn.my_hide = function() {
	return this.css({visibility: "hidden"});
};
jQuery.fn.my_show = function() {
	return this.css({visibility: "visible"});
};
jQuery.fn.my_toggle = function() {
	var currentlyHidden = this.css("visibility") === "hidden";
	if (currentlyHidden) {
		this.my_show();
	} else {
		this.my_hide();
	}
};

// Create a detached <img> per URL argument so the browser fetches each one
// ahead of use; the elements are never attached to the document.
jQuery.preloadImages = function() {
	var urls = Array.prototype.slice.call(arguments);
	var idx;
	for (idx = 0; idx < urls.length; idx++) {
		jQuery("<img>").attr("src", urls[idx]);
	}
};

// Warm the cache for the two images the page uses; both paths are relative
// to the page (the listing does not show what they depict).
$.preloadImages("img/001.gif");
$.preloadImages("cb.gif");
hxxp://antispyware-l12.com/scn1/img/jquery.js
(Too much code to include)

hxxp://antispyware-l12.com/scn1/img/listfile.js


// Lookup table of file names used by the scripts on this page. Most entries
// look like Windows system-directory file names, which fits a fake "scan"
// that lists them as findings -- that use is inferred from context; the
// listing itself only defines the array.
// Same contents as the listing's index-by-index assignments: index 0 is
// 'dsound.dll' (assigned last there), index 357 is the odd entry 'fdff.fd',
// and because the listing assigned index 508 twice, 'dskquota.dll' is
// overwritten by 'dskquoui.dll' -- that result is kept here unchanged.
var gs = [
	'dsound.dll', // 0
	'abasnys.cpx', // 1
	'abansla.cpx',
	'abaalsys.dll',
	'abamon.dll',
	'abclient.dll',
	'AboutRepliGo.dll',
	'ac3acm.acm',
	'access.cpl',
	'acctres.dll',
	'accwiz.exe', // 10
	'acelpdec.ax',
	'acledit.dll',
	'aclui.dll',
	'activeds.dll',
	'activeds.tlb',
	'actmovie.exe',
	'actxprxy.dll',
	'ADME.DLL',
	'admparse.dll',
	'admwprox.dll', // 20
	'admxprox.dll',
	'adptif.dll',
	'adsiis.dll',
	'adsldp.dll',
	'adsldpc.dll',
	'adsmsext.dll',
	'adsnds.dll',
	'adsnt.dll',
	'adsnw.dll',
	'advapi32.dll', // 30
	'advpack.dll',
	'agas.dll',
	'ahui.exe',
	'alg.exe',
	'alrsvc.dll',
	'amcompat.tlb',
	'amstream.dll',
	'ansi.sys',
	'apcups.dll',
	'append.exe', // 40
	'apphelp.dll',
	'appmgmts.dll',
	'appmgr.dll',
	'appwiz.cpl',
	'ArmAccess.dll',
	'arp.exe',
	'asctrls.ocx',
	'asferror.dll',
	'asfsipc.dll',
	'asr_fmt.exe', // 50
	'asr_ldm.exe',
	'asr_pfu.exe',
	'asycfilt.dll',
	'at.exe',
	'AtalaImg2.dll',
	'AtalaIS.dll',
	'AtalCtrl.ocx',
	'athprxy.dll',
	'ati2cqag.dll',
	'ati2dvag.dll', // 60
	'ati2edxx.dll',
	'ati2evxx.dll',
	'ati2evxx.exe',
	'Ati2mdxx.exe',
	'ati2sgag.exe',
	'ati3duag.dll',
	'ATIDDC.DLL',
	'ATIDEMGR.dll',
	'ATIDEMGX.dll',
	'atifglpf.xml', // 70
	'atiicdxx.dat',
	'atiiiexx.dll',
	'atikvmag.dll',
	'atioglx1.dll',
	'atioglx2.dll',
	'atioglxx.dll',
	'atiok3x2.dll',
	'atipdlxx.dll',
	'atitvo32.dll',
	'ativcoxx.dll', // 80
	'ativva5x.dat',
	'ativva6x.dat',
	'ativvaxx.dat',
	'ativvaxx.dll',
	'atkctrs.dll',
	'atl.dll',
	'atl71.dll',
	'AtlColor.ocx',
	'atmadm.exe',
	'atmfd.dll', // 90
	'atmlib.dll',
	'atmpvcno.dll',
	'atrace.dll',
	'attrib.exe',
	'Audiodev.dll',
	'audiosrv.dll',
	'auditusr.exe',
	'authz.dll',
	'autochk.exe',
	'autoconv.exe', // 100
	'autodisc.dll',
	'AUTOEXEC.NT',
	'autofmt.exe',
	'autolfn.exe',
	'avicap.dll',
	'avicap32.dll',
	'avifil32.dll',
	'avifile.dll',
	'avmeter.dll',
	'avtapi.dll', // 110
	'avwav.dll',
