niallmcl

Need Help!


I did the Avenger again just in case you needed it.

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\bmjmubrq

 

*******************

 

Script file located at: \??\C:\Documents and Settings\bggentkm.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

 

 

File c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe not found!

Deletion of file c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe failed!

 

Could not process line:

c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

Status: 0xc0000034

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.


Ok, you did great! That error code means the file has already been removed (probably by a prior cleaning step).

 

So, we can use HijackThis to remove the startup entries.

 

Open HijackThis and do a *system scan only*

When it finishes, checkmark these next entries in the list and press the *fix checked* button.

 

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

Close HijackThis and reboot.

 

Scan once more with HijackThis and post a fresh log please?

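What this post describes is an orphaned autorun: The Avenger reports 0xc0000034 on the file, yet the three Run/RunServices values still point at it, so the load points outlive the binary. The script below is an added example, not code from this thread or from the HijackThis, Avenger or ComboFix authors. It parses HijackThis O4 lines in the format the logs here use, expands the `HKLM\..\Run` shorthand to the full key (the same key names ComboFix's "Reg Loading Points" section lists), and reports entries whose executable is not on disk. The list of present files and the XP search path used for bare file names are constructed assumptions; the NTSTATUS names are the standard Windows constants (0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND).

```python
import re
from dataclasses import dataclass

# Full registry paths behind HijackThis's abbreviated "HKLM\..\Run" notation.
# They match the key names in the ComboFix "Reg Loading Points" section of this thread.
HIVE_PREFIX = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion",
}

# A few NTSTATUS values The Avenger can report; 0xC0000034 is the one in the log above.
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}

# Directories Windows searches when a Run value holds a bare file name (assumption: XP layout).
SEARCH_PATH = (r"C:\WINDOWS\system32", r"C:\WINDOWS")

# "O4 - HKLM\..\Run: [name] command". The non-greedy name group stops at the first "] ",
# so value names that themselves contain "]" (as the one in this thread does) still parse.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices): \[(.*?)\] (.+)$")


@dataclass(frozen=True)
class AutorunEntry:
    full_key: str   # e.g. HKEY_LOCAL_MACHINE\...\CurrentVersion\Run
    name: str       # registry value name
    command: str    # raw value data
    image: str      # executable path extracted from the command


def image_path(command: str) -> str:
    """Extract the executable from a Run value: quoted path, or text up to the first '.exe'."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def parse_o4(line: str):
    """Parse one HijackThis O4 registry line; returns None for any other line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    return AutorunEntry(HIVE_PREFIX[hive] + "\\" + key, name, command, image_path(command))


def resolve_image(image: str) -> list:
    """Candidate absolute paths: the image itself if it has a directory, else search-path expansions."""
    if "\\" in image:
        return [image]
    return [d + "\\" + image for d in SEARCH_PATH]


def find_orphans(log_lines, present_files) -> list:
    """Return O4 entries whose executable is absent from present_files (case-insensitive)."""
    present = {p.lower() for p in present_files}
    orphans = []
    for line in log_lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        if not any(c.lower() in present for c in resolve_image(entry.image)):
            orphans.append(entry)
    return orphans


def describe_ntstatus(code: int) -> str:
    """Name a status code The Avenger printed, or say it is unknown to this table."""
    return NTSTATUS_NAMES.get(code, "unknown NTSTATUS 0x%08X" % code)


# Constructed sample: O4 lines copied from the HijackThis log in this thread, plus the files
# a directory listing would show present (constructed; the malware binary is deliberately absent).
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r"O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe",
    r"O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll",
]
PRESENT_FILES = [
    r"C:\WINDOWS\system32\S3hotkey.exe",
    r"C:\Program Files\iTunes\iTunesHelper.exe",
    r"C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe",
]

if __name__ == "__main__":
    print("Avenger status 0xc0000034 =", describe_ntstatus(0xC0000034))
    for e in find_orphans(SAMPLE_LOG, PRESENT_FILES):
        print("orphaned autorun:", e.full_key, repr(e.name), "->", e.image)
```

On a live machine the constructed PRESENT_FILES list would be replaced by an os.path.exists check over the candidate paths; the list is kept inline so the example runs offline against the log text alone. An orphan like the three reported here is harmless by itself, but the value names are the part a cleanup must still remove, which is why the helper moves on to HijackThis rather than re-running a file deletion.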

Here is the HJT log... those files still seem to be there...

 

Logfile of HijackThis v1.99.1

Scan saved at 01:09:56, on 14/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\S3hotkey.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


First, please get an online scan at the following (it's free) and let it clean any malware found. Please save the report at the end (if anything found) and post the results back here:

eTrust Antivirus Web Scanner

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

(if prompted, please *allow* ActiveX and the install of software - this is needed to scan your system)

It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.


We still have these three registry entries hanging on.

 

Can you try again with HijackThis to checkmark these entries and then press the *fix checked* button:

 

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

If any security programs alert you about changes, please *allow*.

 

Do another scan with HijackThis and if those items are still there, let's have a closer look using this tool to make a log please:

 

1. Download this file - combofix.exe

http://download.bleepingcomputer.com/sUBs/combofix.exe

 

2. Double click on combofix.exe & follow the prompts.

 

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)

Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)

 

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

 

3. When finished, it shall produce a log for you. Post that log in your next reply.


OK here are those logs....

 

Here is my hijackthis which shows they are still there...

 

Logfile of HijackThis v1.99.1

Scan saved at 20:40:41, on 14/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\S3hotkey.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchFilter.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


And the combo fix......

 

 

 

Start Time= 14/07/2006 20:46:11.26

Running from: C:\Documents and Settings\niall mclaughlin\Desktop

 

QuickScan did not find any signs of infected files

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-07-12 19:42:42 ( .D... ) "C:\Program Files\CCleaner"

2006-07-12 19:27:48 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\AVG7"

2006-07-12 19:27:34 499712 ( A.... ) "C:\WINDOWS\system32\msvcp71.dll"

2006-07-12 19:27:34 348160 ( A.... ) "C:\WINDOWS\system32\msvcr71.dll"

2006-07-12 19:27:12 ( .D... ) "C:\Program Files\Grisoft"

2006-07-10 19:32:34 6912 ( A.... ) "C:\WINDOWS\system32\ddirectxt.sys"

2006-07-10 19:32:34 6912 ( A.... ) "C:\WINDOWS\system32\ddirectxt.sys"

2006-07-10 19:32:18 21504 ( A.... ) "C:\WINDOWS\chk.exe"

2006-07-10 19:29:22 19840 ( A.... ) "C:\WINDOWS\system32\ntio256.sys"

2006-07-10 19:29:22 19840 ( A.... ) "C:\WINDOWS\system32\ntio256.sys"

2006-07-10 19:27:48 150016 ( A.... ) "C:\WINDOWS\system32\2236_26.dll"

2006-07-10 19:27:38 1665 ( A.... ) "C:\WINDOWS\user.exe"

2006-07-10 19:27:38 1665 ( A.... ) "C:\user.exe"

2006-07-10 19:26:16 73216 ( A.... ) "C:\bbug.exe"

2006-07-10 19:26:14 8778 ( A.... ) "C:\WINDOWS\system32\3580.exe"

2006-07-10 19:26:12 372 ( A.... ) "C:\WINDOWS\system32\3584.exe"

2006-07-06 16:47:58 ( .D... ) "C:\Program Files\Lavasoft"

2006-07-04 20:40:12 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\Lavasoft"

2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"

2006-06-11 22:20:56 ( .D... ) "C:\Program Files\DivX"

2006-06-08 12:38:28 ( .D... ) "C:\Program Files\QuickTime"

2006-06-08 12:35:46 ( .D... ) "C:\Program Files\iTunes"

2006-06-04 10:28:18 ( .D... ) "C:\Do######ents and Settings\niall mclaughlin\Application Data\Mozilla"

2006-06-04 10:28:16 ( .D... ) "C:\Program Files\Mozilla Firefox"

2006-06-01 23:11:08 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"

2006-06-01 23:11:08 108544 ( ..... ) "C:\WINDOWS\system32\pxcpyi64.exe"

2006-06-01 23:10:26 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"

2006-06-01 23:09:58 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"

2006-06-01 23:09:58 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"

2006-06-01 23:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"

2006-06-01 23:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"

2006-06-01 23:09:58 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"

2006-06-01 23:09:58 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"

2006-06-01 23:09:58 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"

2006-06-01 23:09:58 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"

2006-06-01 23:07:46 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"

2006-06-01 23:07:38 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"

2006-06-01 23:07:38 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"

2006-06-01 23:07:34 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"

2006-06-01 23:07:00 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"

2006-06-01 23:06:58 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"

2006-06-01 23:06:58 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"

2006-06-01 23:06:58 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"

2006-06-01 23:06:34 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"

2006-06-01 23:06:34 12288 ( A.... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"

2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\system32\WdfMgr.exe"

2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\system32\uWDF.exe"

2006-05-09 22:26:34 7706112 ( A.... ) "C:\WINDOWS\system32\wmploc.dll"

2006-05-09 22:26:34 1641472 ( A.... ) "C:\WINDOWS\system32\wmpencen.dll"

2006-05-09 22:26:34 1280000 ( A.... ) "C:\WINDOWS\system32\WMSPDMOE.dll"

2006-05-09 22:26:34 1063424 ( A.... ) "C:\WINDOWS\system32\WMADMOE.dll"

2006-05-09 22:26:34 992256 ( A.... ) "C:\WINDOWS\system32\WMNetMgr.dll"

2006-05-09 22:26:34 705024 ( A.... ) "C:\WINDOWS\system32\WMADMOD.dll"

2006-05-09 22:26:34 564736 ( A.... ) "C:\WINDOWS\system32\WMSPDMOD.dll"

2006-05-09 22:26:34 433152 ( ..... ) "C:\WINDOWS\system32\wmpeffects.dll"

2006-05-09 22:26:34 417280 ( A.... ) "C:\WINDOWS\system32\wmdrmdev.dll"

2006-05-09 22:26:34 337408 ( A.... ) "C:\WINDOWS\system32\wmdrmnet.dll"

2006-05-09 22:26:34 306688 ( A.... ) "C:\WINDOWS\system32\MSWMDM.dll"

2006-05-09 22:26:34 301056 ( A.... ) "C:\WINDOWS\system32\wmpdxm.dll"

2006-05-09 22:26:34 267776 ( A.... ) "C:\WINDOWS\system32\Audiodev.dll"

2006-05-09 22:26:34 237056 ( A.... ) "C:\WINDOWS\system32\wmpasf.dll"

2006-05-09 22:26:34 221696 ( A.... ) "C:\WINDOWS\system32\WMASF.dll"

2006-05-09 22:26:34 219648 ( A.... ) "C:\WINDOWS\system32\CEWMDM.dll"

2006-05-09 22:26:34 212480 ( A.... ) "C:\WINDOWS\system32\msnetobj.dll"

2006-05-09 22:26:34 203776 ( A.... ) "C:\WINDOWS\system32\wmpsrcwp.dll"

2006-05-09 22:26:34 201728 ( A.... ) "C:\WINDOWS\system32\qasf.dll"

2006-05-09 22:26:34 165376 ( A.... ) "C:\WINDOWS\system32\MsPMSP.dll"

2006-05-09 22:26:34 155136 ( A.... ) "C:\WINDOWS\system32\wmidx.dll"

2006-05-09 22:26:34 135680 ( ..... ) "C:\WINDOWS\system32\wmpps.dll"

2006-05-09 22:26:34 97792 ( A.... ) "C:\WINDOWS\system32\wmpshell.dll"

2006-05-09 22:26:34 36864 ( A.... ) "C:\WINDOWS\system32\WMDMPS.dll"

2006-05-09 22:26:34 31744 ( A.... ) "C:\WINDOWS\system32\WMDMLOG.dll"

2006-05-09 22:26:34 26112 ( A.... ) "C:\WINDOWS\system32\MsPMSNSv.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmoe2.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmod.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\WMVADVE.DLL"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\WMVADVD.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmoe2.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmod.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wdfApi.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MPG4DMOD.dll"

2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP4SDMOD.dll"

2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP43DMOD.dll"

2006-05-09 22:26:32 218112 ( A.... ) "C:\WINDOWS\system32\wmerror.dll"

2006-05-09 22:26:32 9728 ( A.... ) "C:\WINDOWS\system32\LAPRXY.dll"

2006-05-09 22:26:32 7168 ( A.... ) "C:\WINDOWS\system32\asferror.dll"

2006-05-09 22:22:32 2463744 ( A.... ) "C:\WINDOWS\system32\wmvcore.dll"

2006-05-09 21:02:02 84480 ( A.... ) "C:\WINDOWS\system32\logagent.exe"

2006-05-09 21:01:06 1463808 ( ..... ) "C:\WINDOWS\system32\WMVDECOD.dll"

2006-05-09 21:01:06 1359360 ( ..... ) "C:\WINDOWS\system32\WMVSDECD.dll"

2006-05-09 21:00:58 1455616 ( ..... ) "C:\WINDOWS\system32\WMVENCOD.dll"

2006-05-09 21:00:58 770560 ( ..... ) "C:\WINDOWS\system32\WMVSENCD.dll"

2006-05-09 21:00:58 299520 ( ..... ) "C:\WINDOWS\system32\MP4SDECD.dll"

2006-05-09 21:00:58 241152 ( ..... ) "C:\WINDOWS\system32\MPG4DECD.dll"

2006-05-09 21:00:56 636928 ( ..... ) "C:\WINDOWS\system32\WMVXENCD.dll"

2006-05-09 21:00:56 241152 ( ..... ) "C:\WINDOWS\system32\MP43DECD.dll"

2006-05-09 21:00:22 546816 ( ..... ) "C:\WINDOWS\system32\wmpmde.dll"

2006-05-09 21:00:08 382976 ( ..... ) "C:\WINDOWS\system32\MFPLAT.dll"

2006-05-09 21:00:02 1350656 ( A.... ) "C:\WINDOWS\system32\drmv2clt.dll"

2006-05-09 20:59:34 513536 ( ..... ) "C:\WINDOWS\system32\wmdrmsdk.dll"

2006-05-09 20:59:20 417280 ( A.... ) "C:\WINDOWS\system32\MSSCP.dll"

2006-05-09 20:59:18 229376 ( ..... ) "C:\WINDOWS\system32\drmupgds.exe"

2006-05-09 20:59:14 585216 ( A.... ) "C:\WINDOWS\system32\blackbox.dll"

2006-05-09 20:58:54 3745280 ( ..... ) "C:\WINDOWS\system32\WpdShext.dll"

2006-05-09 20:58:54 52224 ( ..... ) "C:\WINDOWS\system32\WPDShServiceObj.dll"

2006-05-09 20:58:54 13824 ( ..... ) "C:\WINDOWS\system32\wpdshextautoplay.exe"

2006-05-09 20:58:50 670208 ( A.... ) "C:\WINDOWS\system32\wpd_ci.dll"

2006-05-09 20:58:50 103424 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWiaCompat.dll"

2006-05-09 20:58:48 345600 ( ..... ) "C:\WINDOWS\system32\PortableDeviceApi.dll"

2006-05-09 20:58:48 188928 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWMDRM.dll"

2006-05-09 20:58:48 101376 ( ..... ) "C:\WINDOWS\system32\PortableDeviceClassExtension.dll"

2006-05-09 20:58:46 343552 ( A.... ) "C:\WINDOWS\system32\WPDSp.dll"

2006-05-09 20:58:40 144896 ( A.... ) "C:\WINDOWS\system32\wpdmtp.dll"

2006-05-09 20:58:40 55808 ( A.... ) "C:\WINDOWS\system32\wpdmtpus.dll"

2006-05-09 20:58:40 35840 ( A.... ) "C:\WINDOWS\system32\wpdconns.dll"

2006-05-09 20:58:38 168960 ( ..... ) "C:\WINDOWS\system32\PortableDeviceTypes.dll"

2006-05-09 20:58:38 13312 ( A.... ) "C:\WINDOWS\system32\wpdtrace.dll"

2006-05-09 20:57:06 11264 ( ..... ) "C:\WINDOWS\system32\ehETW.dll"

2006-05-09 20:45:20 304640 ( ..... ) "C:\WINDOWS\system32\MSDelta.dll"

2006-05-09 20:00:48 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"

2006-04-27 17:49:00 288417 ( A.... ) "C:\WINDOWS\system32\SrchSTS.exe"

 

Rootkit driver pe386 is present. A rootkit scan is required

 

 

(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

 

 

2006-07-13 22:17 519,622,656 C:\hiberfil.sys

2006-07-12 19:27 499,712 C:\WINDOWS\system32\msvcp71.dll

2006-07-12 19:27 348,160 C:\WINDOWS\system32\msvcr71.dll

2006-07-10 19:32 6,912 C:\WINDOWS\system32\ddirectxt.sys

2006-07-10 19:32 21,504 C:\WINDOWS\chk.exe

2006-07-10 19:29 19,840 C:\WINDOWS\system32\ntio256.sys

2006-07-10 19:29 1,665 C:\WINDOWS\user.exe

2006-07-10 19:27 150,016 C:\WINDOWS\system32\2236_26.dll

2006-07-10 19:27 1,665 C:\user.exe

2006-07-10 19:26 8,778 C:\WINDOWS\system32\3580.exe

2006-07-10 19:26 73,216 C:\bbug.exe

2006-07-10 19:26 372 C:\WINDOWS\system32\3584.exe

2006-07-06 19:13 53,248 C:\WINDOWS\system32\Process.exe

2006-07-06 19:13 42,496 C:\WINDOWS\system32\swreg.exe

2006-07-06 19:13 40,960 C:\WINDOWS\system32\swsc.exe

2006-07-06 19:13 288,417 C:\WINDOWS\system32\SrchSTS.exe

2006-06-11 22:21 109,568 C:\WINDOWS\system32\pxinsi64.exe

2006-06-11 22:21 108,544 C:\WINDOWS\system32\pxcpyi64.exe

2006-06-01 23:10 3,596,288 C:\WINDOWS\system32\qt-dx331.dll

2006-06-01 23:09 90,112 C:\WINDOWS\system32\dpl100.dll

2006-06-01 23:09 593,920 C:\WINDOWS\system32\dpuGUI11.dll

2006-06-01 23:09 57,344 C:\WINDOWS\system32\dpv11.dll

2006-06-01 23:09 53,248 C:\WINDOWS\system32\dpuGUI10.dll

2006-06-01 23:09 344,064 C:\WINDOWS\system32\dpus11.dll

2006-06-01 23:09 294,912 C:\WINDOWS\system32\dpu11.dll

2006-06-01 23:09 294,912 C:\WINDOWS\system32\dpu10.dll

2006-06-01 23:09 200,704 C:\WINDOWS\system32\dtu100.dll

2006-06-01 23:07 536,576 C:\WINDOWS\system32\DivXsm.exe

2006-06-01 23:07 245,408 C:\WINDOWS\system32\unicows.dll

2006-06-01 23:07 200,704 C:\WINDOWS\system32\ssldivx.dll

2006-06-01 23:07 1,044,480 C:\WINDOWS\system32\libdivx.dll

2006-06-01 23:06 778,240 C:\WINDOWS\system32\divx_xx0c.dll

2006-06-01 23:06 778,240 C:\WINDOWS\system32\divx_xx07.dll

2006-06-01 23:06 761,856 C:\WINDOWS\system32\divx_xx11.dll

2006-06-01 23:06 619,156 C:\WINDOWS\system32\DivX.dll

2006-06-01 23:06 12,288 C:\WINDOWS\system32\DivXWMPExtType.dll

2006-06-01 23:06 118,784 C:\WINDOWS\system32\DivXCodecUpdateChecker.exe

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"S3hotkey"="S3hotkey.exe"

"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"

"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"

"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"

"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"

"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"

"Motive SmartBridge"="C:\\PROGRA~1\\ntl\\BROADB~1\\SMARTB~1\\MotiveSB.exe"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"ÿ_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

"ÿ_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"ÿ_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000004

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

 

 

 

Contents of the 'Scheduled Tasks' folder

 

Completion time: 14/07/2006 20:46:40.95

ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt


Hi Niall!

 

Looks like the forums are back up :)

 

Give me a few minutes to review where we are on this and what all we've already tried. I'll be back after I review the steps we've taken.


Ok,

 

First, Adaware had a big update this morning with a lot of new variants now detected, so please update your Adaware with the latest ref. file: SE1R115 17.07.2006

 

Once you have the update loaded, do a full system scan in SAFE MODE. Let Adaware remove any new critical objects found.

 

After rebooting back into normal mode:

 

Please download and run this free tool:

 

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

 

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

 

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed

 

Fresh HijackThis log


Logfile of HijackThis v1.99.1

Scan saved at 23:28:06, on 17/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\S3hotkey.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


SmitFraudFix v2.73

 

Scan done at 23:21:39.51, 17/07/2006

Run from C:\Documents and Settings\niall mclaughlin\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End


That looks good. One item I suspected eliminated.

 

What remains is: HijackThis shows the registry entries (only) for these:

 

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

When you search do you find a file exists for this?

c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

Those registry entries should fix easily with HijackThis as long as you have no security programs blocking the changes.

 

However, if you do find that the file itself exists, I need to know that.


Hey CJ,

 

I did a search for that file and I couldn't find it. So I fixed those files in HJT and restarted.

 

Here is my log for HJT and they still seem to be there... Are these files nasties? They seem to be really hard to get rid of.

 

Logfile of HijackThis v1.99.1

Scan saved at 09:43:47, on 18/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\S3hotkey.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe

C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

C:\Program Files\iPod\bin\iPodService.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

Those are not files. They are registry keys. If the file is gone, they are pretty much harmless, but HijackThis should be able to fix them (delete the startup keys) unless you have something blocking the fix, which could be another security program. (Adaware's Adwatch, Spybot's TeaTimer, Windows Defender, other products you use? Do you have any of those or something else running?)

 

It could also be a permission issue on the keys themselves, though I have not seen that behavior on this particular infection.

 

Let's make sure there aren't any stealth files involved.

 

Post a report from this tool

 

Download the free beta trial of this tool from F-Secure called Blacklight

F-Secure Blacklight:

https://europe.f-secure.com/blacklight/try.shtml

Double-click on bibeta.exe to run it.

Click the *I accept* button near the bottom of that page.

Download and run Blacklight, click > scan then > next, next again then exit.

There will be a new text file near Blacklight. Post it please. The text file is named:

fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)

!!Do not rename any files yet

..............

Please download Rootkit Revealer

http://www.sysinternals.com/utilities/rootkitrevealer.html

(link is at the very bottom of the page)

 

Unzip it to your desktop.

Open the rootkitrevealer folder and double-click rootkitrevealer.exe

Click the Scan button (bottom right)

It may take a while to scan (don't do anything while it's running - leave the PC idle during the scan!)

When it's done, go up to File > Save. Choose to save it to your desktop.

Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here


Here is the Blacklight log

 

07/18/06 16:33:05 [info]: BlackLight Engine 1.0.42 initialized

07/18/06 16:33:05 [info]: OS: 5.1 build 2600 (Service Pack 2)

07/18/06 16:33:06 [Note]: 7019 4

07/18/06 16:33:06 [Note]: 7005 0

07/18/06 16:33:20 [Note]: 7006 0

07/18/06 16:33:20 [Note]: 7011 1144

07/18/06 16:33:21 [Note]: 7026 0

07/18/06 16:33:21 [Note]: 7026 0

07/18/06 16:33:21 [Note]: 7024 3

07/18/06 16:33:21 [info]: Hidden process: C:\WINDOWS\system32\protector.exe

07/18/06 16:33:21 [Note]: FSRAW library version 1.7.1019

07/18/06 16:36:59 [info]: Hidden file: C:\WINDOWS\system32\protector.exe

07/18/06 16:36:59 [Note]: 7002 0

07/18/06 16:36:59 [Note]: 7003 1

07/18/06 16:36:59 [Note]: 10002 1

07/18/06 16:38:06 [Note]: 7007 0


07/18/06 16:33:21 [info]: Hidden process: C:\WINDOWS\system32\protector.exe

07/18/06 16:36:59 [info]: Hidden file: C:\WINDOWS\system32\protector.exe

 

Well, that looks interesting. We'll use Blacklight to rename the file and make it visible so you can upload a copy for me to examine.

 

Run Blacklight again and this time choose to rename both of those listed above.

 

Then, after reboot,

 

Go here:

http://www.thespykiller.co.uk/forum/index.php?topic=2094.0

 

Press reply and attach the file to upload this file:

 

C:\WINDOWS\system32\protector.exe

 

then press the *Post* button, which uploads the file so I can look at it.


I renamed that file and rebooted, then when I tried to upload it for you it said the file could not be found.

 

I will try to get that other log for you

I renamed that file and rebooted, then when I tried to upload it for you it said the file could not be found.

My apologies. After renaming the file is now called:

 

C:\WINDOWS\system32\protector.exe.ren (It's located in the System32 folder)


OK, I will get that file for you now.

 

Here is the other log

 

the RootkitRevealer

 

HKLM\SOFTWARE\BroadJump\CFD\ConnectivityWatcher\State\TimerHandle 18/07/2006 17:30 6 bytes Windows API length not consistent with raw hive data.

HKLM\SOFTWARE\Classes\CHROME\shell\open\ddeexec 18/07/2006 16:28 0 bytes Hidden from Windows API.

HKLM\SOFTWARE\Classes\ftp\shell\open\ddeexec 18/07/2006 16:28 0 bytes Hidden from Windows API.

HKLM\SOFTWARE\Classes\gopher\shell\open\ddeexec 18/07/2006 16:28 0 bytes Hidden from Windows API.

HKLM\SOFTWARE\Classes\http\shell\open\ddeexec 18/07/2006 16:28 0 bytes Hidden from Windows API.

HKLM\SOFTWARE\Classes\https\shell\open\ddeexec 18/07/2006 16:28 0 bytes Hidden from Windows API.

C:\$VAULT$.AVG\00868458.FIL 18/07/2006 17:36 3.28 KB Hidden from Windows API.

C:\$VAULT$.AVG\00881397.FIL 18/07/2006 17:36 60.43 KB Hidden from Windows API.

C:\Documents and Settings\niall mclaughlin\Application Data\Microsoft\Internet Explorer\Desktop.htt 10/07/2006 19:30 2.80 KB Visible in Windows API, but not in MFT or directory index.

C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl2854.gthr 18/07/2006 17:32 302 bytes Visible in Windows API, but not in MFT or directory index.

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll 10/07/2006 19:26 60.00 KB Visible in Windows API, but not in MFT or directory index.

C:\System Volume Information\_restore{BCFD79B8-86E2-412D-8796-870B9B46DF3E}\RP295\A0240624.dll 10/07/2006 19:26 60.00 KB Hidden from Windows API.

C:\WINDOWS\system32\protector.exe.ren 18/07/2006 17:22 14.50 KB Hidden from Windows API.


I couldn't upload

 

C:\WINDOWS\system32\protector.exe.ren

 

it said it did not exist and I couldn't find it in system32


Make sure your PC is configured to show hidden files

How to Show Hidden Files

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Click Start.

 

Open My Computer.

 

Select the Tools menu and click Folder Options.

 

Select the View Tab.

 

Under the Hidden files and folders heading select Show hidden files and folders.

 

Uncheck the Hide protected operating system files (recommended) option.

 

Click Yes to confirm.

 

Click OK

 

Can you now see the file:

C:\WINDOWS\system32\protector.exe.ren
