Wintools/huntbar Removal


  • This topic is locked
16 replies to this topic

#1 The ELF

  • Members
  • 8 posts
  • Local time:03:00 AM

Posted 31 August 2007 - 11:27 AM

I have a Dell machine running Windows XP Home with 3 user accounts.
It has/had Winantivirus 2007 and Drive Cleaner on it.
I managed to remove those items, I think.
I have run vundofix, Adaware 2007, Spybot, AVG (Ewido) and things seemed to be ok, until I ran SuperAntiSpyware which came back and told me I have 5 items that needed to be removed in the registry, Spyware.Websearch (wintools/huntbar). It says it removed them and I need to reboot. I reboot and rerun the program and the same thing again. When I go into the registry to check it's still there, HKLM\Software\Microsoft\CurrentVersion\uninstall\Wintools_ESIES. When I do the search for it I get Error opening key: Cannot open Wintools_ESIES: Error while opening key. When I try to manually remove it I get: Cannot delete Wintools_ESIES: Error while deleting key. Normal or Safe Mode.
When I run HiJackThis 202 I don't seem to see it.
This is what I got from HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:11 AM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Mylee\Desktop\HiJackThis202.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4963 bytes


Hope this makes sense.
Also the system had Norton Antivirus which expired and is probably why I'm in this mess in the first place.
I started by removing it first.

Thanks in advance.

#2 rookie147

  • Members
  • 5,321 posts
  • Local time:09:00 AM

Posted 01 September 2007 - 01:27 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Also the system had Norton Antivirus which expired and is probably why I'm in this mess in the first place.
I started by removing it first.

Norton may not be the best, but it is better than nothing. Without an antivirus you are at high risk of reinfection; while I can try to sort your problem out, if you have no protection, the infections will keep resurfacing.
Here are some great free antivirus programs:
Antivir, Avast!, AVG, Bitdefender Free
Install one of these, then run a full scan, letting it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.

Once you have done this, please post a new log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 The ELF
  • Topic Starter

  • Members
  • 8 posts
  • Local time:03:00 AM

Posted 04 September 2007 - 12:01 PM

Hello Charles,

Thanks for taking time out to look at this.
I installed and ran AVG.
It found two viruses and deleted them:
C:\windows\apppatch\anti.dll
C:\windows\msagent\intl\javapp.dll
I ran it on the other two accounts and it came back clean.
I took a look at the registry and Wintools_ESIES is still there, but this time it opens; I still cannot delete it.

Here is the HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:03 AM, on 9/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Valerie\Desktop\HiJackThis_v202.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5497 bytes


Thanks in advance

#4 rookie147

  • Members
  • 5,321 posts
  • Local time:09:00 AM

Posted 04 September 2007 - 12:33 PM

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply.
Thanks,
Charles



#5 The ELF
  • Topic Starter

  • Members
  • 8 posts
  • Local time:03:00 AM

Posted 04 September 2007 - 02:12 PM

ComboFix 07-08-30.3 - "Valerie" 2007-09-04 13:45:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.269 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\DriveCleaner
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\Hilary\err.log
C:\DOCUME~1\Hilary\ResErrors.log
C:\DOCUME~1\Mylee\err.log
C:\DOCUME~1\Mylee\ResErrors.log
C:\DOCUME~1\Valerie\err.log
C:\DOCUME~1\Valerie\ResErrors.log
C:\Program Files\Common Files\Companion Wizard
C:\Program Files\Common Files\companion wizard\CompWiz.xml
C:\Program Files\Common Files\companion wizard\size.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\DOWNLO~1.\Quarantine
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\stera.log


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN
-------\LEGACY_NTTF


((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))


2007-09-04 13:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-31 10:32 <DIR> d-------- C:\DOCUME~1\Hilary\APPLIC~1\SUPERAntiSpyware.com
2007-08-30 18:25 <DIR> d-------- C:\DOCUME~1\Mylee\APPLIC~1\SUPERAntiSpyware.com
2007-08-30 14:48 <DIR> d-------- C:\DOCUME~1\Valerie\APPLIC~1\SUPERAntiSpyware.com
2007-08-29 11:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-29 10:32 <DIR> d-------- C:\WINDOWS\SysbckUp
2007-08-17 16:17 <DIR> d-------- C:\PUC
2007-08-13 19:59 237,588 --a------ C:\WINDOWS\SYSTEM32\hoyqcgiq.dll
2007-08-13 17:59 237,588 --a------ C:\WINDOWS\SYSTEM32\qgbvhiky.dll
2007-08-13 17:51 2,560 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys
2007-08-13 17:51 2,432 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-08-13 17:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\IOSUBSYS
2007-08-13 17:50 <DIR> d-------- C:\Program Files\Google
2007-08-13 13:07 237,588 --a------ C:\WINDOWS\SYSTEM32\lynotybm.dll
2007-08-11 08:09 237,588 --a------ C:\WINDOWS\SYSTEM32\clneupje.dll
2007-08-10 18:44 237,588 --a------ C:\WINDOWS\SYSTEM32\mudwsfxw.dll
2007-08-10 18:44 237,588 --a------ C:\WINDOWS\SYSTEM32\gyjftpeb.dll
2007-08-10 11:41 237,588 --a------ C:\WINDOWS\SYSTEM32\kevveiih.dll
2007-08-10 11:03 237,588 --a------ C:\WINDOWS\SYSTEM32\mvlkqobl.dll
2007-08-09 18:40 <DIR> d-------- C:\DOCUME~1\Hilary\APPLIC~1\Leadertech
2007-08-08 08:20 237,588 --a------ C:\WINDOWS\SYSTEM32\amlbfhec.dll
2007-08-07 08:20 237,588 --a------ C:\WINDOWS\SYSTEM32\quijdsnk.dll
2007-08-06 21:31 237,588 --a------ C:\WINDOWS\SYSTEM32\vjmyqmcn.dll
2007-08-05 21:31 237,588 --a------ C:\WINDOWS\SYSTEM32\couchsyd.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 18:24 --------- d-------- C:\DOCUME~1\Mylee\APPLIC~1\Skype
2007-08-30 14:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-28 19:14 --------- d-------- C:\Program Files\QuickTime
2007-08-28 19:13 --------- d-------- C:\Program Files\Picasa2
2007-08-28 19:13 --------- d-------- C:\Program Files\iTunes
2007-08-21 17:54 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-21 12:05 --------- d-------- C:\Program Files\shaw
2007-08-13 23:36 --------- d-------- C:\DOCUME~1\Valerie\APPLIC~1\Skype
2007-08-09 18:48 --------- d-------- C:\DOCUME~1\Hilary\APPLIC~1\Sonic
2007-08-08 17:16 --------- d-------- C:\DOCUME~1\Hilary\APPLIC~1\Skype
2007-08-01 00:59 237588 --a------ C:\WINDOWS\system32\pqqyelhq.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-27 14:34 237588 --a------ C:\WINDOWS\system32\lvdaemwx.dll
2007-07-25 21:40 237588 --a------ C:\WINDOWS\system32\qeijthwr.dll
2007-07-25 21:40 237588 --a------ C:\WINDOWS\system32\hkydgqqx.dll
2007-07-19 00:03 124180 --a------ C:\WINDOWS\system32\hoxxlvyn.dll
2007-07-16 09:29 124180 --a------ C:\WINDOWS\system32\yljntmni.dll
2007-07-15 06:50 124180 --a------ C:\WINDOWS\system32\swvgtmen.dll
2007-07-14 00:13 124180 --a------ C:\WINDOWS\system32\afnyytke.dll
2007-07-11 15:39 124180 --a------ C:\WINDOWS\system32\biiqmmlc.dll
2007-07-10 15:21 124180 --a------ C:\WINDOWS\system32\tuhnopwu.dll
2007-07-06 15:04 124180 --a------ C:\WINDOWS\system32\svaqacgi.dll
2007-07-05 21:43 124180 --a------ C:\WINDOWS\system32\ukowvnky.dll
2007-07-05 07:38 124180 --a------ C:\WINDOWS\system32\jxkogenm.dll
2007-07-02 08:35 124180 --a------ C:\WINDOWS\system32\vkveqtge.dll
2007-07-01 12:07 124180 --a------ C:\WINDOWS\system32\beojbtxn.dll
2007-06-30 20:47 124180 --a------ C:\WINDOWS\system32\unrlodib.dll
2007-06-30 17:47 124180 --a------ C:\WINDOWS\system32\mmirkygg.dll
2007-06-28 23:26 124180 --a------ C:\WINDOWS\system32\pidtujub.dll
2007-06-28 05:46 124180 --a------ C:\WINDOWS\system32\wmgdaufy.dll
2007-06-27 05:55 124180 --a------ C:\WINDOWS\system32\cuvnxjcp.dll
2007-06-26 10:13 851968 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 09:35 665600 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-25 13:37 124180 --a------ C:\WINDOWS\system32\hndlfntf.dll
2007-06-23 22:45 124180 --a------ C:\WINDOWS\system32\xbnjxxak.dll
2007-06-22 23:52 124180 --a------ C:\WINDOWS\system32\siwjrfsp.dll
2007-06-22 09:20 124180 --a------ C:\WINDOWS\system32\ldtsoyeq.dll
2007-06-22 09:20 124180 --a------ C:\WINDOWS\system32\ghhbpjeu.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 03:12 96256 --a------ C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 03:12 616960 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 03:12 55808 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 03:12 532480 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 03:12 474112 --a------ C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 03:12 449024 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 03:12 39424 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 03:12 357888 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 03:12 3064320 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 03:12 251904 --a------ C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 03:12 205824 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 03:12 16384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 03:12 151040 --a------ C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 03:12 1498112 --a------ C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 03:12 146432 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 03:12 1054208 --a------ C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 03:12 1022976 --a------ C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 05:32 18432 --a------ C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 23:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 23:44]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-06-04 01:03]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CAMTRAY.EXE" [2004-07-30 12:04]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-01-26 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-02 15:33]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-01 16:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-02-06 13:49]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" []

C:\DOCUME~1\Hilary\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\DOCUME~1\Mylee\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\DOCUME~1\Valerie\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 8.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\AOL 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CompanionWizard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6cw]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Debdxsu]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSafe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSafeFree]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERScw]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inub]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mav_startupmon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]
rundll32.exe "C:\WINDOWS\system32\hoyqcgiq.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAS_Check]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtasks]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDR6_Check]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UERScw]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpsellTool]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wa7pcw]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\was_check]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiVirus Pro 2007]

S0 fsflt;fsflt;C:\WINDOWS\system32\Drivers\fsflt.sys
S2 PMJ151NM;Panasonic DVC Web Camera;C:\WINDOWS\system32\DRIVERS\PMJ151NM.sys
S3 MTDVC;Panasonic DVC USB-SERIAL Driver for NT Technology;C:\WINDOWS\system32\DRIVERS\mtdv2ku1.sys
S3 MTDVC_ENUM;Panasonic DVC COM Driver for NT Technology;C:\WINDOWS\system32\DRIVERS\mtdv2ks1.sys


Contents of the 'Scheduled Tasks' folder
2007-09-04 18:59:00 C:\WINDOWS\Tasks\ ().job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-09-04 18:59:00 C:\WINDOWS\Tasks\ (D48L2051-Mylee).job
2007-09-04 18:58:00 C:\WINDOWS\Tasks\ (D48L2051-Valerie).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-09-04 18:54:00 C:\WINDOWS\Tasks\PCHealth Scheduler for Upload Library.job - C:\WINDOWS\PCHealth\UploadLB\Binaries\UploadM.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 13:59:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-04 14:01:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-04 14:01

--- E O F ---

#6 rookie147

  • Members
  • 5,321 posts
  • Local time:09:00 AM

Posted 04 September 2007 - 04:41 PM

Hello again,
Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the file paths and pressing Control + C:

C:\WINDOWS\SYSTEM32\hoyqcgiq.dll
C:\WINDOWS\SYSTEM32\qgbvhiky.dll
C:\WINDOWS\SYSTEM32\lynotybm.dll
C:\WINDOWS\SYSTEM32\clneupje.dll
C:\WINDOWS\SYSTEM32\mudwsfxw.dll
C:\WINDOWS\SYSTEM32\gyjftpeb.dll
C:\WINDOWS\SYSTEM32\kevveiih.dll
C:\WINDOWS\SYSTEM32\mvlkqobl.dll
C:\WINDOWS\SYSTEM32\amlbfhec.dll
C:\WINDOWS\SYSTEM32\quijdsnk.dll
C:\WINDOWS\SYSTEM32\vjmyqmcn.dll
C:\WINDOWS\SYSTEM32\couchsyd.dll
C:\WINDOWS\system32\pqqyelhq.dll
C:\WINDOWS\system32\lvdaemwx.dll
C:\WINDOWS\system32\qeijthwr.dll
C:\WINDOWS\system32\hkydgqqx.dll
C:\WINDOWS\system32\hoxxlvyn.dll
C:\WINDOWS\system32\yljntmni.dll
C:\WINDOWS\system32\swvgtmen.dll
C:\WINDOWS\system32\afnyytke.dll
C:\WINDOWS\system32\biiqmmlc.dll
C:\WINDOWS\system32\tuhnopwu.dll
C:\WINDOWS\system32\svaqacgi.dll
C:\WINDOWS\system32\ukowvnky.dll
C:\WINDOWS\system32\jxkogenm.dll
C:\WINDOWS\system32\vkveqtge.dll
C:\WINDOWS\system32\beojbtxn.dll
C:\WINDOWS\system32\unrlodib.dll
C:\WINDOWS\system32\mmirkygg.dll
C:\WINDOWS\system32\pidtujub.dll
C:\WINDOWS\system32\wmgdaufy.dll
C:\WINDOWS\system32\cuvnxjcp.dll
C:\WINDOWS\system32\hndlfntf.dll
C:\WINDOWS\system32\xbnjxxak.dll
C:\WINDOWS\system32\siwjrfsp.dll
C:\WINDOWS\system32\ldtsoyeq.dll
C:\WINDOWS\system32\ghhbpjeu.dll
C:\WINDOWS\system32\hoyqcgiq.dll


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu: pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and ask if you would like to reboot now; click "Yes".
Click OK at any Pending File Rename Operations prompts, and let me know if these appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6cw]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Debdxsu]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSafe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSafeFree]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERScw]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inub]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mav_startupmon]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAS_Check]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtasks]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDR6_Check]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UERScw]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpsellTool]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wa7pcw]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\was_check]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiVirus Pro 2007]

Save this as fix.reg. Choose to save as "All Files" and place it on your Desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

In your next reply I would like to see a new Combofix log along with the Vundofix report.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#7 The ELF (Topic Starter)
Posted 05 September 2007 - 10:52 AM

ok

Well, Killbox seems to have done its thing.
Fix.reg did its thing.
VundoFix came back clean, good thing?

Here are the two logs:

ComboFix 07-08-30.3 - "Valerie" 2007-09-04 19:02:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.262 [GMT -5:00]


((((((((((((((((((((((((( Files Created from 2007-08-05 to 2007-09-05 )))))))))))))))))))))))))))))))


2007-09-04 18:54 <DIR> d-------- C:\VundoFix Backups
2007-09-04 18:49 <DIR> d-------- C:\!KillBox
2007-09-04 13:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-31 10:32 <DIR> d-------- C:\DOCUME~1\Hilary\APPLIC~1\SUPERAntiSpyware.com
2007-08-30 18:25 <DIR> d-------- C:\DOCUME~1\Mylee\APPLIC~1\SUPERAntiSpyware.com
2007-08-30 14:48 <DIR> d-------- C:\DOCUME~1\Valerie\APPLIC~1\SUPERAntiSpyware.com
2007-08-29 11:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-29 10:32 <DIR> d-------- C:\WINDOWS\SysbckUp
2007-08-17 16:17 <DIR> d-------- C:\PUC
2007-08-13 17:51 2,560 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys
2007-08-13 17:51 2,432 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-08-13 17:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\IOSUBSYS
2007-08-13 17:50 <DIR> d-------- C:\Program Files\Google
2007-08-09 18:40 <DIR> d-------- C:\DOCUME~1\Hilary\APPLIC~1\Leadertech


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 18:24 --------- d-------- C:\DOCUME~1\Mylee\APPLIC~1\Skype
2007-08-30 14:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-28 19:14 --------- d-------- C:\Program Files\QuickTime
2007-08-28 19:13 --------- d-------- C:\Program Files\Picasa2
2007-08-28 19:13 --------- d-------- C:\Program Files\iTunes
2007-08-21 17:54 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-21 12:05 --------- d-------- C:\Program Files\shaw
2007-08-13 23:36 --------- d-------- C:\DOCUME~1\Valerie\APPLIC~1\Skype
2007-08-09 18:48 --------- d-------- C:\DOCUME~1\Hilary\APPLIC~1\Sonic
2007-08-08 17:16 --------- d-------- C:\DOCUME~1\Hilary\APPLIC~1\Skype
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-06-26 10:13 851968 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 09:35 665600 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 03:12 96256 --a------ C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 03:12 616960 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 03:12 55808 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 03:12 532480 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 03:12 474112 --a------ C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 03:12 449024 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 03:12 39424 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 03:12 357888 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 03:12 3064320 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 03:12 251904 --a------ C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 03:12 205824 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 03:12 16384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 03:12 151040 --a------ C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 03:12 1498112 --a------ C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 03:12 146432 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 03:12 1054208 --a------ C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 03:12 1022976 --a------ C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 05:32 18432 --a------ C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((( snapshot_2007-09-04_140050.50 )))))))))))))))))))))))))))))))))))))))))

----a-w 53,436 2007-09-04 19:01:03 C:\WINDOWS\SYSTEM32\PERFC009.DAT
----a-w 381,692 2007-09-04 19:01:03 C:\WINDOWS\SYSTEM32\PERFH009.DAT

----a-w 53,436 2007-09-04 18:51:36 C:\WINDOWS\SYSTEM32\PERFC009.DAT
----a-w 381,692 2007-09-04 18:51:36 C:\WINDOWS\SYSTEM32\PERFH009.DAT

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 23:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 23:44]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-06-04 01:03]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CAMTRAY.EXE" [2004-07-30 12:04]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-01-26 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-02 15:33]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-01 16:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-02-06 13:49]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" []

C:\DOCUME~1\Hilary\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\DOCUME~1\Mylee\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\DOCUME~1\Valerie\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 8.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\AOL 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CompanionWizard]

S0 fsflt;fsflt;C:\WINDOWS\system32\Drivers\fsflt.sys
S2 PMJ151NM;Panasonic DVC Web Camera;C:\WINDOWS\system32\DRIVERS\PMJ151NM.sys
S3 MTDVC;Panasonic DVC USB-SERIAL Driver for NT Technology;C:\WINDOWS\system32\DRIVERS\mtdv2ku1.sys
S3 MTDVC_ENUM;Panasonic DVC COM Driver for NT Technology;C:\WINDOWS\system32\DRIVERS\mtdv2ks1.sys


Contents of the 'Scheduled Tasks' folder
2007-09-05 00:04:00 C:\WINDOWS\Tasks\ ().job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-09-05 00:04:00 C:\WINDOWS\Tasks\ (D48L2051-Mylee).job
2007-09-05 00:03:00 C:\WINDOWS\Tasks\ (D48L2051-Valerie).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-09-04 23:54:00 C:\WINDOWS\Tasks\PCHealth Scheduler for Upload Library.job - C:\WINDOWS\PCHealth\UploadLB\Binaries\UploadM.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 19:03:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-04 19:04:59
C:\ComboFix ... 2007-09-04 19:04
C:\ComboFix-quarantined-files ...
C:\ComboFix-quarantined-files.txt ... 2007-09-04 19:04

--- E O F ---



VundoFix V6.5.8

Checking Java version...

Scan started at 6:54:19 PM 9/4/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...



Question though: why does ComboFix show that SUPERAntiSpyware and McAfee are there when they have been uninstalled and don't exist?

Thanks for your help

#8 rookie147
Posted 05 September 2007 - 11:30 AM

Hmm, are you sure those folders don't exist anymore? Although the programs have been uninstalled, they often leave some leftovers that can be manually removed.
Aside from this, how do things seem to be running now?

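The "leftovers" rookie147 refers to are visible in the ComboFix log itself: a Run value such as SUPERAntiSpyware is printed with empty square brackets where every other entry has a file timestamp, and one .job file is listed without the " - program" suffix the others carry. The script below is an added example (not from the thread, and not ComboFix's own code) that reads those two sections of a ComboFix log and flags autorun entries whose target appears to be gone. It assumes that ComboFix prints the target file's timestamp in brackets after each Run-key value and leaves the brackets empty when it cannot find the file, and that it prints " - <target>" after a .job file when it can read the task's command; both are read off the log above rather than from ComboFix documentation. The sample input is a constructed subset of the posted log; nothing here touches the registry.

```python
"""Added example (not from the thread, and not ComboFix's own code): scan the
'Reg Loading Points' and 'Scheduled Tasks' sections of a ComboFix log for
autorun entries whose target program appears to be gone, i.e. leftovers of an
uninstalled product. Assumption: ComboFix prints the target file's timestamp in
square brackets after each Run-key value and leaves the brackets empty when it
cannot find the file, and prints ' - <target>' after a .job file when it can
read the task's command. Only text is parsed; the registry is never touched."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines in the shape of the log posted above.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-01 16:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-02-06 13:49]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CompanionWizard]

Contents of the 'Scheduled Tasks' folder
2007-09-05 00:04:00 C:\WINDOWS\Tasks\ ().job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-09-05 00:04:00 C:\WINDOWS\Tasks\ (D48L2051-Mylee).job
2007-09-04 23:54:00 C:\WINDOWS\Tasks\PCHealth Scheduler for Upload Library.job - C:\WINDOWS\PCHealth\UploadLB\Binaries\UploadM.exe
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')
TASK_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.+?\.job)(?: - (.+))?$')
TASKS_HEADER = "Contents of the 'Scheduled Tasks' folder"


@dataclass
class Autorun:
    kind: str              # "run" (Run-key value) or "task" (.job file)
    hive: Optional[str]    # registry key the value lives under, None for tasks
    name: str              # value name, or the .job path
    target: Optional[str]  # program the entry launches, None if not shown
    stamp: Optional[str]   # timestamp ComboFix printed, None if brackets were empty

    @property
    def orphaned(self) -> bool:
        # A Run value with empty brackets points at a file ComboFix could not
        # find; a task with no ' - target' suffix has nothing readable to run.
        return self.stamp is None if self.kind == "run" else self.target is None


def parse_combofix(text: str) -> List[Autorun]:
    entries: List[Autorun] = []
    hive: Optional[str] = None
    in_tasks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == TASKS_HEADER:
            in_tasks = True
            continue
        if in_tasks:
            m = TASK_RE.match(line)
            if m:
                entries.append(Autorun("task", None, m.group(2), m.group(3), m.group(1)))
            continue
        m = KEY_RE.match(line)
        if m:
            hive = m.group(1)
            continue
        m = VALUE_RE.match(line)
        # Only classic Run keys are considered; msconfig's startupreg backups
        # and the Uninstall tree are not autostart locations.
        if m and hive and hive.upper().endswith("\\RUN"):
            stamp = m.group(3).strip() or None
            entries.append(Autorun("run", hive, m.group(1), m.group(2), stamp))
    return entries


def orphaned_entries(text: str) -> List[Autorun]:
    return [e for e in parse_combofix(text) if e.orphaned]


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(f"{e.kind}: {e.name} -> {e.target or '(no target shown)'}")
```

Run against the full log posted above, the flagged entries are the SUPERAntiSpyware Run value and the "(D48L2051-Mylee).job" task; the two mcupdate.exe tasks still carry a target path, so ComboFix's output alone does not say whether that McAfee binary is present, and those have to be checked on disk.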


#9 The ELF (Topic Starter)
Posted 05 September 2007 - 12:02 PM

There are no folders for either one, even showing hidden files.

The machine seems to be running fine.

In checking the registry, Wintools_ESIES is still there; it does not seem to have anything in it, but it still will not let me delete it.

Again, thanks for your help.

#10 rookie147
Posted 05 September 2007 - 04:50 PM

Download Bobbi Flekman's RegSearch.
  • Create a folder for RegSearch on the C:\ drive called C:\RegSearch.
    • You can do this by going to My Computer then double clicking on C:\
    • Then right click and select New | Folder
    • Change the name to RegSearch.
  • Extract all the files from the zip archive into that folder.
  • Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
  • Copy and paste the following line into the Search box:
    • Wintools_ESIES
  • Then hit OK.
  • After completion Notepad will be opened with all the found instances of the string. This file is saved in the folder we created earlier.
I would like to see that log in your reply, please.



#11 The ELF (Topic Starter)
Posted 05 September 2007 - 09:15 PM

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.5.0

; Results at 9/5/2007 6:53:25 PM for strings:
; 'wintools'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinTools_ESIES"

; End Of The Log.

#12 rookie147
Posted 06 September 2007 - 04:36 AM

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES]

Save this as fix.reg. Choose to save as *all files* and place it on your Desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.

Reboot your computer and it should be gone, please let me know if this is the case.
Thanks,
Charles

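Both .reg scripts in this thread and the RegSearch output in post #11 use the same file format, and that is worth checking before double-clicking anything: a "[-Key]" line deletes a key, a "[Key]" line creates or opens it, and "name"=- deletes a value while anything else writes one. The RegSearch log is itself a valid "Windows Registry Editor Version 5.00" file, and its only hit is regedit's own LastKey bookmark (the key regedit reopens on launch), so merging that log would write the WinTools path back rather than remove it. The script below is an added example (not from the thread, RegSearch or regedit) that parses a .reg file and reports what a merge would do, with copies of the two posted scripts as constructed sample input. It assumes no hex(...) values split across continuation lines, which none of the scripts here use; it only reads text and never touches the registry.

```python
"""Added example (not from the thread, RegSearch or regedit): a reader for .reg
scripts that reports what a merge would do before you double-click the file.
It accepts both headers seen in this thread, REGEDIT4 (the fix.reg above) and
'Windows Registry Editor Version 5.00' (what RegSearch writes), and treats
[-Key] as a key deletion, "name"=- as a value deletion and everything else as a
write. Assumption: no hex(...) values split over continuation lines, which none
of the scripts in the thread use. The registry itself is never touched."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Copies of the two scripts posted above, used as constructed sample input.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES]
"""

REGSEARCH_LOG = r"""Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Results at 9/5/2007 6:53:25 PM for strings:
; 'wintools'

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinTools_ESIES"

; End Of The Log.
"""


@dataclass
class KeyOp:
    path: str
    delete: bool                                   # [-Key]: remove the whole key
    values: Dict[str, Optional[str]] = field(default_factory=dict)  # None = "name"=-


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _decode_data(data: str) -> str:
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    return data  # dword:..., hex:... kept verbatim


def parse_reg(text: str) -> List[KeyOp]:
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing or unknown .reg header; regedit will not merge it")
    ops: List[KeyOp] = []
    current: Optional[KeyOp] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = KeyOp(path=m.group(2), delete=(m.group(1) == "-"))
            ops.append(current)
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unrecognised line: {line!r}")
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        current.values[name] = None if m.group(2) == "-" else _decode_data(m.group(2))
    return ops


def summarize(ops: List[KeyOp]) -> Dict[str, int]:
    counts = {"keys_deleted": 0, "keys_written": 0, "values_deleted": 0, "values_written": 0}
    for op in ops:
        counts["keys_deleted" if op.delete else "keys_written"] += 1
        for data in op.values.values():
            counts["values_deleted" if data is None else "values_written"] += 1
    return counts


def is_delete_only(ops: List[KeyOp]) -> bool:
    # A cleanup script should never write anything back.
    return all(op.delete and not op.values for op in ops)


def find_string(ops: List[KeyOp], needle: str) -> List[Tuple[str, str]]:
    # Where a string occurs: in a key path, a value name, or value data.
    n = needle.lower()
    hits: List[Tuple[str, str]] = []
    for op in ops:
        if n in op.path.lower():
            hits.append(("key", op.path))
        for name, data in op.values.items():
            if n in name.lower():
                hits.append(("value-name", op.path + "\\" + name))
            if data is not None and n in data.lower():
                hits.append(("data", op.path + "\\" + name))
    return hits


if __name__ == "__main__":
    for label, text in (("fix.reg", FIX_REG), ("RegSearch output", REGSEARCH_LOG)):
        ops = parse_reg(text)
        print(label, summarize(ops), "delete-only" if is_delete_only(ops) else "WRITES")
        print("  wintools found in:", find_string(ops, "wintools"))
```

One caveat the parser cannot tell you: merging "[-Key]" calls the same delete that regedit's Delete menu item does, with the same rights, so a key that reports "Error while opening key" in regedit will fail the merge for the same reason. Before retrying the script, open the key's Permissions dialog (Edit menu in the XP regedit) and confirm the account has access; a key whose permissions deny the administrator is a common reason a .reg cleanup appears to do nothing.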


#13 The ELF (Topic Starter)
Posted 06 September 2007 - 12:19 PM

I hate to say it's still there.

Would it be fair to say that if nothing is in there, there is nothing to worry about?

Thanks

#14 rookie147
Posted 06 September 2007 - 03:05 PM

You are correct that it is only a leftover, but I would still like to remove it.
Please try running the reg script in Safe Mode for me.



#15 The ELF (Topic Starter)
Posted 07 September 2007 - 05:55 PM

After going into Safe Mode and running the fix.reg, in the registry I now have:

Under
My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey=My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES

and also under
My Computer\HKEY_USERS\S-1-5-21-1754244709-2636666984-1291362831-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

the same thing,

and I still have the other.