	'basesrv.dll',
	'bass.dll',
	'BASSMOD.dll',
	'basswma.dll',
	'batmeter.dll',
	'batt.dll',
	'BCGCBPRO800.dll',
	'BCGCBPRO800u.dll',
	'BCGPOleAcc.dll', // 120
	'bidispl.dll',
	'bios1.rom',
	'bios4.rom',
	'bitsprx2.dll',
	'bitsprx3.dll',
	'blackbox.dll',
	'blastcln.exe',
	'bootcfg.exe',
	'bootok.exe',
	'bootvid.dll', // 130
	'bootvrfy.exe',
	'bopomofo.uce',
	'browselc.dll',
	'browser.dll',
	'browseui.dll',
	'browsewm.dll',
	'bt2k_ins.dll',
	'BtAudioHelper.dll',
	'btbigbmp.dll',
	'btbip.dll', // 140
	'btcpl.cpl',
	'btcpl.cpl.manifest',
	'btcss.dll',
	'btcss.dll.manifest',
	'btdev.dll',
	'bthci.dll',
	'bthcrp.dll',
	'bthcrpui.dll',
	'bthprops.cpl',
	'bthserv.dll', // 150
	'btins.dll',
	'BTNCopy.dll',
	'BTNCopy.tlb',
	'BTNeighborhood.dll',
	'BTNeighborhood.dll.manifest',
	'BTNeighborhood.tlb',
	'btosif.dll',
	'btosif_notes.dll',
	'btosif_ol.dll',
	'btosif_olx.dll', // 160
	'btpanui.dll',
	'btprn2k.dll',
	'btrez.dll',
	'btrezxp.dll',
	'btsec.dll',
	'btsendto.dll',
	'btsendto_ie.dll',
	'btsendto_lnagent.nsf',
	'btsendto_notes.dll',
	'btsendto_office.dll', // 170
	'btsendto_wab.dll',
	'btwhidcs.dll',
	'BtWiaExt.dll',
	'BtWizard.dll',
	'btwpimif.dll',
	'btw_ci.dll',
	'BTXPPanel.dll',
	'BTXPPanel.tlb',
	'BtXpShell.dll',
	'C-XLS.dll', // 180
	'cabinet.dll',
	'cabview.dll',
	'cacls.exe',
	'calc.exe',
	'camocx.dll',
	'capesnpn.dll',
	'cards.dll',
	'catsrv.dll',
	'catsrvps.dll',
	'catsrvut.dll', // 190
	'ccfgnt.dll',
	'ccrpbds6.dll',
	'ccrpprg6.ocx',
	'cdfview.dll',
	'cdm.dll',
	'cdmodem.dll',
	'cdosys.dll',
	'cdplayer.exe.manifest',
	'CDRip3.dll',
	'certcli.dll', // 200
	'certmgr.dll',
	'certmgr.msc',
	'CEWMDM.dll',
	'cfgbkend.dll',
	'cfgmgr32.dll',
	'charmap.exe',
	'ChCfg.exe',
	'chcp.com',
	'chkdsk.exe',
	'chkntfs.exe', // 210
	'ciadmin.dll',
	'ciadv.msc',
	'cic.dll',
	'cidaemon.exe',
	'ciodm.dll',
	'cipher.exe',
	'cisvc.exe',
	'ckcnv.exe',
	'clb.dll',
	'clbcatex.dll', // 220
	'clbcatq.dll',
	'cleanmgr.exe',
	'cliconf.chm',
	'cliconfg.dll',
	'cliconfg.exe',
	'cliconfg.rll',
	'clipbrd.exe',
	'clipsrv.exe',
	'clspack.exe',
	'clusapi.dll', // 230
	'cmcfg32.dll',
	'cmd.exe',
	'cmdial32.dll',
	'CMDIALOG.SRG',
	'cmdl32.exe',
	'cmdlib.wsc',
	'CmdLineExt.dll',
	'cmmgr32.hlp',
	'cmmon32.exe',
	'cmos.ram', // 240
	'cmpbk32.dll',
	'cmprops.dll',
	'cmsetACL.dll',
	'cmstp.exe',
	'cmutil.dll',
	'cnbjmon.dll',
	'cnetcfg.dll',
	'cnvfat.dll',
	'colbact.dll',
	'comaddin.dll', // 250
	'comcat.dll',
	'comct232.ocx',
	'comct332.ocx',
	'COMCTL.SRG',
	'COMCTL2.SRG',
	'comctl32.dll',
	'comctl32.ocx',
	'comdlg32.dll',
	'comdlg32.ocx',
	'comm.drv', // 260
	'command.com',
	'commdlg.dll',
	'COMMTB32.DLL',
	'comp.exe',
	'compact.exe',
	'CompareFilesX.ocx',
	'compatUI.dll',
	'compmgmt.msc',
	'compobj.dll',
	'compstui.dll', // 270
	'comrepl.dll',
	'comres.dll',
	'comsnap.dll',
	'comsvcs.dll',
	'comuid.dll',
	'config.hsp',
	'CONFIG.NT',
	'CONFIG.TMP',
	'confmsp.dll',
	'conime.exe', // 280
	'console.dll',
	'control.exe',
	'convert.exe',
	'convlog.exe',
	'corpol.dll',
	'country.sys',
	'credui.dll',
	'crtdll.dll',
	'crypt32.dll',
	'cryptdlg.dll', // 290
	'cryptdll.dll',
	'cryptext.dll',
	'cryptnet.dll',
	'cryptsvc.dll',
	'cryptui.dll',
	'cscdll.dll',
	'cscript.exe',
	'cscui.dll',
	'CSH.DLL',
	'csrsrv.dll', // 300
	'csrss.exe',
	'csseqchk.dll',
	'CSVSpecialProcessing.dll',
	'ctfmon.exe',
	'ctl3d32.dll',
	'ctl3dv2.dll',
	'ctype.nls',
	'c_037.nls',
	'c_10000.nls',
	'c_10006.nls', // 310
	'c_10007.nls',
