Is this the most stealth rootkit ever? [CLOSED]



#1 adiel (New Member, 5 posts)
Ok... I am not a noob; in fact I do consider myself an expert when it comes to viruses and trojans, but recently at my office I have encountered the most stealthy and tough trojan/rootkit of all time.
It's the RECYCLER trojan. I have been searching for any info about this, and although I have found a lot of people reporting it, no antivirus/antispyware detects it. I have used Avira, AVG, McAfee, Kaspersky, Spyware Doctor, Webroot Spy Sweeper, Spybot, SUPERAntiSpyware and none detects it.
The problem is on 5 systems running XP Pro SP2 with NTFS. FAT32 is safe.
Normally I do not need antiviruses or antispywares to remove a trojan; I know every place from where a trojan can start with Windows. But there is NO place in the registry I have found where there is any entry for this trojan. Most of the people who are reporting about this have an autorun.exe or autorun.inf on their root drives from where this trojan is executed, but on my PC there are no such files. I have used IceSword for this in case Windows is unable to show me any file, although I have set Windows to show me even the super-hidden files. But there is no such file on my root drive. When I open the RECYCLER folder there is an icon of the Recycle Bin with the following name

S-1-5-21-606747145-1770027372-839522115-1005
or sometimes there are two icons and the second one is
S-1-5-21-606747145-1770027372-839522115-1004

When I open this recycle bin it directs me towards the normal Windows Recycle Bin, but through IceSword I have accessed the real files inside this and they are

Info.exe
desktop.ini

Although I did manually remove the RECYCLER folder many times, whenever I delete ANY file the folder reappears. I have searched and searched in the registry for any suspicious entry but I didn't find one. And believe me, I have searched EVERY starting point a trojan can use.
So is this the ultimate hiding machine or what?? That I cannot see its registry entries even with a great program like IceSword??
What is making me mad is that I cannot even find how it is starting with Windows in the first place, because there is no entry, no autorun file... then how is it doing this?? I have disconnected my PC from the network, hoping that it somehow copies itself from other computers, but that's not the case; it has some file on my PC that I cannot see and antivirus can't detect. One thing more: when I access any of the infected PCs through the network, although I can access the PC, I cannot access the Windows, Program Files and Documents and Settings folders; everything else, like other drives, is accessible. So I cannot see these folders through the network, and I think if and only if I can do that then maybe I will be able to see the malicious file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:47 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\Avira Premium Security Suite\sched.exe
C:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
C:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
C:\Program Files\Avira\Avira Premium Security Suite\avmailc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\WINDOWS\regedit.exe
E:\Down\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DFDFEBF-F1FA-4101-A702-8D4A29FAFF26}: NameServer = 202.147.165.40,202.147.165.41,202.147.165.40,202.147.165.41
O17 - HKLM\System\CS1\Services\Tcpip\..\{4DFDFEBF-F1FA-4101-A702-8D4A29FAFF26}: NameServer = 202.147.165.40,202.147.165.41,202.147.165.40,202.147.165.41
O17 - HKLM\System\CS2\Services\Tcpip\..\{4DFDFEBF-F1FA-4101-A702-8D4A29FAFF26}: NameServer = 202.147.165.40,202.147.165.41,202.147.165.40,202.147.165.41
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira Premium Security Suite Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avfwsvc.exe
O23 - Service: Avira Premium Security Suite MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avmailc.exe
O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Avira Premium Security Suite WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6195 bytes

Ok, now after scanning with all the good anti-rootkits, Sophos Anti-Rootkit has shown me an interesting hidden registry value which it cannot delete; the entry is

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

When I browsed to this entry there is nothing in the Load section, but that's hidden I guess. I don't know.
So I want to know what this is, why it is able to bypass antiviruses and antispywares, how it is starting with Windows, and so on.

Can anyone help me???
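One way to check a volume for what the poster describes, as an added example that is not the poster's code or any product's: on Windows XP each user's Recycle Bin lives under C:\RECYCLER\<user SID>\ and normally holds only INFO2, desktop.ini and renamed deleted files (Dc1.txt, Dc2.exe and so on). That desktop.ini points at the Recycle Bin shell CLSID, which is why Explorer draws the folder as a bin and opens the real Recycle Bin when clicked; that part of the observation is standard behaviour, and it is also why a file-manager view of the folder is needed. What is not standard is an extra file such as the Info.exe found above, so the scan below lists every file inside a SID-named RECYCLER folder that the bin itself would not have created. The SIDs, file names and the temporary sample volume are constructed for the example.

```python
"""List files inside RECYCLER\\<SID> folders that the XP Recycle Bin did not create.

Added example for this thread; not the poster's code or any vendor's tool.
The sample volume is built in a temporary directory with constructed content.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Shell CLSID of the Recycle Bin; present in the desktop.ini of every
# legitimate per-user RECYCLER subfolder on XP.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
SID_DIR = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.IGNORECASE)
# Deleted files are renamed to D<drive letter><index>.<original extension>.
DELETED_NAME = re.compile(r"^D[A-Za-z]\d+(\.[^.]+)?$")


def is_expected_name(name: str) -> bool:
    """Names the XP Recycle Bin itself creates inside a SID folder."""
    return (name.upper() == "INFO2"
            or name.lower() == "desktop.ini"
            or DELETED_NAME.match(name) is not None)


def redirects_to_recycle_bin(ini_path: Path) -> bool:
    """True if desktop.ini carries the Recycle Bin CLSID (normal for an XP bin)."""
    try:
        return RECYCLE_BIN_CLSID.lower() in ini_path.read_text(errors="ignore").lower()
    except OSError:
        return False


def scan_recycler(root: Path) -> List[Dict]:
    """One finding per RECYCLER\\<SID> folder that holds files the bin would not create."""
    findings: List[Dict] = []
    recycler = root / "RECYCLER"
    if not recycler.is_dir():
        return findings
    for sub in sorted(recycler.iterdir()):
        if not (sub.is_dir() and SID_DIR.match(sub.name)):
            continue
        unexpected = sorted(
            str(p.relative_to(sub)) for p in sub.rglob("*")
            if p.is_file() and not is_expected_name(p.name))
        if unexpected:
            findings.append({
                "folder": sub.name,
                "shown_as_recycle_bin": redirects_to_recycle_bin(sub / "desktop.ini"),
                "unexpected_files": unexpected,
            })
    return findings


def build_sample_volume(base: Path) -> Path:
    """Constructed sample: one clean bin and one like the poster's (SIDs from the thread)."""
    ini = f"[.ShellClassInfo]\r\nCLSID={RECYCLE_BIN_CLSID}\r\n"
    clean = base / "RECYCLER" / "S-1-5-21-606747145-1770027372-839522115-1004"
    clean.mkdir(parents=True)
    (clean / "desktop.ini").write_text(ini)
    (clean / "INFO2").write_bytes(b"\x05\x00\x00\x00")
    (clean / "Dc1.exe").write_bytes(b"MZ")      # a genuinely deleted program, expected
    bad = base / "RECYCLER" / "S-1-5-21-606747145-1770027372-839522115-1005"
    bad.mkdir(parents=True)
    (bad / "desktop.ini").write_text(ini)
    (bad / "Info.exe").write_bytes(b"MZ")       # placeholder bytes, not malware
    return base


def demo() -> List[Dict]:
    """Build the sample volume in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_recycler(build_sample_volume(Path(tmp)))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine, point scan_recycler at the drive root from an account that can read the RECYCLER tree; the folder is hidden and system-flagged, so a file manager that does not honour those attributes, as the poster used, is needed to see it by hand, while this script reads it directly. The script only lists; it deletes nothing, since the poster reports the folder is recreated whenever a file is deleted, so the recreating process is what a helper would look for next.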



#2 adiel (Topic Starter, New Member, 5 posts)
nobody knows about it??

#3 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer. Now by the sounds of it, this is not a rootkit but a worm which is capable of stealing critical information from the affected system. It sends all gathered information to a remote user using its own Simple Mail Transfer Protocol (SMTP) engine, so does not need to use a mail program.

You are strongly advised to do the following immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change all your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then Un-check Word Wrap. (Word Wrap makes reading your log difficult).

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found on your root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:
  • The contents of DSS main.txt
  • The contents of DSS extra.txt
  • Tell me how long this has been happening, and how the computer(s) have been affected.
Also, please do not run any fixes, without telling me about it first.

Regards,
RatHat
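RatHat asks for fresh logs, and the useful thing to do with a second HijackThis log is to compare it with the first rather than read it from scratch. The added example below (not RatHat's tooling and not part of HijackThis) parses the entry lines of two logs, keys the R0/R1 and O17 entries by their setting so a changed browser start page or DNS server list shows up as a modification rather than as a removal plus an addition, and lists what a helper would ask about. The two sample logs are trimmed, constructed excerpts of the logs posted in this thread.

```python
"""Diff two HijackThis logs so changes between scans stand out.

Added example for this thread; not RatHat's tooling or anything from
HijackThis itself. The sample logs are constructed excerpts.
"""
import re
from typing import Dict, List, Tuple

ENTRY = re.compile(r"^[RFO]\d+ - ")          # R0, R1, O2, O4, O17, O23 ...
# Entries whose value is the interesting part: keep the setting as the key so
# a changed start page or DNS server list reports as a change.
VALUED = [
    re.compile(r"^((?:R0|R1) - .+?)\s*=\s*(.*)$"),
    re.compile(r"^(O17 - .+?: NameServer)\s*=\s*(.*)$"),
]

Change = Tuple[str, str, str]            # (entry, old value, new value)


def parse_log(text: str) -> Dict[str, str]:
    """Map each HijackThis entry line to its value ('' for presence-only lines)."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not ENTRY.match(line):
            continue                     # header, process list, footer
        for pattern in VALUED:
            m = pattern.match(line)
            if m:
                entries[m.group(1)] = m.group(2)
                break
        else:
            entries[line] = ""           # O2, O4, O23 ...: presence is the fact
    return entries


def diff_logs(old: str, new: str) -> Dict[str, List[Change]]:
    """Entries added, removed or changed between two logs."""
    a, b = parse_log(old), parse_log(new)
    result: Dict[str, List[Change]] = {"added": [], "removed": [], "changed": []}
    for key in sorted(set(a) | set(b)):
        if key not in a:
            result["added"].append((key, "", b[key]))
        elif key not in b:
            result["removed"].append((key, a[key], ""))
        elif a[key] != b[key]:
            result["changed"].append((key, a[key], b[key]))
    return result


def worth_a_second_look(changes: Dict[str, List[Change]]) -> List[str]:
    """Changed entries a helper would ask about: browser start page and DNS servers."""
    return [f"{key}: {old!r} -> {new!r}"
            for key, old, new in changes["changed"]
            if "Start Page" in key or "NameServer" in key]


# Constructed excerpts of the two logs in this thread (4 June and 6 June 2008).
OLD_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:47 PM, on 6/4/2008

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DFDFEBF-F1FA-4101-A702-8D4A29FAFF26}: NameServer = 202.147.165.40,202.147.165.41
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

NEW_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:29 AM, on 6/6/2008

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.99.52.139/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DFDFEBF-F1FA-4101-A702-8D4A29FAFF26}: NameServer = 117.18.240.6,117.18.240.5,202.147.165.40,202.147.165.41
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""


if __name__ == "__main__":
    changes = diff_logs(OLD_LOG, NEW_LOG)
    for kind in ("added", "removed", "changed"):
        for entry in changes[kind]:
            print(kind, entry)
    for note in worth_a_second_look(changes):
        print("review:", note)
```

A flagged change is a question to ask, not a verdict: the start page moving from a domain name to a bare IP address and the DNS server list changing between the two scans are exactly the kind of lines a helper would want explained (a new ISP, a router change, or something else), while a newly added O23 service matching software the user just installed needs no follow-up.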

#4 adiel (Topic Starter, New Member, 5 posts)
Thanks... I will post it tomorrow; I am at home right now.

#5 adiel (Topic Starter, New Member, 5 posts)
OK, here is the DSS report

Deckard's System Scanner v20071014.68
Run by admin on 2008-06-06 10:57:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:29 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\Avira Premium Security Suite\sched.exe
C:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
C:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Avira\Avira Premium Security Suite\avmailc.exe
C:\Program Files\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\admin\Desktop\dss.exe
E:\Down\HIJACK~1\admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.99.52.139/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DFDFEBF-F1FA-4101-A702-8D4A29FAFF26}: NameServer = 117.18.240.6,117.18.240.5,202.147.165.40,202.147.165.41
O17 - HKLM\System\CS1\Services\Tcpip\..\{4DFDFEBF-F1FA-4101-A702-8D4A29FAFF26}: NameServer = 117.18.240.6,117.18.240.5,202.147.165.40,202.147.165.41
O17 - HKLM\System\CS2\Services\Tcpip\..\{4DFDFEBF-F1FA-4101-A702-8D4A29FAFF26}: NameServer = 117.18.240.6,117.18.240.5,202.147.165.40,202.147.165.41
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira Premium Security Suite Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avfwsvc.exe
O23 - Service: Avira Premium Security Suite MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avmailc.exe
O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Avira Premium Security Suite WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6193 bytes

-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-05 12:38:42 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-06-05 12:23:45 0 d-------- C:\Program Files\Sophos
2008-06-05 12:11:31 0 d-------- C:\Program Files\Avira GmbH
2008-06-05 11:12:53 0 d-------- C:\Documents and Settings\admin\Application Data\Malwarebytes
2008-06-05 11:12:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 11:12:50 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 14:22:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-04 14:22:47 0 d-------- C:\Program Files\Webroot
2008-06-04 14:22:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-04 14:22:47 0 d-------- C:\Documents and Settings\admin\Application Data\Webroot
2008-06-03 18:46:34 0 d-------- C:\Documents and Settings\admin\DoctorWeb
2008-06-03 14:57:30 68096 --a------ C:\WINDOWS\zip.exe
2008-06-03 14:57:30 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-03 14:57:30 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-03 14:57:30 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-03 14:57:30 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-03 14:57:30 80412 --a------ C:\WINDOWS\grep.exe
2008-06-03 14:57:30 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-03 14:29:29 0 d-------- C:\Documents and Settings\admin\Application Data\Avira
2008-06-03 11:53:17 0 d-------- C:\Program Files\Avira
2008-06-03 11:18:12 0 d-------- C:\WINDOWS\WinRescue
2008-06-02 17:37:28 2 --a------ C:\WINDOWS\system32\LOGFILES
2008-06-02 17:05:17 0 d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Premium
2008-06-02 16:51:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-02 13:59:16 0 d-------- C:\vdefs
2008-06-02 13:46:28 0 d-------- C:\Documents and Settings\admin.ADIEL\Application Data\SUPERAntiSpyware.com
2008-06-02 13:44:58 0 d-------- C:\Documents and Settings\admin.ADIEL\Application Data\Webroot
2008-06-02 13:42:50 0 d-------- C:\Documents and Settings\admin.ADIEL\Application Data\AVGTOOLBAR
2008-06-02 13:41:02 0 d-------- C:\Documents and Settings\admin.ADIEL\Application Data\Identities
2008-06-02 13:40:32 0 dr------- C:\Documents and Settings\admin.ADIEL\Favorites
2008-06-02 13:40:32 0 d-------- C:\Documents and Settings\admin.ADIEL\Desktop
2008-06-02 13:40:32 0 d---s---- C:\Documents and Settings\admin.ADIEL\Cookies
2008-06-02 13:40:32 0 dr-h----- C:\Documents and Settings\admin.ADIEL\Application Data
2008-06-02 13:40:32 0 d---s---- C:\Documents and Settings\admin.ADIEL\Application Data\Microsoft
2008-06-02 13:40:31 0 d--h----- C:\Documents and Settings\admin.ADIEL\Templates
2008-06-02 13:40:31 0 dr------- C:\Documents and Settings\admin.ADIEL\Start Menu
2008-06-02 13:40:31 0 dr-h----- C:\Documents and Settings\admin.ADIEL\SendTo
2008-06-02 13:40:31 0 dr-h----- C:\Documents and Settings\admin.ADIEL\Recent
2008-06-02 13:40:31 0 d--h----- C:\Documents and Settings\admin.ADIEL\PrintHood
2008-06-02 13:40:31 4018176 --a------ C:\Documents and Settings\admin.ADIEL\NTUSER.DAT
2008-06-02 13:40:31 0 d--h----- C:\Documents and Settings\admin.ADIEL\NetHood
2008-06-02 13:40:31 0 dr------- C:\Documents and Settings\admin.ADIEL\My Documents
2008-06-02 13:40:31 0 d--h----- C:\Documents and Settings\admin.ADIEL\Local Settings
2008-06-02 11:37:01 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-14 10:07:14 0 d-------- C:\Documents and Settings\admin\Application Data\MyPhoneExplorer
2008-05-14 10:07:10 0 d-------- C:\Documents and Settings\admin\Application Data\AD ON Multimedia
2008-05-14 10:07:04 0 d-------- C:\Program Files\MyPhoneExplorer
2008-05-12 13:14:33 0 d-------- C:\Documents and Settings\admin\Application Data\PC Tools
2008-05-12 12:58:06 15872 --a------ C:\WINDOWS\system32\drivers\AVRec.sys <Not Verified; PC Tools Research Pty Ltd; PC Tools AntiVirus>
2008-05-12 12:58:06 22528 --a------ C:\WINDOWS\system32\drivers\AVHook.sys <Not Verified; PC Tools Research Pty Ltd.; PC Tools AntiVirus>
2008-05-12 12:58:06 15872 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys <Not Verified; PC Tools Research Pty Ltd; AVFilter Device Driver>
2008-05-12 12:57:55 0 d-------- C:\Program Files\PC Tools AntiVirus
2008-05-12 12:57:55 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-12 12:56:56 0 d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-05-12 12:17:30 0 d-------- C:\Documents and Settings\admin\Application Data\Smart PC Solutions
2008-05-09 15:58:05 0 d-------- C:\Documents and Settings\admin\Application Data\Conceptworld
2008-05-09 15:56:59 0 d-------- C:\Program Files\Conceptworld
2008-05-09 15:42:16 0 --a------ C:\WINDOWS\system32\suupdate.dat
2008-05-09 15:41:38 11264 --a------ C:\WINDOWS\system32\drivers\supermounter.sys <Not Verified; Superlogix; supermounter>
2008-05-09 15:41:38 44000 --a------ C:\WINDOWS\system32\drivers\AFPUni.sys <Not Verified; Alfa Corporation; AlfaFP ™ 2003 Unicode Build for Windows NT/2K>
2008-05-09 15:41:38 43936 --a------ C:\WINDOWS\system32\drivers\AFPAnsi.sys <Not Verified; Alfa Corporation; AlfaFP ™ 2003 Ansi Build for Windows NT/2K>
2008-05-09 15:41:37 2256896 --a------ C:\WINDOWS\system32\vbsbak.dat <Not Verified; SuperLogix; Super Utilities>
2008-05-09 15:41:36 6144 --a------ C:\WINDOWS\system32\SuperRes.dll
2008-05-09 15:41:36 73728 --a------ C:\WINDOWS\system32\smh.dat <Not Verified; SuperLogix; SuperMenuHook>
2008-05-09 15:41:36 89088 --a------ C:\WINDOWS\system32\Shreder.dll <Not Verified; ; Shreder Dynamic Link Library>
2008-05-09 15:41:35 1519616 --a------ C:\WINDOWS\system32\context.dll <Not Verified; SuperLogix; Enhancement to context menu>
2008-05-09 15:41:34 0 d-------- C:\Program Files\SuperLogix
2008-05-09 11:27:42 0 d-------- C:\Program Files\Best Network Security
2008-05-09 11:26:21 0 d-------- C:\Documents and Settings\All Users\Application Data\NetServerListener
2008-05-09 11:26:20 0 d-------- C:\Program Files\Best Network Security Server
2008-05-09 10:34:34 0 d-------- C:\Documents and Settings\Adiel\Application Data\WinRAR
2008-05-09 10:29:17 0 d-------- C:\Documents and Settings\Adiel\Application Data\AVGTOOLBAR
2008-05-09 10:14:31 0 d-------- C:\Program Files\Common Files\Tray
2008-05-09 10:14:30 0 d-------- C:\Program Files\Common Files\System Shared
2008-05-09 10:14:25 0 d-------- C:\WINDOWS\tray
2008-05-09 10:14:25 0 d-------- C:\WINDOWS\system32\cc32
2008-05-09 10:07:57 0 d-------- C:\Program Files\PortableFirefox
2008-05-08 14:30:52 0 d-------- C:\Program Files\Fortres Grand
2008-05-08 14:00:16 0 d-------- C:\Program Files\Stop Installation Tool
2008-05-08 12:54:49 76 --a------ C:\WINDOWS\system32\esafedrv.dat
2008-05-08 12:53:16 50 --a------ C:\WINDOWS\pcenid.dat
2008-05-08 12:53:16 50 -----n--- C:\dosldr.bin
2008-05-08 12:53:00 24 -----n--- C:\WINDOWS\enexp.dat
2008-05-08 11:47:42 0 d-------- C:\Program Files\WinRescue XP
2008-05-07 17:28:35 0 d-------- C:\Program Files\PC Chaperone
2008-05-07 17:28:35 0 d-------- C:\Documents and Settings\All Users\Application Data\PCC
2008-05-07 16:41:42 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-07 13:46:02 0 d-------- C:\Documents and Settings\All Users\Application Data\System
2008-05-07 13:46:01 5196917 --a------ C:\WINDOWS\system32\httpsurl.dat


-- Find3M Report ---------------------------------------------------------------

2008-06-06 10:57:27 0 d-------- C:\Program Files\FlashGet
2008-06-05 13:41:43 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-05 12:11:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-03 11:51:02 0 d-------- C:\Program Files\Common Files
2008-05-09 10:08:10 0 d-------- C:\Program Files\Mozilla Firefox(2)
2008-04-26 10:55:02 0 d-------- C:\Program Files\Total Video Converter
2008-04-23 11:52:03 0 d-------- C:\Program Files\COI_ALL_UI
2008-04-23 11:49:30 294912 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2008-04-23 11:49:29 82944 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-22 11:28:44 18550784 --a------ C:\WINDOWS\system32\LMS_ALL_DLL.dll <Not Verified; AISL; LMS_ALL_DLL>
2008-04-21 18:28:54 0 d-------- C:\Program Files\ReNamer
2008-04-19 15:07:20 7426048 --a------ C:\WINDOWS\system32\COI_ALL_DLL.dll <Not Verified; AIS; COI_ALL_DLL>
2008-04-19 14:53:08 2236416 --a------ C:\WINDOWS\system32\COL_ALL_DLL.dll <Not Verified; ais; COL_ALL_DLL>
2008-04-19 14:49:18 933888 --a------ C:\WINDOWS\system32\CM_ALL_DLL.dll <Not Verified; ais; CM_ALL_DLL>
2008-04-19 13:58:00 3334144 --a------ C:\WINDOWS\system32\Sys_Services.dll <Not Verified; AIS; Sys_Services>
2008-04-19 13:54:00 405504 --a------ C:\WINDOWS\system32\Attributes.dll <Not Verified; AIS; Attributes>
2008-04-19 11:58:34 0 d-------- C:\Documents and Settings\admin\Application Data\CyberLink
2008-04-18 16:24:02 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-08 12:44:18 0 d-------- C:\Documents and Settings\admin\Application Data\AVGTOOLBAR
2008-04-07 12:45:00 0 d-------- C:\Program Files\AVG
2008-04-07 11:08:26 0 d-------- C:\Documents and Settings\admin\Application Data\SUPERAntiSpyware.com
2008-04-07 11:08:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 13:31:27 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
04/07/2008 12:45 PM 2041600 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [04/07/2008 12:45 PM 2041600]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [07/11/2007 09:07 AM C:\WINDOWS\RTHDCPL.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [07/11/2007 09:07 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [07/11/2007 09:07 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [07/11/2007 09:07 AM]
"avgnt"="C:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe" [02/12/2008 10:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"NoteZilla"="" []
"QNPlus"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
"C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddffa17c-15bf-11dd-9ae1-001cc01b73b8}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL




-- End of Deckard's System Scanner: finished at 2008-06-06 10:57:46 ------------
  • 0

#6
adiel
    New Member
  • Topic Starter
  • Member
  • 5 posts
And this is the extra report..

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® Dual CPU E2180 @ 2.00GHz
CPU 1: Intel® Pentium® Dual CPU E2180 @ 2.00GHz
Percentage of Memory in Use: 37%
Physical Memory (total/avail): 1013.54 MiB / 629.42 MiB
Pagefile Memory (total/avail): 2440.69 MiB / 1996.16 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1939.36 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.61 GiB total, 14.26 GiB free.
D: is Fixed (NTFS) - 18.55 GiB total, 7.84 GiB free.
E: is Fixed (NTFS) - 37.36 GiB total, 16.67 GiB free.
F: is Network (NWCompat)
G: is CDROM (No Media)
I: is Network (NWCompat)
Z: is Network (NWCompat)

\\.\PHYSICALDRIVE0 - WDC WD800JD-22MSA1 - 74.53 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 18.61 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 55.91 GiB - D: - E:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
UpdatesDisableNotify is set.
AntivirusOverride is set.

FW: Avira Firewall v8.0.1.18 (Avira GmbH)
AV: Avira AntiVir PersonalEdition v8.0.1.15 (Avira GmbH) Disabled Outdated
AV: PC Tools AntiVirus 3.6.0.34 v3.6.0.34 (PC Tools Research Pty Ltd)
AV: AVG Anti-Virus Professional Edition v8.0 (AVG Technologies) Disabled Outdated
AV: Avira Premium Security Suite v8.0.1.18 (Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"="C:\\Program Files\\BitSpirit\\BitSpirit.exe:*:Enabled:The powerful and easy-to-use BitTorrent Client"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\admin\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ADIEL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\admin
LOGONSERVER=\\ADIEL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;Z:.;C:\WINDOWS\COMMAND
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\admin\LOCALS~1\Temp
TMP=C:\DOCUME~1\admin\LOCALS~1\Temp
USERDOMAIN=ADIEL
USERNAME=admin
USERPROFILE=C:\Documents and Settings\admin
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Adiel (admin)
admin (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
AVG 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Avira Premium Security Suite --> C:\Program Files\Avira\Avira Premium Security Suite\SETUP.EXE /REMOVE
BitSpirit v3.3.2.115 Stable --> "C:\Program Files\BitSpirit\unins000.exe"
FlashGet(Jetcar) 1.80 --> C:\PROGRA~1\FlashGet\_UNWISE.EXE
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "E:\Down\HiJackThis\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Lease Business Suite (22-Apr-08) --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\COI_ALL_UI\ST6UNST.LOG"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Opera 9.10 --> MsiExec.exe /X{5D582D33-EB35-4D77-B7AF-403322D947E6}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
ReNamer --> "C:\Program Files\ReNamer\unins000.exe"
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.5 --> D:\Program Files\Spyware Doctor\unins000.exe /LOG
SUPERAntiSpyware Professional --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Total Video Converter 3.02 --> "C:\Program Files\Total Video Converter\unins000.exe"
Unlocker 1.8.7 --> C:\Program Files\Unlocker\uninst.exe
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinRescue XP --> "C:\Program Files\WinRescue XP\unins000.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type30 / Warning
Event Submitted/Written: 06/04/2008 11:42:25 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
W32/Chir.BF:\system.exe

Event Record #/Type29 / Warning
Event Submitted/Written: 06/04/2008 11:42:23 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
W32/Chir.BF:\xo8wr9.exe

Event Record #/Type28 / Warning
Event Submitted/Written: 06/04/2008 11:42:22 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
WORM/Autorun.FY.1F:\Funny UST Scandal.avi.exe

Event Record #/Type27 / Warning
Event Submitted/Written: 06/04/2008 11:42:21 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
W32/Chir.BF:\New Folder.exe

Event Record #/Type26 / Warning
Event Submitted/Written: 06/04/2008 11:42:20 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
W32/Chir.BF:\smss.exe



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7616 / Error
Event Submitted/Written: 06/05/2008 11:10:47 AM
Event ID/Source: 8009 / BROWSER
Event Description:
The browser was unable to promote itself to master browser. The computer that currently
believes it is the master browser is MIRZATAUSEEF.

Event Record #/Type7599 / Error
Event Submitted/Written: 06/04/2008 06:36:03 PM
Event ID/Source: 8009 / BROWSER
Event Description:
The browser was unable to promote itself to master browser. The computer that currently
believes it is the master browser is ZUBAIRKHAN.

Event Record #/Type7582 / Error
Event Submitted/Written: 06/04/2008 05:50:59 PM
Event ID/Source: 8009 / BROWSER
Event Description:
The browser was unable to promote itself to master browser. The computer that currently
believes it is the master browser is MIRZATAUSEEF.

Event Record #/Type7581 / Error
Event Submitted/Written: 06/04/2008 05:15:08 PM
Event ID/Source: 8009 / BROWSER
Event Description:
The browser was unable to promote itself to master browser. The computer that currently
believes it is the master browser is MAQSOOD.

Event Record #/Type7564 / Error
Event Submitted/Written: 06/04/2008 04:49:20 PM
Event ID/Source: 8009 / BROWSER
Event Description:
The browser was unable to promote itself to master browser. The computer that currently
believes it is the master browser is MAQSOOD.



-- End of Deckard's System Scanner: finished at 2008-06-05 11:27:58 ------------
  • 0
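An added example, not part of this thread and not code from Deckard's System Scanner: a small Python parser for the "Application Event Log" section of the extra log above. DSS prints the Avira detection name and the file path with no separator (so `W32/Chir.BF:\system.exe` reads as detection `W32/Chir.B` on `F:\system.exe`); the parser assumes the path starts at the first `<letter>:\` and splits there, then tallies detections by drive letter and by name, which is the quickest way to see that every hit here was on the same drive. The sample records are copied from the post above plus one of the BROWSER records, to show that non-detection entries are parsed but ignored; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: the Avira records from the DSS extra log posted above,
# plus one of the BROWSER records, so the parser is exercised on both shapes.
SAMPLE_LOG = r"""
-- Application Event Log -------------------------------------------------------

Event Record #/Type30 / Warning
Event Submitted/Written: 06/04/2008 11:42:25 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
W32/Chir.BF:\system.exe

Event Record #/Type29 / Warning
Event Submitted/Written: 06/04/2008 11:42:23 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
W32/Chir.BF:\xo8wr9.exe

Event Record #/Type28 / Warning
Event Submitted/Written: 06/04/2008 11:42:22 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
WORM/Autorun.FY.1F:\Funny UST Scandal.avi.exe

Event Record #/Type27 / Warning
Event Submitted/Written: 06/04/2008 11:42:21 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
W32/Chir.BF:\New Folder.exe

Event Record #/Type26 / Warning
Event Submitted/Written: 06/04/2008 11:42:20 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
W32/Chir.BF:\smss.exe

Event Record #/Type7616 / Error
Event Submitted/Written: 06/05/2008 11:10:47 AM
Event ID/Source: 8009 / BROWSER
Event Description:
The browser was unable to promote itself to master browser. The computer that currently
believes it is the master browser is MIRZATAUSEEF.
"""

# One "Event Record" block as DSS prints it; the description runs until a blank line.
RECORD_RE = re.compile(
    r"Event Record #/Type(?P<record>\d+) / (?P<level>\w+)\n"
    r"Event Submitted/Written: (?P<time>[^\n]+)\n"
    r"Event ID/Source: (?P<event_id>\d+) / (?P<source>[^\n]+)\n"
    r"Event Description:\n(?P<description>(?:[^\n]+\n?)*)"
)

# DSS fuses the detection name and the file path with no separator; the first
# "<drive letter>:\" is taken as the start of the path (assumption).
DETECTION_RE = re.compile(r"^(?P<name>.+?)(?P<path>[A-Za-z]:\\.*)$")


def parse_records(text):
    """Return one dict per 'Event Record' block, with the description on one line."""
    records = []
    for m in RECORD_RE.finditer(text):
        rec = m.groupdict()
        rec["description"] = " ".join(rec["description"].split())
        records.append(rec)
    return records


def extract_detections(records):
    """(detection name, file path) for every record whose description has the fused form."""
    found = []
    for rec in records:
        m = DETECTION_RE.match(rec["description"])
        if m:
            found.append((m.group("name"), m.group("path")))
    return found


def count_by_drive(detections):
    """Number of detections per drive letter (upper-cased)."""
    return Counter(path[0].upper() for _, path in detections)


def count_by_name(detections):
    """Number of detections per detection name."""
    return Counter(name for name, _ in detections)


if __name__ == "__main__":
    dets = extract_detections(parse_records(SAMPLE_LOG))
    for name, path in dets:
        print(f"{name:<20} {path}")
    print("by drive:", dict(count_by_drive(dets)))
    print("by name :", dict(count_by_name(dets)))
```

Run against the full extra log, the drive tally is what to look at first: here all five hits are on F:, which the System Information section lists as a network (NWCompat) drive, so the files Avira flagged were on a share rather than on the local NTFS volumes the poster was examining.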

#7
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
Not very nice what you wrote at Bleeping Computer is it? All the malware forums are overworked and staffed by volunteers, so a wait is to be expected. Also by bumping your post four times, you make it seem that it has been replied to, so the helpers there don't think it needs replying to.

I would like you to post that you are now being helped here, and an apology would not be amiss either.

You have two AVs on the computer, Avira AntiVir PersonalEdition v8.0.1.15 and AVG Anti-Virus Professional Edition v8.0; both are disabled. Please make sure that only one is enabled after running Combofix (see below).


Uninstall the following program:

BitSpirit v3.3.2.115 Stable

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove the above
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please read this Combofix tutorial before continuing, then follow the instructions below.

Please ensure you read this guide carefully and install the Recovery Console first.

Next, download ComboFix from Here or Here to your Desktop.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Save this log to your desktop as Combofix.txt and post it in your next reply.

(Note: Combofix will also save the report to C:\Combofix.txt)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save Report As Text button:
  • Under Save as type, choose Text file (*.txt)
  • Save the file to your desktop as Kaspersky.txt
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post me the logs in your next reply.

Regards,
RatHat
  • 0

#8
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





