janlafata
Joined: 15 Nov 2008 Posts: 4 Location: Yuma, AZ
Posted: Sat Nov 15, 2008 6:18 pm Post subject: Strange behavior from hidden Trojan
I am running Vista Home Basic x64. My system is running fine; however, I like to do weekly spyware scans. For the past three weeks, both my anti-spyware apps, Spy Cleaner Platinum and Spyware Doctor (an older version for x64), have turned up a trojan in C:\Windows\System32\explorer.exe.
Spyware Doctor says it deleted it, but I'm not so sure, because it seems to keep coming back. Spy Cleaner flat out said it couldn't delete it. So the first obvious thing I did was look in the System32 folder for it... nothing there, and my view was set to Show Hidden Files and Folders.
Then I changed Folder Options to also show Protected System Files... still couldn't see it! I also ran a HijackThis scan; however, no trojan in that directory turned up. I should also mention that the two times Spyware Doctor alerted to it, it was named something different each time.
When I ran Spy Cleaner, it also had a different name, but still, in all three scans, it showed the trojan as being embedded in C:\Windows\System32\explorer.exe. But why can't I find it? By the way, I also run ESET Smart Security and it has not turned up anything in scans.
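An added check for the situation described in the post above; it is not part of the thread and not code from any of the products named. On 64-bit Windows a 32-bit program that opens a path under C:\Windows\System32 is transparently redirected by WOW64 to C:\Windows\SysWOW64, while a 64-bit program, including the Explorer window used to look for the file, sees the real System32. A 32-bit scanner can therefore report a System32 path for a file that only exists in SysWOW64, and no hidden-file or protected-file setting changes that. The script below takes the reported path as a parameter (defaulting to the one in the post), lists the places that path can actually resolve to, and prints size, timestamp, Authenticode status and SHA-256 for each copy so they can be compared. It assumes the standard x64 layout (64-bit shell in %SystemRoot%\explorer.exe, 32-bit twin in SysWOW64) and uses only built-in cmdlets and .NET classes.

```powershell
# Added example (not from the forum thread). Shows which file a scanner on
# 64-bit Windows is actually looking at when it reports a path under System32.
param([string]$ReportedPath = 'C:\Windows\System32\explorer.exe')

$windir = $env:SystemRoot
# A 32-bit shell or scanner runs under WOW64 and gets a redirected System32.
$is64BitProcess = ([IntPtr]::Size -eq 8)

# Candidate locations. Assumption: standard x64 layout, i.e. the 64-bit shell is
# %SystemRoot%\explorer.exe and its 32-bit twin is %SystemRoot%\SysWOW64\explorer.exe.
$candidates = @()
$candidates += @{ Label = 'reported path, as seen by this process'; Path = $ReportedPath }
$candidates += @{ Label = 'SysWOW64 (what a 32-bit tool gets for System32)'; Path = ($ReportedPath -replace '\\System32\\', '\SysWOW64\') }
$candidates += @{ Label = '64-bit shell binary in the Windows directory';   Path = (Join-Path $windir 'explorer.exe') }
if (-not $is64BitProcess) {
    # Sysnative is a virtual alias that exists only for 32-bit processes; it
    # reaches the real System32 without redirection.
    $candidates += @{ Label = 'Sysnative (real System32 from a 32-bit process)'; Path = ($ReportedPath -replace '\\System32\\', '\Sysnative\') }
}

function Get-FileFacts([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path -Force          # -Force so hidden/system files are returned
    $sig  = Get-AuthenticodeSignature -FilePath $Path   # embedded signature only; see note below
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        $hash = ([BitConverter]::ToString($sha256.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Close()
    }
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    return New-Object PSObject -Property @{
        Path = $item.FullName; Size = $item.Length; Modified = $item.LastWriteTime
        SigStatus = $sig.Status; Signer = $signer; SHA256 = $hash
    }
}

$bits = if ($is64BitProcess) { 64 } else { 32 }
$view = if ($is64BitProcess) { 'the real System32' } else { 'redirected to SysWOW64' }
Write-Output ("This PowerShell process is {0}-bit; System32 paths it opens are {1}." -f $bits, $view)

foreach ($c in $candidates) {
    $facts = Get-FileFacts $c.Path
    if ($null -eq $facts) {
        Write-Output ("{0}: {1} -> not present" -f $c.Label, $c.Path)
        continue
    }
    Write-Output ("{0}: {1}" -f $c.Label, $facts.Path)
    Write-Output ("    size={0} modified={1} signature={2} signer={3}" -f $facts.Size, $facts.Modified, $facts.SigStatus, $facts.Signer)
    Write-Output ("    sha256={0}" -f $facts.SHA256)
}
```

Run it once from a 32-bit PowerShell and once from a 64-bit one: if the "reported path" hash equals the SysWOW64 hash in the 32-bit run and the path is absent in the 64-bit run, the scanner was reading the 32-bit copy, which is exactly the file a 64-bit Explorer window cannot show under that name. Two caveats: Get-AuthenticodeSignature returns NotSigned for catalog-signed Windows binaries on Vista and Windows 7 (it only checks embedded signatures), so cross-check a system file with `sfc /verifyfile=<path>` from an elevated prompt; and a matching hash between the copies says nothing on its own, so compare the 64-bit copy against a known-good hash from another machine at the same patch level.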
patrik Site Admin
Joined: 08 Jan 2006 Posts: 1865
Posted: Sun Nov 16, 2008 2:54 am Post subject:
Hello janlafata, welcome to the Myantispyware forum!
Download and install HijackThis, make a HijackThis log.
1. Save it to your Desktop.
2. Doubleclick on the HJTinstall.exe icon on your desktop for install.
3. Click on Install, It will create a HijackThis icon on the desktop.
4. Once installed, it will launch Hijackthis.
5. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
Download RSIT by random/random and save it to your desktop.
1. Double click on RSIT.exe to run RSIT.
2. Click Continue at the disclaimer screen.
3. Once it has finished, two logs will open.
Post back with following:
- HijackThis log
- RSIT log 1 (log.txt)
- RSIT log 2 (info.txt)
janlafata
Joined: 15 Nov 2008 Posts: 4 Location: Yuma, AZ
Posted: Mon Nov 17, 2008 4:38 am Post subject: Tasks completed...kind of!
patrik, I ran the HijackThis scan and have included the log below, but when I ran RSIT, it just created one text file, and it says on it that it's a log file of HijackThis! So I don't know if I did something wrong, or if it just doesn't work under x64, or what?
Anyway here are the logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:38 PM, on 11/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\ClipCache\Pro\clipc.exe
C:\Program Files (x86)\Wallpaper Master\Wallpaper\Wallpaper.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = >>> 'Full Speed' Enabled <<<
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [WallpaperChanger] "C:\Program Files (x86)\Wallpaper Master\Wallpaper\Wallpaper.exe" -startup
O4 - Startup: ClipCache Pro.lnk = C:\Program Files (x86)\ClipCache\Pro\clipc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE~1\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Indexing Service (CISVC) - Unknown owner - C:\Windows\system32\CISVC.EXE (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\Smart Security\x86\ekrn.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\Perfect Disk\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\Perfect Disk\PD91Engine.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBAMSvc.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Interactive Services Detection (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Virtual Disk (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
--
End of file - 5146 bytes
Logfile of random's system information tool 1.04 (written by random/random)
Run by Jan at 2008-11-16 21:32:04
Microsoft® Windows Vista™ Home Basic Service Pack 1
System drive C: has 9 GB (28%) free of 34 GB
Total RAM: 2047 MB (45% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:10 PM, on 11/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\ClipCache\Pro\clipc.exe
C:\Program Files (x86)\Wallpaper Master\Wallpaper\Wallpaper.exe
C:\Program Files (x86)\Firefox\Browser\firefox.exe
C:\Program Files (x86)\Malwarebytes\Anti-Malware\mbam.exe
D:\RSIT.exe
C:\Program Files (x86)\Trend Micro\HijackThis\Jan.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = >>> 'Full Speed' Enabled <<<
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [WallpaperChanger] "C:\Program Files (x86)\Wallpaper Master\Wallpaper\Wallpaper.exe" -startup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes\Anti-Malware\mbamgui.exe" /install /silent
O4 - Startup: ClipCache Pro.lnk = C:\Program Files (x86)\ClipCache\Pro\clipc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE~1\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Indexing Service (CISVC) - Unknown owner - C:\Windows\system32\CISVC.EXE (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\Smart Security\x86\ekrn.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\Perfect Disk\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\Perfect Disk\PD91Engine.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBAMSvc.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Interactive Services Detection (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Virtual Disk (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
--
End of file - 5395 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WallpaperChanger"=C:\Program Files (x86)\Wallpaper Master\Wallpaper\Wallpaper.exe [2007-11-24 650240]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files (x86)\Malwarebytes\Anti-Malware\mbamgui.exe [2008-10-22 399504]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Startup Cop Pro Startup Launcher]
[]
C:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
ClipCache Pro.lnk - C:\Program Files (x86)\ClipCache\Pro\clipc.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
relog_ap
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SBAMSvc]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoToolbarCustomize"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=
"NoActiveDesktopChanges"=
"ForceActiveDesktopOn"=
"NoFolderOptions"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files (x86)\BitTorrent\Sharing\bittorrent.exe"="C:\Program Files (x86)\BitTorrent\Sharing\bittorrent.exe:*:Enabled:BitTorrent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======List of files/folders created in the last 1 months======
2008-11-16 20:57:37 ----D---- C:\Users\Jan\AppData\Roaming\Malwarebytes
2008-11-16 20:57:31 ----D---- C:\ProgramData\Malwarebytes
2008-11-16 20:57:31 ----D---- C:\Program Files (x86)\Malwarebytes
2008-11-16 13:11:51 ----D---- C:\rsit
2008-11-15 14:35:23 ----D---- C:\Users\Jan\AppData\Roaming\Sunbelt
2008-11-15 14:35:14 ----D---- C:\ProgramData\Sunbelt
2008-11-15 14:34:57 ----D---- C:\Program Files (x86)\Sunbelt Software
2008-11-15 09:33:13 ----D---- C:\Program Files (x86)\Trend Micro
2008-11-14 21:30:39 ----D---- C:\Users\Jan\AppData\Roaming\Ulead Systems
2008-11-14 21:26:22 ----D---- C:\Program Files (x86)\Common Files\InterVideo
2008-11-14 21:26:17 ----D---- C:\ProgramData\InterVideo
2008-11-14 21:26:15 ----A---- C:\Windows\system32\IVIresizeW7.dll
2008-11-14 21:26:15 ----A---- C:\Windows\system32\IVIresizePX.dll
2008-11-14 21:26:15 ----A---- C:\Windows\system32\IVIresizeP6.dll
2008-11-14 21:26:15 ----A---- C:\Windows\system32\IVIresizeM6.dll
2008-11-14 21:26:15 ----A---- C:\Windows\system32\IVIresizeA6.dll
2008-11-14 21:26:15 ----A---- C:\Windows\system32\IVIresize.dll
2008-11-14 21:19:45 ----D---- C:\ProgramData\Ulead Systems
2008-11-14 21:08:20 ----D---- C:\Program Files (x86)\Ulead
2008-11-14 10:04:45 ----D---- C:\Users\Jan\AppData\Roaming\Xilisoft Corporation
2008-11-14 10:04:23 ----D---- C:\Program Files (x86)\Xilisoft
2008-11-12 16:34:55 ----D---- C:\Users\Jan\AppData\Roaming\GEAR Video 9.00
2008-11-12 16:33:14 ----D---- C:\Users\Jan\AppData\Roaming\LiveMetrics
2008-11-12 16:32:42 ----A---- C:\Windows\system32\GEARAspi.dll
2008-11-12 16:32:19 ----D---- C:\ProgramData\GEAR Software
2008-11-12 16:30:28 ----A---- C:\Windows\system32\Test.dll
2008-11-12 16:30:27 ----A---- C:\Windows\system32\msxml2.dll
2008-11-12 16:30:27 ----A---- C:\Windows\system32\LWXLLDFRequest3.dll
2008-11-12 16:30:27 ----A---- C:\Windows\system32\LWLLInstances3.dll
2008-11-12 16:30:27 ----A---- C:\Windows\system32\LWLLHttpsUpload2.dll
2008-11-12 16:30:27 ----A---- C:\Windows\system32\LWLLClientMiddleWare3.dll
2008-11-12 16:30:27 ----A---- C:\Windows\system32\LWLLClasses3.dll
2008-11-12 16:30:27 ----A---- C:\Windows\system32\GUID.dll
2008-11-12 16:30:27 ----A---- C:\Windows\system32\coreEncryptDecrypt.dll
2008-11-12 16:30:27 ----A---- C:\Windows\system32\AdvMetrics.dll
2008-11-12 16:30:05 ----D---- C:\Program Files (x86)\Common Files\LiveMetrics
2008-11-12 16:02:14 ----D---- C:\Program Files (x86)\GEAR
2008-11-12 14:12:26 ----A---- C:\Windows\system32\msxml3.dll
2008-11-12 14:12:23 ----A---- C:\Windows\system32\win32spl.dll
2008-11-12 14:12:20 ----A---- C:\Windows\system32\msxml6.dll
2008-11-12 14:12:16 ----A---- C:\Windows\system32\Faultrep.dll
2008-10-28 16:28:12 ----A---- C:\Windows\system32\sbbd.exe
2008-10-28 15:36:00 ----A---- C:\Windows\system32\divx_xx0c.dll
2008-10-28 15:36:00 ----A---- C:\Windows\system32\divx_xx07.dll
2008-10-28 15:35:58 ----A---- C:\Windows\system32\divx_xx11.dll
2008-10-28 15:35:58 ----A---- C:\Windows\system32\divx_xx0a.dll
2008-10-28 15:35:56 ----A---- C:\Windows\system32\DivX.dll
2008-10-27 21:52:26 ----D---- C:\Users\Jan\AppData\Roaming\MozillaControl
2008-10-27 21:48:56 ----D---- C:\Program Files (x86)\Full Speed
2008-10-27 21:48:02 ----D---- C:\aidualc3
2008-10-27 21:43:44 ----D---- C:\Windows\'Full Speed' Internet Booster + Performance Tests
2008-10-27 21:42:38 ----A---- C:\Windows\'Full Speed' Internet Booster + Performance Tests Setup Log.txt
2008-10-27 17:32:58 ----A---- C:\Windows\ntbtlog.txt
2008-10-27 12:08:39 ----D---- C:\Users\Jan\AppData\Roaming\CyberScrub
2008-10-27 12:05:51 ----A---- C:\Windows\csact.ini
2008-10-27 12:05:48 ----D---- C:\Program Files (x86)\CyberScrub
2008-10-24 13:05:02 ----D---- C:\Users\Jan\AppData\Roaming\Macromedia
2008-10-24 13:05:02 ----D---- C:\Users\Jan\AppData\Roaming\Adobe
2008-10-24 13:04:30 ----D---- C:\Windows\system32\Macromed
2008-10-23 20:49:05 ----D---- C:\Users\Jan\AppData\Roaming\XRayz
2008-10-23 20:47:55 ----D---- C:\Program Files (x86)\ClipCache
2008-10-23 20:23:15 ----D---- C:\Users\Jan\AppData\Roaming\Acoustica
2008-10-23 20:22:55 ----D---- C:\Program Files (x86)\Acoustica
2008-10-23 10:15:02 ----A---- C:\Windows\system32\netapi32.dll
2008-10-23 09:38:17 ----D---- C:\Program Files (x86)\Common Files\EZB Systems
2008-10-23 09:38:07 ----D---- C:\Program Files (x86)\Ultra ISO
2008-10-23 02:39:40 ----D---- C:\Program Files (x86)\Shell Menu View
2008-10-20 23:38:17 ----D---- C:\Program Files (x86)\MSXML 4.0
2008-10-20 04:43:54 ----D---- C:\Program Files (x86)\Common Files\MSSoap
2008-10-18 18:02:00 ----D---- C:\Program Files (x86)\Media Monkey
======List of files/folders modified in the last 1 months======
2008-11-16 21:28:20 ----D---- C:\Windows\Temp
2008-11-16 21:05:56 ----D---- C:\Windows\Prefetch
2008-11-16 21:05:47 ----D---- C:\Windows\system32\drivers
2008-11-16 20:57:31 ----RD---- C:\Program Files (x86)
2008-11-16 20:57:31 ----HD---- C:\ProgramData
2008-11-16 12:50:55 ----SHD---- C:\System Volume Information
2008-11-16 12:50:55 ----D---- C:\Windows\Logs
2008-11-15 15:38:17 ----D---- C:\Windows\SysWOW64
2008-11-15 14:35:25 ----SHD---- C:\Windows\Installer
2008-11-15 10:41:23 ----D---- C:\Users\Jan\AppData\Roaming\LimeWire
2008-11-15 07:00:49 ----N---- C:\Windows\win.ini
2008-11-14 21:26:47 ----D---- C:\Windows\winsxs
2008-11-14 21:26:22 ----D---- C:\Program Files (x86)\Common Files
2008-11-14 21:26:14 ----HD---- C:\Program Files (x86)\InstallShield Installation Information
2008-11-14 21:26:14 ----D---- C:\Program Files (x86)\Common Files\InstallShield
2008-11-14 21:26:07 ----D---- C:\Windows\inf
2008-11-14 21:26:02 ----D---- C:\Program Files (x86)\Common Files\LightScribe
2008-11-14 21:21:27 ----RSD---- C:\Windows\Fonts
2008-11-14 21:21:16 ----D---- C:\Program Files (x86)\Common Files\Ulead Systems
2008-11-14 15:25:44 ----D---- C:\Windows\Tasks
2008-11-14 15:25:44 ----D---- C:\Windows\System32
2008-11-14 15:25:44 ----D---- C:\Windows
2008-11-14 15:25:42 ----D---- C:\Windows\registration
2008-11-14 15:23:25 ----D---- C:\ProgramData\Martau
2008-11-14 15:23:07 ----D---- C:\Program Files (x86)\Total Uninstall
2008-11-14 12:05:14 ----D---- C:\Users\Jan\AppData\Roaming\BitTorrent
2008-10-26 23:22:04 ----SD---- C:\ProgramData\Microsoft
2008-10-24 12:58:48 ----RD---- C:\Users
2008-10-23 09:32:50 ----RD---- C:\Program Files
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 easdrv;easdrv; C:\Windows\system32\DRIVERS\easdrv.sys []
R1 epfwtdi;epfwtdi; C:\Windows\system32\DRIVERS\epfwtdi.sys []
R1 ISODrive;ISO DVD/CD-ROM Device Driver; \??\C:\Program Files (x86)\Ultra ISO\EZB Systems\drivers\ISODrv64.sys [2007-11-07 104912]
R2 DefragFS;DefragFS; C:\Windows\system32\drivers\DefragFS.sys []
R2 eamon;EAMON; C:\Windows\system32\DRIVERS\eamon.sys []
R2 epfw;epfw; C:\Windows\system32\DRIVERS\epfw.sys []
R2 tifsfilter;Acronis True Image FS Filter; C:\Windows\system32\DRIVERS\tifsfilt.sys []
R3 Epfwndis;Eset Personal Firewall; C:\Windows\system32\DRIVERS\Epfwndis.sys []
R3 FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver; C:\Windows\system32\DRIVERS\fet6x64v.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys []
R3 ksthunk;Kernel Streaming Thunks; C:\Windows\system32\drivers\ksthunk.sys []
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys []
R3 P17;SB Live! 24-bit; C:\Windows\system32\drivers\P17.sys []
R3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys []
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys []
R3 VX3000;VX-3000; C:\Windows\system32\DRIVERS\VX3000.sys []
S2 WinVd32;WinVd32; \??\C:\Windows\system32\WinVd32.sys [2008-10-09 180064]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys []
S3 FET5A64;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\Windows\system32\DRIVERS\fet5a64.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys []
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys []
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys []
S3 NTIDrvr;NTIDrvr; C:\Windows\system32\drivers\NTIDrvr.sys []
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Capture Device Service;Capture Device Service; C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe [2006-08-11 200704]
R2 CISVC;Indexing Service; C:\Windows\system32\CISVC.EXE []
R2 ekrn;Eset Service; C:\Program Files\ESET\Smart Security\x86\ekrn.exe [2008-08-18 468224]
R2 MDM;Machine Debug Manager; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S2 SBAMSvc;CounterSpy Antispyware; C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBAMSvc.exe [2008-11-15 886056]
S3 AcronisOSSReinstallSvc;Acronis OS Selector Reinstall Service; C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe [2007-02-22 2217416]
S3 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe [2007-09-14 599320]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2008-01-05 93696]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\Smart Security\EHttpSrv.exe [2008-08-18 21760]
S3 MSCamSvc;MSCamSvc; C:\Program Files (x86)\Microsoft LifeCam\MSCamS64.exe [2007-05-17 443752]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 PD91Agent;PD91Agent; C:\Program Files\Raxco\Perfect Disk\PD91Agent.exe [2008-09-09 1101064]
S3 PD91Engine;PD91Engine; C:\Program Files\Raxco\Perfect Disk\PD91Engine.exe [2008-09-09 1285384]
S3 TryAndDecideService;Acronis Try And Decide Service; C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-09-14 492600]
S4 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe []
S4 PerfHost;Performance Counter DLL Host; C:\Windows\SysWow64\perfhost.exe [2008-01-19 19968]
-----------------EOF-----------------
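An added triage script for reading the logs above; it is not part of the thread and not part of HijackThis or RSIT. Both HijackThis logs come from the 32-bit HijackThis build running under WOW64 on a 64-bit system, and the standard explanation for core services such as lsass.exe, spoolsv.exe and vssvc.exe showing "(file missing)" is file-system redirection: the tool asked for C:\Windows\System32 and was handed C:\Windows\SysWOW64, where those 64-bit binaries do not live. The script parses O23 lines, separates that redirection artifact from services whose binary is genuinely absent at the registered path, and sets aside "Unknown owner" entries for a publisher check. The sample input is a handful of O23 lines copied from the log above plus one O4 line; the verdict names and the Sysnative rewrite are this example's own conventions.

```python
"""Triage HijackThis O23 (service) lines from a 32-bit HijackThis run on 64-bit Windows.

Added example; not part of the forum thread or of HijackThis. The verdict
names and the Sysnative rewrite are this script's own conventions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# "O23 - Service: <display> (<short name>) - <owner> - <path>[ (file missing)]"
# The "(<short name>)" part is absent on some lines (e.g. "Capture Device Service").
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# The real 64-bit System32; a 32-bit process asking for it is redirected to SysWOW64.
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


@dataclass
class ServiceFinding:
    name: str
    owner: str
    path: str
    verdict: str
    note: str


def native_path(path: str) -> str:
    """Rewrite a System32 path to the Sysnative alias a 32-bit process must use
    on x64 to reach the real System32 (the alias does not exist for 64-bit code)."""
    return re.sub(r"(?i)^([a-z]:\\windows\\)system32\\", r"\1Sysnative\\", path)


def triage(log_text: str) -> List[ServiceFinding]:
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue  # not an O23 line
        name = m.group("name") or m.group("display")
        owner, path = m.group("owner"), m.group("path")
        missing = m.group("missing") is not None
        if missing and SYSTEM32_RE.match(path):
            # Classic WOW64 artifact: the 64-bit binary exists, the 32-bit tool just
            # could not see it. Confirm through Sysnative before treating it as missing.
            verdict = "verify-native-system32"
            note = f"32-bit tool looked in SysWOW64; confirm {native_path(path)} exists"
        elif missing:
            verdict, note = "missing", "no binary at the registered path; service may be orphaned"
        elif owner == "Unknown owner":
            verdict, note = "verify-publisher", "no recognised company name; check signature and hash"
        else:
            verdict, note = "present", ""
        findings.append(ServiceFinding(name, owner, path, verdict, note))
    return findings


def summarize(findings: List[ServiceFinding]) -> Counter:
    return Counter(f.verdict for f in findings)


# Constructed sample: O23 lines copied from the HijackThis log above, plus one
# non-O23 line to show that other sections are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WallpaperChanger] "C:\Program Files (x86)\Wallpaper Master\Wallpaper\Wallpaper.exe" -startup
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Indexing Service (CISVC) - Unknown owner - C:\Windows\system32\CISVC.EXE (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\Smart Security\x86\ekrn.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBAMSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:24} {f.name:24} {f.path}")
        if f.note:
            print(f"{'':24} -> {f.note}")
    print(dict(summarize(results)))
```

On the full log above every "(file missing)" entry falls into the verify-native-system32 bucket, which is what one expects from a 32-bit HijackThis on x64; the "Unknown owner" entries are services whose version information carries no company name HijackThis recognises, which is a prompt to verify the binary, not a verdict. The "Running processes" section of the same log has the same limitation: a 32-bit HijackThis lists only 32-bit processes, so the absence of 64-bit processes there is not evidence of anything.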
patrik Site Admin
Joined: 08 Jan 2006 Posts: 1865
janlafata
Joined: 15 Nov 2008 Posts: 4 Location: Yuma, AZ
Posted: Tue Nov 18, 2008 4:32 am Post subject: One more task complete
patrik,
Sorry it took me so long, but I finally have the Kaspersky online scan log. It takes a while to get that thing going sometimes!
It definitely did show some nasties, some of which were a surprise, like RSIT.exe, which you recommended. Also, the Nero Lite.exe is, at least I thought, a legit program, and finally the D Recycle Bin, which always brings up the question for me about the whole emptying of the recycle bin.
I always thought that when you empty the desktop recycle bin, it's getting everything you ever deleted from the hard drive and all the drives. But figuring I needed to be real thorough, I changed Folder Options to show Protected files and then I opened up each drive's recycle bin and recycles folder.
Boy, was I surprised to still find a lot of junk in there. Like I said, I thought that was all supposed to be deleted when you emptied the desktop recycle bin? Anyway, I deleted everything in those protected folders and the other files the scan recommended too, so hopefully I'm back on track now.
Here's the log of the Kaspersky scan:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, November 17, 2008
Operating System: Microsoft Windows Vista Home Basic Edition, 64-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, November 17, 2008 22:51:02
Records in database: 1390362
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
Scan statistics:
Files scanned: 90328
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 02:15:18
File name / Threat name / Threats count
D:\$RECYCLE.BIN\S-1-5-21-1265292681-488348833-2239942560-1000\$RPPJ9O5.exe Infected: Trojan.Win32.Autoit.gs 1
D:\Pending\Nero Lite 9.0.9.4c.exe Infected: Trojan.Win32.Autoit.gs 2
G:\Pending\Nero Lite 9.0.9.4c.exe Infected: Trojan.Win32.Autoit.gs 2
G:\RSIT.exe Infected: Trojan.Win32.Autoit.gs 1
The selected area was scanned.