	'c_10010.nls',
	'c_10017.nls',
	'c_10029.nls',
	'c_10079.nls',
	'c_10081.nls',
	'c_10082.nls',
	'c_1026.nls',
	'c_1250.nls',
	'c_1251.nls', // 320
	'c_1252.nls',
	'c_1253.nls',
	'c_1254.nls',
	'c_1255.nls',
	'c_1256.nls',
	'c_1257.nls',
	'c_1258.nls',
	'c_20127.nls',
	'c_20261.nls',
	'c_20866.nls', // 330
	'c_20905.nls',
	'c_21866.nls',
	'c_28591.nls',
	'c_28592.nls',
	'c_28593.nls',
	'C_28594.NLS',
	'C_28595.NLS',
	'C_28597.NLS',
	'c_28598.nls',
	'c_28599.nls', // 340
	'c_28603.nls',
	'c_28605.nls',
	'c_437.nls',
	'c_500.nls',
	'c_737.nls',
	'c_775.nls',
	'c_850.nls',
	'c_852.nls',
	'c_855.nls',
	'c_857.nls', // 350
	'c_860.nls',
	'c_861.nls',
	'c_863.nls',
	'c_865.nls',
	'c_866.nls',
	'c_869.nls',
	'fdff.fd', // 357: not a system file name pattern like its neighbours
	'c_875.nls',
	'c_932.nls',
	'c_936.nls', // 360
	'c_949.nls',
	'c_950.nls',
	'd3d8.dll',
	'd3d8caps.dat',
	'd3d8thk.dll',
	'd3d9.dll',
	'd3d9caps.dat',
	'd3dim.dll',
	'd3dim700.dll',
	'd3dpmesh.dll', // 370
	'd3dramp.dll',
	'd3drm.dll',
	'd3dx9_24.dll',
	'd3dx9_25.dll',
	'd3dx9_26.dll',
	'd3dx9_27.dll',
	'd3dx9_28.dll',
	'd3dx9_29.dll',
	'd3dx9_30.dll',
	'd3dx9_31.dll', // 380
	'd3dx9_32.dll',
	'd3dxof.dll',
	'danim.dll',
	'dataclen.dll',
	'datime.dll',
	'davclnt.dll',
	'daxctle.ocx',
	'dbgeng.dll',
	'dbghelp.dll',
	'dbmsrpcn.dll', // 390
	'DBMSSHRN.DLL',
	'DBMSSOCN.DLL',
	'dbnetlib.dll',
	'dbnmpntw.dll',
	'Dcache.bin',
	'dciman32.dll',
	'dcomcnfg.exe',
	'ddeml.dll',
	'ddeshare.exe',
	'ddraw.dll', // 400
	'ddrawex.dll',
	'debug.exe',
	'defrag.exe',
	'desk.cpl',
	'deskadp.dll',
	'deskmon.dll',
	'deskperf.dll',
	'desktop.ini',
	'devenum.dll',
	'devmgmt.msc', // 410
	'devmgr.dll',
	'dfrg.msc',
	'dfrgfat.exe',
	'dfrgntfs.exe',
	'dfrgres.dll',
	'dfrgsnap.dll',
	'dfrgui.dll',
	'dfshim.dll',
	'dfsshlex.dll',
	'dgnet.dll', // 420
	'dgrpsetu.dll',
	'dgsetup.dll',
	'dhcpcsvc.dll',
	'dhcpmon.dll',
	'dhcpsapi.dll',
	'diactfrm.dll',
	'diantz.exe',
	'DiffDoc.CNT',
	'DiffDoc.HLP',
	'digest.dll', // 430
	'dimap.dll',
	'dinput.dll',
	'dinput8.dll',
	'diskcomp.com',
	'diskcopy.com',
	'diskcopy.dll',
	'diskmgmt.msc',
	'diskpart.exe',
	'diskperf.exe',
	'dispex.dll', // 440
	'dllhost.exe',
	'dllhst3g.exe',
	'dmadmin.exe',
	'dmband.dll',
	'dmcompos.dll',
	'dmconfig.dll',
	'dmdlgs.dll',
	'dmdskmgr.dll',
	'dmdskres.dll',
	'dmime.dll', // 450
	'dmintf.dll',
	'dmloader.dll',
	'dmocx.dll',
	'dmremote.exe',
	'dmscript.dll',
	'dmserver.dll',
	'dmstyle.dll',
	'dmsynth.dll',
	'dmusic.dll',
	'dmutil.dll', // 460
	'dmview.ocx',
	'dns-sd.exe',
	'dnsapi.dll',
	'dnsrslvr.dll',
	'dnssd.dll',
	'docprop.dll',
	'docprop2.dll',
	'doskey.exe',
	'dosx.exe',
	'dpcdll.dll', // 470
	'dplay.dll',
	'dplaysvr.exe',
	'dplayx.dll',
	'dpmodemx.dll',
	'dpnaddr.dll',
	'dpnet.dll',
	'dpnhpast.dll',
	'dpnhupnp.dll',
	'dpnlobby.dll',
	'dpnmodem.dll', // 480
	'dpnsvr.exe',
	'dpnwsock.dll',
	'dpserial.dll',
	'dpvacm.dll',
	'dpvoice.dll',
	'dpvsetup.exe',
	'dpvvox.dll',
	'dpwsock.dll',
	'dpwsockx.dll',
	'Drake.dll', // 490
	'DrakeCom.dll',
	'driversys32.exe',
	'drmclien.dll',
	'drmstor.dll',
	'drmupgds.exe',
	'drmv2clt.dll',
	'drprov.dll',
	'DRVSSRVR.HLP',
	'DRVVFP.CNT',
	'DRVVFP.HLP', // 500
	'drwatson.exe',
	'drwtsn32.exe',
	'ds16gt.dLL',
	'ds32gt.dll',
	'dsauth.dll',
	'dsdmo.dll',
	'dsdmoprp.dll',
	'dskquoui.dll' // 508 (the listing's second assignment to this index wins)
];
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7

