Tech Support Forum banner

Winvestigator, Nirsoft & XPCSpypro found

2135 Views 0 Replies 1 Participant Last post by  Amanda_hacked
First time posting to any computer security forum, so I apologize in advance if this is confusing. I read the "Please Read" file and followed it to the letter, so hopefully I can convey the situation. I am not a techie by any means, but regretfully, I have had to learn more about computer security than I ever wanted to know. I have only a small amount of scattered information which has become completely confusing, so hopefully somebody can help . . .

I first discovered security problems with my PC about a year ago (upon filing for divorce) and used a computer forensic company who helped me determine that my system was hacked through the wireless configuration. My ******* ex-husband was a bit too obvious or figured I would never notice, though even with a $350/hr security expert, there was no legal proof of who had accessed the laptop.

So, I chucked the laptop, got a desktop, and started over about 6 months. I am very, very careful about the websites I go to, opening emails, phishing sites, online purchases, and all other obvious sources of problems. Additionally, I live alone, so no one other than my 2 year old son has any legitimate access to the computer, as it was brand new in May. I'm running XP Sp2, and to my knowledge, all patches, etc., are current. Until recently, I have had nagging suspicions that things were not kosher on my computer, but I had no idea why or what was going on, and I can't afford to use the forensic people anymore. I began running Rootkit Revealer and saving the logs since I couldn't interpret them on my own, but figured it would be a good idea to save the information.

About a month ago, the Spyware program I was using, SpySweeper, detected a keylogger, Winvestigator, on my system. I spent about 200 hours researching the stupid program, trying to figure out where it was and what it did. I eventually did find it, and did everything I could to remove it, but I know I haven't gotten all of it out. I found the log it was keeping though, and it really freaked me out. Scary stuff. Especially since it seems as though it could only be installed at my PC, which indicates some real security and legal problems.

After doing everything I could to remove Winvestigator, I installed AdAware and Lavasoft Personal Firewall, and tried researching the network activity on my computer, but UDP and TCIP and IGMP confuse the hell out of me, so I gave up. I have saved all of the logs from that as well.

While trying to solve the Winvestigator issue, I realized that many of the processes running on my PC were very suspect. By reading other HijackThis postings, I realized that many instances of "suspicious", but common dll's and exe's where running on my system. I determined that many were legit, but there were instances of svchost.exe, services.exe and rundll32, among others, that were running from very strange places (at least I think strange) such as Temp folders, prefetch folders and the D:/ drive.

I identified several very strange instances of RunDll32 running from a prefetch folder, and the info. I gathered from other posters in this forum was that it was a new Keylogger, apparently installed on January 16th, named XPCSpypro.

Obviously, I need to get rid of this crap and learn what I can do to eliminate these possibilities in the future. As an FYI - my ex-husband's closest friend has a PhD in EE from Stanford, and he is very active with Defcon and hacking stuff, so in my opinion, even the most obscure or unusual explanation is possible. Basically, this isn't some kiddie hack or Browser Hijacker. The police have found phone taps, my identity was stolen and savagely abused, and the computer crap is just the most recent episode in a fairly lengthy list of very, very scary stalking behavior. Along those lines, I truly appreciate any help. My legal bills are quickly approaching 6 figures, and I would really like to be able to stop spending all that money and once again be able to send an email without having it recorded and sent to a *******.


1. Ad-Aware continues to find "Critical Objects" that appear to be tracking cookies. I try to delete them, but they keep coming back . . .
2. SpyBoot Search and Destroy finds nothing
3. CW Shredder finds nothing.
All of these programs were repeated in Safe mode, with the same results.

1. Trend Micro online found 7 threats, including Winvestigator and Nirsoft. Also detected a "Hacking Tool_EtherDetect Packet Sniffer" which sounds ominous to me.
2. eTrends found nothing
3. Repeated Trend Micro, and Nirsoft is still present.

None of the programs listed were on my system

No rogue or suspected programs found.

I think I already have SP2, and all of the updates should be current. I didn't want to run any other updates, since I don't really know what I am doing, and there was a note that SP2 should only be put on a clean system, which I don't know if I have.

The event logs in Windows are disabled, and when I try to activate them, it says the settings are controlled by Group Policy. I am the only group on the computer, so that doesn't make sense to me. The Security Log is most problematic, as it indicates when I log on to Windows that the Log is full and can only be cleared by an administraor.

Also, any remote access, file sharing, remote procedures, etc., are supposed to be disabled. Yet, these programs (as far as I can tell) are actively running when I view the few logs that I can access.

Lastly, Rootkit Revealer detects all sorts of crap on my system. As I said above, I just run it and save the logs, but at one point, there were 116 discrepancies found. Right now, there are only 3, but one appears very strange and I could find no info. It is listed as HKLM\Security\Policy\Secrets\SANSC*

HijackThis log - I followed the instructions and installed in to C:\HJT. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:00:03 AM, on 1/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Downloaded Program Files\SpSubRx.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [msci] D:\Temp\200693125019_mcinfo.exe /insfin
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SetIcon] "\Program Files\WDC\SetIcon.exe"
O4 - HKLM\..\Run: [Personal Firewall] "C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe" /waitservice
O4 - HKLM\..\Run: [PCTools FW] "C:\Program Files\PC Tools Firewall Plus\PCTFW.exe" /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone:
O15 - Trusted Zone: *
O15 - Trusted Zone: *
O15 - Trusted Zone: *
O15 - Trusted Zone:
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -,0,0,101/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} -
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} -
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BOMXISM - Sysinternals - - D:\Temp\BOMXISM.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EGGXV - Sysinternals - - D:\Temp\EGGXV.exe
O23 - Service: IHNFPCZU - Sysinternals - - D:\Temp\IHNFPCZU.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IUBG - Sysinternals - - D:\Temp\IUBG.exe
O23 - Service: KXAKOUTQUDQC - Sysinternals - - D:\Temp\KXAKOUTQUDQC.exe
O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
O23 - Service: MKFK - Sysinternals - - D:\Temp\MKFK.exe
O23 - Service: MPXHHSQADJ - Sysinternals - - D:\Temp\MPXHHSQADJ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Port Reporter (PortReporter) - Unknown owner - C:\Program Files\PortReporter\portreporter.exe (file missing)
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Any help is greatly appreciated. Sorry this post is so ridiculously long. My gender is prone to efflusive detail, and this has been a long standing problem, so there was a decent amount of history to relay.

Thanks so much in advance!!
See less See more
Not open for further replies.
1 - 1 of 1 Posts
1 - 1 of 1 Posts
Not open for further replies.