Need Help!

LS CalamityJane · July 20, 2006

Good morning, Niall (good afternoon to you)

Miekie did have some additional thoughts to add.

Let's do the following.

1. Please run ComboFix again and post a fresh log from it.

2. Use the Kaspersky free online AV scanner.

http://www.kaspersky.com/virusscanner

Copy the report at the end and post the results back here.

It will not remove anything found, but I just want to see the log results.

3. A question: Have you installed a product belonging to the Spytech Software, SpyAnywhere remote administration tool. ( http://www.spyanywhere.com/ )

niallmcl · July 20, 2006

Morning Jane,

Here is the ComboFix Log....

I will do the other scan now

To answer your question. I dont think i have anything like that downloaded, i have never heard of it.

Start Time= 20/07/2006 14:28:40.61

Running from: C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-07-19 21:33:00 ( .D... ) "C:\Program Files\HaxFix"

2006-07-19 09:35:46 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"

2006-07-18 20:15:14 ( .D... ) "C:\Program Files\UnHackMe"

2006-07-14 22:14:38 27841 ( A.... ) "C:\clean.bat"

2006-07-12 19:42:42 ( .D... ) "C:\Program Files\CCleaner"

2006-07-12 19:27:48 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\AVG7"

2006-07-12 19:27:34 499712 ( A.... ) "C:\WINDOWS\system32\msvcp71.dll"

2006-07-12 19:27:34 348160 ( A.... ) "C:\WINDOWS\system32\msvcr71.dll"

2006-07-12 19:27:12 ( .D... ) "C:\Program Files\Grisoft"

2006-07-10 19:32:34 6912 ( A.... ) "C:\WINDOWS\system32\ddirectxt.sys"

2006-07-10 19:29:22 19840 ( A.... ) "C:\WINDOWS\system32\ntio256.sys"

2006-07-10 19:26:12 372 ( A.... ) "C:\WINDOWS\system32\3584.exe"

2006-07-06 16:47:58 ( .D... ) "C:\Program Files\Lavasoft"

2006-07-04 20:40:12 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\Lavasoft"

2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"

2006-06-11 22:20:56 ( .D... ) "C:\Program Files\DivX"

2006-06-08 12:38:28 ( .D... ) "C:\Program Files\QuickTime"

2006-06-08 12:35:46 ( .D... ) "C:\Program Files\iTunes"

2006-06-04 10:28:18 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla"

2006-06-04 10:28:16 ( .D... ) "C:\Program Files\Mozilla Firefox"

2006-06-01 23:11:08 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"

2006-06-01 23:11:08 108544 ( ..... ) "C:\WINDOWS\system32\pxcpyi64.exe"

2006-06-01 23:10:26 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"

2006-06-01 23:09:58 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"

2006-06-01 23:09:58 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"

2006-06-01 23:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"

2006-06-01 23:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"

2006-06-01 23:09:58 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"

2006-06-01 23:09:58 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"

2006-06-01 23:09:58 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"

2006-06-01 23:09:58 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"

2006-06-01 23:07:46 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"

2006-06-01 23:07:38 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"

2006-06-01 23:07:38 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"

2006-06-01 23:07:34 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"

2006-06-01 23:07:00 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"

2006-06-01 23:06:58 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"

2006-06-01 23:06:58 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"

2006-06-01 23:06:58 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"

2006-06-01 23:06:34 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"

2006-06-01 23:06:34 12288 ( A.... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"

2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\system32\WdfMgr.exe"

2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\system32\uWDF.exe"

2006-05-09 22:26:34 7706112 ( A.... ) "C:\WINDOWS\system32\wmploc.dll"

2006-05-09 22:26:34 1641472 ( A.... ) "C:\WINDOWS\system32\wmpencen.dll"

2006-05-09 22:26:34 1280000 ( A.... ) "C:\WINDOWS\system32\WMSPDMOE.dll"

2006-05-09 22:26:34 1063424 ( A.... ) "C:\WINDOWS\system32\WMADMOE.dll"

2006-05-09 22:26:34 992256 ( A.... ) "C:\WINDOWS\system32\WMNetMgr.dll"

