CalamityJane, posted July 20, 2006:

Good morning, Niall (good afternoon to you). Miekie did have some additional thoughts to add. Let's do the following.

1. Please run ComboFix again and post a fresh log from it.

2. Use the Kaspersky free online AV scanner: http://www.kaspersky.com/virusscanner
Copy the report at the end and post the results back here. It will not remove anything found, but I just want to see the log results.

3. A question: have you installed a product belonging to Spytech Software, the SpyAnywhere remote administration tool? ( http://www.spyanywhere.com/ )
niallmcl, posted July 20, 2006:

Morning Jane,

Here is the ComboFix log. I will do the other scan now.

To answer your question: I don't think I have anything like that downloaded; I have never heard of it.

Start Time= 20/07/2006 14:28:40.61
Running from: C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-07-19 21:33:00 ( .D... ) "C:\Program Files\HaxFix"
2006-07-19 09:35:46 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-18 20:15:14 ( .D... ) "C:\Program Files\UnHackMe"
2006-07-14 22:14:38 27841 ( A.... ) "C:\clean.bat"
2006-07-12 19:42:42 ( .D... ) "C:\Program Files\CCleaner"
2006-07-12 19:27:48 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\AVG7"
2006-07-12 19:27:34 499712 ( A.... ) "C:\WINDOWS\system32\msvcp71.dll"
2006-07-12 19:27:34 348160 ( A.... ) "C:\WINDOWS\system32\msvcr71.dll"
2006-07-12 19:27:12 ( .D... ) "C:\Program Files\Grisoft"
2006-07-10 19:32:34 6912 ( A.... ) "C:\WINDOWS\system32\ddirectxt.sys"
2006-07-10 19:32:34 6912 ( A.... ) "C:\WINDOWS\system32\ddirectxt.sys"
2006-07-10 19:29:22 19840 ( A.... ) "C:\WINDOWS\system32\ntio256.sys"
2006-07-10 19:29:22 19840 ( A.... ) "C:\WINDOWS\system32\ntio256.sys"
2006-07-10 19:26:12 372 ( A.... ) "C:\WINDOWS\system32\3584.exe"
2006-07-06 16:47:58 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-04 20:40:12 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\Lavasoft"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-11 22:20:56 ( .D... ) "C:\Program Files\DivX"
2006-06-08 12:38:28 ( .D... ) "C:\Program Files\QuickTime"
2006-06-08 12:35:46 ( .D... ) "C:\Program Files\iTunes"
2006-06-04 10:28:18 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla"
2006-06-04 10:28:16 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-01 23:11:08 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-06-01 23:11:08 108544 ( ..... ) "C:\WINDOWS\system32\pxcpyi64.exe"
2006-06-01 23:10:26 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-06-01 23:09:58 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-06-01 23:09:58 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-06-01 23:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-06-01 23:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-06-01 23:09:58 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-06-01 23:09:58 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-06-01 23:09:58 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-06-01 23:09:58 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-06-01 23:07:46 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-06-01 23:07:38 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-06-01 23:07:38 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-06-01 23:07:34 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"
2006-06-01 23:07:00 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-06-01 23:06:58 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-06-01 23:06:58 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-06-01 23:06:58 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-06-01 23:06:34 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-06-01 23:06:34 12288 ( A.... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"
2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\system32\WdfMgr.exe"
2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\system32\uWDF.exe"
2006-05-09 22:26:34 7706112 ( A.... ) "C:\WINDOWS\system32\wmploc.dll"
2006-05-09 22:26:34 1641472 ( A.... ) "C:\WINDOWS\system32\wmpencen.dll"
2006-05-09 22:26:34 1280000 ( A.... ) "C:\WINDOWS\system32\WMSPDMOE.dll"
2006-05-09 22:26:34 1063424 ( A.... ) "C:\WINDOWS\system32\WMADMOE.dll"
2006-05-09 22:26:34 992256 ( A.... ) "C:\WINDOWS\system32\WMNetMgr.dll"
2006-05-09 22:26:34 705024 ( A.... ) "C:\WINDOWS\system32\WMADMOD.dll"
2006-05-09 22:26:34 564736 ( A.... ) "C:\WINDOWS\system32\WMSPDMOD.dll"
2006-05-09 22:26:34 433152 ( ..... ) "C:\WINDOWS\system32\wmpeffects.dll"
2006-05-09 22:26:34 417280 ( A.... ) "C:\WINDOWS\system32\wmdrmdev.dll"
2006-05-09 22:26:34 337408 ( A.... ) "C:\WINDOWS\system32\wmdrmnet.dll"
2006-05-09 22:26:34 306688 ( A.... ) "C:\WINDOWS\system32\MSWMDM.dll"
2006-05-09 22:26:34 301056 ( A.... ) "C:\WINDOWS\system32\wmpdxm.dll"
2006-05-09 22:26:34 267776 ( A.... ) "C:\WINDOWS\system32\Audiodev.dll"
2006-05-09 22:26:34 237056 ( A.... ) "C:\WINDOWS\system32\wmpasf.dll"
2006-05-09 22:26:34 221696 ( A.... ) "C:\WINDOWS\system32\WMASF.dll"
2006-05-09 22:26:34 219648 ( A.... ) "C:\WINDOWS\system32\CEWMDM.dll"
2006-05-09 22:26:34 212480 ( A.... ) "C:\WINDOWS\system32\msnetobj.dll"
2006-05-09 22:26:34 203776 ( A.... ) "C:\WINDOWS\system32\wmpsrcwp.dll"
2006-05-09 22:26:34 201728 ( A.... ) "C:\WINDOWS\system32\qasf.dll"
2006-05-09 22:26:34 165376 ( A.... ) "C:\WINDOWS\system32\MsPMSP.dll"
2006-05-09 22:26:34 155136 ( A.... ) "C:\WINDOWS\system32\wmidx.dll"
2006-05-09 22:26:34 135680 ( ..... ) "C:\WINDOWS\system32\wmpps.dll"
2006-05-09 22:26:34 97792 ( A.... ) "C:\WINDOWS\system32\wmpshell.dll"
2006-05-09 22:26:34 36864 ( A.... ) "C:\WINDOWS\system32\WMDMPS.dll"
2006-05-09 22:26:34 31744 ( A.... ) "C:\WINDOWS\system32\WMDMLOG.dll"
2006-05-09 22:26:34 26112 ( A.... ) "C:\WINDOWS\system32\MsPMSNSv.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmoe2.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmod.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\WMVADVE.DLL"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\WMVADVD.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmoe2.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmod.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wdfApi.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MPG4DMOD.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP4SDMOD.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP43DMOD.dll"
2006-05-09 22:26:32 218112 ( A.... ) "C:\WINDOWS\system32\wmerror.dll"
2006-05-09 22:26:32 9728 ( A.... ) "C:\WINDOWS\system32\LAPRXY.dll"
2006-05-09 22:26:32 7168 ( A.... ) "C:\WINDOWS\system32\asferror.dll"
2006-05-09 22:22:32 2463744 ( A.... ) "C:\WINDOWS\system32\wmvcore.dll"
2006-05-09 21:02:02 84480 ( A.... ) "C:\WINDOWS\system32\logagent.exe"
2006-05-09 21:01:06 1463808 ( ..... ) "C:\WINDOWS\system32\WMVDECOD.dll"
2006-05-09 21:01:06 1359360 ( ..... ) "C:\WINDOWS\system32\WMVSDECD.dll"
2006-05-09 21:00:58 1455616 ( ..... ) "C:\WINDOWS\system32\WMVENCOD.dll"
2006-05-09 21:00:58 770560 ( ..... ) "C:\WINDOWS\system32\WMVSENCD.dll"
2006-05-09 21:00:58 299520 ( ..... ) "C:\WINDOWS\system32\MP4SDECD.dll"
2006-05-09 21:00:58 241152 ( ..... ) "C:\WINDOWS\system32\MPG4DECD.dll"
2006-05-09 21:00:56 636928 ( ..... ) "C:\WINDOWS\system32\WMVXENCD.dll"
2006-05-09 21:00:56 241152 ( ..... ) "C:\WINDOWS\system32\MP43DECD.dll"
2006-05-09 21:00:22 546816 ( ..... ) "C:\WINDOWS\system32\wmpmde.dll"
2006-05-09 21:00:08 382976 ( ..... ) "C:\WINDOWS\system32\MFPLAT.dll"
2006-05-09 21:00:02 1350656 ( A.... ) "C:\WINDOWS\system32\drmv2clt.dll"
2006-05-09 20:59:34 513536 ( ..... ) "C:\WINDOWS\system32\wmdrmsdk.dll"
2006-05-09 20:59:20 417280 ( A.... ) "C:\WINDOWS\system32\MSSCP.dll"
2006-05-09 20:59:18 229376 ( ..... ) "C:\WINDOWS\system32\drmupgds.exe"
2006-05-09 20:59:14 585216 ( A.... ) "C:\WINDOWS\system32\blackbox.dll"
2006-05-09 20:58:54 3745280 ( ..... ) "C:\WINDOWS\system32\WpdShext.dll"
2006-05-09 20:58:54 52224 ( ..... ) "C:\WINDOWS\system32\WPDShServiceObj.dll"
2006-05-09 20:58:54 13824 ( ..... ) "C:\WINDOWS\system32\wpdshextautoplay.exe"
2006-05-09 20:58:50 670208 ( A.... ) "C:\WINDOWS\system32\wpd_ci.dll"
2006-05-09 20:58:50 103424 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWiaCompat.dll"
2006-05-09 20:58:48 345600 ( ..... ) "C:\WINDOWS\system32\PortableDeviceApi.dll"
2006-05-09 20:58:48 188928 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWMDRM.dll"
2006-05-09 20:58:48 101376 ( ..... ) "C:\WINDOWS\system32\PortableDeviceClassExtension.dll"
2006-05-09 20:58:46 343552 ( A.... ) "C:\WINDOWS\system32\WPDSp.dll"
2006-05-09 20:58:40 144896 ( A.... ) "C:\WINDOWS\system32\wpdmtp.dll"
2006-05-09 20:58:40 55808 ( A.... ) "C:\WINDOWS\system32\wpdmtpus.dll"
2006-05-09 20:58:40 35840 ( A.... ) "C:\WINDOWS\system32\wpdconns.dll"
2006-05-09 20:58:38 168960 ( ..... ) "C:\WINDOWS\system32\PortableDeviceTypes.dll"
2006-05-09 20:58:38 13312 ( A.... ) "C:\WINDOWS\system32\wpdtrace.dll"
2006-05-09 20:57:06 11264 ( ..... ) "C:\WINDOWS\system32\ehETW.dll"
2006-05-09 20:45:20 304640 ( ..... ) "C:\WINDOWS\system32\MSDelta.dll"
2006-05-09 20:00:48 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"

(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

2006-07-19 21:33 90,112 C:\WINDOWS\system32\RegDACL.exe
2006-07-19 21:33 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-19 21:33 4,096 C:\WINDOWS\system32\reboot.exe
2006-07-19 21:33 38,400 C:\WINDOWS\system32\moveex.exe
2006-07-19 21:33 27,841 C:\clean.bat
2006-07-17 23:25 519,622,656 C:\hiberfil.sys
2006-07-12 19:27 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-12 19:27 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-10 19:32 6,912 C:\WINDOWS\system32\ddirectxt.sys
2006-07-10 19:29 19,840 C:\WINDOWS\system32\ntio256.sys
2006-07-10 19:26 372 C:\WINDOWS\system32\3584.exe
2006-06-11 22:21 109,568 C:\WINDOWS\system32\pxinsi64.exe
2006-06-11 22:21 108,544 C:\WINDOWS\system32\pxcpyi64.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3hotkey"="S3hotkey.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\ntl\\BROADB~1\\SMARTB~1\\MotiveSB.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ÿ_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ÿ_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"
"UnHackMe Monitor"="C:\\Program Files\\UnHackMe\\hackmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"ÿ_zsknk_un]oqsfyonyn[niwmdksz_"="c:\\windows\\system32\\_zskdmwin[nynoyfsqo]nu_kn.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

Contents of the 'Scheduled Tasks' folder

Completion time: 20/07/2006 14:29:08.72
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt
ComboFix.2006-07-20.142840.txt
niallmcl, posted July 20, 2006:

http://www.kaspersky.com/virusscanner

That page isn't responding at the minute. I will keep trying it. Can you access it?
CalamityJane, posted July 20, 2006:

> http://www.kaspersky.com/virusscanner
> That page isn't responding at the minute. I will keep trying it. Can you access it?

Yes, no problem here getting to the site. Are you getting an error message? If so, what does it say?
niallmcl, posted July 20, 2006:

Unable to connect

Firefox can't establish a connection to the server at www.kaspersky.com.

* The site could be temporarily unavailable or too busy. Try again in a few moments.
* If you are unable to load any pages, check your computer's network connection.
* If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
niallmcl, posted July 20, 2006:

I can't access it on Microsoft IE either.
CalamityJane, posted July 20, 2006:

Try this (it uses the KAV engine). Get the free version and don't worry about what it finds and wants you to pay to fix; all I want to see is the log for now.

MicroWorld AntiVirus Toolkit Utility (MWAV)
http://www.mwti.net/products/mwav/mwav.asp
(Please note that the FREE version will only scan your computer and NOT clean any infection that it finds.) That's OK; we only want the log of what it finds, if anything.

The log may be too large to attach here. If so, you can upload the log to the remote site we used earlier:
http://www.thespykiller.co.uk/forum/index.php?topic=2094.0
niallmcl, posted July 20, 2006:

OK, I attached it as a text document on the other forum.
CalamityJane, posted July 20, 2006:

Thanks, I got it. I'm going over it, but it may take me a while (long log!). Can you also scan and post a fresh HijackThis log?
niallmcl, posted July 20, 2006:

No problem.

Logfile of HijackThis v1.99.1
Scan saved at 23:00:14, on 20/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\eScan\avpm.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3hotkey.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\eScan\TRAYICOS.EXE
C:\PROGRA~1\eScan\MAILDISP.EXE
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\eScan\MAILSCAN.EXE
C:\PROGRA~1\ESCAN\SPOOLER.EXE
C:\PROGRA~1\eScan\kavss.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\PROGRA~1\eScan\AvpM.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mwtsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
CalamityJane, posted July 20, 2006:

Thanks! I'll be darned if it didn't remove the troublesome entries seen in HijackThis! Example - there were 3 entries total:

Thu Jul 20 21:45:13 2006 => ERROR!!! Invalid Entry ÿ_zsknk_un]oqsfyonyn[niwmdksz_ = c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Removing it.

They must have changed the free trial somewhat to do some removing of virus entries, because I saw this in the MWAV log and was a bit confused. (But from your HJT log I now see it really did remove those anyway.)

But there is more to do, so let me finish reviewing the MWAV log and the ComboFix files found and come back with a reply. Back in a bit.
CalamityJane, posted July 20, 2006:

Upload the following files to here: http://www.thespykiller.co.uk/forum/index.php?topic=2094.0

Files to upload:
C:\WINDOWS\system32\ddirectxt.sys
C:\WINDOWS\system32\ntio256.sys
C:\WINDOWS\system32\3584.exe
niallmcl, posted July 21, 2006:

I posted those files for you. I have already changed all my passwords to my different accounts with a different computer, and I haven't put any of the new ones into this computer.
niallmcl, posted July 21, 2006:

Here is an ewido report. I ran it this morning and thought I would post it. I have deleted what it found.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:05:19 21/07/2006

+ Scan result:

C:\Program Files\eScan\scaninst.exe -> Heuristic.Win32.AVKiller : No action taken.
:mozilla.62:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.63:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.13:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.15:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.16:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.48:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.46:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.14:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.58:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.59:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.60:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.47:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.55:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

::Report end
niallmcl, posted July 21, 2006:

Here is the log after I cleaned.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:08:13 21/07/2006

+ Scan result:

C:\Program Files\eScan\scaninst.exe -> Heuristic.Win32.AVKiller : Ignored.
:mozilla.62:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.63:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.13:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.15:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.16:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.48:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.46:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.14:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.58:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.59:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.60:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.47:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.55:C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla\Firefox\Profiles\261knj8v.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

::Report end
LS CalamityJane 13 Report post Posted July 21, 2006 Goood morning, Niall I'm glad you changed passwords on all accounts. I don't trust the integrity of this PC at the moment and you have a backdoor trojan and rootkit combo that is especially dangerous to have any sensitive data on that computer right now. 1. Please delete these files: C:\WINDOWS\system32\ddirectxt.sys C:\WINDOWS\system32\ntio256.sys C:\WINDOWS\system32\3584.exe Let me know if you have any problem deleting any of them. Next step: 2. Go to Start then Run and type in regedit and hit OK. Go to File then Export and save the registry somewhere as a backup. Give it a name you'll remember like SaveReg.reg. Open Notepad, then copy and paste the following bold text into Notepad: REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"=- Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry. 3. After deleting the above files and doing the fix.reg, please reboot your computer. 4. Run Combofix again and post a fresh log from it. 5. I also need another type of log from this free tool: Download http://www.bleepingcomputer.com/files/winpfind.php Download WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the *Start Scan* button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more. When it is done, it will show the results of the scan. Click on the *Copy to Clipboard* button and then paste the contents of the log in your clipboard as a reply to this topic. 
Logs needed in your next reply are:

ComboFix
WinPFind
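The check behind step 2 can be scripted. The following is an added example written for this page, not ComboFix's or the forum helper's code: it parses a REGEDIT4-style dump such as the "Reg Loading Points" section of a ComboFix log, compares the SharedTaskScheduler and ShellExecuteHooks values against a baseline of stock Windows XP entries (that baseline is this example's own assumption), and writes the same kind of fix.reg shown in the post, using the `"name"=-` syntax that deletes a value on merge. The sample dump is constructed from the CLSIDs that appear in this thread; the data of the {2C1CD3D7-...} value is not shown on the page, so an empty string stands in for it.

```python
"""Triage Explorer load points (SharedTaskScheduler, ShellExecuteHooks) from a
REGEDIT4-style dump and write a fix.reg that removes the values you reject.

Added example for this thread, not code from ComboFix or the forum helper.
The stock Windows XP baseline below is this example's own assumption;
anything else that is legitimately installed (here, the ewido shell hook)
has to be accepted explicitly. The tool does not decide that for you.
"""
import re
from typing import Dict, FrozenSet, List

# Stock Windows XP SP2 values for the two keys (assumption of this example).
KNOWN_GOOD: Dict[str, Dict[str, str]] = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler": {
        "{438755C2-A8BA-11D1-B96B-00A0C90312E1}": "Browseui preloader",
        "{8C7461EF-2B13-11D2-BE35-3078302C2030}": "Component Categories cache daemon",
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks": {
        "{AEB6717E-7E19-11D0-97EE-00C04FD91972}": "URL Exec Hook (shell32.dll)",
    },
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """[key] headers followed by "name"=value lines -> {key: {name: value}}."""
    dump: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        k = KEY_RE.match(line)
        if k:
            current = k.group(1)
            dump.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            dump[current][v.group(1)] = v.group(2)
    return dump


def unknown_clsids(dump: Dict[str, Dict[str, str]],
                   accepted: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Values under the triaged keys that are neither stock nor accepted.
    Key paths and CLSIDs compare case-insensitively, as the registry does."""
    baseline = {k.lower(): {n.lower() for n in vals} for k, vals in KNOWN_GOOD.items()}
    allow = {a.lower() for a in accepted}
    findings: Dict[str, List[str]] = {}
    for key, values in dump.items():
        good = baseline.get(key.lower())
        if good is None:
            continue  # not one of the keys this tool triages
        bad = [n for n in values if n.lower() not in good and n.lower() not in allow]
        if bad:
            findings[key] = bad
    return findings


def build_fix_reg(findings: Dict[str, List[str]]) -> str:
    """A "name"=- line under a key deletes that value when the file is merged."""
    out = ["REGEDIT4", ""]
    for key, names in findings.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return "\n".join(out)


# Constructed sample: the CLSIDs from this thread's logs. The data of the
# {2C1CD3D7-...} entry is not shown on the page, so an empty string is used.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
'''

if __name__ == "__main__":
    dump = parse_reg_dump(SAMPLE_DUMP)
    # First pass: everything non-stock, for the analyst to review.
    for key, names in unknown_clsids(dump).items():
        print(key, "->", names)
    # Second pass: the anti-spyware hook has been vetted; emit the fix.
    vetted = frozenset({"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"})
    print(build_fix_reg(unknown_clsids(dump, vetted)))
```

Run it twice in practice: first with no accepted set, to see everything that is not stock (here the ewido hook as well as the unknown CLSID), then with the entries you have vetted passed as `accepted`, so the generated fix.reg removes only what you decided to remove. Export the registry first, as the post says; `=-` deletes without confirmation.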
niallmcl, posted July 21, 2006

Here is ComboFix...

Start Time= 21/07/2006 18:19:48.68
Running from: C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-07-20 21:40:46 135834 ( A.... ) "C:\WINDOWS\winsbak2.reg"
2006-07-20 21:40:46 19516 ( A.... ) "C:\WINDOWS\winsbak.reg"
2006-07-20 21:40:42 ( .D... ) "C:\Program Files\Common Files\MicroWorld"
2006-07-20 21:40:10 ( .D... ) "C:\Program Files\eScan"
2006-07-19 21:33:00 ( .D... ) "C:\Program Files\HaxFix"
2006-07-19 09:35:46 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-18 20:15:14 ( .D... ) "C:\Program Files\UnHackMe"
2006-07-14 22:14:38 27841 ( A.... ) "C:\clean.bat"
2006-07-12 19:42:42 ( .D... ) "C:\Program Files\CCleaner"
2006-07-12 19:27:48 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\AVG7"
2006-07-12 19:27:34 499712 ( A.... ) "C:\WINDOWS\system32\msvcp71.dll"
2006-07-12 19:27:34 348160 ( A.... ) "C:\WINDOWS\system32\msvcr71.dll"
2006-07-12 19:27:12 ( .D... ) "C:\Program Files\Grisoft"
2006-07-10 19:29:20 14848 ( A.... ) "C:\WINDOWS\system32\protector.exe.ren.ren"
2006-07-06 16:47:58 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-04 20:40:12 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\Lavasoft"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-11 22:20:56 ( .D... ) "C:\Program Files\DivX"
2006-06-08 12:38:28 ( .D... ) "C:\Program Files\QuickTime"
2006-06-08 12:35:46 ( .D... ) "C:\Program Files\iTunes"
2006-06-04 10:28:18 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\Mozilla"
2006-06-04 10:28:16 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-01 23:11:08 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-06-01 23:11:08 108544 ( ..... ) "C:\WINDOWS\system32\pxcpyi64.exe"
2006-06-01 23:10:26 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-06-01 23:09:58 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-06-01 23:09:58 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-06-01 23:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-06-01 23:09:58 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-06-01 23:09:58 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-06-01 23:09:58 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-06-01 23:09:58 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-06-01 23:09:58 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-06-01 23:07:46 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-06-01 23:07:38 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-06-01 23:07:38 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-06-01 23:07:34 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"
2006-06-01 23:07:00 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-06-01 23:06:58 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-06-01 23:06:58 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-06-01 23:06:58 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-06-01 23:06:34 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-06-01 23:06:34 12288 ( A.... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"
2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\system32\WdfMgr.exe"
2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\system32\uWDF.exe"
2006-05-09 22:26:34 7706112 ( A.... ) "C:\WINDOWS\system32\wmploc.dll"
2006-05-09 22:26:34 1641472 ( A.... ) "C:\WINDOWS\system32\wmpencen.dll"
2006-05-09 22:26:34 1280000 ( A.... ) "C:\WINDOWS\system32\WMSPDMOE.dll"
2006-05-09 22:26:34 1063424 ( A.... ) "C:\WINDOWS\system32\WMADMOE.dll"
2006-05-09 22:26:34 992256 ( A.... ) "C:\WINDOWS\system32\WMNetMgr.dll"
2006-05-09 22:26:34 705024 ( A.... ) "C:\WINDOWS\system32\WMADMOD.dll"
2006-05-09 22:26:34 564736 ( A.... ) "C:\WINDOWS\system32\WMSPDMOD.dll"
2006-05-09 22:26:34 433152 ( ..... ) "C:\WINDOWS\system32\wmpeffects.dll"
2006-05-09 22:26:34 417280 ( A.... ) "C:\WINDOWS\system32\wmdrmdev.dll"
2006-05-09 22:26:34 337408 ( A.... ) "C:\WINDOWS\system32\wmdrmnet.dll"
2006-05-09 22:26:34 306688 ( A.... ) "C:\WINDOWS\system32\MSWMDM.dll"
2006-05-09 22:26:34 301056 ( A.... ) "C:\WINDOWS\system32\wmpdxm.dll"
2006-05-09 22:26:34 267776 ( A.... ) "C:\WINDOWS\system32\Audiodev.dll"
2006-05-09 22:26:34 237056 ( A.... ) "C:\WINDOWS\system32\wmpasf.dll"
2006-05-09 22:26:34 221696 ( A.... ) "C:\WINDOWS\system32\WMASF.dll"
2006-05-09 22:26:34 219648 ( A.... ) "C:\WINDOWS\system32\CEWMDM.dll"
2006-05-09 22:26:34 212480 ( A.... ) "C:\WINDOWS\system32\msnetobj.dll"
2006-05-09 22:26:34 203776 ( A.... ) "C:\WINDOWS\system32\wmpsrcwp.dll"
2006-05-09 22:26:34 201728 ( A.... ) "C:\WINDOWS\system32\qasf.dll"
2006-05-09 22:26:34 165376 ( A.... ) "C:\WINDOWS\system32\MsPMSP.dll"
2006-05-09 22:26:34 155136 ( A.... ) "C:\WINDOWS\system32\wmidx.dll"
2006-05-09 22:26:34 135680 ( ..... ) "C:\WINDOWS\system32\wmpps.dll"
2006-05-09 22:26:34 97792 ( A.... ) "C:\WINDOWS\system32\wmpshell.dll"
2006-05-09 22:26:34 36864 ( A.... ) "C:\WINDOWS\system32\WMDMPS.dll"
2006-05-09 22:26:34 31744 ( A.... ) "C:\WINDOWS\system32\WMDMLOG.dll"
2006-05-09 22:26:34 26112 ( A.... ) "C:\WINDOWS\system32\MsPMSNSv.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmoe2.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmod.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\WMVADVE.DLL"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\WMVADVD.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmoe2.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmod.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wdfApi.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MPG4DMOD.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP4SDMOD.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP43DMOD.dll"
2006-05-09 22:26:32 218112 ( A.... ) "C:\WINDOWS\system32\wmerror.dll"
2006-05-09 22:26:32 9728 ( A.... ) "C:\WINDOWS\system32\LAPRXY.dll"
2006-05-09 22:26:32 7168 ( A.... ) "C:\WINDOWS\system32\asferror.dll"
2006-05-09 22:22:32 2463744 ( A.... ) "C:\WINDOWS\system32\wmvcore.dll"
2006-05-09 21:02:02 84480 ( A.... ) "C:\WINDOWS\system32\logagent.exe"
2006-05-09 21:01:06 1463808 ( ..... ) "C:\WINDOWS\system32\WMVDECOD.dll"
2006-05-09 21:01:06 1359360 ( ..... ) "C:\WINDOWS\system32\WMVSDECD.dll"
2006-05-09 21:00:58 1455616 ( ..... ) "C:\WINDOWS\system32\WMVENCOD.dll"
2006-05-09 21:00:58 770560 ( ..... ) "C:\WINDOWS\system32\WMVSENCD.dll"
2006-05-09 21:00:58 299520 ( ..... ) "C:\WINDOWS\system32\MP4SDECD.dll"
2006-05-09 21:00:58 241152 ( ..... ) "C:\WINDOWS\system32\MPG4DECD.dll"
2006-05-09 21:00:56 636928 ( ..... ) "C:\WINDOWS\system32\WMVXENCD.dll"
2006-05-09 21:00:56 241152 ( ..... ) "C:\WINDOWS\system32\MP43DECD.dll"
2006-05-09 21:00:22 546816 ( ..... ) "C:\WINDOWS\system32\wmpmde.dll"
2006-05-09 21:00:08 382976 ( ..... ) "C:\WINDOWS\system32\MFPLAT.dll"
2006-05-09 21:00:02 1350656 ( A.... ) "C:\WINDOWS\system32\drmv2clt.dll"
2006-05-09 20:59:34 513536 ( ..... ) "C:\WINDOWS\system32\wmdrmsdk.dll"
2006-05-09 20:59:20 417280 ( A.... ) "C:\WINDOWS\system32\MSSCP.dll"
2006-05-09 20:59:18 229376 ( ..... ) "C:\WINDOWS\system32\drmupgds.exe"
2006-05-09 20:59:14 585216 ( A.... ) "C:\WINDOWS\system32\blackbox.dll"
2006-05-09 20:58:54 3745280 ( ..... ) "C:\WINDOWS\system32\WpdShext.dll"
2006-05-09 20:58:54 52224 ( ..... ) "C:\WINDOWS\system32\WPDShServiceObj.dll"
2006-05-09 20:58:54 13824 ( ..... ) "C:\WINDOWS\system32\wpdshextautoplay.exe"
2006-05-09 20:58:50 670208 ( A.... ) "C:\WINDOWS\system32\wpd_ci.dll"
2006-05-09 20:58:50 103424 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWiaCompat.dll"
2006-05-09 20:58:48 345600 ( ..... ) "C:\WINDOWS\system32\PortableDeviceApi.dll"
2006-05-09 20:58:48 188928 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWMDRM.dll"
2006-05-09 20:58:48 101376 ( ..... ) "C:\WINDOWS\system32\PortableDeviceClassExtension.dll"
2006-05-09 20:58:46 343552 ( A.... ) "C:\WINDOWS\system32\WPDSp.dll"
2006-05-09 20:58:40 144896 ( A.... ) "C:\WINDOWS\system32\wpdmtp.dll"
2006-05-09 20:58:40 55808 ( A.... ) "C:\WINDOWS\system32\wpdmtpus.dll"
2006-05-09 20:58:40 35840 ( A.... ) "C:\WINDOWS\system32\wpdconns.dll"
2006-05-09 20:58:38 168960 ( ..... ) "C:\WINDOWS\system32\PortableDeviceTypes.dll"
2006-05-09 20:58:38 13312 ( A.... ) "C:\WINDOWS\system32\wpdtrace.dll"
2006-05-09 20:57:06 11264 ( ..... ) "C:\WINDOWS\system32\ehETW.dll"
2006-05-09 20:45:20 304640 ( ..... ) "C:\WINDOWS\system32\MSDelta.dll"
2006-05-09 20:00:48 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"

(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

2006-07-20 21:40 913,408 C:\WINDOWS\system32\contfilt.dll
2006-07-20 21:40 90,112 C:\WINDOWS\inst_tsp.exe
2006-07-20 21:40 9,488 C:\WINDOWS\sporder.dll
2006-07-20 21:40 7,680 C:\WINDOWS\sporder.exe
2006-07-20 21:40 508,928 C:\WINDOWS\system32\eInstall.exe
2006-07-20 21:40 41,984 C:\WINDOWS\killproc.exe
2006-07-20 21:40 335,872 C:\WINDOWS\system32\mwtsp.dll
2006-07-20 21:40 32,768 C:\WINDOWS\system32\esmxlog.dll
2006-07-20 21:40 19,516 C:\WINDOWS\winsbak.reg
2006-07-20 21:40 146,432 C:\WINDOWS\REGEDIT.COM
2006-07-20 21:40 146,432 C:\WINDOWS\R.COM
2006-07-20 21:40 135,834 C:\WINDOWS\winsbak2.reg
2006-07-20 21:40 135,680 C:\WINDOWS\system32\TASKMGR.COM
2006-07-20 21:40 135,680 C:\WINDOWS\system32\T.COM
2006-07-20 21:40 130,560 C:\WINDOWS\system32\ZIPDLL.DLL
2006-07-20 21:40 125,440 C:\WINDOWS\system32\UNZDLL.DLL
2006-07-20 21:40 110,592 C:\WINDOWS\system32\mwnsp.dll
2006-07-20 21:40 <DIR> C:\WINDOWS\system32\FLCSS.EXE
2006-07-19 21:33 90,112 C:\WINDOWS\system32\RegDACL.exe
2006-07-19 21:33 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-19 21:33 4,096 C:\WINDOWS\system32\reboot.exe
2006-07-19 21:33 38,400 C:\WINDOWS\system32\moveex.exe
2006-07-19 21:33 27,841 C:\clean.bat
2006-07-17 23:25 519,622,656 C:\hiberfil.sys
2006-07-12 19:27 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-12 19:27 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-10 19:29 14,848 C:\WINDOWS\system32\protector.exe.ren.ren
2006-06-11 22:21 109,568 C:\WINDOWS\system32\pxinsi64.exe
2006-06-11 22:21 108,544 C:\WINDOWS\system32\pxcpyi64.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3hotkey"="S3hotkey.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\ntl\\BROADB~1\\SMARTB~1\\MotiveSB.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"MailScan Dispatcher"="\"C:\\Program Files\\eScan\\LAUNCH.EXE\""
"eScan Updater"="C:\\PROGRA~1\\eScan\\TRAYICOS.EXE /App"
"eScan Monitor"="C:\\PROGRA~1\\eScan\\AVPMWrap.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"UnHackMe Monitor"="C:\\Program Files\\UnHackMe\\hackmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

Contents of the 'Scheduled Tasks' folder

Completion time: 21/07/2006 18:20:36.86
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt
ComboFix.2006-07-20.142840.txt
ComboFix.2006-07-21.181948.txt
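A way to read a Find3M report like the one above, as an added example written for this page (it is not part of ComboFix): it groups entries into time clusters and lists system32 files that arrived in a small cluster with no Program Files companion, which is how a lone drop such as the 2006-07-10 entry separates from the DivX and AVG install bursts. The five-minute window and the cluster-size threshold are this example's own heuristics, and the output is a candidate list for an analyst, not a verdict. The sample is an excerpt of the log posted above.

```python
"""Timeline-cluster the Find3M section of a ComboFix log.

Added example for this thread, not part of ComboFix. It turns the flat
timestamp / size / attributes / path listing into time clusters, then lists
files dropped into system32 that arrived with few companions and no
Program Files entry in the same window. Window and threshold are this
example's own heuristics; the result is a list to review, not a verdict.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# One Find3M line: timestamp, optional size (directories have none),
# five attribute flags in parentheses, quoted path.
ENTRY_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?:(\d+)\s+)?'
    r'\(\s*([A-Za-z.]{5})\s*\)\s+"(.+)"$'
)


class Entry(NamedTuple):
    when: datetime
    size: Optional[int]
    attrs: str          # e.g. "A...." (archive) or ".D..." (directory)
    path: str


def parse_find3m(text: str) -> List[Entry]:
    """Keep only well-formed entry lines; banners and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            ts, size, attrs, path = m.groups()
            entries.append(Entry(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                 int(size) if size else None, attrs, path))
    return entries


def cluster_by_time(entries: List[Entry],
                    window: timedelta = timedelta(minutes=5)) -> List[List[Entry]]:
    """Group chronologically; a gap larger than `window` starts a new cluster."""
    clusters: List[List[Entry]] = []
    for e in sorted(entries, key=lambda x: x.when):
        if clusters and e.when - clusters[-1][-1].when <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def lone_system32_drops(entries: List[Entry], max_cluster: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> List[str]:
    """system32 files from small clusters with no Program Files entry beside
    them: installers leave a footprint there, droppers usually do not."""
    hits = []
    for cluster in cluster_by_time(entries, window):
        if len(cluster) > max_cluster:
            continue
        if any("\\program files\\" in e.path.lower() for e in cluster):
            continue
        hits.extend(e.path for e in cluster
                    if "D" not in e.attrs and "\\system32\\" in e.path.lower())
    return hits


# Excerpt of the Find3M report posted in this thread (real lines, trimmed).
SAMPLE_LOG = r'''
(((((((((((((((( Find3M Report ))))))))))))))))
2006-07-12 19:27:48 ( .D... ) "C:\Documents and Settings\niall mclaughlin\Application Data\AVG7"
2006-07-12 19:27:34 499712 ( A.... ) "C:\WINDOWS\system32\msvcp71.dll"
2006-07-12 19:27:34 348160 ( A.... ) "C:\WINDOWS\system32\msvcr71.dll"
2006-07-12 19:27:12 ( .D... ) "C:\Program Files\Grisoft"
2006-07-10 19:29:20 14848 ( A.... ) "C:\WINDOWS\system32\protector.exe.ren.ren"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-01 23:11:08 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-06-01 23:11:08 108544 ( ..... ) "C:\WINDOWS\system32\pxcpyi64.exe"
2006-06-01 23:10:26 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-06-01 23:07:38 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-06-01 23:06:58 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
'''

if __name__ == "__main__":
    for path in lone_system32_drops(parse_find3m(SAMPLE_LOG)):
        print("review:", path)
```

On the excerpt it returns WgaLogon.dll and protector.exe.ren.ren. The first is a false positive (Microsoft's Windows Genuine Advantage notification component, installed on its own on 2006-06-19), which is the point of the exercise: the heuristic narrows a 200-line report to a handful of files for the analyst to check by publisher signature and hash; it does not replace that check.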
CalamityJane, posted July 21, 2006

Very good!

Ok, I think the hidden file may now be visible to you. Go here:

http://www.thespykiller.co.uk/forum/index.php?topic=2094.0

Upload (attach) this file:

C:\WINDOWS\system32\protector.exe.ren.ren
niallmcl, posted July 21, 2006

Here is the WinPFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP
Current Build: Service Pack 2
Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 11/02/2006 03:48:40 41984 C:\WINDOWS\killproc.exe
UPX! 18/09/1997 06:12:48 7680 C:\WINDOWS\sporder.exe

Checking %System% folder...
PEC2 18/08/2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 01/06/2006 23:06:58 619156 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 01/06/2006 23:06:58 619156 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 19/06/2006 16:19:42 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 06/07/2006 18:21:48 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04/08/2004 08:56:36 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 10/07/2006 19:29:20 14848 C:\WINDOWS\SYSTEM32\protector.exe.ren.ren
Umonitor 04/08/2004 08:56:44 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 25/11/2005 17:48:28 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 18/08/2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 19/06/2006 16:19:26 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 12/07/2006 19:27:26 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 12/07/2006 19:27:26 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 12/07/2006 19:27:26 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 12/07/2006 19:27:26 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 04/08/2004 06:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
21/07/2006 18:16:46 S 2048 C:\WINDOWS\bootstat.dat
16/06/2006 00:14:16 H 54156 C:\WINDOWS\QTFont.qfn
22/06/2006 12:18:30 S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
29/05/2006 17:16:00 S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
01/06/2006 21:28:56 S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
19/06/2006 16:20:58 S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
21/07/2006 18:18:20 H 1024 C:\WINDOWS\system32\config\default.LOG
21/07/2006 18:16:58 H 1024 C:\WINDOWS\system32\config\SAM.LOG
21/07/2006 18:26:58 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
21/07/2006 18:36:50 H 1024 C:\WINDOWS\system32\config\software.LOG
21/07/2006 18:20:52 H 1024 C:\WINDOWS\system32\config\system.LOG
18/07/2006 19:34:50 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
07/07/2006 12:31:56 H 0 C:\WINDOWS\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf
24/05/2006 23:43:10 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\f7adf9fd-660a-4cd8-9c8c-be84feb8702e
24/05/2006 23:43:10 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
21/07/2006 18:16:52 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04/08/2004 08:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 08:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04/08/2004 08:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 08:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 08:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04/08/2004 08:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04/08/2004 08:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 08:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 14:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04/08/2004 08:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 08:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04/08/2004 08:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 04/08/2004 08:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 17/05/2002 17:04:56 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 04/08/2004 08:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04/08/2004 08:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 08:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 08:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/11/2005 14:02:54 1775 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\broadband medic.lnk
02/11/2001 02:28:18 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
02/11/2004 18:34:14 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
01/11/2004 15:00:46 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
02/11/2001 02:15:18 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
05/06/2006 11:24:34 1356 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
02/11/2001 02:28:18 HS 84 C:\Documents and Settings\niall mclaughlin\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
02/11/2001 02:15:18 HS 62 C:\Documents and Settings\niall mclaughlin\Application Data\desktop.ini
05/11/2004 13:16:44 27976 C:\Documents and Settings\niall mclaughlin\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
S3hotkey S3hotkey.exe
WorksFUD C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
REGSHAVE C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
Motive SmartBridge C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
!ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
MailScan Dispatcher "C:\Program Files\eScan\LAUNCH.EXE"
eScan Updater C:\PROGRA~1\eScan\TRAYICOS.EXE /App
eScan Monitor C:\PROGRA~1\eScan\AVPMWrap.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
UnHackMe Monitor C:\Program Files\UnHackMe\hackmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
SynchronousMachineGroupPolicy 0
SynchronousUserGroupPolicy 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
WPDShServiceObj {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon = WgaLogon.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 21/07/2006 18:37:12
LS CalamityJane 13 Posted July 21, 2006
Super, while I review that, make sure you saw my last post:
Ok, I think the hidden file may now be visible to you. Go here: http://www.thespykiller.co.uk/forum/index.php?topic=2094.0
Upload (attach) this file: C:\WINDOWS\system32\protector.exe.ren.ren
niallmcl 0 Posted July 21, 2006
I posted that file for you.
LS CalamityJane 13 Posted July 21, 2006
Thanks, Niall
That's a backdoor trojan. Please delete the file.
C:\WINDOWS\system32\protector.exe.ren.ren (delete this file)
I'm waiting on a sandbox analysis to see what all it does, but here are the scanning results so far:

Complete scanning result of "protector.exe.ren.ren", received in VirusTotal at 07.21.2006, 20:24:47 (CET).

Antivirus            Version        Update      Result
AntiVir              6.35.0.24      07.21.2006  HEUR/Backdoor.Generic
Authentium           4.93.8         07.20.2006  Possibly a new variant of W32/Threat-HLLSI-based!Maximus
Avast                4.7.844.0      07.21.2006  no virus found
AVG                  386            07.21.2006  Generic.YIR
BitDefender          7.2            07.21.2006  Generic.Malware.Mdld.DCC72C67
CAT-QuickHeal        8.00           07.20.2006  no virus found
ClamAV               devel-20060426 07.20.2006  no virus found
DrWeb                4.33           07.21.2006  BackDoor.Prauck
eTrust-InoculateIT   23.72.74       07.20.2006  no virus found
eTrust-Vet           12.6.2305      07.21.2006  Win32/Pokier!generic
Ewido                4.0            07.21.2006  no virus found
Fortinet             2.77.0.0       07.21.2006  PossibleThreat!06940
F-Prot               3.16f          07.21.2006  Possibly a new variant of W32/Threat-HLLSI-based!Maximus
F-Prot4              4.2.1.29       07.21.2006  W32/Threat-HLLSI-based!Maximus
Ikarus               0.2.65.0       07.21.2006  no virus found
Kaspersky            4.0.2.24       07.21.2006  no virus found
McAfee               4812           07.21.2006  no virus found
Microsoft            1.1508         07.21.2006  no virus found
NOD32v2              1.1672         07.21.2006  no virus found
Norman               5.90.23        07.21.2006  no virus found
Panda                9.0.0.4        07.21.2006  Suspicious file
Sophos               4.07.0         07.21.2006  no virus found
Symantec             8.0            07.21.2006  no virus found
TheHacker            5.9.8.179      07.21.2006  no virus found
UNA                  1.83           07.21.2006  no virus found
VBA32                3.11.0         07.21.2006  no virus found
VirusBuster          4.3.7:9        07.21.2006  no virus found

Aditional Information
File size: 14848 bytes
MD5: 3e388368d1b4ed9fe2288640bf588ad7
SHA1: 9fa9963f33c6965201a9053b0e64b24e095cc554
packers: UPX
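Before a suspect file is deleted (or when a copy turns up again later), it is worth confirming that it really is the sample the scanners looked at. The Python script below is an added example, not the forum's or VirusTotal's own code: it takes the size, MD5, SHA1 and packer from the report above and compares a file against them, treating both hashes plus size as the only strong match and "same size and UPX-packed but different hash" as a weak hint to submit the file for analysis rather than a verdict. The file path in the usage line and that weak-hint heuristic are assumptions for the example; the sample bytes in the usage are constructed.

```python
"""Verify a suspect file against the indicators in the VirusTotal report above.

Added example; not the forum's or VirusTotal's own code. The size, MD5, SHA1 and
packer values are copied from the report. The file path in the usage line and the
"possible variant" heuristic are assumptions for the example.
"""
import hashlib
from typing import Dict

# Indicators from the report: file size 14848 bytes, MD5, SHA1, packer UPX.
REPORTED: Dict[str, object] = {
    "size": 14848,
    "md5": "3e388368d1b4ed9fe2288640bf588ad7",
    "sha1": "9fa9963f33c6965201a9053b0e64b24e095cc554",
    "packer": "UPX",
}


def fingerprint(data: bytes) -> Dict[str, object]:
    """Size, MD5, SHA1 and a crude packer indicator for a byte blob."""
    # UPX-packed PE files keep the "UPX0"/"UPX1" section names and a "UPX!" marker,
    # so their presence is a cheap (if easily defeated) hint that the file is UPX-packed.
    packed = b"UPX0" in data or b"UPX!" in data
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "packer": "UPX" if packed else None,
    }


def compare(data: bytes, reported: Dict[str, object] = REPORTED) -> Dict[str, bool]:
    """Per-indicator match table: True where the file agrees with the report."""
    fp = fingerprint(data)
    return {k: fp[k] == v for k, v in reported.items()}


def classify(data: bytes) -> str:
    """Both hashes and the size must all match to call it the reported sample.
    Size plus packer alone is a weak signal, kept only as a hint to submit the file."""
    c = compare(data)
    if c["md5"] and c["sha1"] and c["size"]:
        return "reported sample"
    if c["size"] and c["packer"]:
        return "possible variant: same size and UPX-packed, hash differs"
    return "no match"


def classify_file(path: str) -> str:
    """Read a file from disk and classify its contents."""
    with open(path, "rb") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    # Assumed path for illustration; a quarantined copy would normally live elsewhere.
    print(classify_file(r"C:\WINDOWS\system32\protector.exe.ren.ren"))
```

Hashes identify one exact build; a repacked or slightly modified copy of the same backdoor will fail the MD5/SHA1 check, which is why the script reports the weaker size-and-packer agreement separately instead of silently answering "no match".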
niallmcl 0 Posted July 21, 2006
Hey Jane, I deleted that file... Does this mean I am clean? I am sure you need to know what the trojan does first. Do you think I should still reinstall Windows?
Thanks again
Niall
LS CalamityJane 13 Posted July 21, 2006
> Hey Jane, I deleted that file... Does this mean I am clean? I am sure you need to know what the trojan does first. Do you think I should still reinstall Windows?
> Thanks again
> Niall

I wish I could guarantee you are clean, but I can't. That's the problem with backdoor trojans and especially if they are hidden by a rootkit. Stealth technology - who knows what's been done to your computer that we can't see. If it were mine, I would be wiping the hard drive and reinstalling Windows, yes. And I have much concern about any files you have saved on there that might be infected to bring this on yourself again - as that is how this second episode started. Do you have the original install CDs and someone with the expertise to help you with that?
Otherwise, I don't see any problems left at this point, but I wouldn't trust the computer with any sensitive data.
niallmcl 0 Posted July 21, 2006
Thanks so much for all your help!! I am going to reinstall Windows this weekend.