CCleaner Trojans

Hello all,

Whenever I log off from the internet, I use CCleaner to remove any Temp Internet Files, cookies, etc. Over the past couple of weeks, when I run it, Avast finds a trace of a Trojan when the cleaning is taking place. So far I have in the Chest:
Win32:Agent GYJ[Trj]
Win32:Agent GKD[Trj] (twice)
Win32:Agent GWO[Trj]
Win32:Agent GHL[Trj]
Win32:Nilage-FP[Trj]

I’ve sent them all to Avast from the Chest with an explanation.

I’ve run numerous boot-time scans and normal scans which find nothing, and none of my other anti-malware stuff finds anything.

Is anyone else experiencing this? I’m not visiting any iffy sites (honestly!! ;D). One appeared after being on eBay, here and the Dell Forum.

Does avast mention the name and the path of the infected file?
Did you disable the System Restore before running avast at boot time?

Hi Tech,

This is what I’ve got in the log viewer:

27/04/2007 21:55:41 GE 3024 Sign of “Win32:Agent-GKD [Trj]” has been found in “C:\WINDOWS\WindowsUpdate.log” file.
28/04/2007 00:31:12 GE 1372 Sign of “Win32:Agent-GKD [Trj]” has been found in “C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\WPSHGFSL\JJJJJJJJJJJJJJJJJJJJJJ.JJ” file.
07/05/2007 00:25:26 GE 1484 Sign of “Win32:Agent-GKD [Trj]” has been found in “C:\WINDOWS\Internet Logs\VVVVVVVVV.VV.VV.VVV” file.
09/05/2007 11:17:35 GE 1488 Sign of “Win32:Agent-GHL [Trj]” has been found in “C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\86CTQTEM\YYYYYYYYYYYY.YYY” file.
14/05/2007 14:37:05 GE 1512 Sign of “Win32:Agent-GYJ [Trj]” has been found in “C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat” file.
15/05/2007 12:07:32 GE 1384 Sign of “Win32:Nilage-FP [Trj]” has been found in “C:\WINDOWS\TEMP\{19EC4B5E-F950-4F72-ADB6-DEFB2148866C}\{EFB7D050-CAD2-11D4-B34D-00105A1C23DD}\XXXXXXXX.XXX” file.
15/05/2007 20:28:29 GE 1412 Sign of “Win32:Agent-GWO [Trj]” has been found in “C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NTNMGHTF\LoJack%20ReRevised_400k[1].flv” file.
16/05/2007 03:14:09 GE 1412 Sign of “Win32:Agent-GWO [Trj]” has been found in “C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\9RLOOSBW\IIIIIIII.III” file.
16/05/2007 03:14:26 GE 1412 Sign of “Win32:Agent-GVO [Trj]” has been found in “C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\HNJH4TJO\IIIIIIIIIIII.III” file.

I didn’t disable System Restore before doing the boot scan. Since it didn’t find anything, would disabling it have made any difference? I’ll try it anyway, as my logic has let me down too many times before!!
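The log-viewer lines above are exactly what the helper asked for (detection name plus path). As an added example that is not part of the thread and not avast’s code, here is a small Python parser for that line format: it buckets each hit by where the file lives (browser cache, a temp directory, a plain log file) and reports the first sighting of each signature. The function names and the sample lines are mine; the sample is constructed in the posted format, with the placeholder file names kept as they appear in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the avast! 4 log-viewer format quoted in the thread
# (the J/X/D placeholder file names appear that way in the post).
SAMPLE_LOG = r"""
27/04/2007 21:55:41 GE 3024 Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\WindowsUpdate.log" file.
28/04/2007 00:31:12 GE 1372 Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\WPSHGFSL\JJJJJJJJJJJJJJJJJJJJJJ.JJ" file.
15/05/2007 12:07:32 GE 1384 Sign of "Win32:Nilage-FP [Trj]" has been found in "C:\WINDOWS\TEMP\{19EC4B5E-F950-4F72-ADB6-DEFB2148866C}\XXXXXXXX.XXX" file.
16/05/2007 19:24:32 SYSTEM 1428 Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\WINDOWS\TEMP\DDDDDDD.DDD" file.
"""

# date time user pid Sign of "<signature>" has been found in "<path>" file.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) '
    r'(?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)


@dataclass
class Detection:
    when: datetime
    user: str
    pid: int
    signature: str
    path: str


def parse_avast_log(text: str) -> list[Detection]:
    """Parse log-viewer lines; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        out.append(Detection(
            when=datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"),  # day/month/year, as logged
            user=m["user"],
            pid=int(m["pid"]),
            signature=m["sig"],
            path=m["path"],
        ))
    return out


def classify_location(path: str) -> str:
    """Bucket a hit by where the file lives. A hit in the browser cache or a temp
    directory means a file was downloaded or unpacked there, not that it ran."""
    p = path.lower()
    if "temporary internet files" in p:
        return "browser-cache"
    if "\\temp\\" in p:
        return "temp"
    if p.endswith(".log"):
        return "log"
    return "other"


def location_counts(entries: list[Detection]) -> dict[str, int]:
    """How many hits fell into each location bucket."""
    return dict(Counter(classify_location(e.path) for e in entries))


def first_seen(entries: list[Detection]) -> dict[str, datetime]:
    """Earliest timestamp per signature: the 'when did this start' the helper asks for."""
    seen: dict[str, datetime] = {}
    for e in sorted(entries, key=lambda e: e.when):
        seen.setdefault(e.signature, e.when)
    return seen


if __name__ == "__main__":
    entries = parse_avast_log(SAMPLE_LOG)
    for e in entries:
        print(e.when.isoformat(), classify_location(e.path), e.signature, e.path)
    print(location_counts(entries))
    for sig, ts in first_seen(entries).items():
        print(f"{sig}: first seen {ts:%Y-%m-%d %H:%M}")
```

Run on the four sample lines it shows one hit in a log file, one in the IE cache and two under a TEMP directory, with Win32:Agent-GKD first seen on 27 April; that is the picture a helper wants before deciding whether anything beyond cache cleanup is needed.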

No. Disabling is a way to avoid reinfection by replication of the virus. If you don’t have any, don’t worry.

Can you submit the files to virus@avast.com and include a link to this thread in the email body? Thanks.

I did it anyway and it found nothing again.

I’ve sent them all off, linking to this thread, as you said. One of them (#7 in the list) was a biggy (3588096KB).

Just wait and see, I guess. Thanks Tech.

You can use Alwil FTP server as a second way to transfer only big files. Upload them to ftp://ftp.avast.com/incoming (please, note that you won’t have READ access to the ftp server, just write - so you won’t even be able to see what you’ve just uploaded).
Hope they monitor the ftp server and see this thread…

The big one was sent from the chest after I increased the ‘file size to be sent’ thingy.

Better… 8)

Just found another one. That’s after being on here and nowhere else.

16/05/2007 19:24:32 SYSTEM 1428 Sign of “Win32:Agent-GWO [Trj]” has been found in “C:\WINDOWS\TEMP\DDDDDDD.DDD” file.

I’ve sent it off again.

Wow, you have a lot of viruses…where you browse. ;D :P

Oh well that’s really great! I’m infested with traces of Trojans and I’m a pervert!! ;D

Do you have any idea when this started (the malware, not the pervert thing)? Let’s try this:

1. Download Deckard’s System Scanner (DSS) to your Desktop.
2. Close all applications and windows.
3. Double-click on DSS.exe to run it, and follow the prompts.
4. The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow Deckard’s System Scanner to run and don’t let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder into your next reply.

What other programs have you tried?

It started on 27th April (see log viewer in earlier post).

It’ll be in the log below I guess, but I use Zone Alarm free, Avast, Counterspy (real-time protection and scanner), Adaware SE (real-time and scanner), WinPatrol, SpywareBlaster, SuperAntispyware (scanner only), Spyware Terminator (real-time and scanner), Spybot (scanner only), AVG antispyware (scanner only). Nothing has been found doing scans with any of them, including Avast.

Here is the main.txt:

Deckard’s System Scanner v20070426.43
Run by GE on 2007-05-17 at 03:10:24
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable…success.

-- Last 1 Restore Point(s) --
1: 2007-05-17 02:10:35 UTC - RP1 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-05-17 03:12:13
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.0.5730.11)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Documents and Settings\GE\My Documents\My Utilities\Deckards System Scanner\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AWMON] “C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe”
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TClockEx] C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE
O4 - Startup: Blaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra ‘Tools’ menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - “C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”
O23 - Service: avast! Antivirus - ALWIL Software - “C:\Program Files\Alwil Software\Avast4\ashServ.exe”
O23 - Service: avast! Mail Scanner - ALWIL Software - “C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service
O23 - Service: avast! Web Scanner - ALWIL Software - “C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: iPod Service - Apple Inc. - “C:\Program Files\iPod\bin\iPodService.exe”
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - “C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe”
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

2nd bit (too many characters for one post):
-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AVG Anti-Spyware Driver - c:\program files\grisoft\avg anti-spyware 7.5\guard.sys
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 sp_rsdrv2 (Spyware Terminator Driver 2) - c:\windows\system32\drivers\sp_rsdrv2.sys
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>
R3 ElbyCDFL - c:\windows\system32\drivers\elbycdfl.sys <Not Verified; SlySoft, Inc.; CloneCD>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>

S3 ati2mtaa - c:\windows\system32\drivers\ati2mtaa.sys <Not Verified; ATI Technologies Inc.; ATI Rage 128 Family>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - c:\program files\spyware terminator\sp_rsser.exe <Not Verified; Crawler.com; Crawler Spyware Terminator>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe

-- Files created between 2007-04-17 and 2007-05-17 -----------------------------

2007-05-17 00:40:06 0 d-------- C:\Documents and Settings\All Users\Application Data\The Learning Company
2007-05-17 00:39:22 0 d-------- C:\Program Files\The Learning Company
2007-05-17 00:35:20 0 dr-h----- C:\Documents and Settings\GE\Recent
2007-05-16 19:16:02 0 d-------- C:\Program Files\Registrar Lite
2007-05-15 12:14:56 0 d-------- C:\NVIDIA
2007-05-08 01:42:38 0 d-------- C:\Documents and Settings\GE\Application Data\Spyware Terminator
2007-05-08 01:42:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-05-08 01:42:31 0 d-------- C:\Program Files\Spyware Terminator
2007-05-08 01:39:37 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-05-08 01:39:25 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-05-08 01:38:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-08 01:17:42 0 d-------- C:\WINDOWS\system32\appmgmt
2007-05-03 15:18:45 0 d-------- C:\Documents and Settings\GE\Application Data\ATI
2007-05-03 14:30:55 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-05-02 22:19:54 0 d-------- C:\Program Files\Karen’s Computer Profiler
2007-05-02 11:11:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2007-05-02 11:09:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-05-02 11:09:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol
2007-05-02 11:08:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-02 11:07:53 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-02 11:07:53 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-02 11:07:53 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-02 11:07:53 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-05-02 11:07:53 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-02 11:07:53 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-02 11:07:53 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-05-02 11:07:53 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-02 11:07:53 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-05-02 11:07:53 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-02 11:07:53 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-02 11:07:53 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-02 11:07:53 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-02 10:27:56 0 d-------- C:\WINDOWS\system32\URTTemp
2007-04-24 00:09:33 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-04-24 00:03:53 0 d-------- C:\WINDOWS\nview
2007-04-23 12:52:05 0 d-------- C:\WINDOWS\Sun
2007-04-23 12:52:05 0 d-------- C:\Documents and Settings\GE\Application Data\Sun
2007-04-23 12:50:39 0 d-------- C:\Documents and Settings\GE\Application Data\AdobeUM
2007-04-23 00:11:24 0 d-------- C:\Documents and Settings\GE\Application Data\OfficeUpdate12
2007-04-23 00:10:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-04-22 14:40:51 0 d-------- C:\Documents and Settings\LocalService\Application Data\Spyware Terminator
2007-04-22 14:16:57 0 d-------- C:\Documents and Settings\GE\Application Data\SUPERAntiSpyware.com
2007-04-22 14:13:15 0 d-------- C:\Documents and Settings\LocalService\Desktop
2007-04-22 14:13:15 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-04-22 14:12:48 0 d-------- C:\Program Files\SiteAdvisor
2007-04-22 14:12:40 0 d-------- C:\Documents and Settings\GE\Application Data\SiteAdvisor
2007-04-22 14:12:40 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-04-22 14:12:40 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-04-22 14:00:55 0 d-------- C:\Program Files\Common Files\xing shared
2007-04-22 13:59:57 0 d-------- C:\Program Files\Common Files\Real
2007-04-22 13:59:55 0 d-------- C:\Program Files\Real
2007-04-22 13:59:37 0 d-------- C:\Documents and Settings\GE\Application Data\Real
2007-04-22 13:56:44 0 d-------- C:\My Downloads
2007-04-22 12:17:07 0 d-------- C:\Documents and Settings\GE\Application Data\Apple Computer
2007-04-22 12:16:38 0 d-------- C:\Program Files\iPod
2007-04-22 12:16:33 0 d-------- C:\Program Files\iTunes
2007-04-22 12:15:15 0 d-------- C:\Program Files\QuickTime
2007-04-22 12:14:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-04-22 12:13:37 0 d-------- C:\Documents and Settings\GE\Application Data\Roxio
2007-04-22 12:09:04 0 d-------- C:\Program Files\Common Files\Napster Shared
2007-04-22 12:08:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Napster
2007-04-22 12:08:14 0 d-------- C:\Program Files\Napster
2007-04-22 03:27:15 0 d-------- C:\Documents and Settings\GE\Application Data\Macromedia
2007-04-22 02:17:56 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-04-22 00:42:33 0 d-------- C:\WINDOWS\system32\PreInstall
2007-04-22 00:42:30 0 d--h----- C:\WINDOWS\$hf_mig$
2007-04-22 00:38:12 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-22 00:37:17 0 d--hs---- C:\Documents and Settings\GE\UserData
2007-04-22 00:24:13 0 d-------- C:\Documents and Settings\GE\Application Data\Lavasoft
2007-04-22 00:23:47 0 d-------- C:\Program Files\Lavasoft
2007-04-22 00:23:01 0 d-------- C:\Documents and Settings\GE\Application Data\WinPatrol
2007-04-22 00:22:55 0 d-------- C:\Program Files\BillP Studios
2007-04-22 00:22:41 0 d-------- C:\WINDOWS\Downloaded Installations
2007-04-22 00:20:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-04-22 00:20:10 0 d-------- C:\Program Files\Sunbelt Software
2007-04-22 00:14:47 0 d-------- C:\Program Files\Alwil Software
2007-04-22 00:09:56 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-04-22 00:09:12 0 d-------- C:\WINDOWS\Internet Logs
2007-04-21 23:59:19 0 d-------- C:\Program Files\SAGEM

3rd bit:

2007-04-21 23:59:19 0 d-------- C:\Program Files\SAGEM
2007-04-21 23:58:36 0 d-------- C:\Program Files\Tiscali Broadband
2007-04-21 23:38:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-04-21 23:36:38 0 d-------- C:\Program Files\SpywareBlaster
2007-04-21 23:34:59 0 d-------- C:\Documents and Settings\GE\Application Data\Google
2007-04-21 23:34:32 0 d-------- C:\Program Files\Google
2007-04-21 23:30:36 0 d-------- C:\Program Files\CCleaner
2007-04-21 23:29:19 0 d-------- C:\Program Files\PrivacyEraser Computing
2007-04-21 23:28:16 0 d-------- C:\Program Files\Java
2007-04-21 23:28:14 0 d-------- C:\Program Files\Common Files\Java
2007-04-21 23:27:03 0 d-------- C:\Documents and Settings\GE\Application Data\Adobe
2007-04-21 23:26:41 0 d-------- C:\Program Files\Common Files\Adobe
2007-04-21 23:26:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-04-21 23:22:51 0 d-------- C:\Program Files\Veoh Networks
2007-04-21 20:45:30 0 d-------- C:\Program Files\Elaborate Bytes
2007-04-21 20:43:12 0 d-------- C:\Program Files\SlySoft
2007-04-21 20:41:03 0 d-------- C:\Program Files\Windows Media Connect 2
2007-04-21 20:39:53 0 d-------- C:\WINDOWS\system32\LogFiles
2007-04-21 20:39:53 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-21 20:39:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-04-21 20:38:36 0 d-------- C:\Program Files\Atomic Clock Sync
2007-04-21 20:38:01 0 d-------- C:\Program Files\IrfanView
2007-04-21 20:10:29 0 d-------- C:\Program Files\hp deskjet 3320 series
2007-04-21 20:09:06 0 d-------- C:\Program Files\Hewlett-Packard
2007-04-21 20:02:59 0 d-------- C:\Documents and Settings\GE\Application Data\Ahead
2007-04-21 20:01:37 0 d-------- C:\Program Files\Nero
2007-04-21 20:01:37 0 d-------- C:\Program Files\Common Files\Ahead
2007-04-21 10:20:00 0 d-------- C:\Documents and Settings\GE\Application Data\CyberLink
2007-04-21 10:19:24 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-04-21 10:19:20 0 d-------- C:\Program Files\CyberLink
2007-04-21 10:13:13 0 d-------- C:\Program Files\Jasc Software Inc
2007-04-21 10:05:06 0 d-------- C:\Program Files\Common Files\L&H
2007-04-21 10:04:56 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-04-21 10:04:47 0 d-------- C:\WINDOWS\SHELLNEW
2007-04-21 10:04:28 0 d-------- C:\Program Files\Microsoft Works
2007-04-21 10:03:18 0 dr-h----- C:\MSOCache
2007-04-21 10:02:50 0 d-------- C:\IUware Online
2007-04-21 09:56:30 0 d-------- C:\WINDOWS\system32\Defaults
2007-04-21 09:56:09 0 d-------- C:\WINDOWS\system32\Data
2007-04-21 09:54:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-21 09:54:12 0 d-------- C:\Program Files\Creative
2007-04-21 09:54:09 0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-21 08:56:58 0 d-------- C:\Documents and Settings\GE\Application Data\Identities
2007-04-21 08:56:49 0 d--h----- C:\Documents and Settings\GE\Templates
2007-04-21 08:56:49 0 dr------- C:\Documents and Settings\GE\Start Menu
2007-04-21 08:56:49 0 dr-h----- C:\Documents and Settings\GE\SendTo
2007-04-21 08:56:49 0 d--h----- C:\Documents and Settings\GE\PrintHood
2007-04-21 08:56:49 0 d--h----- C:\Documents and Settings\GE\NetHood
2007-04-21 08:56:49 0 dr------- C:\Documents and Settings\GE\My Documents
2007-04-21 08:56:49 0 d--h----- C:\Documents and Settings\GE\Local Settings
2007-04-21 08:56:49 0 dr------- C:\Documents and Settings\GE\Favorites
2007-04-21 08:56:49 0 d-------- C:\Documents and Settings\GE\Desktop
2007-04-21 08:56:49 0 d--hs---- C:\Documents and Settings\GE\Cookies
2007-04-21 08:56:49 0 dr-h----- C:\Documents and Settings\GE\Application Data
2007-04-21 08:51:40 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-04-21 08:51:38 0 d---s---- C:\WINDOWS\system32\Microsoft
2007-04-21 08:51:38 0 d-------- C:\WINDOWS\Prefetch
2007-04-21 08:51:37 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-04-21 08:51:37 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2007-04-21 08:51:37 0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-04-21 08:51:37 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-04-21 08:50:47 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-04-21 08:50:47 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2007-04-21 08:50:47 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-04-21 08:50:47 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-04-21 08:46:58 0 d-------- C:\WINDOWS\system32\xircom
2007-04-21 08:46:58 0 d-------- C:\Program Files\microsoft frontpage
2007-04-21 08:46:37 0 d-------- C:\DELL
2007-04-21 08:44:58 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-04-21 08:44:44 0 dr------- C:\WINDOWS\Offline Web Pages
2007-04-21 08:44:44 0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-04-21 08:44:29 0 d--h----- C:\Program Files\WindowsUpdate
2007-04-21 08:44:06 0 d-------- C:\WINDOWS\system32\DirectX
2007-04-21 08:43:33 0 d---s---- C:\WINDOWS\Tasks
2007-04-21 08:43:32 0 d-------- C:\Program Files\Common Files\MSSoap
2007-04-21 08:43:29 0 d-------- C:\WINDOWS\srchasst
2007-04-21 08:43:28 0 d-------- C:\WINDOWS\system32\Macromed
2007-04-21 08:43:21 0 d-------- C:\Program Files\Movie Maker
2007-04-21 08:43:13 0 d-------- C:\WINDOWS\system32\Restore
2007-04-21 08:42:00 0 d-------- C:\WINDOWS\Registration
2007-04-21 08:41:52 0 d-------- C:\Program Files\Online Services
2007-04-21 08:41:42 0 d-------- C:\Program Files\Messenger
2007-04-21 08:41:39 0 d-------- C:\Program Files\MSN Gaming Zone
2007-04-21 08:41:01 0 d-------- C:\Program Files\Windows NT
2007-04-21 08:40:58 0 d-------- C:\WINDOWS\system32\MsDtc
2007-04-21 08:40:57 0 d-------- C:\WINDOWS\system32\Com
2007-04-21 03:13:48 0 d--hs---- C:\WINDOWS\Installer
2007-04-21 03:13:47 0 d-------- C:\Program Files\Common Files\ODBC
2007-04-21 03:13:44 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-04-21 03:13:43 0 dr------- C:\Program Files
2007-04-21 03:13:15 0 d--h----- C:\Documents and Settings\Default User\Templates
2007-04-21 03:13:15 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-04-21 03:13:15 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-04-21 03:13:15 0 d--h----- C:\Documents and Settings\Default User\Recent
2007-04-21 03:13:15 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-04-21 03:13:15 0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-04-21 03:13:15 0 d-------- C:\Documents and Settings\Default User\My Documents
2007-04-21 03:13:15 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-04-21 03:13:15 0 d-------- C:\Documents and Settings\Default User\Favorites
2007-04-21 03:13:15 0 d-------- C:\Documents and Settings\Default User\Desktop
2007-04-21 03:13:15 0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-04-21 03:13:15 0 d--h----- C:\Documents and Settings\All Users\Templates
2007-04-21 03:13:15 0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-04-21 03:13:15 0 d-------- C:\Documents and Settings\All Users\Favorites
2007-04-21 03:13:15 0 dr------- C:\Documents and Settings\All Users\Documents
2007-04-21 03:13:15 0 d-------- C:\Documents and Settings\All Users\Desktop
2007-04-21 03:13:00 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-04-21 03:13:00 0 d-------- C:\WINDOWS\system32\CatRoot
2007-04-21 03:12:55 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-04-21 03:12:55 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-04-21 03:12:54 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-04-21 03:12:54 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft

Hopefully last bit!

2007-04-21 03:12:54 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-04-21 03:12:34 0 d-------- C:\Documents and Settings
2007-04-21 03:12:33 0 d--hs---- C:\System Volume Information
2007-04-21 03:04:32 0 d-------- C:\WINDOWS
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\WinSxS
2007-04-21 03:04:32 0 dr------- C:\WINDOWS\Web
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\twain_32
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\wins
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\wbem
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\usmt
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\spool
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\ShellExt
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\Setup
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\ras
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\oobe
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\npp
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\mui
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\inetsrv
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\IME
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\icsxml
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\ias
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\export
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\drivers
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\drivers\etc
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-04-21 03:04:32 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\dhcp
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\config
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\3com_dmi
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\3076
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\2052
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\1054
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\1042
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\1041
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\1037
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\1033
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\1031
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\1028
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system32\1025
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\system
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\security
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\Resources
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\repair
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\Provisioning
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\PeerNet
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\pchealth
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\mui
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\msapps
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\msagent
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\Media
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\java
2007-04-21 03:04:32 0 d--h----- C:\WINDOWS\inf
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\ime
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\Help
2007-04-21 03:04:32 0 dr--s---- C:\WINDOWS\Fonts
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\ehome
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\Driver Cache
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\dell
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\Debug
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\Cursors
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\Connection Wizard
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\Config
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\AppPatch
2007-04-21 03:04:32 0 d-------- C:\WINDOWS\addins

-- Find3M Report ---------------------------------------------------------------

2007-04-21 20:44:10 40 ---hs---- C:\Documents and Settings\GE\Application Data\.zreglib
2007-04-21 03:13:15 62 --ahs---- C:\Documents and Settings\GE\Application Data\desktop.ini

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{089FD14D-132B-48FC-8861-0048AE113215} C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"adiras"="adiras.exe"
"ZoneAlarm Client"=""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe""
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe"
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
"AWMON"=""C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe""
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
"nwiz"="nwiz.exe /install"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"TClockEx"="C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=hex:00,00,00,00
"NoSaveSettings"=hex:00,00,00,00
"ClearRecentDocsOnExit"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CloneCDTray"=""C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s"
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe"
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
"RemoteControl"=""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe""
"SunJavaUpdateSched"=""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe""
"UpdReg"="C:\WINDOWS\UpdReg.EXE"
"iTunesHelper"=""C:\Program Files\iTunes\iTunesHelper.exe""
"QuickTime Task"=""C:\Program Files\QuickTime\qttask.exe" -atboottime"
"TkBellExe"=""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

newlycreated - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SBAPIFS

-- End of Deckard's System Scanner: finished at 2007-05-17 at 03:15:14 ---------
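The Run keys in the DSS registry dump above are the part of that log a reviewer reads line by line. The script below is an added example, not part of this thread and not DSS or avast code: it parses the `[...\run]` sections in the format the dump uses (with the forum's curly quotes assumed to be plain ASCII quotes) and flags the two kinds of entry worth verifying first: commands with no directory in them, such as `"adiras"="adiras.exe"`, which Windows resolves through its executable search order rather than from one known file, and commands that run from a user profile directory. The `run-` keys hold disabled entries and are skipped. The sample input is constructed from the lines above; a flag means "confirm which file this is", not "this is malicious".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the active Run-key sections from the DSS dump above,
# curly quotes replaced by ASCII quotes as DSS itself writes them.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"adiras"="adiras.exe"
"ZoneAlarm Client"=""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe""
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"TClockEx"="C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<value>.*)$')
# First program-like token of the command; non-greedy so "rundll32.exe ..." stops at the host.
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|com|scr|bat|cmd))(?=[\s,]|$)", re.IGNORECASE)
DLL_RE = re.compile(r"^\s*(?P<dll>.+?\.dll)(?=[\s,]|$)", re.IGNORECASE)

# XP-era profile root (assumption for this sample); anything under it is user-writable.
USER_PROFILE_ROOTS = ("c:\\documents and settings\\",)


@dataclass
class AutorunEntry:
    key: str
    name: str
    command: str
    target: str            # the file that actually executes (DLL for rundll32 entries)
    flags: list = field(default_factory=list)


def extract_target(command):
    """Return the file a Run-key command really executes."""
    m = EXE_RE.match(command)
    if not m:
        return command     # nothing recognisable; keep the whole string so it still gets reviewed
    exe = m.group("exe")
    rest = command[m.end():]
    # rundll32 is only a host: the DLL it is handed is what runs, so review that instead.
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        d = DLL_RE.match(rest)
        if d:
            return d.group("dll").strip()
    return exe


def classify(target):
    """Flags a reviewer would want on an autorun target (a flag is a prompt to verify, not a verdict)."""
    flags = []
    low = target.lower()
    if "\\" not in low:
        # No directory: resolved by the loader's search order, so the name alone
        # does not pin down which file on disk will run.
        flags.append("unqualified-path")
    elif low.startswith(USER_PROFILE_ROOTS):
        flags.append("user-profile-dir")
    return flags


def parse_run_keys(dump):
    """Parse DSS-style registry dump text and return the entries of active Run keys."""
    entries = []
    key = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        # Only "...\run" sections; "...\run-" sections hold disabled entries and are skipped.
        if m and key and key.lower().endswith("\\run"):
            command = m.group("value").strip().strip('"')
            target = extract_target(command)
            entries.append(AutorunEntry(key, m.group("name"), command, target, classify(target)))
    return entries


if __name__ == "__main__":
    for e in parse_run_keys(SAMPLE_DUMP):
        mark = "CHECK" if e.flags else "  ok "
        print(f"{mark} {e.name:16} -> {e.target} {' '.join(e.flags)}")
```

Run against the sample, `adiras` and `nwiz` come out as `unqualified-path` and `TClockEx` as `user-profile-dir`; the rundll32 entry resolves to `C:\WINDOWS\system32\NvCpl.dll`. The next step for a flagged entry is the one the helper already asks for: locate the file that is actually on disk and submit it for scanning.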

See if you can locate these files:

C:\WINDOWS\system32\appmgmt.dll

C:\WINDOWS\srchasst.exe

If found, upload them to VirusTotal and post the analyses:

http://www.virustotal.com/en/indexf.html

I can’t report complete success, I’m afraid.

I don’t seem to have C:\WINDOWS\System32\appmgmt.dll. In System32 there is a folder named appmgmt. It contains folders called MACHINE and S-1-5-21-11… Both are empty, so couldn’t be submitted, obviously.
I did find appmgmts.dll and appmgr.dll, both of which scanned as virus free.

I don’t have C:\WINDOWS\srchasst.exe. There is a folder called srchasst. It contains subfolders called ‘char’ and ‘mui’. It also contains msgr3en.dll, nls302en.lex, srchtls.dll and srchui.dll, all of which scanned virus free. I thought I’d scan them anyway even though I didn’t think it was what you were after.

I haven’t posted the analyses since they all came back with no virus detected. Sorry if I haven’t been able to do exactly what you asked for.

Interesting that they’re using Avast 4.7.997.

As a slight side issue, I noticed when I was looking around, that some of the folders are a paler yellow colour than the others. Is this normal? Perhaps it’s always been like that and I’ve never noticed. :-[ Sorry, I know this isn’t a general information forum!

Other than those two possibilities, DSS didn’t really shed any light on this, but there is another scan I would like you to run.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply, but this time rename hijackthis.exe to hijackthat.exe before running it.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

I’m not sure about that. Being colour blind, if I’ve ever seen that on a computer I probably wouldn’t be able to discern the difference.