2006-05-09 22:26:34 705024 ( A.... ) "C:\WINDOWS\system32\WMADMOD.dll"

2006-05-09 22:26:34 564736 ( A.... ) "C:\WINDOWS\system32\WMSPDMOD.dll"

2006-05-09 22:26:34 433152 ( ..... ) "C:\WINDOWS\system32\wmpeffects.dll"

2006-05-09 22:26:34 417280 ( A.... ) "C:\WINDOWS\system32\wmdrmdev.dll"

2006-05-09 22:26:34 337408 ( A.... ) "C:\WINDOWS\system32\wmdrmnet.dll"

2006-05-09 22:26:34 306688 ( A.... ) "C:\WINDOWS\system32\MSWMDM.dll"

2006-05-09 22:26:34 301056 ( A.... ) "C:\WINDOWS\system32\wmpdxm.dll"

2006-05-09 22:26:34 267776 ( A.... ) "C:\WINDOWS\system32\Audiodev.dll"

2006-05-09 22:26:34 237056 ( A.... ) "C:\WINDOWS\system32\wmpasf.dll"

2006-05-09 22:26:34 221696 ( A.... ) "C:\WINDOWS\system32\WMASF.dll"

2006-05-09 22:26:34 219648 ( A.... ) "C:\WINDOWS\system32\CEWMDM.dll"

2006-05-09 22:26:34 212480 ( A.... ) "C:\WINDOWS\system32\msnetobj.dll"

2006-05-09 22:26:34 203776 ( A.... ) "C:\WINDOWS\system32\wmpsrcwp.dll"

2006-05-09 22:26:34 201728 ( A.... ) "C:\WINDOWS\system32\qasf.dll"

2006-05-09 22:26:34 165376 ( A.... ) "C:\WINDOWS\system32\MsPMSP.dll"

2006-05-09 22:26:34 155136 ( A.... ) "C:\WINDOWS\system32\wmidx.dll"

2006-05-09 22:26:34 135680 ( ..... ) "C:\WINDOWS\system32\wmpps.dll"

2006-05-09 22:26:34 97792 ( A.... ) "C:\WINDOWS\system32\wmpshell.dll"

2006-05-09 22:26:34 36864 ( A.... ) "C:\WINDOWS\system32\WMDMPS.dll"

2006-05-09 22:26:34 31744 ( A.... ) "C:\WINDOWS\system32\WMDMLOG.dll"

2006-05-09 22:26:34 26112 ( A.... ) "C:\WINDOWS\system32\MsPMSNSv.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmoe2.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmod.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\WMVADVE.DLL"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\WMVADVD.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmoe2.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmod.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wdfApi.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MPG4DMOD.dll"

2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP4SDMOD.dll"

2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP43DMOD.dll"

2006-05-09 22:26:32 218112 ( A.... ) "C:\WINDOWS\system32\wmerror.dll"

2006-05-09 22:26:32 9728 ( A.... ) "C:\WINDOWS\system32\LAPRXY.dll"

2006-05-09 22:26:32 7168 ( A.... ) "C:\WINDOWS\system32\asferror.dll"

2006-05-09 22:22:32 2463744 ( A.... ) "C:\WINDOWS\system32\wmvcore.dll"

2006-05-09 21:02:02 84480 ( A.... ) "C:\WINDOWS\system32\logagent.exe"

2006-05-09 21:01:06 1463808 ( ..... ) "C:\WINDOWS\system32\WMVDECOD.dll"

2006-05-09 21:01:06 1359360 ( ..... ) "C:\WINDOWS\system32\WMVSDECD.dll"

2006-05-09 21:00:58 1455616 ( ..... ) "C:\WINDOWS\system32\WMVENCOD.dll"

2006-05-09 21:00:58 770560 ( ..... ) "C:\WINDOWS\system32\WMVSENCD.dll"

2006-05-09 21:00:58 299520 ( ..... ) "C:\WINDOWS\system32\MP4SDECD.dll"

2006-05-09 21:00:58 241152 ( ..... ) "C:\WINDOWS\system32\MPG4DECD.dll"