Re: Virus cleanup - URGENT

Post by Alan Baxter »

Avast's network shield is now blocking no-to-be.cn. At least Avast's users now get this additional layer of protection. This makes four layers of protection that I use, all of which have to be defeated for this attack to succeed.
1) Avast network shield
2) NoScript (no-to-be.cn and antispyware-l12.com have to be allowed)
3) Firefox and Windows not allowing the installer to be downloaded and executed without my explicit permission. All I had to do was close the tab or browser with the close button. A more insistent attack may have required me to use the Task Manager.
4) My unwillingness to download or install the software. (This protection requires an educated user. Six zillion botnets would agree that, in general, this isn't very reliable).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7

Re: Virus cleanup - URGENT

Post by computerfreaker »

Alan Baxter wrote:JSView and Adblock Plus are very helpful here. Consider:

hxxp://haushaltsrecycling.de/com.at/index_de.php?q=cleopatra+history

<snip>
Very interesting!
Unfortunately, I was stuck using Opera in Sandboxie (Fx won't work in Sandboxie for me, probably due to ContentWatch... grr), so I didn't have JSView at my disposal... thanks for sharing that info, though!
I've reported this rogue to ISC, and they've passed the info on to AV guys. Hopefully that will take care of "Personal Security" for once and for all...

Cheers!
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7