Resolved HJT Threads - Resolved spyware and popup issues.

#1
Registered User
Join Date: Jan 2008
Posts: 14
OS: Win Xp Mediacenter
Unwanted "antispyware", superslow computer and "bluescreens"
First of all my computer is superslow (as expected when virus infected), and there is also a program that pops up very often, called "Winspywareprotect", that I certainly didn't install "on purpose".

I also get these kinds of bluescreens, where everything disappears from the start menu and the desktop, but I can still use the programs that were running. Btw, I did only receive the main.txt from dss.exe. Oh, and when browsing I sometimes get a page where it says something like "Your computer is infected, do you want to fix this bla bla.." where I'm supposed to press yes or no. Disturbing!

Deckard's System Scanner v20071014.68
Run by Vi on 2008-07-15 20:05:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Vi.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:06, on 2008-07-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Vi\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Vi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {0A2DC52D-4268-4AE9-8AC6-012777AA0ADF} - C:\WINDOWS\system32\hgGaaWol.dll
O2 - BHO: (no name) - {73984FE0-9702-4C55-9C7B-9BA3C5861F25} - C:\WINDOWS\system32\iiffGVPJ.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {22da69da-b684-0278-9c24-3d7ba6280dff} - {ffd0826a-b7d3-42c9-8720-486bad96ad22} - C:\WINDOWS\system32\dvzlpa.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: sqvgnrpx - {9437C997-89E6-4B84-A745-BEFD3A910FF5} - C:\WINDOWS\sqvgnrpx.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [egui] "" /hide /waitservice
O4 - HKLM\..\Run: [30b635d5] rundll32.exe "C:\WINDOWS\system32\qqntjnxf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" /autorun
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O15 - Trusted Zone: http://www.swebits.org
O15 - Trusted Zone: *.swebits.org
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179081701640
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200933424734
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.postfoto.se/aurigma/ImageUploader4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: iiffGVPJ - C:\WINDOWS\SYSTEM32\iiffGVPJ.dll
O21 - SSODL: SunRun - {d7baeb05-b1a7-431c-a6d8-81de951af168} - C:\WINDOWS\Resources\SunRun.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EHttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor-tjänst (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10505 bytes

-- Files created between 2008-06-15 and 2008-07-15 -----------------------------

2008-07-15 20:03:59 93184 --a------ C:\WINDOWS\system32\qqntjnxf.dll
2008-07-15 20:01:24 116864 --a------ C:\WINDOWS\system32\dvzlpa.dll
2008-07-15 20:01:23 116864 --a------ C:\WINDOWS\system32\tmiafekg.dll
2008-07-15 16:39:33 0 d-------- C:\Program Files\Panda Security
2008-07-15 16:24:50 116864 --a------ C:\WINDOWS\system32\wiufgv.dll
2008-07-15 16:24:50 116864 --a------ C:\WINDOWS\system32\bimfhjft.dll
2008-07-15 16:24:48 93184 -----n--- C:\WINDOWS\system32\ghddywsa.dll
2008-07-15 13:41:00 116864 --a------ C:\WINDOWS\system32\zxcapu.dll
2008-07-15 13:40:59 116864 --a------ C:\WINDOWS\system32\dktplmmw.dll
2008-07-15 13:40:41 116864 --a------ C:\WINDOWS\system32\xffjssdm.dll
2008-07-15 13:40:41 116864 --a------ C:\WINDOWS\system32\sepuem.dll
2008-07-14 12:21:53 92672 -----n--- C:\WINDOWS\system32\umyocjfy.dll
2008-07-14 12:21:35 92672 --a------ C:\WINDOWS\system32\shypwvnt.dll
2008-07-14 12:19:16 116352 --a------ C:\WINDOWS\system32\topbywsn.dll
2008-07-14 12:19:16 116352 --a------ C:\WINDOWS\system32\aklheb.dll
2008-07-12 14:40:12 92672 -----n--- C:\WINDOWS\system32\erasotrh.dll
2008-07-12 14:40:08 116864 --a------ C:\WINDOWS\system32\qilrnn.dll
2008-07-12 14:40:07 116864 --a------ C:\WINDOWS\system32\dyhxdhet.dll
2008-07-11 18:07:10 92672 -----n--- C:\WINDOWS\system32\tagtqmsb.dll
2008-07-11 18:04:23 116864 --a------ C:\WINDOWS\system32\nenpfl.dll
2008-07-11 18:04:22 116864 --a------ C:\WINDOWS\system32\sklfnynw.dll
2008-07-11 17:43:47 140177 --ahs---- C:\WINDOWS\system32\loWaaGgh.ini2
2008-07-11 17:34:44 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-07-11 17:08:21 68096 --a------ C:\WINDOWS\zip.exe
2008-07-11 17:08:21 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-11 17:08:21 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-11 17:08:21 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-11 17:08:21 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-11 17:08:21 98816 --a------ C:\WINDOWS\sed.exe
2008-07-11 17:08:21 80412 --a------ C:\WINDOWS\grep.exe
2008-07-11 17:08:21 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-10 19:41:08 0 d-------- C:\Program Files\Spyware Doctor
2008-07-10 19:41:08 0 d-------- C:\Documents and Settings\Vi\Application Data\PC Tools
2008-07-10 19:33:10 116352 --a------ C:\WINDOWS\system32\xkwzxm.dll
2008-07-10 19:33:10 116352 --a------ C:\WINDOWS\system32\agxdpkex.dll
2008-07-08 19:24:14 0 d-------- C:\Program Files\Kaspersky Lab
2008-07-08 19:22:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-08 17:38:14 29568 --a------ C:\WINDOWS\system32\rqRKBQkh.dll
2008-07-08 17:38:14 29568 --a------ C:\WINDOWS\system32\ljJCrQhH.dll
2008-07-08 17:37:51 318208 -----n--- C:\WINDOWS\system32\hgGaaWol.dll
2008-07-08 17:32:47 29568 --a------ C:\WINDOWS\system32\iiffGVPJ.dll
2008-07-08 17:32:47 29568 --a------ C:\WINDOWS\system32\efcAQIax.dll
2008-07-08 17:31:50 0 d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd

-- Find3M Report ---------------------------------------------------------------

2008-07-15 16:31:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-15 16:19:54 0 d-------- C:\Documents and Settings\Vi\Application Data\uTorrent
2008-07-14 11:46:20 0 d-------- C:\Documents and Settings\Vi\Application Data\SiteAdvisor
2008-07-08 23:09:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 19:12:40 0 d-------- C:\Program Files\Avanquest update
2008-06-26 14:49:21 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-23 18:47:55 0 d-------- C:\Program Files\DC++
2008-06-19 09:31:31 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-19 09:31:30 0 d-------- C:\Program Files\Winamp
2008-06-19 09:31:30 0 d-------- C:\Program Files\Winamp Remote
2008-06-19 09:31:27 0 d-------- C:\Program Files\QuickTime Alternative
2008-06-19 09:31:26 0 d-------- C:\Program Files\MOBILedit!
2008-06-19 09:31:25 0 d-------- C:\Program Files\Messenger
2008-06-19 09:31:25 0 d-------- C:\Program Files\DivX
2008-06-03 12:36:55 48 --a------ C:\Documents and Settings\Vi\Application Data\ItDb.enc
2008-05-22 22:51:06 0 d-------- C:\Program Files\Fma
2008-05-22 22:31:55 0 d-------- C:\Documents and Settings\Vi\Application Data\MyPhoneExplorer
2008-05-22 22 49 0 d-------- C:\Program Files\Sony Ericsson
2008-05-22 21:48:45 0 d-------- C:\Program Files\MyPhoneExplorer
2008-05-22 21:48:42 0 d-------- C:\Documents and Settings\Vi\Application Data\AD ON Multimedia
2008-05-22 17:45:02 0 d-------- C:\Program Files\SiteAdvisor
2008-05-22 04:36:58 0 d-------- C:\Documents and Settings\Vi\Application Data\FMA
2008-05-22 02:59:12 0 d-------- C:\Program Files\ffdshow
2008-05-20 17:13:22 0 d-------- C:\Program Files\Microsoft Silverlight

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A2DC52D-4268-4AE9-8AC6-012777AA0ADF}]
2008-07-08 17:37 318208 --------- C:\WINDOWS\system32\hgGaaWol.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73984FE0-9702-4C55-9C7B-9BA3C5861F25}]
2008-07-08 17:32 29568 --a------ C:\WINDOWS\system32\iiffGVPJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffd0826a-b7d3-42c9-8720-486bad96ad22}]
2008-07-15 20:01 116864 --a------ C:\WINDOWS\system32\dvzlpa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2008-01-18 00:58]
"SigmatelSysTrayApp"="stsystra.exe" []
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-21 20:09]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-21 20:09]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 21:02]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-12-04 23:03]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"egui"=" /hide /waitservice" []
"30b635d5"="C:\WINDOWS\system32\qqntjnxf.dll" [2008-07-15 20:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-21 20:10]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:35]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 16:19]
"WinSpywareProtect"="C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" [2008-07-08 17:32]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{73984FE0-9702-4C55-9C7B-9BA3C5861F25}"= C:\WINDOWS\system32\iiffGVPJ.dll [2008-07-08 17:32 29568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SunRun"= {d7baeb05-b1a7-431c-a6d8-81de951af168} - C:\WINDOWS\Resources\SunRun.dll [2008-07-10 16:22 21030]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffGVPJ]
iiffGVPJ.dll 2008-07-08 17:32 29568 C:\WINDOWS\system32\iiffGVPJ.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGaaWol

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

*Newly Created Service* - PAVBOOT

-- End of Deckard's System Scanner: finished at 2008-07-15 20 54 ------------
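An added example, not from the thread and not part of HijackThis or DSS, of the triage a helper does by eye on a log like the one above: it reads HijackThis entry lines and returns, for each one, the reasons it deserves a closer look. The sample lines are copied from the HijackThis section of the log posted above; the short allow-list of recognised DLLs, the rogue-product marker list and the rules themselves are the example's own assumptions, and a hit means "look at this", not "this is malicious".

```python
"""Rule-based triage of HijackThis (HJT) log entries.

Added example for this thread; not part of HijackThis, DSS or the posted logs.
A hit means "look at this entry", not "this entry is malicious".
"""
import re
from typing import Dict, List

# Assumed, deliberately short allow-list: DLLs a helper recognises at a glance.
# Any other .dll loaded from below C:\WINDOWS by the entry types in DLL_LOADING
# is reported, because legitimate BHOs and toolbars rarely live there.
KNOWN_DLLS = {"ssv.dll", "swg.dll", "siteadv.dll", "googletoolbar1.dll",
              "windowslivelogin.dll"}
# Rogue "security" products; WinSpywareProtect is the one named in the first post.
ROGUE_MARKERS = ("winspywareprotect",)
# O2 BHOs, O3 toolbars, O4 autoruns, O20 Winlogon Notify, O21 SSODL: all of
# them load a DLL into Internet Explorer, Explorer or winlogon.
DLL_LOADING = {"O2", "O3", "O4", "O20", "O21"}

ENTRY_RE = re.compile(r"^(?P<type>O\d{1,2}|R\d)\s+-\s+(?P<body>.+)$")
WINDIR_DLL_RE = re.compile(r'C:\\WINDOWS\\(?:[^\\"]+\\)*(?P<name>[^\\"\s]+\.dll)',
                           re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

# Sample input: entry lines copied from the HijackThis section of the first
# log above (benign ones included for contrast).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0A2DC52D-4268-4AE9-8AC6-012777AA0ADF} - C:\WINDOWS\system32\hgGaaWol.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {22da69da-b684-0278-9c24-3d7ba6280dff} - {ffd0826a-b7d3-42c9-8720-486bad96ad22} - C:\WINDOWS\system32\dvzlpa.dll
O3 - Toolbar: sqvgnrpx - {9437C997-89E6-4B84-A745-BEFD3A910FF5} - C:\WINDOWS\sqvgnrpx.dll (file missing)
O4 - HKLM\..\Run: [egui] "" /hide /waitservice
O4 - HKLM\..\Run: [30b635d5] rundll32.exe "C:\WINDOWS\system32\qqntjnxf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" /autorun
O20 - Winlogon Notify: iiffGVPJ - C:\WINDOWS\SYSTEM32\iiffGVPJ.dll
O21 - SSODL: SunRun - {d7baeb05-b1a7-431c-a6d8-81de951af168} - C:\WINDOWS\Resources\SunRun.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""


def triage_line(line: str) -> List[str]:
    """Reasons this HJT entry deserves a closer look; [] if no rule fired."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    etype, body = m.group("type"), m.group("body")
    reasons: List[str] = []
    if "(file missing)" in body:
        reasons.append("target file missing (stale entry or self-deleting component)")
    if etype in DLL_LOADING:
        dll = WINDIR_DLL_RE.search(body)
        if dll and dll.group("name").lower() not in KNOWN_DLLS:
            reasons.append(f"unrecognised DLL under C:\\WINDOWS: {dll.group('name')}")
    if etype == "O2":
        # Layout is "BHO: <name> - {CLSID} - <path>"; a GUID in the name slot is
        # how unregistered, machine-generated BHOs show up.
        name = body.split(" - ", 1)[0].split(": ", 1)[-1]
        if GUID_RE.match(name):
            reasons.append("BHO has no display name, only a GUID")
    if etype == "O4":
        lowered = body.lower()
        if "rundll32" in lowered:
            reasons.append("autorun via rundll32 (loads a DLL at logon)")
        if any(marker in lowered for marker in ROGUE_MARKERS):
            reasons.append("known rogue antispyware product")
        if re.search(r'\]\s+""\s', body):
            reasons.append("autorun with an empty command")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged entry line to its reasons; clean lines are left out."""
    return {ln.strip(): why for ln in text.splitlines() if (why := triage_line(ln))}


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run against the sample, the rules single out every system32/Resources DLL from the log (hgGaaWol.dll, dvzlpa.dll, qqntjnxf.dll, iiffGVPJ.dll, SunRun.dll), the toolbar whose file is already gone, the empty "egui" autorun and the rogue product, while leaving ssv.dll, ctfmon.exe and the ESET service alone. The allow-list approach is deliberate: a vowel-count or entropy heuristic on names like "ezeitm" or "dsseed" gives false negatives, whereas "a DLL I cannot name, living in system32, loaded by a BHO or Winlogon hook" is a question a helper always asks.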
#3
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 2,790
OS: XP
Re: Unwanted "antispyware", superslow computer and "bluescreens"
Hi,

Please run Deckard's System Scanner once again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK:

"%userprofile%\desktop\dss.exe" /config

Click on Extra Log and tick all boxes below that.
Click Scan!
When finished, it shall produce two logs for you. Post those logs in your next reply.

==========
Logs Required
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt <---- Attached
#4
Registered User
Join Date: Jan 2008
Posts: 14
OS: Win Xp Mediacenter
Re: Unwanted "antispyware", superslow computer and "bluescreens"
Deckard's System Scanner v20071014.68
Run by Vi on 2008-07-21 19:02:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Vi.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:03, on 2008-07-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Vi\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Vi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: {9a6f4bb8-845f-6b29-c034-feb927c6ccc0} - {0ccc6c72-9bef-430c-92b6-f5488bb4f6a9} - C:\WINDOWS\system32\ezeitm.dll
O2 - BHO: (no name) - {6BEA2868-8DAE-4586-B0D0-EC105594D65A} - C:\WINDOWS\system32\hgGaaWol.dll
O2 - BHO: (no name) - {73984FE0-9702-4C55-9C7B-9BA3C5861F25} - C:\WINDOWS\system32\iiffGVPJ.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: sqvgnrpx - {9437C997-89E6-4B84-A745-BEFD3A910FF5} - C:\WINDOWS\sqvgnrpx.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [egui] "" /hide /waitservice
O4 - HKLM\..\Run: [30b635d5] rundll32.exe "C:\WINDOWS\system32\rwxrmamd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" /autorun
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O15 - Trusted Zone: http://www.swebits.org
O15 - Trusted Zone: *.swebits.org
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179081701640
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200933424734
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.postfoto.se/aurigma/ImageUploader4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: iiffGVPJ - C:\WINDOWS\SYSTEM32\iiffGVPJ.dll
O21 - SSODL: SunRun - {d7baeb05-b1a7-431c-a6d8-81de951af168} - C:\WINDOWS\Resources\SunRun.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EHttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor-tjänst (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10649 bytes

-- Files created between 2008-06-21 and 2008-07-21 -----------------------------

2008-07-21 00:13:34 116352 --a------ C:\WINDOWS\system32\rnegjcnx.dll
2008-07-21 00:13:34 116352 --a------ C:\WINDOWS\system32\ezeitm.dll
2008-07-21 00:11:21 92672 --a------ C:\WINDOWS\system32\rwxrmamd.dll
2008-07-19 08:42:17 116864 --a------ C:\WINDOWS\system32\rymvvauj.dll
2008-07-19 08:42:17 116864 --a------ C:\WINDOWS\system32\hngjuy.dll
2008-07-19 08:42:00 116864 --a------ C:\WINDOWS\system32\dsseed.dll
2008-07-19 08:41:59 116864 --a------ C:\WINDOWS\system32\bebudowf.dll
2008-07-19 08:38:47 116864 --a------ C:\WINDOWS\system32\vhhfib.dll
2008-07-19 08:38:46 116864 --a------ C:\WINDOWS\system32\huhhqemv.dll
2008-07-18 08:36:27 116352 --a------ C:\WINDOWS\system32\hndsig.dll
2008-07-18 08:36:26 116352 --a------ C:\WINDOWS\system32\tqfybkdx.dll
2008-07-15 20:12:51 116864 --a------ C:\WINDOWS\system32\yagdmk.dll
2008-07-15 20:12:51 116864 --a------ C:\WINDOWS\system32\pcsivxhi.dll
2008-07-15 20:01:24 116864 --a------ C:\WINDOWS\system32\dvzlpa.dll
2008-07-15 20:01:23 116864 --a------ C:\WINDOWS\system32\tmiafekg.dll
2008-07-15 16:39:33 0 d-------- C:\Program Files\Panda Security
2008-07-15 16:24:50 116864 --a------ C:\WINDOWS\system32\wiufgv.dll
2008-07-15 16:24:50 116864 --a------ C:\WINDOWS\system32\bimfhjft.dll
2008-07-15 16:24:48 93184 -----n--- C:\WINDOWS\system32\ghddywsa.dll
2008-07-15 13:41:00 116864 --a------ C:\WINDOWS\system32\zxcapu.dll
2008-07-15 13:40:59 116864 --a------ C:\WINDOWS\system32\dktplmmw.dll
2008-07-15 13:40:41 116864 --a------ C:\WINDOWS\system32\xffjssdm.dll
2008-07-15 13:40:41 116864 --a------ C:\WINDOWS\system32\sepuem.dll
2008-07-14 12:21:53 92672 -----n--- C:\WINDOWS\system32\umyocjfy.dll
2008-07-14 12:21:35 92672 --a------ C:\WINDOWS\system32\shypwvnt.dll
2008-07-14 12:19:16 116352 --a------ C:\WINDOWS\system32\topbywsn.dll
2008-07-14 12:19:16 116352 --a------ C:\WINDOWS\system32\aklheb.dll
2008-07-12 14:40:12 92672 -----n--- C:\WINDOWS\system32\erasotrh.dll
2008-07-12 14:40:08 116864 --a------ C:\WINDOWS\system32\qilrnn.dll
2008-07-12 14:40:07 116864 --a------ C:\WINDOWS\system32\dyhxdhet.dll
2008-07-11 18:07:10 92672 -----n--- C:\WINDOWS\system32\tagtqmsb.dll
2008-07-11 18:04:23 116864 --a------ C:\WINDOWS\system32\nenpfl.dll
2008-07-11 18:04:22 116864 --a------ C:\WINDOWS\system32\sklfnynw.dll
2008-07-11 17:43:47 150682 --ahs---- C:\WINDOWS\system32\loWaaGgh.ini2
2008-07-11 17:34:44 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-07-11 17:08:21 68096 --a------ C:\WINDOWS\zip.exe
2008-07-11 17:08:21 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-11 17:08:21 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-11 17:08:21 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-11 17:08:21 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-11 17:08:21 98816 --a------ C:\WINDOWS\sed.exe
2008-07-11 17:08:21 80412 --a------ C:\WINDOWS\grep.exe
2008-07-11 17:08:21 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-10 19:41:08 0 d-------- C:\Program Files\Spyware Doctor
2008-07-10 19:41:08 0 d-------- C:\Documents and Settings\Vi\Application Data\PC Tools
2008-07-10 19:33:10 116352 --a------ C:\WINDOWS\system32\xkwzxm.dll
2008-07-10 19:33:10 116352 --a------ C:\WINDOWS\system32\agxdpkex.dll
2008-07-08 19:24:14 0 d-------- C:\Program Files\Kaspersky Lab
2008-07-08 19:22:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-08 17:38:14 29568 --a------ C:\WINDOWS\system32\rqRKBQkh.dll
2008-07-08 17:38:14 29568 --a------ C:\WINDOWS\system32\ljJCrQhH.dll
2008-07-08 17:37:51 318208 -----n--- C:\WINDOWS\system32\hgGaaWol.dll
2008-07-08 17:32:47 29568 --a------ C:\WINDOWS\system32\iiffGVPJ.dll
2008-07-08 17:32:47 29568 --a------ C:\WINDOWS\system32\efcAQIax.dll
2008-07-08 17:31:50 0 d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd

-- Find3M Report ---------------------------------------------------------------

2008-07-20 03:53:37 0 d-------- C:\Documents and Settings\Vi\Application Data\uTorrent
2008-07-18 08:22:03 0 d-------- C:\Documents and Settings\Vi\Application Data\SiteAdvisor
2008-07-16 16:39:48 0 d-------- C:\Program Files\DC++
2008-07-15 16:31:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-08 23:09:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 19:12:40 0 d-------- C:\Program Files\Avanquest update
2008-06-26 14:49:21 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-19 09:31:31 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-19 09:31:30 0 d-------- C:\Program Files\Winamp
2008-06-19 09:31:30 0 d-------- C:\Program Files\Winamp Remote
2008-06-19 09:31:27 0 d-------- C:\Program Files\QuickTime Alternative
2008-06-19 09:31:26 0 d-------- C:\Program Files\MOBILedit!
2008-06-19 09:31:25 0 d-------- C:\Program Files\Messenger 2008-06-19 09:31:25 0 d-------- C:\Program Files\DivX 2008-06-03 12:36:55 48 --a------ C:\Documents and Settings\Vi\Application Data\ItDb.enc 2008-05-22 22:51:06 0 d-------- C:\Program Files\Fma 2008-05-22 22:31:55 0 d-------- C:\Documents and Settings\Vi\Application Data\MyPhoneExplorer 2008-05-22 22 49 0 d-------- C:\Program Files\Sony Ericsson2008-05-22 21:48:45 0 d-------- C:\Program Files\MyPhoneExplorer 2008-05-22 21:48:42 0 d-------- C:\Documents and Settings\Vi\Application Data\AD ON Multimedia 2008-05-22 17:45:02 0 d-------- C:\Program Files\SiteAdvisor 2008-05-22 04:36:58 0 d-------- C:\Documents and Settings\Vi\Application Data\FMA 2008-05-22 02:59:12 0 d-------- C:\Program Files\ffdshow -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ccc6c72-9bef-430c-92b6-f5488bb4f6a9}] 2008-07-21 00:13 116352 --a------ C:\WINDOWS\system32\ezeitm.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6BEA2868-8DAE-4586-B0D0-EC105594D65A}] 2008-07-08 17:37 318208 --------- C:\WINDOWS\system32\hgGaaWol.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73984FE0-9702-4C55-9C7B-9BA3C5861F25}] 2008-07-08 17:32 29568 --a------ C:\WINDOWS\system32\iiffGVPJ.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2008-01-18 00:58] "SigmatelSysTrayApp"="stsystra.exe" [] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-21 20:09] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-21 20:09] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 21:02] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-12-04 23:03] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25] "egui"=" /hide /waitservice" [] 
"30b635d5"="C:\WINDOWS\system32\rwxrmamd.dll" [2008-07-21 00:11] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-21 20:10] "msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:35] "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 16:19] "WinSpywareProtect"="C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" [2008-07-08 17:32] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "HideStartupScripts"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "HideStartupScripts"=0 (0x0) "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{73984FE0-9702-4C55-9C7B-9BA3C5861F25}"= C:\WINDOWS\system32\iiffGVPJ.dll [2008-07-08 17:32 29568] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "SunRun"= {d7baeb05-b1a7-431c-a6d8-81de951af168} - C:\WINDOWS\Resources\SunRun.dll [2008-07-10 16:22 21030] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffGVPJ] iiffGVPJ.dll 2008-07-08 17:32 29568 C:\WINDOWS\system32\iiffGVPJ.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGaaWol [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice" -- End of Deckard's System Scanner: finished at 2008-07-21 19:04:31 ------------ |
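A log like the one above is read by pattern rather than entry by entry: hooks in load points that legitimate software almost never touches (Winlogon Notify, ShellServiceObjectDelayLoad, ShellExecuteHooks, the LSA Authentication Packages list), services that carry no publisher, and a steady stream of DLLs with meaningless 6- or 8-letter names landing in system32 two at a time. The script below, added here as an example and not part of the thread or of HijackThis, DSS or any other tool it mentions, applies exactly those heuristics to HijackThis and DSS lines. The sample input is copied from the log above; the allowlist of known system32 names and the 6/8-letter stem shape are assumptions drawn from this one infection, not a general signature.

```python
import re

# Constructed sample: lines copied from the DSS/HijackThis log posted above.
# Two load points (O20, O21), three services, and five file-creation records.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: iiffGVPJ - C:\WINDOWS\SYSTEM32\iiffGVPJ.dll
O21 - SSODL: SunRun - {d7baeb05-b1a7-431c-a6d8-81de951af168} - C:\WINDOWS\Resources\SunRun.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Eset HTTP Server (EHttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
2008-07-21 00:13:34 116352 --a------ C:\WINDOWS\system32\rnegjcnx.dll
2008-07-21 00:13:34 116352 --a------ C:\WINDOWS\system32\ezeitm.dll
2008-07-08 17:32:47 29568 --a------ C:\WINDOWS\system32\iiffGVPJ.dll
2008-07-15 16:39:33 0 d-------- C:\Program Files\Panda Security
2008-07-11 17:34:44 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
"""

HJT_ENTRY = re.compile(r"^(O\d+) - (.+)$")
# DSS file record: timestamp, size, attribute flags, path, optional "<publisher>" tail
FILE_ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+?)(?:\s+<.*>)?$"
)
# Every dropped DLL in this thread has a 6- or 8-letter stem with no digits.
RANDOM_STEM = re.compile(r"^(?:[A-Za-z]{6}|[A-Za-z]{8})$")
# system32 binaries from the process list above that happen to fit that shape.
# Assumed allowlist for this example only; a real one is hash-based, not name-based.
KNOWN_STEMS = {"winlogon", "services", "svchost", "spoolsv", "dllhost", "wscntfy", "ctfmon"}
# Load points that carry third-party code on almost no clean XP machine.
HIGH_SIGNAL = {"O20": "Winlogon Notify hook", "O21": "ShellServiceObjectDelayLoad entry"}


def file_name(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def looks_random(path):
    """A 6/8-letter, digit-free DLL or EXE in system32 that is not a known name."""
    if "\\system32\\" not in path.lower():
        return False
    stem, _, ext = file_name(path).rpartition(".")
    return (ext.lower() in {"dll", "exe"}
            and bool(RANDOM_STEM.match(stem))
            and stem.lower() not in KNOWN_STEMS)


def triage(log_text):
    """Return (entry kind, path, reason) for every line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HJT_ENTRY.match(line)
        if m:
            kind, body = m.groups()
            path = body.split(" - ")[-1]          # HijackThis prints the binary last
            reasons = []
            if kind in HIGH_SIGNAL:
                reasons.append(HIGH_SIGNAL[kind])
            elif kind == "O23" and "Unknown owner" in body:
                reasons.append("service binary carries no publisher")
            if looks_random(path):
                reasons.append("random-looking name in system32")
            if reasons:
                findings.append((kind, path, "; ".join(reasons)))
            continue
        m = FILE_ENTRY.match(line)
        if m and not m.group(3).startswith("d") and looks_random(m.group(4)):
            stamp, size = m.group(1), m.group(2)
            findings.append(("file", m.group(4),
                             f"random-looking name in system32, created {stamp}, {size} bytes"))
    return findings


def drops_by_second(log_text):
    """Group flagged files by creation second: this dropper writes them in pairs."""
    groups = {}
    for line in log_text.splitlines():
        m = FILE_ENTRY.match(line.strip())
        if m and not m.group(3).startswith("d") and looks_random(m.group(4)):
            groups.setdefault(m.group(1), []).append(file_name(m.group(4)))
    return groups


if __name__ == "__main__":
    for kind, path, reason in triage(SAMPLE_LOG):
        print(f"{kind:5} {path}  <- {reason}")
    for stamp, names in drops_by_second(SAMPLE_LOG).items():
        if len(names) > 1:
            print(f"{stamp}: {len(names)} files dropped together: {', '.join(names)}")
```

Run against the full log the pairing check is the telling part: on this machine a new pair of DLLs appears every time the user rebooted or ran a scanner, which is the behaviour of a dropper that is still resident, not of leftovers from an old infection.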
#5
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 2,790
OS: XP
Re: Unwanted "antispyware", superslow computer and "bluescreens"
Hello again
Your logs suggest the possibility that your computer was attacked by a backdoor trojan. This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

==========

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean that it is no longer present.

Please Do Not Attach logs to your posts unless you are advised to do so.

========

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

=========

You forgot to post the extra.txt; this can be found at C:\Deckard\System Scanner\extra.txt. If you cannot locate the extra.txt, please do this instead.

Hijackthis Uninstall List
* Start HijackThis
* Click on the Config button
* Click on the Misc Tools button
* Click on the Open Uninstall Manager button.
* You can click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into your next reply.

=============

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

============

Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

===========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

============

Logs Required
Uninstall List or Extra.txt
Report.txt
C:\Combofix.txt
Hijackthis Log
__________________
Member of ASAP since 2007
Member of UNITE since 2008

**Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008; for more information please visit the No DPI website. Phorm, previously known as 121Media, were responsible for the Apropos rootkit; see Here for more information on said rootkit.

If we have helped you in any way, please consider Donating
#6
Registered User
Join Date: Jan 2008
Posts: 14
OS: Win Xp Mediacenter
Re: Unwanted "antispyware", superslow computer and "bluescreens"
Hi, yes, sorry about the extra.txt. The computer freaked out last time.. But here it is.

SDFix: Version 1.207
Run by Vi on 2008-07-22 at 20:32

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\iiffGVPJ.dll - Deleted
C:\Documents and Settings\Vi\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com\settings.sol - Deleted

Folder C:\Documents and Settings\Vi\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 20:47:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:7bdc1628
"s2"=dword:971ee58b
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:4b,b6,19,10,61,6d,f9,81,88,53,eb,4a,29,a2,0e,3c,22,6d,07,b9,0e,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,f0,b5,78,87,a1,fb,d4,22,a8,f8,9c,28,64,9a,14,7e,66,..
"khjeh"=hex:ab,e4,0a,b2,c9,92,14,10,7c,75,35,26,66,85,ae,fa,64,b4,5a,4b,32,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:a6,a3,df,ef,a5,b2,1e,f0,96,6c,64,cf,ca,5a,c7,93,c4,48,c8,72,40,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:4b,b6,19,10,61,6d,f9,81,88,53,eb,4a,29,a2,0e,3c,22,6d,07,b9,0e,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,f0,b5,78,87,a1,fb,d4,22,a8,f8,9c,28,64,9a,14,7e,66,..
"khjeh"=hex:ab,e4,0a,b2,c9,92,14,10,7c,75,35,26,66,85,ae,fa,64,b4,5a,4b,32,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:a6,a3,df,ef,a5,b2,1e,f0,96,6c,64,cf,ca,5a,c7,93,c4,48,c8,72,40,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_Dlls"=""

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\english\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\english\\setup.exe:*:Enabled:Kaspersky Internet Security 2009 Setup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 15 Jul 2008 1,773,480 ..SH. --- "C:\WINDOWS\system32\aswyddhg.tmp"
Wed 14 May 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 13 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\39d992caaf2653d2541623883d4da968\BITD.tmp"
Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e3ae0283cc5a5b1aa1e0729354e5096d\BITE.tmp"

Finished!

------------

ComboFix 08-07-21.2 - Vi 2008-07-22 20:58:58.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.483 [GMT 2:00]
Running from: C:\Documents and Settings\Vi\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\agxdpkex.dll
C:\WINDOWS\system32\aidtkgvu.ini
C:\WINDOWS\system32\aklheb.dll
C:\WINDOWS\system32\ardewupe.ini
C:\WINDOWS\system32\aswyddhg.ini
C:\WINDOWS\system32\aswyddhg.tmp
C:\WINDOWS\system32\bebudowf.dll
C:\WINDOWS\system32\bimfhjft.dll
C:\WINDOWS\system32\bsmqtgat.ini
C:\WINDOWS\system32\dktplmmw.dll
C:\WINDOWS\system32\dmamrxwr.ini
C:\WINDOWS\system32\dojlxl.dll
C:\WINDOWS\system32\dsseed.dll
C:\WINDOWS\system32\dvzlpa.dll
C:\WINDOWS\system32\dyhxdhet.dll
C:\WINDOWS\system32\ecedpicc.ini
C:\WINDOWS\system32\ecedpicc.ini2
C:\WINDOWS\system32\efcAQIax.dll
C:\WINDOWS\system32\erasotrh.dll
C:\WINDOWS\system32\euldbvuv.ini
C:\WINDOWS\system32\ezeitm.dll
C:\WINDOWS\system32\fxnjtnqq.ini
C:\WINDOWS\system32\ghddywsa.dll
C:\WINDOWS\system32\hgGaaWol.dll
C:\WINDOWS\system32\hndsig.dll
C:\WINDOWS\system32\hngjuy.dll
C:\WINDOWS\system32\hrtosare.ini
C:\WINDOWS\system32\huhhqemv.dll
C:\WINDOWS\system32\iczgzw.dll
C:\WINDOWS\system32\ljJCrQhH.dll
C:\WINDOWS\system32\loWaaGgh.ini
C:\WINDOWS\system32\loWaaGgh.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nenpfl.dll
C:\WINDOWS\system32\pcsivxhi.dll
C:\WINDOWS\system32\qilrnn.dll
C:\WINDOWS\system32\qjbkaplb.dll
C:\WINDOWS\system32\rmovcodq.ini
C:\WINDOWS\system32\rnegjcnx.dll
C:\WINDOWS\system32\rqRKBQkh.dll
C:\WINDOWS\system32\rwxrmamd.dll
C:\WINDOWS\system32\rymvvauj.dll
C:\WINDOWS\system32\scoumink.ini
C:\WINDOWS\system32\sepuem.dll
C:\WINDOWS\system32\shypwvnt.dll
C:\WINDOWS\system32\sklfnynw.dll
C:\WINDOWS\system32\tagtqmsb.dll
C:\WINDOWS\system32\tmiafekg.dll
C:\WINDOWS\system32\tnvwpyhs.ini
C:\WINDOWS\system32\topbywsn.dll
C:\WINDOWS\system32\tqfybkdx.dll
C:\WINDOWS\system32\umyocjfy.dll
C:\WINDOWS\system32\uysrpmlq.dll
C:\WINDOWS\system32\vhhfib.dll
C:\WINDOWS\system32\wiufgv.dll
C:\WINDOWS\system32\xffjssdm.dll
C:\WINDOWS\system32\xkwzxm.dll
C:\WINDOWS\system32\yagdmk.dll
C:\WINDOWS\system32\yfjcoymu.ini
C:\WINDOWS\system32\zxcapu.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

2008-07-22 20:24 . 2008-07-22 20:25 <KAT> d-------- C:\WINDOWS\ERUNT
2008-07-22 20:17 . 2008-07-22 20:51 <KAT> d-------- C:\SDFix
2008-07-22 19:19 . 2008-07-22 19:19 94,848 --a------ C:\WINDOWS\system32\ccipdece.dll
2008-07-15 16:39 . 2008-07-15 16:39 <KAT> d-------- C:\Program Files\Panda Security
2008-07-15 16:39 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-10 19:41 . 2008-07-11 17:02 <KAT> d-------- C:\Program Files\Spyware Doctor
2008-07-10 19:41 . 2008-07-10 19:41 <KAT> d-------- C:\Documents and Settings\Vi\Application Data\PC Tools
2008-07-10 19:41 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-10 19:41 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-10 19:41 . 2008-07-10 21:06 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-10 19:41 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-10 16:25 . 2008-07-10 16:25 7,168 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-07-08 19:24 . 2008-07-08 19:24 <KAT> d-------- C:\Program Files\Kaspersky Lab
2008-07-08 19:22 . 2008-07-08 19:22 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-08 17:31 . 2008-07-08 17:31 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 18:17 --------- d-----w C:\Documents and Settings\Vi\Application Data\uTorrent
2008-07-18 06:22 --------- d-----w C:\Documents and Settings\Vi\Application Data\SiteAdvisor
2008-07-16 14:39 --------- d-----w C:\Program Files\DC++
2008-07-15 14:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 15:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-08 22:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-08 21:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 17:12 --------- d-----w C:\Program Files\Avanquest update
2008-06-26 12:49 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-06-19 07:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-19 07:31 --------- d-----w C:\Program Files\Winamp Remote
2008-06-19 07:31 --------- d-----w C:\Program Files\Winamp
2008-06-19 07:31 --------- d-----w C:\Program Files\QuickTime Alternative
2008-06-19 07:31 --------- d-----w C:\Program Files\MOBILedit!
2008-06-19 07:31 --------- d-----w C:\Program Files\DivX
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-22 20:51 --------- d-----w C:\Program Files\Fma
2008-05-22 20:31 --------- d-----w C:\Documents and Settings\Vi\Application Data\MyPhoneExplorer
2008-05-22 20:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-22 20:06 --------- d-----w C:\Program Files\Sony Ericsson
2008-05-22 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-05-22 19:48 --------- d-----w C:\Program Files\MyPhoneExplorer
2008-05-22 19:48 --------- d-----w C:\Documents and Settings\Vi\Application Data\AD ON Multimedia
2008-05-22 15:45 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-22 02:36 --------- d-----w C:\Documents and Settings\Vi\Application Data\FMA
2008-05-22 00:59 --------- d-----w C:\Program Files\ffdshow
.

((((((((((((((((((((((((((((( snapshot@2008-07-11_17.46.13.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-30 08:39:58 128,256 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2008-07-20 12:35:20 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-22 18:25:33 14,589,952 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-22 18:25:33 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-20 12:35:20 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-22 18:25:06 14,589,952 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-22 18:25:06 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-21 20:10 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:35 5724184]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 16:19 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="/waitservice" [X]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2008-01-18 00:58 64512]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-21 20:09 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-21 20:09 696320]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 21:02 786521]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-12-04 23:03 36640]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]
"30b635d5"="C:\WINDOWS\system32\ccipdece.dll" [2008-07-22 19:19 94848]
"SigmatelSysTrayApp"="stsystra.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 20:29 39264]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\english\\setup.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R3 SynMini;ASUS WebCam, 1.3M, USB2.0, FF;C:\WINDOWS\system32\Drivers\SynMini.sys [2006-01-20 16:59]
R3 SynScan;ASUS WebCam Still Image;C:\WINDOWS\system32\Drivers\SynScan.sys [2006-01-02 18:02]
R3 tenCapture;tenCapture;C:\WINDOWS\system32\DRIVERS\tenCapture.sys [2007-04-21 16:15]
S3 st3tgbus;st3tgbus;C:\WINDOWS\system32\DRIVERS\st3tgbus.sys [2003-03-12 19:37]
S3 st3tiger;st3tiger;C:\WINDOWS\system32\DRIVERS\st3tiger.sys [2003-03-12 19:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-22 19 59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.asus.com/
O8 -: E&xportera till Microsoft Excel - C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 -: {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 21:03:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ecedpicc.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
-> C:\WINDOWS\system32\ccipdece.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-07-22 21:10:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-22 19:10:47
ComboFix2.txt 2008-07-11 15:46:55
ComboFix3.txt 2008-02-06 18:33:53

Pre-Run: 10,189,471,744 bytes free
Post-Run: 10,226,556,928 bytes free

216 --- E O F --- 2008-06-26 12:18:36

========

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:20, on 2008-07-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn
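The two Run-key dumps in this thread tell the story that the tools' own verdicts do not. On 2008-07-21 DSS saw the HKLM Run value "30b635d5" pointing at rwxrmamd.dll; after SDFix and ComboFix had both run, ComboFix's dump shows the same value name pointing at ccipdece.dll, created 2008-07-22 19:19 and listed as loaded inside explorer.exe. Each tool deleted the DLL it knew about while the loader that writes a fresh one survived. Comparing the before and after dumps by value name catches that automatically. The script below is an added example, not part of the thread or of DSS, SDFix or ComboFix; the two sample blocks are copied from the logs above, and the eight-hex-digit value-name heuristic is an assumption drawn from this one infection.

```python
import re

# Constructed sample: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as DSS
# printed it on 2008-07-21 (before any cleanup) and as ComboFix printed it on
# 2008-07-22 (after SDFix and ComboFix ran), copied from the logs in this thread.
RUN_BEFORE = r"""
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2008-01-18 00:58]
"SigmatelSysTrayApp"="stsystra.exe" []
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-21 20:09]
"30b635d5"="C:\WINDOWS\system32\rwxrmamd.dll" [2008-07-21 00:11]
"""

RUN_AFTER = r"""
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2008-01-18 00:58 64512]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-21 20:09 802816]
"30b635d5"="C:\WINDOWS\system32\ccipdece.dll" [2008-07-22 19:19 94848]
"SigmatelSysTrayApp"="stsystra.exe" [BU]
"""

# "name"="data" [metadata]: DSS brackets a date, ComboFix a date and size or a flag.
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"\s*(?:\[([^\]]*)\])?')
# Value names of eight hex digits, the shape of the loader entry in this thread.
# Assumed heuristic for this example only.
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)


def parse_run_values(text):
    """Map value name -> (data, bracketed metadata) for one Run-key block."""
    entries = {}
    for line in text.splitlines():
        m = RUN_VALUE.match(line.strip())
        if m:
            name, data, meta = m.groups()
            entries[name] = (data.strip(), meta or "")
    return entries


def binary_name(data):
    """Compare on the file name only, so tool-specific metadata does not count as a change."""
    return data.rsplit("\\", 1)[-1].lower()


def compare_run_keys(before, after):
    """Classify each value as changed (same name, new binary), added or removed."""
    report = {"changed": [], "added": [], "removed": []}
    for name, (data, meta) in after.items():
        if name not in before:
            report["added"].append((name, data))
        elif binary_name(before[name][0]) != binary_name(data):
            report["changed"].append((name, before[name][0], data, meta))
    for name in before:
        if name not in after:
            report["removed"].append(name)
    return report


def respawned_loaders(before, after):
    """Hex-named values whose DLL was replaced between the two dumps.
    A cleanup that leaves one of these behind has removed a payload, not the dropper."""
    return [name for name, _old, new, _meta in compare_run_keys(before, after)["changed"]
            if HEX_NAME.match(name) and new.lower().endswith(".dll")]


if __name__ == "__main__":
    before = parse_run_values(RUN_BEFORE)
    after = parse_run_values(RUN_AFTER)
    for name, old, new, meta in compare_run_keys(before, after)["changed"]:
        print(f'"{name}": {binary_name(old)} -> {binary_name(new)} [{meta}]')
    print("still resident:", respawned_loaders(before, after))
```

The same comparison applied to the file-creation lists says the same thing: ccipdece.dll was written at 19:19 on the 22nd, after the previous day's DLLs had all been quarantined, so whatever writes these files was still executing when the "after" logs were taken.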