2006-05-09 21:00:56 636928 ( ..... ) "C:\WINDOWS\system32\WMVXENCD.dll"

2006-05-09 21:00:56 241152 ( ..... ) "C:\WINDOWS\system32\MP43DECD.dll"

2006-05-09 21:00:22 546816 ( ..... ) "C:\WINDOWS\system32\wmpmde.dll"

2006-05-09 21:00:08 382976 ( ..... ) "C:\WINDOWS\system32\MFPLAT.dll"

2006-05-09 21:00:02 1350656 ( A.... ) "C:\WINDOWS\system32\drmv2clt.dll"

2006-05-09 20:59:34 513536 ( ..... ) "C:\WINDOWS\system32\wmdrmsdk.dll"

2006-05-09 20:59:20 417280 ( A.... ) "C:\WINDOWS\system32\MSSCP.dll"

2006-05-09 20:59:18 229376 ( ..... ) "C:\WINDOWS\system32\drmupgds.exe"

2006-05-09 20:59:14 585216 ( A.... ) "C:\WINDOWS\system32\blackbox.dll"

2006-05-09 20:58:54 3745280 ( ..... ) "C:\WINDOWS\system32\WpdShext.dll"

2006-05-09 20:58:54 52224 ( ..... ) "C:\WINDOWS\system32\WPDShServiceObj.dll"

2006-05-09 20:58:54 13824 ( ..... ) "C:\WINDOWS\system32\wpdshextautoplay.exe"

2006-05-09 20:58:50 670208 ( A.... ) "C:\WINDOWS\system32\wpd_ci.dll"

2006-05-09 20:58:50 103424 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWiaCompat.dll"

2006-05-09 20:58:48 345600 ( ..... ) "C:\WINDOWS\system32\PortableDeviceApi.dll"

2006-05-09 20:58:48 188928 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWMDRM.dll"

2006-05-09 20:58:48 101376 ( ..... ) "C:\WINDOWS\system32\PortableDeviceClassExtension.dll"

2006-05-09 20:58:46 343552 ( A.... ) "C:\WINDOWS\system32\WPDSp.dll"

2006-05-09 20:58:40 144896 ( A.... ) "C:\WINDOWS\system32\wpdmtp.dll"

2006-05-09 20:58:40 55808 ( A.... ) "C:\WINDOWS\system32\wpdmtpus.dll"

2006-05-09 20:58:40 35840 ( A.... ) "C:\WINDOWS\system32\wpdconns.dll"

2006-05-09 20:58:38 168960 ( ..... ) "C:\WINDOWS\system32\PortableDeviceTypes.dll"

2006-05-09 20:58:38 13312 ( A.... ) "C:\WINDOWS\system32\wpdtrace.dll"

2006-05-09 20:57:06 11264 ( ..... ) "C:\WINDOWS\system32\ehETW.dll"

2006-05-09 20:45:20 304640 ( ..... ) "C:\WINDOWS\system32\MSDelta.dll"

2006-05-09 20:00:48 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"

(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

2006-07-19 21:33 90,112 C:\WINDOWS\system32\RegDACL.exe

2006-07-19 21:33 40,960 C:\WINDOWS\system32\swsc.exe

2006-07-19 21:33 4,096 C:\WINDOWS\system32\reboot.exe

2006-07-19 21:33 38,400 C:\WINDOWS\system32\moveex.exe

2006-07-19 21:33 27,841 C:\clean.bat

2006-07-17 23:25 519,622,656 C:\hiberfil.sys

2006-07-12 19:27 499,712 C:\WINDOWS\system32\msvcp71.dll

2006-07-12 19:27 348,160 C:\WINDOWS\system32\msvcr71.dll

2006-07-10 19:32 6,912 C:\WINDOWS\system32\ddirectxt.sys

2006-07-10 19:29 19,840 C:\WINDOWS\system32\ntio256.sys

2006-07-10 19:26 372 C:\WINDOWS\system32\3584.exe

2006-06-11 22:21 109,568 C:\WINDOWS\system32\pxinsi64.exe

2006-06-11 22:21 108,544 C:\WINDOWS\system32\pxcpyi64.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"S3hotkey"="S3hotkey.exe"

