niallmcl

Need Help!


Good morning, Niall (good afternoon to you) :(

Miekie did have some additional thoughts to add.

Let's do the following.

1. Please run ComboFix again and post a fresh log from it.

2. Use the Kaspersky free online AV scanner.

http://www.kaspersky.com/virusscanner

Copy the report at the end and post the results back here.

It will not remove anything found, but I just want to see the log results.

3. A question: Have you installed a product from Spytech Software, the SpyAnywhere remote administration tool? (http://www.spyanywhere.com/)


Morning Jane,

Here is the ComboFix log...

I will do the other scan now.

To answer your question: I don't think I have anything like that downloaded; I have never heard of it.

 

Start Time= 20/07/2006 14:28:40.61

Running from: C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff

 

QuickScan did not find any signs of infected files

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-07-19 21:33:00 ( .D... ) "C:\Program Files\HaxFix"

2006-07-19 09:35:46 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"

2006-07-18 20:15:14 ( .D... ) "C:\Program Files\UnHackMe"

2006-07-14 22:14:38 27841 ( A.... ) "C:\clean.bat"

2006-07-12 19:42:42 ( .D... ) "C:\Program Files\CCleaner"

2006-07-12 19:27:48 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\AVG7"

2006-07-12 19:27:34 499712 ( A.... ) "C:\WINDOWS\system32\msvcp71.dll"

2006-07-12 19:27:34 348160 ( A.... ) "C:\WINDOWS\system32\msvcr71.dll"

2006-07-12 19:27:12 ( .D... ) "C:\Program Files\Grisoft"

2006-07-10 19:32:34 6912 ( A.... ) "C:\WINDOWS\system32\ddirectxt.sys"

2006-07-10 19:32:34 6912 ( A.... ) "C:\WINDOWS\system32\ddirectxt.sys"

2006-07-10 19:29:22 19840 ( A.... ) "C:\WINDOWS\system32\ntio256.sys"

2006-07-10 19:29:22 19840 ( A.... ) "C:\WINDOWS\system32\ntio256.sys"

2006-07-10 19:26:12 372 ( A.... ) "C:\WINDOWS\system32\3584.exe"

2006-07-06 16:47:58 ( .D... ) "C:\Program Files\Lavasoft"

2006-07-04 20:40:12 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\Lavasoft"

2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"

2006-06-11 22:20:56 ( .D... ) "C:\Program Files\DivX"

2006-06-08 12:38:28 ( .D... ) "C:\Program Files\QuickTime"

2006-06-08 12:35:46 ( .D... ) "C:\Program Files\iTunes"

2006-06-04 10:28:18 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla"

2006-06-04 10:28:16 ( .D... ) "C:\Program Files\Mozilla Firefox"

2006-06-01 23:11:08 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"

2006-06-01 23:11:08 108544 ( ..... ) "C:\WINDOWS\system32\pxcpyi64.exe"

2006-06-01 23:10:26 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"

2006-06-01 23:09:58 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"

2006-06-01 23:09:58 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"

2006-06-01 23:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"

2006-06-01 23:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"

2006-06-01 23:09:58 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"

2006-06-01 23:09:58 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"

2006-06-01 23:09:58 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"

2006-06-01 23:09:58 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"

2006-06-01 23:07:46 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"

2006-06-01 23:07:38 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"

2006-06-01 23:07:38 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"

2006-06-01 23:07:34 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"

2006-06-01 23:07:00 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"

2006-06-01 23:06:58 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"

2006-06-01 23:06:58 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"

2006-06-01 23:06:58 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"

2006-06-01 23:06:34 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"

2006-06-01 23:06:34 12288 ( A.... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"

2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\system32\WdfMgr.exe"

2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\system32\uWDF.exe"

2006-05-09 22:26:34 7706112 ( A.... ) "C:\WINDOWS\system32\wmploc.dll"

2006-05-09 22:26:34 1641472 ( A.... ) "C:\WINDOWS\system32\wmpencen.dll"

2006-05-09 22:26:34 1280000 ( A.... ) "C:\WINDOWS\system32\WMSPDMOE.dll"

2006-05-09 22:26:34 1063424 ( A.... ) "C:\WINDOWS\system32\WMADMOE.dll"

2006-05-09 22:26:34 992256 ( A.... ) "C:\WINDOWS\system32\WMNetMgr.dll"

2006-05-09 22:26:34 705024 ( A.... ) "C:\WINDOWS\system32\WMADMOD.dll"

2006-05-09 22:26:34 564736 ( A.... ) "C:\WINDOWS\system32\WMSPDMOD.dll"

2006-05-09 22:26:34 433152 ( ..... ) "C:\WINDOWS\system32\wmpeffects.dll"

2006-05-09 22:26:34 417280 ( A.... ) "C:\WINDOWS\system32\wmdrmdev.dll"

2006-05-09 22:26:34 337408 ( A.... ) "C:\WINDOWS\system32\wmdrmnet.dll"

2006-05-09 22:26:34 306688 ( A.... ) "C:\WINDOWS\system32\MSWMDM.dll"

2006-05-09 22:26:34 301056 ( A.... ) "C:\WINDOWS\system32\wmpdxm.dll"

2006-05-09 22:26:34 267776 ( A.... ) "C:\WINDOWS\system32\Audiodev.dll"

2006-05-09 22:26:34 237056 ( A.... ) "C:\WINDOWS\system32\wmpasf.dll"

2006-05-09 22:26:34 221696 ( A.... ) "C:\WINDOWS\system32\WMASF.dll"

2006-05-09 22:26:34 219648 ( A.... ) "C:\WINDOWS\system32\CEWMDM.dll"

2006-05-09 22:26:34 212480 ( A.... ) "C:\WINDOWS\system32\msnetobj.dll"

2006-05-09 22:26:34 203776 ( A.... ) "C:\WINDOWS\system32\wmpsrcwp.dll"

2006-05-09 22:26:34 201728 ( A.... ) "C:\WINDOWS\system32\qasf.dll"

2006-05-09 22:26:34 165376 ( A.... ) "C:\WINDOWS\system32\MsPMSP.dll"

2006-05-09 22:26:34 155136 ( A.... ) "C:\WINDOWS\system32\wmidx.dll"

2006-05-09 22:26:34 135680 ( ..... ) "C:\WINDOWS\system32\wmpps.dll"

2006-05-09 22:26:34 97792 ( A.... ) "C:\WINDOWS\system32\wmpshell.dll"

2006-05-09 22:26:34 36864 ( A.... ) "C:\WINDOWS\system32\WMDMPS.dll"

2006-05-09 22:26:34 31744 ( A.... ) "C:\WINDOWS\system32\WMDMLOG.dll"

2006-05-09 22:26:34 26112 ( A.... ) "C:\WINDOWS\system32\MsPMSNSv.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmoe2.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmod.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\WMVADVE.DLL"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\WMVADVD.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmoe2.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmod.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wdfApi.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MPG4DMOD.dll"

2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP4SDMOD.dll"

2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP43DMOD.dll"

2006-05-09 22:26:32 218112 ( A.... ) "C:\WINDOWS\system32\wmerror.dll"

2006-05-09 22:26:32 9728 ( A.... ) "C:\WINDOWS\system32\LAPRXY.dll"

2006-05-09 22:26:32 7168 ( A.... ) "C:\WINDOWS\system32\asferror.dll"

2006-05-09 22:22:32 2463744 ( A.... ) "C:\WINDOWS\system32\wmvcore.dll"

2006-05-09 21:02:02 84480 ( A.... ) "C:\WINDOWS\system32\logagent.exe"

2006-05-09 21:01:06 1463808 ( ..... ) "C:\WINDOWS\system32\WMVDECOD.dll"

2006-05-09 21:01:06 1359360 ( ..... ) "C:\WINDOWS\system32\WMVSDECD.dll"

2006-05-09 21:00:58 1455616 ( ..... ) "C:\WINDOWS\system32\WMVENCOD.dll"

2006-05-09 21:00:58 770560 ( ..... ) "C:\WINDOWS\system32\WMVSENCD.dll"

2006-05-09 21:00:58 299520 ( ..... ) "C:\WINDOWS\system32\MP4SDECD.dll"

2006-05-09 21:00:58 241152 ( ..... ) "C:\WINDOWS\system32\MPG4DECD.dll"

2006-05-09 21:00:56 636928 ( ..... ) "C:\WINDOWS\system32\WMVXENCD.dll"

2006-05-09 21:00:56 241152 ( ..... ) "C:\WINDOWS\system32\MP43DECD.dll"

2006-05-09 21:00:22 546816 ( ..... ) "C:\WINDOWS\system32\wmpmde.dll"

2006-05-09 21:00:08 382976 ( ..... ) "C:\WINDOWS\system32\MFPLAT.dll"

2006-05-09 21:00:02 1350656 ( A.... ) "C:\WINDOWS\system32\drmv2clt.dll"

2006-05-09 20:59:34 513536 ( ..... ) "C:\WINDOWS\system32\wmdrmsdk.dll"

2006-05-09 20:59:20 417280 ( A.... ) "C:\WINDOWS\system32\MSSCP.dll"

2006-05-09 20:59:18 229376 ( ..... ) "C:\WINDOWS\system32\drmupgds.exe"

2006-05-09 20:59:14 585216 ( A.... ) "C:\WINDOWS\system32\blackbox.dll"

2006-05-09 20:58:54 3745280 ( ..... ) "C:\WINDOWS\system32\WpdShext.dll"

2006-05-09 20:58:54 52224 ( ..... ) "C:\WINDOWS\system32\WPDShServiceObj.dll"

2006-05-09 20:58:54 13824 ( ..... ) "C:\WINDOWS\system32\wpdshextautoplay.exe"

2006-05-09 20:58:50 670208 ( A.... ) "C:\WINDOWS\system32\wpd_ci.dll"

2006-05-09 20:58:50 103424 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWiaCompat.dll"

2006-05-09 20:58:48 345600 ( ..... ) "C:\WINDOWS\system32\PortableDeviceApi.dll"

2006-05-09 20:58:48 188928 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWMDRM.dll"

2006-05-09 20:58:48 101376 ( ..... ) "C:\WINDOWS\system32\PortableDeviceClassExtension.dll"

2006-05-09 20:58:46 343552 ( A.... ) "C:\WINDOWS\system32\WPDSp.dll"

2006-05-09 20:58:40 144896 ( A.... ) "C:\WINDOWS\system32\wpdmtp.dll"

2006-05-09 20:58:40 55808 ( A.... ) "C:\WINDOWS\system32\wpdmtpus.dll"

2006-05-09 20:58:40 35840 ( A.... ) "C:\WINDOWS\system32\wpdconns.dll"

2006-05-09 20:58:38 168960 ( ..... ) "C:\WINDOWS\system32\PortableDeviceTypes.dll"

2006-05-09 20:58:38 13312 ( A.... ) "C:\WINDOWS\system32\wpdtrace.dll"

2006-05-09 20:57:06 11264 ( ..... ) "C:\WINDOWS\system32\ehETW.dll"

2006-05-09 20:45:20 304640 ( ..... ) "C:\WINDOWS\system32\MSDelta.dll"

2006-05-09 20:00:48 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"

 

 

(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

 

 

2006-07-19 21:33 90,112 C:\WINDOWS\system32\RegDACL.exe

2006-07-19 21:33 40,960 C:\WINDOWS\system32\swsc.exe

2006-07-19 21:33 4,096 C:\WINDOWS\system32\reboot.exe

2006-07-19 21:33 38,400 C:\WINDOWS\system32\moveex.exe

2006-07-19 21:33 27,841 C:\clean.bat

2006-07-17 23:25 519,622,656 C:\hiberfil.sys

2006-07-12 19:27 499,712 C:\WINDOWS\system32\msvcp71.dll

2006-07-12 19:27 348,160 C:\WINDOWS\system32\msvcr71.dll

2006-07-10 19:32 6,912 C:\WINDOWS\system32\ddirectxt.sys

2006-07-10 19:29 19,840 C:\WINDOWS\system32\ntio256.sys

2006-07-10 19:26 372 C:\WINDOWS\system32\3584.exe

2006-06-11 22:21 109,568 C:\WINDOWS\system32\pxinsi64.exe

2006-06-11 22:21 108,544 C:\WINDOWS\system32\pxcpyi64.exe

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"S3hotkey"="S3hotkey.exe"

"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"

"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"

"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"

"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"

"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"

"Motive SmartBridge"="C:\\PROGRA~1\\ntl\\BROADB~1\\SMARTB~1\\MotiveSB.exe"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"ÿ_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ÿ_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"

"UnHackMe Monitor"="C:\\Program Files\\UnHackMe\\hackmon.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"ÿ_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000004

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

 

 

 

Contents of the 'Scheduled Tasks' folder

 

Completion time: 20/07/2006 14:29:08.72

ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt

 


Unable to connect

Firefox can't establish a connection to the server at www.kaspersky.com.

* The site could be temporarily unavailable or too busy. Try again in a few moments.

* If you are unable to load any pages, check your computer's network connection.

* If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.


Try this (it uses the KAV engine):

Get the free version and don't worry about what it finds and wants you to pay to fix. All I want to see is the log for now.

MicroWorld AntiVirus Toolkit Utility (MWAV)

http://www.mwti.net/products/mwav/mwav.asp

(Please note that the FREE version will only scan your computer and NOT clean any infection that it finds.) That's OK; we only want the log of what it finds, if anything.

The log may be too large to attach here. If so, you can upload the log to the remote site we used earlier:

http://www.thespykiller.co.uk/forum/index.php?topic=2094.0


No problem :)

 

 

Logfile of HijackThis v1.99.1

Scan saved at 23:00:14, on 20/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\eScan\TRAYSSER.EXE

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\PROGRA~1\eScan\avpm.exe

C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE

C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\S3hotkey.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\PROGRA~1\eScan\TRAYICOS.EXE

C:\PROGRA~1\eScan\MAILDISP.EXE

C:\PROGRA~1\eScan\AVPMWrap.EXE

C:\Program Files\UnHackMe\hackmon.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\PROGRA~1\eScan\MAILSCAN.EXE

C:\PROGRA~1\ESCAN\SPOOLER.EXE

C:\PROGRA~1\eScan\kavss.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\PROGRA~1\eScan\AvpM.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"

O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App

O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE

O4 - HKCU\..\Run: [unHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\PROGRA~1\eScan\TRAYSSER.EXE

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe

O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE


Thanks! :)

I'll be darned if it didn't remove the troublesome entries seen in HijackThis!

Example - there were 3 entries total:

Thu Jul 20 21:45:13 2006 => ERROR!!! Invalid Entry ÿ_zsknk_un]oqsfyonyn[niwmdksz_ = c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Removing it.

They must have changed the free trial somewhat to do some removing of virus entries, because I saw this in the MWAV log and was a bit confused. (But from your HJT log I now see it really did remove those anyway.)

But there is more to do, so let me finish reviewing the MWAV log and the ComboFix files found and come back with a reply. Back in a bit :)


I posted those files for you :)...

I have already changed all my passwords to my different accounts with a different computer, and I haven't put any of the new ones into this computer.


Here is an ewido report. I ran it this morning and thought I would post it. I have deleted what it found.

 

 

 

 

---------------------------------------------------------

 

ewido anti-spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 11:05:19 21/07/2006

 

+ Scan result:

 

 

 

C:\Program Files\eScan\scaninst.exe -> Heuristic.Win32.AVKiller : No action taken.

:mozilla.62:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Adtech : No action taken.

:mozilla.63:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Adtech : No action taken.

:mozilla.13:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : No action taken.

:mozilla.15:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : No action taken.

:mozilla.16:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : No action taken.

:mozilla.48:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.

:mozilla.46:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Com : No action taken.

:mozilla.14:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.

:mozilla.58:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.

:mozilla.59:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.

:mozilla.60:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.

:mozilla.47:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.

:mozilla.55:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

 

 

::Report end


Here is the log after I cleaned:

 

--------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 11:08:13 21/07/2006

 

+ Scan result:

 

 

 

C:\Program Files\eScan\scaninst.exe -> Heuristic.Win32.AVKiller : Ignored.

:mozilla.62:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.

:mozilla.63:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.

:mozilla.13:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.15:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.16:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.48:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.

:mozilla.46:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Com : Cleaned.

:mozilla.14:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.

:mozilla.58:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.59:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.60:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.47:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.

:mozilla.55:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

 

 

::Report end


Good morning, Niall

I'm glad you changed passwords on all accounts. I don't trust the integrity of this PC at the moment, and you have a backdoor trojan and rootkit combo, so it is especially dangerous to have any sensitive data on that computer right now.

1. Please delete these files:

C:\WINDOWS\system32\ddirectxt.sys

C:\WINDOWS\system32\ntio256.sys

C:\WINDOWS\system32\3584.exe

Let me know if you have any problem deleting any of them.

Next step:

2. Go to Start, then Run, and type in regedit and hit OK.

Go to File, then Export, and save the registry somewhere as a backup. Give it a name you'll remember, like SaveReg.reg.

Open Notepad, then copy and paste the following bold text into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"=-

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

3. After deleting the above files and doing the fix.reg, please reboot your computer.

4. Run ComboFix again and post a fresh log from it.

5. I also need another type of log from this free tool:

Download http://www.bleepingcomputer.com/files/winpfind.php

Download WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the *Start Scan* button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

When it is done, it will show the results of the scan. Click on the *Copy to Clipboard* button and then paste the contents of the log in your clipboard as a reply to this topic.

Logs needed in your next reply are:

ComboFix

WinPFind

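As an added example (not from this thread, ComboFix, or any other tool named here), a small Python triage script that parses the "Files Created" and "Reg Loading Points" sections of a ComboFix log and flags the kinds of entries the helper singled out above: new drivers and tiny executables in system32, autostart values with garbled names, entries under the legacy RunServices key, one target registered under several keys, and SharedTaskScheduler CLSIDs outside the two that ship with Windows XP. The sample lines are copied from the ComboFix log posted earlier in the thread; the finding categories and the CLSID allowlist are my own.

```python
import re
from collections import defaultdict

# Constructed sample: excerpt of the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
(((((((((( Files Created - Last 30days ))))))))))

2006-07-19 21:33 90,112 C:\WINDOWS\system32\RegDACL.exe
2006-07-17 23:25 519,622,656 C:\hiberfil.sys
2006-07-10 19:32 6,912 C:\WINDOWS\system32\ddirectxt.sys
2006-07-10 19:29 19,840 C:\WINDOWS\system32\ntio256.sys
2006-07-10 19:26 372 C:\WINDOWS\system32\3584.exe

(((((((((( Reg Loading Points ))))))))))

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"ÿ_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ÿ_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"
"UnHackMe Monitor"="C:\\Program Files\\UnHackMe\\hackmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"ÿ_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"
"""

# SharedTaskScheduler CLSIDs that ship with Windows XP (allowlist, my assumption).
KNOWN_STS_CLSIDS = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}",  # Browseui preloader
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}",  # Component Categories cache daemon
}

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)


def suspicious_name(name):
    """Installers write readable ASCII value names; control/non-ASCII or bracket characters do not belong."""
    return any(ord(c) < 32 or ord(c) > 126 or c in "[]" for c in name)


def triage(log_text):
    """Return a list of (category, detail) findings for a ComboFix log."""
    findings = []
    targets = defaultdict(set)  # autostart target -> keys it is registered under
    section = key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section is None:
            continue
        if section.startswith("files created"):
            m = FILE_RE.match(line)
            if m and SYSTEM32_RE.search(m.group(4)):
                size, path = int(m.group(3).replace(",", "")), m.group(4)
                if path.lower().endswith(".sys"):
                    findings.append(("new-driver", path))      # fresh kernel driver in system32
                elif size < 1024:
                    findings.append(("tiny-exe", path))        # a 372-byte .exe is a loader, not a program
        elif section.startswith("reg loading"):
            m = KEY_RE.match(line)
            if m:
                key = m.group(1).lower()
                continue
            m = VALUE_RE.match(line)
            if not m or key is None:
                continue
            name, data = m.group(1), m.group(2).strip('"')
            if key.endswith("sharedtaskscheduler"):
                if name.upper() not in KNOWN_STS_CLSIDS:
                    findings.append(("unknown-sts-clsid", name))
                continue
            if suspicious_name(name):
                findings.append(("garbled-name", f"{key}: {name}"))
            if key.endswith("runservices"):
                findings.append(("runservices", data))         # Win9x-era key, rarely used legitimately on XP
            targets[data.lower()].add(key)
    for target, keys in targets.items():
        if len(keys) > 1:
            findings.append(("multi-key", f"{target} ({len(keys)} keys)"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```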

Here is ComboFix:

 

Start Time= 21/07/2006 18:19:48.68

Running from: C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff

 

QuickScan did not find any signs of infected files

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-07-20 21:40:46 135834 ( A.... ) "C:\WINDOWS\winsbak2.reg"

2006-07-20 21:40:46 19516 ( A.... ) "C:\WINDOWS\winsbak.reg"

2006-07-20 21:40:42 ( .D... ) "C:\Program Files\Common Files\MicroWorld"

2006-07-20 21:40:10 ( .D... ) "C:\Program Files\eScan"

2006-07-19 21:33:00 ( .D... ) "C:\Program Files\HaxFix"

2006-07-19 09:35:46 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"

2006-07-18 20:15:14 ( .D... ) "C:\Program Files\UnHackMe"

2006-07-14 22:14:38 27841 ( A.... ) "C:\clean.bat"

2006-07-12 19:42:42 ( .D... ) "C:\Program Files\CCleaner"

2006-07-12 19:27:48 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\AVG7"

2006-07-12 19:27:34 499712 ( A.... ) "C:\WINDOWS\system32\msvcp71.dll"

2006-07-12 19:27:34 348160 ( A.... ) "C:\WINDOWS\system32\msvcr71.dll"

2006-07-12 19:27:12 ( .D... ) "C:\Program Files\Grisoft"

2006-07-10 19:29:20 14848 ( A.... ) "C:\WINDOWS\system32\protector.exe.ren.ren"

2006-07-06 16:47:58 ( .D... ) "C:\Program Files\Lavasoft"

2006-07-04 20:40:12 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\Lavasoft"

2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"

2006-06-11 22:20:56 ( .D... ) "C:\Program Files\DivX"

2006-06-08 12:38:28 ( .D... ) "C:\Program Files\QuickTime"

2006-06-08 12:35:46 ( .D... ) "C:\Program Files\iTunes"

2006-06-04 10:28:18 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla"

2006-06-04 10:28:16 ( .D... ) "C:\Program Files\Mozilla Firefox"

2006-06-01 23:11:08 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"

2006-06-01 23:11:08 108544 ( ..... ) "C:\WINDOWS\system32\pxcpyi64.exe"

2006-06-01 23:10:26 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"

2006-06-01 23:09:58 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"

2006-06-01 23:09:58 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"

2006-06-01 23:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"

2006-06-01 23:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"

2006-06-01 23:09:58 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"

2006-06-01 23:09:58 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"

2006-06-01 23:09:58 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"

2006-06-01 23:09:58 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"

2006-06-01 23:07:46 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"

2006-06-01 23:07:38 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"

2006-06-01 23:07:38 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"

2006-06-01 23:07:34 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"

2006-06-01 23:07:00 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"

2006-06-01 23:06:58 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"

2006-06-01 23:06:58 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"

2006-06-01 23:06:58 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"

2006-06-01 23:06:34 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"

2006-06-01 23:06:34 12288 ( A.... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"

2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\system32\WdfMgr.exe"

2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\system32\uWDF.exe"

2006-05-09 22:26:34 7706112 ( A.... ) "C:\WINDOWS\system32\wmploc.dll"

2006-05-09 22:26:34 1641472 ( A.... ) "C:\WINDOWS\system32\wmpencen.dll"

2006-05-09 22:26:34 1280000 ( A.... ) "C:\WINDOWS\system32\WMSPDMOE.dll"

2006-05-09 22:26:34 1063424 ( A.... ) "C:\WINDOWS\system32\WMADMOE.dll"

2006-05-09 22:26:34 992256 ( A.... ) "C:\WINDOWS\system32\WMNetMgr.dll"

2006-05-09 22:26:34 705024 ( A.... ) "C:\WINDOWS\system32\WMADMOD.dll"

2006-05-09 22:26:34 564736 ( A.... ) "C:\WINDOWS\system32\WMSPDMOD.dll"

2006-05-09 22:26:34 433152 ( ..... ) "C:\WINDOWS\system32\wmpeffects.dll"

2006-05-09 22:26:34 417280 ( A.... ) "C:\WINDOWS\system32\wmdrmdev.dll"

2006-05-09 22:26:34 337408 ( A.... ) "C:\WINDOWS\system32\wmdrmnet.dll"

2006-05-09 22:26:34 306688 ( A.... ) "C:\WINDOWS\system32\MSWMDM.dll"

2006-05-09 22:26:34 301056 ( A.... ) "C:\WINDOWS\system32\wmpdxm.dll"

2006-05-09 22:26:34 267776 ( A.... ) "C:\WINDOWS\system32\Audiodev.dll"

2006-05-09 22:26:34 237056 ( A.... ) "C:\WINDOWS\system32\wmpasf.dll"

2006-05-09 22:26:34 221696 ( A.... ) "C:\WINDOWS\system32\WMASF.dll"

2006-05-09 22:26:34 219648 ( A.... ) "C:\WINDOWS\system32\CEWMDM.dll"

2006-05-09 22:26:34 212480 ( A.... ) "C:\WINDOWS\system32\msnetobj.dll"

2006-05-09 22:26:34 203776 ( A.... ) "C:\WINDOWS\system32\wmpsrcwp.dll"

2006-05-09 22:26:34 201728 ( A.... ) "C:\WINDOWS\system32\qasf.dll"

2006-05-09 22:26:34 165376 ( A.... ) "C:\WINDOWS\system32\MsPMSP.dll"

2006-05-09 22:26:34 155136 ( A.... ) "C:\WINDOWS\system32\wmidx.dll"

2006-05-09 22:26:34 135680 ( ..... ) "C:\WINDOWS\system32\wmpps.dll"

2006-05-09 22:26:34 97792 ( A.... ) "C:\WINDOWS\system32\wmpshell.dll"

2006-05-09 22:26:34 36864 ( A.... ) "C:\WINDOWS\system32\WMDMPS.dll"

2006-05-09 22:26:34 31744 ( A.... ) "C:\WINDOWS\system32\WMDMLOG.dll"

2006-05-09 22:26:34 26112 ( A.... ) "C:\WINDOWS\system32\MsPMSNSv.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmoe2.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmod.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\WMVADVE.DLL"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\WMVADVD.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmoe2.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmod.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wdfApi.dll"

2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MPG4DMOD.dll"

2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP4SDMOD.dll"

2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP43DMOD.dll"

2006-05-09 22:26:32 218112 ( A.... ) "C:\WINDOWS\system32\wmerror.dll"

2006-05-09 22:26:32 9728 ( A.... ) "C:\WINDOWS\system32\LAPRXY.dll"

2006-05-09 22:26:32 7168 ( A.... ) "C:\WINDOWS\system32\asferror.dll"

2006-05-09 22:22:32 2463744 ( A.... ) "C:\WINDOWS\system32\wmvcore.dll"

2006-05-09 21:02:02 84480 ( A.... ) "C:\WINDOWS\system32\logagent.exe"

2006-05-09 21:01:06 1463808 ( ..... ) "C:\WINDOWS\system32\WMVDECOD.dll"

2006-05-09 21:01:06 1359360 ( ..... ) "C:\WINDOWS\system32\WMVSDECD.dll"

2006-05-09 21:00:58 1455616 ( ..... ) "C:\WINDOWS\system32\WMVENCOD.dll"

2006-05-09 21:00:58 770560 ( ..... ) "C:\WINDOWS\system32\WMVSENCD.dll"

2006-05-09 21:00:58 299520 ( ..... ) "C:\WINDOWS\system32\MP4SDECD.dll"

2006-05-09 21:00:58 241152 ( ..... ) "C:\WINDOWS\system32\MPG4DECD.dll"

2006-05-09 21:00:56 636928 ( ..... ) "C:\WINDOWS\system32\WMVXENCD.dll"

2006-05-09 21:00:56 241152 ( ..... ) "C:\WINDOWS\system32\MP43DECD.dll"

2006-05-09 21:00:22 546816 ( ..... ) "C:\WINDOWS\system32\wmpmde.dll"

2006-05-09 21:00:08 382976 ( ..... ) "C:\WINDOWS\system32\MFPLAT.dll"

2006-05-09 21:00:02 1350656 ( A.... ) "C:\WINDOWS\system32\drmv2clt.dll"

2006-05-09 20:59:34 513536 ( ..... ) "C:\WINDOWS\system32\wmdrmsdk.dll"

2006-05-09 20:59:20 417280 ( A.... ) "C:\WINDOWS\system32\MSSCP.dll"

2006-05-09 20:59:18 229376 ( ..... ) "C:\WINDOWS\system32\drmupgds.exe"

2006-05-09 20:59:14 585216 ( A.... ) "C:\WINDOWS\system32\blackbox.dll"

2006-05-09 20:58:54 3745280 ( ..... ) "C:\WINDOWS\system32\WpdShext.dll"

2006-05-09 20:58:54 52224 ( ..... ) "C:\WINDOWS\system32\WPDShServiceObj.dll"

2006-05-09 20:58:54 13824 ( ..... ) "C:\WINDOWS\system32\wpdshextautoplay.exe"

2006-05-09 20:58:50 670208 ( A.... ) "C:\WINDOWS\system32\wpd_ci.dll"

2006-05-09 20:58:50 103424 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWiaCompat.dll"

2006-05-09 20:58:48 345600 ( ..... ) "C:\WINDOWS\system32\PortableDeviceApi.dll"

2006-05-09 20:58:48 188928 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWMDRM.dll"

2006-05-09 20:58:48 101376 ( ..... ) "C:\WINDOWS\system32\PortableDeviceClassExtension.dll"

2006-05-09 20:58:46 343552 ( A.... ) "C:\WINDOWS\system32\WPDSp.dll"

2006-05-09 20:58:40 144896 ( A.... ) "C:\WINDOWS\system32\wpdmtp.dll"

2006-05-09 20:58:40 55808 ( A.... ) "C:\WINDOWS\system32\wpdmtpus.dll"

2006-05-09 20:58:40 35840 ( A.... ) "C:\WINDOWS\system32\wpdconns.dll"

2006-05-09 20:58:38 168960 ( ..... ) "C:\WINDOWS\system32\PortableDeviceTypes.dll"

2006-05-09 20:58:38 13312 ( A.... ) "C:\WINDOWS\system32\wpdtrace.dll"

2006-05-09 20:57:06 11264 ( ..... ) "C:\WINDOWS\system32\ehETW.dll"

2006-05-09 20:45:20 304640 ( ..... ) "C:\WINDOWS\system32\MSDelta.dll"

2006-05-09 20:00:48 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"

 

 

(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

 

 

2006-07-20 21:40 913,408 C:\WINDOWS\system32\contfilt.dll

2006-07-20 21:40 90,112 C:\WINDOWS\inst_tsp.exe

2006-07-20 21:40 9,488 C:\WINDOWS\sporder.dll

2006-07-20 21:40 7,680 C:\WINDOWS\sporder.exe

2006-07-20 21:40 508,928 C:\WINDOWS\system32\eInstall.exe

2006-07-20 21:40 41,984 C:\WINDOWS\killproc.exe

2006-07-20 21:40 335,872 C:\WINDOWS\system32\mwtsp.dll

2006-07-20 21:40 32,768 C:\WINDOWS\system32\esmxlog.dll

2006-07-20 21:40 19,516 C:\WINDOWS\winsbak.reg

2006-07-20 21:40 146,432 C:\WINDOWS\REGEDIT.COM

2006-07-20 21:40 146,432 C:\WINDOWS\R.COM

2006-07-20 21:40 135,834 C:\WINDOWS\winsbak2.reg

2006-07-20 21:40 135,680 C:\WINDOWS\system32\TASKMGR.COM

2006-07-20 21:40 135,680 C:\WINDOWS\system32\T.COM

2006-07-20 21:40 130,560 C:\WINDOWS\system32\ZIPDLL.DLL

2006-07-20 21:40 125,440 C:\WINDOWS\system32\UNZDLL.DLL

2006-07-20 21:40 110,592 C:\WINDOWS\system32\mwnsp.dll

2006-07-20 21:40 <DIR> C:\WINDOWS\system32\FLCSS.EXE

2006-07-19 21:33 90,112 C:\WINDOWS\system32\RegDACL.exe

2006-07-19 21:33 40,960 C:\WINDOWS\system32\swsc.exe

2006-07-19 21:33 4,096 C:\WINDOWS\system32\reboot.exe

2006-07-19 21:33 38,400 C:\WINDOWS\system32\moveex.exe

2006-07-19 21:33 27,841 C:\clean.bat

2006-07-17 23:25 519,622,656 C:\hiberfil.sys

2006-07-12 19:27 499,712 C:\WINDOWS\system32\msvcp71.dll

2006-07-12 19:27 348,160 C:\WINDOWS\system32\msvcr71.dll

2006-07-10 19:29 14,848 C:\WINDOWS\system32\protector.exe.ren.ren

2006-06-11 22:21 109,568 C:\WINDOWS\system32\pxinsi64.exe

2006-06-11 22:21 108,544 C:\WINDOWS\system32\pxcpyi64.exe

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"S3hotkey"="S3hotkey.exe"

"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"

"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"

"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"

"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"

"Motive SmartBridge"="C:\\PROGRA~1\\ntl\\BROADB~1\\SMARTB~1\\MotiveSB.exe"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

"MailScan Dispatcher"="\"C:\\Program Files\\eScan\\LAUNCH.EXE\""

"eScan Updater"="C:\\PROGRA~1\\eScan\\TRAYICOS.EXE /App"

"eScan Monitor"="C:\\PROGRA~1\\eScan\\AVPMWrap.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"UnHackMe Monitor"="C:\\Program Files\\UnHackMe\\hackmon.exe"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000004

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

 

 

 

Contents of the 'Scheduled Tasks' folder

 

Completion time: 21/07/2006 18:20:36.86

ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt

 

ComboFix.2006-07-20.142840.txt

ComboFix.2006-07-21.181948.txt


Here is the WinPFind log

 

 

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

 

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

 

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600

Internet Explorer Version: 6.0.2900.2180

 

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

 

Checking %SystemDrive% folder...

 

Checking %ProgramFilesDir% folder...

 

Checking %WinDir% folder...

UPX! 11/02/2006 03:48:40 41984 C:\WINDOWS\killproc.exe

UPX! 18/09/1997 06:12:48 7680 C:\WINDOWS\sporder.exe

 

Checking %System% folder...

PEC2 18/08/2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc

PEC2 01/06/2006 23:06:58 619156 C:\WINDOWS\SYSTEM32\DivX.dll

PECompact2 01/06/2006 23:06:58 619156 C:\WINDOWS\SYSTEM32\DivX.dll

PTech 19/06/2006 16:19:42 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll

aspack 06/07/2006 18:21:48 6757792 C:\WINDOWS\SYSTEM32\MRT.exe

aspack 04/08/2004 08:56:36 708096 C:\WINDOWS\SYSTEM32\ntdll.dll

UPX! 10/07/2006 19:29:20 14848 C:\WINDOWS\SYSTEM32\protector.exe.ren.ren

Umonitor 04/08/2004 08:56:44 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll

UPX! 25/11/2005 17:48:28 40960 C:\WINDOWS\SYSTEM32\swsc.exe

winsync 18/08/2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

PTech 19/06/2006 16:19:26 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

 

Checking %System%\Drivers folder and sub-folders...

UPX! 12/07/2006 19:27:26 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

FSG! 12/07/2006 19:27:26 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

PEC2 12/07/2006 19:27:26 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

aspack 12/07/2006 19:27:26 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

PTech 04/08/2004 06:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

 

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

 

 

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...

21/07/2006 18:16:46 S 2048 C:\WINDOWS\bootstat.dat

16/06/2006 00:14:16 H 54156 C:\WINDOWS\QTFont.qfn

22/06/2006 12:18:30 S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat

29/05/2006 17:16:00 S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat

01/06/2006 21:28:56 S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat

19/06/2006 16:20:58 S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat

21/07/2006 18:18:20 H 1024 C:\WINDOWS\system32\config\default.LOG

21/07/2006 18:16:58 H 1024 C:\WINDOWS\system32\config\SAM.LOG

21/07/2006 18:26:58 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG

21/07/2006 18:36:50 H 1024 C:\WINDOWS\system32\config\software.LOG

21/07/2006 18:20:52 H 1024 C:\WINDOWS\system32\config\system.LOG

18/07/2006 19:34:50 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG

07/07/2006 12:31:56 H 0 C:\WINDOWS\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf

24/05/2006 23:43:10 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\f7adf9fd-660a-4cd8-9c8c-be84feb8702e

24/05/2006 23:43:10 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred

21/07/2006 18:16:52 H 6 C:\WINDOWS\Tasks\SA.DAT

 

Checking for CPL files...

Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl

Microsoft Corporation 04/08/2004 08:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl

Microsoft Corporation 04/08/2004 08:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl

Microsoft Corporation 04/08/2004 08:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl

Microsoft Corporation 04/08/2004 08:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl

Microsoft Corporation 04/08/2004 08:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl

Microsoft Corporation 04/08/2004 08:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl

Microsoft Corporation 04/08/2004 08:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl

Microsoft Corporation 04/08/2004 08:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl

Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl

Sun Microsystems, Inc. 10/11/2005 14:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl

Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl

Microsoft Corporation 04/08/2004 08:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl

Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl

Microsoft Corporation 04/08/2004 08:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl

Microsoft Corporation 04/08/2004 08:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl

Microsoft Corporation 04/08/2004 08:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl

Sun Microsystems 17/05/2002 17:04:56 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl

Microsoft Corporation 04/08/2004 08:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl

Microsoft Corporation 04/08/2004 08:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl

Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl

Microsoft Corporation 04/08/2004 08:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl

Microsoft Corporation 04/08/2004 08:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl

Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl

Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl

Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

 

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

 

Checking files in %ALLUSERSPROFILE%\Startup folder...

11/11/2005 14:02:54 1775 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\broadband medic.lnk

02/11/2001 02:28:18 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

02/11/2004 18:34:14 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

01/11/2004 15:00:46 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

 

Checking files in %ALLUSERSPROFILE%\Application Data folder...

02/11/2001 02:15:18 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

05/06/2006 11:24:34 1356 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

 

Checking files in %USERPROFILE%\Startup folder...

02/11/2001 02:28:18 HS 84 C:\Documents and Settings\niall mclaughlin\Start Menu\Programs\Startup\desktop.ini

 

Checking files in %USERPROFILE%\Application Data folder...

02/11/2001 02:15:18 HS 62 C:\Documents and Settings\niall mclaughlin\Application Data\desktop.ini

05/11/2004 13:16:44 27976 C:\Documents and Settings\niall mclaughlin\Application Data\GDIPFONTCACHEV1.DAT

 

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

SV1 =

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

 

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension

{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware

{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With

{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension

{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware

{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing

{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}

= %SystemRoot%\system32\SHELL32.dll

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}

Google Toolbar Helper = c:\program files\google\googletoolbar2.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}

MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}

ButtonText = AIM : C:\Program Files\AIM\aim.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}

ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}

Search Band = %SystemRoot%\System32\browseui.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}

=

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}

Favorites Band = %SystemRoot%\System32\shdocvw.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}

History Band = %SystemRoot%\System32\shdocvw.dll

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

S3hotkey S3hotkey.exe

WorksFUD C:\Program Files\Microsoft Works\wkfud.exe

Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe

REGSHAVE C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe

Motive SmartBridge C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"

AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

!ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

MailScan Dispatcher "C:\Program Files\eScan\LAUNCH.EXE"

eScan Updater C:\PROGRA~1\eScan\TRAYICOS.EXE /App

eScan Monitor C:\PROGRA~1\eScan\AVPMWrap.EXE

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

IMAIL Installed = 1

MAPI Installed = 1

MSFS Installed = 1

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

UnHackMe Monitor C:\Program Files\UnHackMe\hackmon.exe

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID

{17492023-C23A-453E-A040-C7C580BBF700} 1

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =

{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

dontdisplaylastusername 0

legalnoticecaption

legalnoticetext

shutdownwithoutlogon 1

undockwithoutlogon 1

SynchronousMachineGroupPolicy 0

SynchronousUserGroupPolicy 0

 

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun 145

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

DisableRegistryTools 0

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll

CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll

SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

WPDShServiceObj {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

Shell = explorer.exe

System =

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

= cryptnet.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

= cscdll.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

= wlnotify.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

= wlnotify.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

= sclgntfy.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

= WlNotify.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

= wlnotify.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon

= WgaLogon.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

= wlnotify.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

Debugger = ntsd -d

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

AppInit_DLLs

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Scan completed on 21/07/2006 18:37:12


Thanks, Niall

 

That's a backdoor trojan. Please delete the file.

 

C:\WINDOWS\system32\protector.exe.ren.ren (delete this file)

 

I'm waiting on a sandbox analysis to see what all it does, but here are the scanning results so far:

 

Complete scanning result of "protector.exe.ren.ren", received in VirusTotal at 07.21.2006, 20:24:47 (CET).

 

Antivirus           Version         Update      Result
AntiVir             6.35.0.24       07.21.2006  HEUR/Backdoor.Generic
Authentium          4.93.8          07.20.2006  Possibly a new variant of W32/Threat-HLLSI-based!Maximus
Avast               4.7.844.0       07.21.2006  no virus found
AVG                 386             07.21.2006  Generic.YIR
BitDefender         7.2             07.21.2006  Generic.Malware.Mdld.DCC72C67
CAT-QuickHeal       8.00            07.20.2006  no virus found
ClamAV              devel-20060426  07.20.2006  no virus found
DrWeb               4.33            07.21.2006  BackDoor.Prauck
eTrust-InoculateIT  23.72.74        07.20.2006  no virus found
eTrust-Vet          12.6.2305       07.21.2006  Win32/Pokier!generic
Ewido               4.0             07.21.2006  no virus found
Fortinet            2.77.0.0        07.21.2006  PossibleThreat!06940
F-Prot              3.16f           07.21.2006  Possibly a new variant of W32/Threat-HLLSI-based!Maximus
F-Prot4             4.2.1.29        07.21.2006  W32/Threat-HLLSI-based!Maximus
Ikarus              0.2.65.0        07.21.2006  no virus found
Kaspersky           4.0.2.24        07.21.2006  no virus found
McAfee              4812            07.21.2006  no virus found
Microsoft           1.1508          07.21.2006  no virus found
NOD32v2             1.1672          07.21.2006  no virus found
Norman              5.90.23         07.21.2006  no virus found
Panda               9.0.0.4         07.21.2006  Suspicious file
Sophos              4.07.0          07.21.2006  no virus found
Symantec            8.0             07.21.2006  no virus found
TheHacker           5.9.8.179       07.21.2006  no virus found
UNA                 1.83            07.21.2006  no virus found
VBA32               3.11.0          07.21.2006  no virus found
VirusBuster         4.3.7:9         07.21.2006  no virus found

 

Additional Information

File size: 14848 bytes

MD5: 3e388368d1b4ed9fe2288640bf588ad7

SHA1: 9fa9963f33c6965201a9053b0e64b24e095cc554

packers: UPX

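An added example, not code from the thread, in Python: a small parser for the flattened VirusTotal lines quoted above that splits each line into engine, version, update date and verdict, then separates named-family detections (such as DrWeb's BackDoor.Prauck) from generic or heuristic labels, which is the distinction behind waiting for a sandbox run before calling a verdict. The sample input is a constructed subset of the lines above; the list of heuristic-label markers is my own assumption.

```python
import re
from collections import namedtuple

Result = namedtuple("Result", "engine version updated verdict")

# Constructed sample: a subset of the VirusTotal lines quoted in the thread,
# in the same single-line "Engine Version Date Verdict" layout.
SAMPLE = """\
Antivirus Version Update Result
AntiVir 6.35.0.24 07.21.2006 HEUR/Backdoor.Generic
Avast 4.7.844.0 07.21.2006 no virus found
DrWeb 4.33 07.21.2006 BackDoor.Prauck
F-Prot4 4.2.1.29 07.21.2006 W32/Threat-HLLSI-based!Maximus
Panda 9.0.0.4 07.21.2006 Suspicious file
Kaspersky 4.0.2.24 07.21.2006 no virus found
"""

# engine, version, MM.DD.YYYY update date, then the verdict (may contain spaces)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")

# Assumed markers of a generic/heuristic label rather than a named family.
HEURISTIC_MARKERS = ("generic", "heur", "possib", "suspicious")


def parse_results(text):
    """Turn the flattened lines into Result tuples; the header row and any
    line without a date in the third column is skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append(Result(*m.groups()))
    return results


def is_heuristic(verdict):
    v = verdict.lower()
    return any(marker in v for marker in HEURISTIC_MARKERS)


def summarise(results):
    """Count detections and split them into named-family vs heuristic labels.
    Heuristic-only hits call for sandboxing; a named backdoor family is a
    strong signal on its own."""
    hits = [r for r in results if r.verdict.strip().lower() != "no virus found"]
    named = sorted(r.verdict for r in hits if not is_heuristic(r.verdict))
    heuristic = sorted(r.verdict for r in hits if is_heuristic(r.verdict))
    return {"engines": len(results), "detections": len(hits),
            "named": named, "heuristic": heuristic}
```

Running `summarise(parse_results(SAMPLE))` on the constructed sample gives 4 detections out of 6 engines, two of them named families.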

Hey Jane,

 

I deleted that file... Does this mean I am clean? I am sure you need to know what the trojan does first. Do you think I should still reinstall Windows?

 

Thanks again :)

 

Niall


I wish I could guarantee you are clean, but I can't. That's the problem with backdoor trojans and especially if they are hidden by a rootkit. Stealth technology - who knows what's been done to your computer that we can't see. If it were mine, I would be wiping the hard drive and reinstalling Windows, yes. And I have much concern about any files you have saved on there that might be infected to bring this on yourself again - as that is how this second episode started. Do you have the original install CDs and someone with the expertise to help you with that? Otherwise, I don't see any problems left at this point, but I wouldn't trust the computer with any sensitive data.
