
View Full Version : Nasty Buggers


fixn granys cpu
01-02-2006, 01:05 AM
Well I got granny's cpu running nicely thanks to you, so now I am back home and decided to tackle the mess at home. These bugs made me so mad that this is the first time I've even tried to log on at home in months. Guess I'll get right to it and post the HJT log. Whatever nasty bug I have will kick me from the internet and sometimes restart my system. Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 12:10:08 PM, on 12/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinZip\WINZIP32.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Administrator\Desktop\FIX ME NOWWWW\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

fixn granys cpu
01-02-2006, 01:08 AM
I have downloaded adaway, spybot, ewido. But as of yet it will not let me use an online virus scan. Also when I install spybot an error comes up saying that something has changed when downloaded and to run a virus scan immediately.

fixn granys cpu
01-02-2006, 02:31 AM
Just got this error when starting ewido "At least one part of the program has been modified. Please run an online update to replace the damaged components."

Budfred
01-02-2006, 04:20 AM
Good news/bad news... your log looks clean...

We are going to need to go right to deeper scans...

Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.

and...

Please download RootkitRevealer.exe and unzip it into a folder. Run a scan and produce a log...
http://www.sysinternals.com/Files/RootkitRevealer.zip
When it is done, go to File and select Save...
Include the log in your next reply.
Do not worry if there are a large number of items, this is normal.
It is a deep scan which will take a considerable amount of time, so I suggest you disconnect from the internet and leave the PC alone until it's finished.

To reduce the size of the log posted here, please edit out items that appear in these folders if there are some:
C:\RECYCLER\NPROTECT
C:\System Volume Information
before you post the log....

and after updating, try running Ewido in Safe Mode...

Post each of the logs after reboot...
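
A small triage script for RootkitRevealer text logs, added here as an example (it is not part of this thread or of the Sysinternals tool): it drops entries under the two folders asked to be edited out above, then tallies what is left by discrepancy type and by top-level directory so a helper can see where the entries cluster. The sample lines are constructed to match the tool's output format as it appears later in this thread; the NPROTECT, System Volume Information and EXAMPLEHASH paths are invented.

```python
"""Triage a RootkitRevealer text log: drop the noise folders the helper
asked to be edited out, then summarise the remaining discrepancies.
Added example; not part of the thread or of the Sysinternals tool."""
import re
from collections import Counter

# Folders the poster is asked to remove from the log before posting.
NOISE_PREFIXES = (
    r"C:\RECYCLER\NPROTECT",
    r"C:\System Volume Information",
)

# One RootkitRevealer line: <path> <m/d/yyyy> <h:mm AM|PM> <size> <description>
# The path may contain spaces, so it is matched lazily up to the date.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+?)\s*$"
)

# Constructed sample in the tool's format (paths modelled on this thread's log;
# the NPROTECT, System Volume Information and EXAMPLEHASH lines are invented).
SAMPLE_LOG = r"""
C:\WINNT\SoftwareDistribution\Download\S-1-5-18 12/22/2005 8:11 PM 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\backup\cmd.exe 12/22/2005 8:11 PM 230.77 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\EXAMPLEHASH\user32.dll 12/29/2004 4:14 AM 371.77 KB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00000001.EXE 12/22/2005 8:11 PM 12.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{EXAMPLE}\RP1\A0000001.dll 12/22/2005 8:11 PM 3.00 KB Visible in Windows API, but not in MFT or directory index.
this line is not a RootkitRevealer entry
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_noise(path):
    """True when the path sits under one of the folders to be edited out."""
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in NOISE_PREFIXES)


def top_dir(path, depth=3):
    """First `depth` path components (drive plus two folders by default)."""
    return "\\".join(path.split("\\")[:depth])


def triage(log_text):
    """Parse, filter and tally a whole log; returns a summary dict."""
    kept, skipped = [], 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue                      # blank or non-entry line
        if is_noise(entry["path"]):
            skipped += 1                  # would have been edited out anyway
            continue
        kept.append(entry)
    return {
        "kept": kept,
        "skipped": skipped,
        "by_desc": dict(Counter(e["desc"] for e in kept)),
        "by_dir": dict(Counter(top_dir(e["path"]) for e in kept)),
    }


def format_report(summary):
    """Human-readable summary suitable for pasting into a reply."""
    lines = [f"{len(summary['kept'])} entries kept, {summary['skipped']} skipped as noise"]
    lines.append("By discrepancy type:")
    for desc, n in sorted(summary["by_desc"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {n:4d}  {desc}")
    lines.append("By top-level directory:")
    for d, n in sorted(summary["by_dir"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {n:4d}  {d}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Point `triage()` at the saved RootkitRevealer log text instead of SAMPLE_LOG to run it on a real scan.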

fixn granys cpu
01-02-2006, 08:22 AM
Aight here is the silent runners log:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"Steam" = "C:\Program Files\Steam\Steam.exe -silent" ["Valve Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"ftutil2" = "rundll32.exe ftutil2.dll,SetWriteCacheMode" [MS]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default) = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "(None)"


Enabled Scheduled Tasks:
------------------------

"Spybot - Search & Destroy - Scheduled Task" -> launches: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK" ["Safer Networking Limited"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Missing lines (compared with English-language version):
[DeleteAutosearch.reg]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\System32\nvsvc32.exe" ["NVIDIA Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 10 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 2 seconds.
---------- (total run time: 32 seconds)

fixn granys cpu
01-02-2006, 08:53 AM
Ok I don't understand this, when running the rootkit revealer it came up blank the first few times then I tried putting it in its own folder and it came up with 45 discrepancies... I then saved that log to the desktop and it froze up and the computer restarted?? Now I am back to the program not finding anything. OH and the file on the desktop is not there.

fixn granys cpu
01-02-2006, 09:14 AM
C:\WINNT\SoftwareDistribution\Download\S-1-5-18 12/22/2005 8:11 PM 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311 12/22/2005 8:11 PM 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\_downloadprogress_.state 12/22/2005 8:11 PM 4 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\_file_to_execute_.txt 12/22/2005 8:11 PM 17 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\_unpacked_.state 12/22/2005 8:11 PM 34 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\_usedelta_.state 12/22/2005 8:11 PM 34 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup 12/22/2005 8:11 PM 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\basesrv.dll 12/22/2005 8:11 PM 41.27 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\cmd.exe 12/22/2005 8:11 PM 230.77 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\gdi32.dll 12/22/2005 8:11 PM 228.27 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\kernel32.dll 12/22/2005 8:11 PM 725.77 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\mf3216.dll 12/22/2005 8:11 PM 34.77 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\mpr.dll 12/22/2005 8:11 PM 53.77 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\msgina.dll 12/22/2005 8:11 PM 326.27 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\uniproc 12/22/2005 8:11 PM 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\uniproc\kernel32.dll 12/22/2005 8:11 PM 725.77 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\uniproc\win32k.sys 12/22/2005 8:11 PM 1.64 MB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\uniproc\winsrv.dll 12/22/2005 8:11 PM 246.77 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\user32.dll 12/22/2005 8:11 PM 393.77 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\userenv.dll 12/22/2005 8:11 PM 380.77 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\win32k.sys 12/22/2005 8:11 PM 1.64 MB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\winlogon.exe 12/22/2005 8:11 PM 176.77 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\backup\winsrv.dll 12/22/2005 8:11 PM 246.77 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\download 12/22/2005 8:11 PM 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\download\BIT22.tmp 12/22/2005 8:11 PM 1.72 MB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\empty.cat 12/22/2005 8:11 PM 5.03 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\spmsg.dll 12/22/2005 8:11 PM 6.50 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\spuninst.exe 12/22/2005 8:11 PM 166.00 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\susdl.req 12/22/2005 8:11 PM 1.34 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\update 12/22/2005 8:11 PM 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\update\eula.txt 12/22/2005 8:11 PM 4.00 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\update\KB891711.cat 12/22/2005 8:11 PM 11.82 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\update\spcustom.dll 12/22/2005 8:11 PM 21.00 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\update\update.exe 12/22/2005 8:11 PM 639.50 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\update\update.inf 12/22/2005 8:11 PM 39.69 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\update\update.url 12/22/2005 8:11 PM 5.22 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\update\update.ver 12/22/2005 8:11 PM 1.19 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\110597388b69a898bf78fbff6d4f3311\Windows2000-KB891711-x86-ENU.psm 12/22/2005 8:11 PM 9.44 KB Visible in Windows API, MFT, but not in directory index.

fixn granys cpu
01-02-2006, 09:16 AM

fixn granys cpu
01-02-2006, 09:16 AM
**** ok that was copied here is the real continued.. sorry:

C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\_downloadprogress_.state 12/22/2005 8:11 PM 4 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\_file_to_execute_.txt 12/22/2005 8:11 PM 17 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\_unpacked_.state 12/22/2005 8:11 PM 34 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\_usedelta_.state 12/22/2005 8:11 PM 34 bytes Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\backup 12/22/2005 8:11 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\basesrv.dll 6/17/2004 6:05 PM 45.27 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\cmd.exe 9/20/2003 7:45 PM 230.77 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\empty.cat 12/29/2004 3:54 AM 5.03 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\gdi32.dll 6/17/2004 6:05 PM 225.77 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\kernel32.dll 6/17/2004 6:05 PM 695.77 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\mf3216.dll 3/23/2004 9:17 PM 36.27 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\mpr.dll 3/23/2004 9:17 PM 53.27 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\msgina.dll 6/17/2004 6:05 PM 327.27 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\sp3res.dll 12/2/2004 9:27 AM 5.98 MB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\spmsg.dll 12/29/2004 3:54 AM 6.50 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\spuninst.exe 12/29/2004 3:54 AM 166.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\susdl.rq0 12/22/2005 8:11 PM 1.34 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\uniproc 12/22/2005 8:11 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\uniproc\kernel32.dll 6/17/2004 6:05 PM 695.77 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\uniproc\win32k.sys 12/24/2004 12:23 PM 1.56 MB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\uniproc\winsrv.dll 6/17/2004 6:05 PM 238.77 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\update 12/22/2005 8:11 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\update\eula.txt 12/29/2004 3:54 AM 4.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\update\KB891711.cat 12/29/2004 3:54 AM 11.82 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\update\spcustom.dll 12/29/2004 3:54 AM 21.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\update\update.exe 12/29/2004 3:54 AM 639.50 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\update\update.inf 12/29/2004 3:54 AM 39.69 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\update\update.url 12/24/2004 12:35 PM 5.22 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\update\update.ver 12/24/2004 12:35 PM 1.19 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\user32.dll 12/29/2004 4:14 AM 371.77 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\userenv.dll 8/5/2003 5:14 PM 376.77 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\win32k.sys 12/24/2004 12:23 PM 1.56 MB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\Windows2000-KB891711-x86-ENU.psm 12/24/2004 5:42 PM 9.44 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\Windows2000-KB891711-x86-Express-ENU.EXE 12/22/2005 8:11 PM 335.23 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\winlogon.exe 8/24/2004 5:59 PM 178.27 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\SoftwareDistribution\Download\80c31621dbf923e4d6b6365d5b4d1dfb\winsrv.dll 6/17/2004 6:05 PM 238.77 KB Visible in Windows API, but not in MFT or directory index.

fixn granys cpu
01-02-2006, 09:23 AM
It took me around 10 scans before it came up with anything at all? Am I doing something wrong? IExplorer.exe also keeps shutting down. Man this is annoying.

Budfred
01-02-2006, 11:19 AM
**** ok that was copied here is the real continued.. sorry:
I don't understand what this means.... Please explain...

This page includes instructions for cleaning the Registry of at least one of the infections here...

http://www.sophos.com/virusinfo/analyses/trojsmallap.html

Since it is not showing in HJT and I am not aware of an automatic fix, you may need to do it manually...

Also, I urge you to delete this entire folder - it seems to be heavily infested:

C:\WINNT\SoftwareDistribution\

If you can't kill it in Normal mode, reboot to Safe Mode and try to kill it there... Post back on progress...