"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"

"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"

"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"

"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"

"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"

"Motive SmartBridge"="C:\\PROGRA~1\\ntl\\BROADB~1\\SMARTB~1\\MotiveSB.exe"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"Ã¿_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"Ã¿_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"

"UnHackMe Monitor"="C:\\Program Files\\UnHackMe\\hackmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"Ã¿_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

Contents of the 'Scheduled Tasks' folder

Completion time: 20/07/2006 14:29:08.72

ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-20.142840.txt

niallmcl · July 20, 2006

http://www.kaspersky.com/virusscanner

That page isnt responding at the minute. I will keep trying it, can you access it?

LS CalamityJane · July 20, 2006

http://www.kaspersky.com/virusscanner
That page isnt responding at the minute. I will keep trying it, can you access it?

Yes, no problem here getting to the site.

Are you getting an error message? If so, what does it say?

niallmcl · July 20, 2006

Unable to connect

Firefox can't establish a connection to the server at www.kaspersky.com.

* The site could be temporarily unavailable or too busy. Try again in a few

moments.

* If you are unable to load any pages, check your computer's network

connection.

* If your computer or network is protected by a firewall or proxy, make sure

that Firefox is permitted to access the Web.

niallmcl · July 20, 2006

I cant access it on microsoft ie either

LS CalamityJane · July 20, 2006

Try this (it uses the KAV engine):

Get the free version and don't worry about what it finds and wants you to pay to fix. All I want to see is the log for now.

MicroWorld AntiVirus Toolkit Utility (MWAV)

http://www.mwti.net/products/mwav/mwav.asp

(Please note that the FREE version will only scan your computer and NOT clean any infection that it finds.) That's ok- we only want the log of what it finds, if anything

The log may be too large to attach here. If so, you can upload the log to the remote site we used earlier:

http://www.thespykiller.co.uk/forum/index.php?topic=2094.0

niallmcl · July 20, 2006

ok i attached it as a text document on the other forum.

LS CalamityJane · July 20, 2006

Thanks, I got it. I'm going over it but it may take me while (long log!)

Can you also scan and post a fresh HijackThis log?

niallmcl · July 20, 2006

no problem

Logfile of HijackThis v1.99.1

Scan saved at 23:00:14, on 20/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\eScan\TRAYSSER.EXE

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\PROGRA~1\eScan\avpm.exe

C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE

C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\S3hotkey.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\PROGRA~1\eScan\TRAYICOS.EXE

C:\PROGRA~1\eScan\MAILDISP.EXE

C:\PROGRA~1\eScan\AVPMWrap.EXE

C:\Program Files\UnHackMe\hackmon.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\PROGRA~1\eScan\MAILSCAN.EXE

C:\PROGRA~1\ESCAN\SPOOLER.EXE

C:\PROGRA~1\eScan\kavss.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\PROGRA~1\eScan\AvpM.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"

O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App

O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE

O4 - HKCU\..\Run: [unHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\PROGRA~1\eScan\TRAYSSER.EXE

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe

O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE

LS CalamityJane · July 20, 2006

Thanks!

I'll be darned if it didn't remove the troublesome entries seen in Hijackthis!

Example - there were 3 entries total:

Thu Jul 20 21:45:13 2006 => ERROR!!! Invalid Entry Ã¿_zsknk_un]oqsfyonyn[niwmdksz_ = c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Removing it.

They must have changed the free trial somewhat to do some removing of virus entries because I saw this in the MWAV log and was a bit confused. (But from your HJT log I now see it really did remove those anyway)

But, there is more to do, so let me finish reviewing the MWAV log and the ComboFix files found and come back with a reply. Back in a bit

LS CalamityJane · July 20, 2006

Upload the following files to here:

http://www.thespykiller.co.uk/forum/index.php?topic=2094.0

Files to Upload:

C:\WINDOWS\system32\ddirectxt.sys

C:\WINDOWS\system32\ntio256.sys

C:\WINDOWS\system32\3584.exe

niallmcl · July 21, 2006

I posted those files for you ...

i have already changed all my passwords to my different accounts with a different computer and i havent put any of the new ones into this computer.

niallmcl · July 21, 2006

Here is an ewido report, i ran it this morning and thought i would post it. i have deleted what it found.

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

+ Created at: 11:05:19 21/07/2006

+ Scan result:

C:\Program Files\eScan\scaninst.exe -> Heuristic.Win32.AVKiller : No action taken.

:mozilla.62:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Adtech : No action taken.

:mozilla.63:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Adtech : No action taken.

:mozilla.13:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : No action taken.

:mozilla.15:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : No action taken.

:mozilla.16:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : No action taken.

:mozilla.48:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.

:mozilla.46:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Com : No action taken.

:mozilla.14:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.

:mozilla.58:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.

:mozilla.59:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.

:mozilla.60:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.

:mozilla.47:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.

:mozilla.55:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

::Report end

niallmcl · July 21, 2006

here is the log after i cleaned

--------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

+ Created at: 11:08:13 21/07/2006

+ Scan result:

C:\Program Files\eScan\scaninst.exe -> Heuristic.Win32.AVKiller : Ignored.

:mozilla.62:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.

:mozilla.63:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.

:mozilla.13:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.15:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.16:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.48:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.

:mozilla.46:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Com : Cleaned.

:mozilla.14:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.

:mozilla.58:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.59:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.60:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.47:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.

:mozilla.55:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

::Report end

LS CalamityJane · July 21, 2006

Goood morning, Niall

I'm glad you changed passwords on all accounts. I don't trust the integrity of this PC at the moment and you have a backdoor trojan and rootkit combo that is especially dangerous to have any sensitive data on that computer right now.

1. Please delete these files:

C:\WINDOWS\system32\ddirectxt.sys

C:\WINDOWS\system32\ntio256.sys

C:\WINDOWS\system32\3584.exe

Let me know if you have any problem deleting any of them.

Next step:

2. Go to Start then Run and type in regedit and hit OK.

Go to File then Export and save the registry somewhere as a backup. Give it a name you'll remember like SaveReg.reg.

Open Notepad, then copy and paste the following bold text into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"=-

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

3. After deleting the above files and doing the fix.reg, please reboot your computer.

4. Run Combofix again and post a fresh log from it.

5. I also need another type of log from this free tool:

Download http://www.bleepingcomputer.com/files/winpfind.php

Download WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the *Start Scan* button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the *Copy to Clipboard* button and then paste the contents of the log in your clipboard as a reply to this topic.

Logs needed in your next reply are:

ComboFix

WinPFind

niallmcl · July 21, 2006

here is combofix....

Start Time= 21/07/2006 18:19:48.68

Running from: C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-07-20 21:40:46 135834 ( A.... ) "C:\WINDOWS\winsbak2.reg"

2006-07-20 21:40:46 19516 ( A.... ) "C:\WINDOWS\winsbak.reg"

2006-07-20 21:40:42 ( .D... ) "C:\Program Files\Common Files\MicroWorld"

2006-07-20 21:40:10 ( .D... ) "C:\Program Files\eScan"

2006-07-19 21:33:00 ( .D... ) "C:\Program Files\HaxFix"

2006-07-19 09:35:46 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"

2006-07-18 20:15:14 ( .D... ) "C:\Program Files\UnHackMe"

2006-07-14 22:14:38 27841 ( A.... ) "C:\clean.bat"

2006-07-12 19:42:42 ( .D... ) "C:\Program Files\CCleaner"

2006-07-12 19:27:48 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\AVG7"

2006-07-12 19:27:34 499712 ( A.... ) "C:\WINDOWS\system32\msvcp71.dll"

2006-07-12 19:27:34 348160 ( A.... ) "C:\WINDOWS\system32\msvcr71.dll"

2006-07-12 19:27:12 ( .D... ) "C:\Program Files\Grisoft"

2006-07-10 19:29:20 14848 ( A.... ) "C:\WINDOWS\system32\protector.exe.ren.ren"