Author Topic: CCleaner Trojans  (Read 139800 times)


Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #15 on: May 17, 2007, 04:52:16 AM »
Hopefully last bit!

2007-04-21 03:12:54         0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-04-21 03:12:34         0 d-------- C:\Documents and Settings
2007-04-21 03:12:33         0 d--hs---- C:\System Volume Information
2007-04-21 03:04:32         0 d-------- C:\WINDOWS
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\WinSxS
2007-04-21 03:04:32         0 dr------- C:\WINDOWS\Web
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\twain_32
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\wins
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\wbem
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\usmt
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\spool
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\ShellExt
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\Setup
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\ras
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\oobe
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\npp
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\mui
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\inetsrv
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\IME
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\icsxml
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\ias
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\export
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\drivers
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\drivers\etc
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-04-21 03:04:32         0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\dhcp
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\config
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\3com_dmi
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\3076
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\2052
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1054
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1042
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1041
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1037
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1033
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1031
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1028
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1025
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\security
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Resources
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\repair
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Provisioning
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\PeerNet
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\pchealth
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\mui
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\msapps
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\msagent
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Media
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\java
2007-04-21 03:04:32         0 d--h----- C:\WINDOWS\inf
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\ime
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Help
2007-04-21 03:04:32         0 dr--s---- C:\WINDOWS\Fonts
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\ehome
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Driver Cache
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\dell
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Debug
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Cursors
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Connection Wizard
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Config
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\AppPatch
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2007-04-21 20:44:10        40 ---hs---- C:\Documents and Settings\GE\Application Data\.zreglib
2007-04-21 03:13:15        62 --ahs---- C:\Documents and Settings\GE\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}   C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{089FD14D-132B-48FC-8861-0048AE113215}   C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}   C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"adiras"="adiras.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SBCSTray"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\SBCSTray.exe"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"AWMON"="\"C:\\PROGRA~1\\Lavasoft\\AD-AWA~1\\Ad-Watch.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"nwiz"="nwiz.exe /install"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TClockEx"="C:\\Documents and Settings\\GE\\My Documents\\Unzipped\\tclockex\\TCLOCKEX.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=hex:00,00,00,00
"NoSaveSettings"=hex:00,00,00,00
"ClearRecentDocsOnExit"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
   Authentication Packages   REG_MULTI_SZ      msv1_0\0\0
   Security Packages   REG_MULTI_SZ      kerberos\0msv1_0\0schannel\0wdigest\0\0
   Notification Packages   REG_MULTI_SZ      scecli\0\0


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
 
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter   REG_MULTI_SZ      HTTPFilter\0\0
LocalService   REG_MULTI_SZ      Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService   REG_MULTI_SZ      DnsCache\0\0
DcomLaunch   REG_MULTI_SZ      DcomLaunch\0TermService\0\0
rpcss   REG_MULTI_SZ      RpcSs\0\0
imgsvc   REG_MULTI_SZ      StiSvc\0\0
termsvcs   REG_MULTI_SZ      TermService\0\0
WudfServiceGroup   REG_MULTI_SZ      WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SBAPIFS


-- End of Deckard's System Scanner: finished at 2007-05-17 at 03:15:14 ---------


Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: CCleaner Trojans
« Reply #16 on: May 17, 2007, 06:02:00 AM »
See if you locate these files

C:\WINDOWS\system32\appmgmt.dll

C:\WINDOWS\srchasst.exe

If found, upload them to Virus Total and post the analyses

http://www.virustotal.com/en/indexf.html
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

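The step mauserme describes (find the two files, submit them for analysis) is worth doing with hashes in hand: VirusTotal can be searched by MD5, SHA-1 or SHA-256, so a file whose hash is already known never needs to be uploaded, and the hash gives the thread something unambiguous to refer to. The script below is an added example, not a tool from this thread or from Deckard's System Scanner; the two paths are the ones named in the post above, and the temp-directory stand-in file is constructed so the script runs offline on any OS.

```python
"""Added example, not a tool from this thread: check whether the files a helper
asked about exist, and hash the ones that do so the hashes can be searched on
VirusTotal before anything is uploaded. The two paths are the ones named in the
post above; everything else here is illustrative."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

# The files mauserme asked about. On a non-Windows machine they cannot exist,
# which is also the "not found" outcome the poster reported.
SUSPECT_PATHS: List[str] = [
    r"C:\WINDOWS\system32\appmgmt.dll",
    r"C:\WINDOWS\srchasst.exe",
]


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of an in-memory buffer (all three are searchable
    on VirusTotal)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk: int = 1 << 16) -> Dict[str, str]:
    """Same digests for a file on disk, read in chunks so a large binary is
    not pulled into memory at once."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def triage(paths: List[str]) -> Dict[str, Optional[Dict[str, object]]]:
    """Map each path to {size, md5, sha1, sha256}, or None if it is absent.
    Searching VirusTotal for the hash first avoids uploading a file that is
    already known (clean or otherwise)."""
    report: Dict[str, Optional[Dict[str, object]]] = {}
    for p in paths:
        if os.path.isfile(p):
            info: Dict[str, object] = dict(hash_file(p))
            info["size"] = os.path.getsize(p)
            report[p] = info
        else:
            report[p] = None
    return report


def demo() -> Dict[str, Optional[Dict[str, object]]]:
    """Runs offline: the two real paths plus one constructed stand-in file in a
    temp directory, so there is at least one 'found' row to look at."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "srchasst.exe")
        with open(fake, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)  # constructed placeholder, not a real PE
        return triage(SUSPECT_PATHS + [fake])


if __name__ == "__main__":
    for path, info in demo().items():
        if info is None:
            print(f"NOT FOUND  {path}")
        else:
            print(f"{info['sha256']}  {info['size']:>8}  {path}")
```

On the machine in question the paths would be checked as given; the "NOT FOUND" rows are the answer GrahamE gives in the next reply, and for any file that is present the SHA-256 is what to search for on VirusTotal first, uploading only if the hash is unknown there.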
Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #17 on: May 17, 2007, 01:42:48 PM »
I can't report complete success I'm afraid.

I don't seem to have C:\WINDOWS\System32\appmgmt.dll. In System32 there is a folder named appmgmt. It contains folders called MACHINE and S-1-5-21-11.. Both are empty, so couldn't be submitted, obviously.
I did find appmgmts.dll and appmgr.dll, both of which scanned as virus free.

I don't have C:\WINDOWS\srchasst.exe. There is a folder called srchasst. It contains subfolders called 'char' and 'mui'. Also contains msgr3en.dll, nls302en.lex, srchtls.dll and srchui.dll, all of which scanned virus free. I thought I'd scan them anyway even though I didn't think it was what you were after.

I haven't posted the analyses since they all came back with no virus detected. Sorry if I haven't been able to do exactly what you asked for.

Interesting that they're using Avast 4.7.997.

Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #18 on: May 17, 2007, 01:58:01 PM »
As a slight side issue, I noticed when I was looking around, that some of the folders are a paler yellow colour than the others. Is this normal? Perhaps it's always been like that and I've never noticed.  :-[ Sorry, I know this isn't a general information forum!

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: CCleaner Trojans
« Reply #19 on: May 17, 2007, 02:13:49 PM »
Other than those 2 possibilities DSS didn't really shed any light on this, but there is another scan I would like you to run.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply, but this time rename hijackthis.exe to hijackthat.exe before running it.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


As a slight side issue, I noticed when I was looking around, that some of the folders are a paler yellow colour than the others. Is this normal? Perhaps it's always been like that and I've never noticed.  :-[ Sorry, I know this isn't a general information forum!
I'm not sure about that.  Being color blind, if I've ever seen that on a computer I probably wouldn't be able to discern the difference.
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: CCleaner Trojans
« Reply #20 on: May 17, 2007, 06:28:55 PM »
As a slight side issue, I noticed when I was looking around, that some of the folders are a paler yellow colour than the others. Is this normal? Perhaps it's always been like that and I've never noticed.  :-[ Sorry, I know this isn't a general information forum!

Hidden folders look a paler yellow than regular folders.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS
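The paler icon is Explorer's rendering of the hidden attribute, and the same bit is visible in the scanner output already posted in this thread: the attribute column of the DSS and ComboFix listings ("d--hs----", "dr-hs--c-" and so on) carries it as the "h" in the fourth position. The parser below is an added example, not part of the thread or of either tool; the column meanings (d=directory, r=read-only, a=archive, h=hidden, s=system, c=compressed) are read off the listings on this page, the three remaining positions are left undecoded, and the sample lines are copied from the logs above.

```python
"""Added example (not from the thread): decode the attribute column of the
Deckard's System Scanner / ComboFix directory listings posted above and list
the entries that carry the hidden bit. Column meanings are inferred from the
listings themselves; positions 5, 6 and 8 are not decoded."""
import re
from typing import Dict, List

# Matches both layouts seen in the thread:
#   DSS:      "date time   size attrs path"
#   ComboFix: "date time   size-or-<DIR>   attrs   path"
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>.+?)\s*$"
)

# Position -> flag name, as read from the listings (assumption: inferred, not
# taken from tool documentation).
FLAG_POSITIONS = {0: "dir", 1: "readonly", 2: "archive", 3: "hidden", 4: "system", 7: "compressed"}

# Constructed sample: lines copied from the DSS and ComboFix output in this thread.
SAMPLE = r"""
2007-04-21 20:44:10        40 ---hs---- C:\Documents and Settings\GE\Application Data\.zreglib
2007-04-21 03:12:33         0 d--hs---- C:\System Volume Information
2007-04-21 03:04:32         0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32
2007-04-21 03:04:32         0 d--h----- C:\WINDOWS\inf
2007-05-17 00:39   274,432   --a------   C:\WINDOWS\TLCUninstall.exe
2007-04-22 00:37   <DIR>   d--hs----   C:\DOCUME~1\GE\UserData
"""


def decode_attrs(attrs: str) -> Dict[str, bool]:
    """Turn a 9-character attribute string into named boolean flags."""
    return {name: attrs[pos] != "-" for pos, name in FLAG_POSITIONS.items()}


def parse_listing(text: str) -> List[Dict[str, object]]:
    """Parse every listing line; non-matching lines (headers, blanks) are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_size = m.group("size")
        size = None if raw_size == "<DIR>" else int(raw_size.replace(",", ""))
        entry: Dict[str, object] = {"stamp": m.group("stamp"), "size": size, "path": m.group("path")}
        entry.update(decode_attrs(m.group("attrs")))
        entries.append(entry)
    return entries


def hidden_entries(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Everything Explorer would draw with the paler icon (or not at all)."""
    return [e for e in entries if e["hidden"]]


def hidden_in_profiles(entries: List[Dict[str, object]]) -> List[str]:
    """Hidden entries under user profiles. The hidden bit on OS folders such as
    System Volume Information or dllcache is expected; in a profile it is
    simply something to account for, not evidence of anything by itself."""
    prefixes = (r"c:\documents and settings", r"c:\docume~1")
    return [str(e["path"]) for e in hidden_entries(entries)
            if str(e["path"]).lower().startswith(prefixes)]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for e in hidden_entries(parsed):
        kind = "DIR " if e["dir"] else "file"
        sys_flag = "+system" if e["system"] else ""
        print(f"{kind} {str(e['size'] or ''):>8} hidden{sys_flag:8} {e['path']}")
    print("in profiles:", hidden_in_profiles(parsed))
```

Hidden plus system is the normal state of the OS housekeeping folders in the listing, so the flag on its own says nothing; what a responder does with the output is account for each hidden entry in a user profile (which program created it, when, and does the size make sense), which is also why the "show hidden files" setting GrahamE mentions next is usually left on while a machine is being examined.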

Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #21 on: May 17, 2007, 06:38:24 PM »
 ??? I've looked at the files/folders settings, and 'show hidden ...' was ticked. I did not do that, I'd have absolutely no reason to. I've now ticked to hide them, which is how it should be, I believe. Could the Deckard scanner have done it, because I'm sure I've not noticed those paler files before. Thanks for the info.  :)

I've done the other two scans, I'll post the logs now. The ComboFix one is pretty long so it'll probably be split up.

Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #22 on: May 17, 2007, 06:39:51 PM »
Hijackthis (or rather 'that' in this instance):

Logfile of HijackThis v1.99.1
Scan saved at 17:03:41, on 17/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\PROGRAM FILES\SITEADVISOR\6066\SITEADV.EXE
C:\PROGRAM FILES\CREATIVE\SB LIVE! 24-BIT\SURROUND MIXER\CTSYSVOL.EXE
C:\Documents and Settings\GE\Desktop\HijackThat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TClockEx] C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE
O4 - Startup: Blaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

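Two details in the log above are the kind of thing a reviewer checks by hand rather than trusting the tool. First, the O4 entries `[adiras] adiras.exe` and `[nwiz] nwiz.exe /install` have no directory in the command, so Windows locates the executable through the normal executable search path and the log alone does not say which file on disk actually runs. Second, the O23 lines for the avast! Mail Scanner and Web Scanner end in `" /service (file missing)`, with the closing quote and the `/service` argument still attached, while the "Running processes" list at the top of the same log shows ashMaiSv.exe and ashWebSv.exe running; that combination points to HijackThis mis-parsing a quoted ImagePath with arguments rather than to a missing binary, though it does not say anything about whether the binaries are clean. The script below is an added example, not part of the thread or of HijackThis, and the sample log is a constructed subset of the lines posted above.

```python
"""Added example, not from the thread: a triage pass over HijackThis O4/O23
lines like those in the log above. It flags Run entries whose target is a bare
file name (resolved via the search path, so verify which file runs) and O23
services reported as 'Unknown owner' / '(file missing)', cross-checked against
the 'Running processes' block so a quoting artifact is not read as a missing
binary."""
import ntpath
import re
from typing import Dict, List, Optional, Set

# Constructed sample: a subset of the lines from the HijackThis log above.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: Blaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

O4_RUN_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
EXE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)


def command_target(cmd: str) -> str:
    """The file a Run command really loads: the executable, or for rundll32
    the DLL named in its first argument. An unquoted path containing spaces
    is cut at the first space, which is still enough to see that it is
    directory-qualified."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        parts = cmd.split(None, 1)
        exe, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    if ntpath.basename(exe).lower() == "rundll32.exe":
        return rest.strip().split(",", 1)[0].strip()
    return exe


def running_processes(log: str) -> Set[str]:
    """Lower-cased base names from the 'Running processes:' block."""
    names: Set[str] = set()
    in_block = False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            names.add(ntpath.basename(line.strip()).lower())
    return names


def unqualified_run_entries(log: str) -> List[str]:
    """Names of O4 entries whose target carries no directory component."""
    found: List[str] = []
    for line in log.splitlines():
        m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
        if m and "\\" not in command_target(m.group("cmd")):
            found.append(m.group("name"))
    return found


def suspicious_services(log: str) -> Dict[str, Dict[str, object]]:
    """O23 lines with 'Unknown owner' or '(file missing)', each annotated with
    whether its executable is nonetheless in the process list."""
    procs = running_processes(log)
    out: Dict[str, Dict[str, object]] = {}
    for line in log.splitlines():
        m = O23_RE.match(line)
        if not m:
            continue
        owner, cmd = m.group("owner"), m.group("cmd")
        if owner != "Unknown owner" and "(file missing)" not in cmd:
            continue
        pm = EXE_PATH_RE.search(cmd)
        exe: Optional[str] = ntpath.basename(pm.group(0)).lower() if pm else None
        out[m.group("svc")] = {"owner": owner, "exe": exe, "running": bool(exe and exe in procs)}
    return out


if __name__ == "__main__":
    print("Run entries with unqualified targets:", unqualified_run_entries(SAMPLE_LOG))
    for svc, info in suspicious_services(SAMPLE_LOG).items():
        state = "present in process list" if info["running"] else "not seen running"
        print(f"{svc}: {info['owner']}, {info['exe']} ({state})")
```

Neither finding is a verdict. For the two bare-name Run entries the follow-up is to locate the file Windows actually resolves (the search order starts with the directory of the launching process and the system directories) and hash it, as in the VirusTotal step earlier in the thread; for the two services, "present in process list" only removes the "file missing" worry, and the executables still get checked like any other.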

Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #23 on: May 17, 2007, 06:42:59 PM »
Combo fix #1

"GE" - 2007-05-17 17:07:19    Service Pack 2 
ComboFix 07-05.17.6.V - Running from: "C:\Documents and Settings\GE\Desktop\"


(((((((((((((((((((((((((((((((   Files Created from 2007-04-05 to 2007-05-17  ))))))))))))))))))))))))))))))))))


2007-05-17 03:09   <DIR>   d--------   C:\Deckard
2007-05-17 00:40   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\The Learning Company
2007-05-17 00:39   274,432   --a------   C:\WINDOWS\TLCUninstall.exe
2007-05-17 00:39   <DIR>   d--------   C:\Program Files\The Learning Company
2007-05-17 00:38   306,688   --a------   C:\WINDOWS\IsUninst.exe
2007-05-16 19:16   <DIR>   d--------   C:\Program Files\Registrar Lite
2007-05-15 12:15   208,896   --a------   C:\WINDOWS\system32\NVUNINST.EXE
2007-05-15 12:15   208,896   --a------   C:\WINDOWS\system32\nvudisp.exe
2007-05-15 12:14   <DIR>   d--------   C:\NVIDIA
2007-05-08 01:44   135,936   --a------   C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-05-08 01:42   <DIR>   d--------   C:\Program Files\Spyware Terminator
2007-05-08 01:42   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Spyware Terminator
2007-05-08 01:42   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2007-05-08 01:39   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2007-05-08 01:39   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-08 01:38   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-05-08 01:17   <DIR>   d--------   C:\WINDOWS\system32\appmgmt
2007-05-03 15:18   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\ATI
2007-05-03 14:30   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2007-05-02 22:19   73,216   --a------   C:\WINDOWS\ST6UNST.EXE
2007-05-02 22:19   249,856   ---------   C:\WINDOWS\Setup1.exe
2007-05-02 22:19   <DIR>   d--------   C:\Program Files\Karen's Computer Profiler
2007-05-02 11:11   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\APPLIC~1\SiteAdvisor
2007-05-02 11:09   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\APPLIC~1\WinPatrol
2007-05-02 11:09   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-02 11:07   1,048,576   --ah-----   C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-02 10:27   <DIR>   d--------   C:\WINDOWS\system32\URTTemp
2007-05-01 19:24   266,360   --a------   C:\WINDOWS\system32\TweakUI.exe
2007-04-24 00:09   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-04-24 00:03   <DIR>   d--------   C:\WINDOWS\nview
2007-04-23 12:50   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\AdobeUM
2007-04-23 00:11   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\OfficeUpdate12
2007-04-23 00:10   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-04-22 14:40   <DIR>   d--------   C:\DOCUME~1\LOCALS~1\APPLIC~1\Spyware Terminator
2007-04-22 14:22   3,968   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-22 14:16   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\SUPERAntiSpyware.com
2007-04-22 14:13   <DIR>   d--------   C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-04-22 14:12   <DIR>   d--------   C:\Program Files\SiteAdvisor
2007-04-22 14:12   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\SiteAdvisor
2007-04-22 14:12   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-04-22 14:12   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-04-22 14:00   <DIR>   d--------   C:\Program Files\Common Files\xing shared
2007-04-22 13:59   <DIR>   d--------   C:\Program Files\Real
2007-04-22 13:59   <DIR>   d--------   C:\Program Files\Common Files\Real
2007-04-22 13:59   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Real
2007-04-22 13:56   <DIR>   d--------   C:\My Downloads
2007-04-22 12:17   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Apple Computer
2007-04-22 12:16   <DIR>   d--------   C:\Program Files\iTunes
2007-04-22 12:16   <DIR>   d--------   C:\Program Files\iPod
2007-04-22 12:15   <DIR>   d--------   C:\Program Files\QuickTime
2007-04-22 12:14   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-04-22 12:13   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Roxio
2007-04-22 12:09   <DIR>   d--------   C:\Program Files\Common Files\Napster Shared
2007-04-22 12:08   <DIR>   d--------   C:\Program Files\Napster
2007-04-22 12:08   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Napster
2007-04-22 02:24   0   --a------   C:\WINDOWS\system32\SBRC.dat
2007-04-22 02:24   0   --a------   C:\WINDOWS\system32\SBFC.dat
2007-04-22 02:17   <DIR>   d--------   C:\WINDOWS\system32\ReinstallBackups
2007-04-22 01:57   262,144   --a------   C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-04-22 01:41   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2007-04-22 00:42   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2007-04-22 00:42   <DIR>   d--------   C:\WINDOWS\system32\PreInstall
2007-04-22 00:38   18,200   --a------   C:\WINDOWS\system32\wups2.dll
2007-04-22 00:38   <DIR>   d--------   C:\WINDOWS\system32\SoftwareDistribution

Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #24 on: May 17, 2007, 06:43:59 PM »
Combofix #2
2007-04-22 00:37   <DIR>   d--hs----   C:\DOCUME~1\GE\UserData
2007-04-22 00:24   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Lavasoft
2007-04-22 00:23   <DIR>   d--------   C:\Program Files\Lavasoft
2007-04-22 00:23   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\WinPatrol
2007-04-22 00:22   <DIR>   d--------   C:\WINDOWS\Downloaded Installations
2007-04-22 00:22   <DIR>   d--------   C:\Program Files\BillP Studios
2007-04-22 00:20   15,544   --a------   C:\WINDOWS\system32\drivers\sbhr.sys
2007-04-22 00:20   <DIR>   d--------   C:\Program Files\Sunbelt Software
2007-04-22 00:20   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-04-22 00:15   95,872   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-04-22 00:15   94,552   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-22 00:15   85,952   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-22 00:15   43,176   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-22 00:15   26,888   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-22 00:15   23,416   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-22 00:14   745,600   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-04-22 00:14   1,060,864   --a------   C:\WINDOWS\system32\MFC71.dll
2007-04-22 00:14   <DIR>   d--------   C:\Program Files\Alwil Software
2007-04-22 00:10   75,512   --a------   C:\WINDOWS\zllsputility.exe
2007-04-22 00:10   4,212   ---h-----   C:\WINDOWS\system32\zllictbl.dat
2007-04-22 00:10   11,264   --a------   C:\WINDOWS\system32\SpOrder.dll
2007-04-22 00:09   1,087,216   --a------   C:\WINDOWS\system32\zpeng24.dll
2007-04-22 00:09   <DIR>   d--------   C:\WINDOWS\system32\ZoneLabs
2007-04-22 00:09   <DIR>   d--------   C:\WINDOWS\Internet Logs
2007-04-22 00:00   53,248   --a------   C:\WINDOWS\setFireWall.exe
2007-04-21 23:59   50,007   --a------   C:\WINDOWS\system32\drivers\adildr.sys
2007-04-21 23:59   46,892   --a------   C:\WINDOWS\system32\adadix16.dll
2007-04-21 23:59   4,981   --a------   C:\WINDOWS\system32\adadix2k.dll
2007-04-21 23:59   22,395   --a------   C:\WINDOWS\system32\drivers\fpga.bin
2007-04-21 23:59   184   --a------   C:\setuplog.exe
2007-04-21 23:59   155,648   --a------   C:\WINDOWS\system32\adadix32.dll
2007-04-21 23:59   127,456   --a------   C:\WINDOWS\system32\ipdetect.exe
2007-04-21 23:59   127,065   --a------   C:\WINDOWS\system32\drivers\adiusbaw.sys
2007-04-21 23:59   114,688   --a------   C:\WINDOWS\system32\unaddrv.exe
2007-04-21 23:59   106,496   --a------   C:\WINDOWS\system32\coclassfast.dll
2007-04-21 23:59   <DIR>   d--------   C:\Program Files\SAGEM
2007-04-21 23:58   <DIR>   d--------   C:\Program Files\Tiscali Broadband
2007-04-21 23:38   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-21 23:36   <DIR>   d--------   C:\Program Files\SpywareBlaster
2007-04-21 23:34   <DIR>   d--------   C:\Program Files\Google
2007-04-21 23:34   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Google
2007-04-21 23:30   <DIR>   d--------   C:\Program Files\CCleaner
2007-04-21 23:29   <DIR>   d--------   C:\Program Files\PrivacyEraser Computing
2007-04-21 23:22   <DIR>   d--------   C:\Program Files\Veoh Networks
2007-04-21 20:45   <DIR>   d--------   C:\Program Files\Elaborate Bytes
2007-04-21 20:43   <DIR>   d--------   C:\Program Files\SlySoft
2007-04-21 20:41   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2007-04-21 20:39   23,856   --a------   C:\WINDOWS\system32\spupdsvc.exe
2007-04-21 20:39   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2007-04-21 20:39   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF
2007-04-21 20:39   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-21 20:38   <DIR>   d--------   C:\Program Files\IrfanView
2007-04-21 20:38   <DIR>   d--------   C:\Program Files\Atomic Clock Sync
2007-04-21 20:10   25,856   --a------   C:\WINDOWS\system32\drivers\usbprint.sys
2007-04-21 20:10   <DIR>   d--------   C:\Program Files\hp deskjet 3320 series
2007-04-21 20:09   <DIR>   d--------   C:\Program Files\Hewlett-Packard
2007-04-21 20:02   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Ahead
2007-04-21 20:01   <DIR>   d--------   C:\Program Files\Nero
2007-04-21 20:01   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2007-04-21 10:20   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\CyberLink
2007-04-21 10:19   <DIR>   d--------   C:\Program Files\CyberLink
2007-04-21 10:19   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-04-21 10:13   <DIR>   d--------   C:\Program Files\Jasc Software Inc
2007-04-21 10:05   24,816   --a------   C:\WINDOWS\system32\mdimon.dll
2007-04-21 10:05   <DIR>   d--------   C:\Program Files\Common Files\L&H
2007-04-21 10:04   <DIR>   d--------   C:\WINDOWS\SHELLNEW
2007-04-21 10:04   <DIR>   d--------   C:\Program Files\Microsoft Works
2007-04-21 10:04   <DIR>   d--------   C:\Program Files\Microsoft ActiveSync
2007-04-21 10:03   <DIR>   dr-h-----   C:\MSOCache
2007-04-21 10:02   <DIR>   d--------   C:\IUware Online
2007-04-21 09:56   90,112   ---------   C:\WINDOWS\Updreg.EXE
2007-04-21 09:56   840,960   --a------   C:\WINDOWS\system32\drivers\P17.sys
2007-04-21 09:56   84,992   ---------   C:\WINDOWS\system32\SFCVRT32.DLL
2007-04-21 09:56   82,432   ---------   C:\WINDOWS\system32\CTWFLT32.DLL
2007-04-21 09:56   65,536   --a------   C:\WINDOWS\system32\A3d.dll
2007-04-21 09:56   60,928   --a------   C:\WINDOWS\system32\P17.dll
2007-04-21 09:56   54,784   ---------   C:\WINDOWS\system32\INETWH32.DLL
2007-04-21 09:56   53,552   ---------   C:\WINDOWS\CTCCW.DLL
2007-04-21 09:56   53,248   --a------   C:\WINDOWS\system32\P17CPI.dll
2007-04-21 09:56   49,152   --a------   C:\WINDOWS\MIDIDEF.EXE
2007-04-21 09:56   41,984   ---------   C:\WINDOWS\Ctregrun.exe
2007-04-21 09:56   40,960   ---------   C:\WINDOWS\system32\AC3API.DLL
2007-04-21 09:56   36,864   --a------   C:\WINDOWS\system32\sfman32.dll
2007-04-21 09:56   26,768   ---------   C:\WINDOWS\system32\CTL3D.DLL

Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #25 on: May 17, 2007, 06:45:06 PM »
Combofix #3

2007-04-21 09:56   24,976   ---------   C:\WINDOWS\CTRES.DLL
2007-04-21 09:56   24,576   --a------   C:\WINDOWS\INRES.DLL
2007-04-21 09:56   20,480   --a------   C:\WINDOWS\P17DEF.EXE
2007-04-21 09:56   178,672   --a------   C:\WINDOWS\system32\drivers\ctoss2k.sys
2007-04-21 09:56   177,488   --a------   C:\WINDOWS\system32\drivers\CTOSS9X.SYS
2007-04-21 09:56   172,032   --a------   C:\WINDOWS\system32\sfms32.dll
2007-04-21 09:56   159,744   --a------   C:\WINDOWS\system32\OPENAL32.DLL
2007-04-21 09:56   149,504   ---------   C:\WINDOWS\system32\MFCANS32.DLL
2007-04-21 09:56   139,264   --a------   C:\WINDOWS\system32\EAX.DLL
2007-04-21 09:56   136,704   --a------   C:\WINDOWS\system32\P17res.dll
2007-04-21 09:56   131,072   --a------   C:\WINDOWS\system32\CtDvInst.dll
2007-04-21 09:56   130,192   --a------   C:\WINDOWS\system32\drivers\ctsfm2k.sys
2007-04-21 09:56   108,032   ---------   C:\WINDOWS\system32\MFCUIA32.DLL
2007-04-21 09:56   1,048,576   ---------   C:\WINDOWS\system32\SFMAN.DAT
2007-04-21 09:56   <DIR>   d--------   C:\WINDOWS\system32\Defaults
2007-04-21 09:56   <DIR>   d--------   C:\WINDOWS\system32\Data
2007-04-21 09:55   62,976   --a------   C:\WINDOWS\system32\CTDetres.dll
2007-04-21 09:55   44,032   ---------   C:\WINDOWS\system32\CTSVCCDA.EXE
2007-04-21 09:55   331,776   ---------   C:\WINDOWS\system32\CTMEDENG.DLL
2007-04-21 09:55   25,088   ---------   C:\WINDOWS\system32\CTSVCCTL.EXE
2007-04-21 09:55   24,576   --a------   C:\WINDOWS\system32\CTMERes.DLL
2007-04-21 09:54   15,840   --a------   C:\WINDOWS\system32\drivers\Pfmodnt.sys
2007-04-21 09:54   <DIR>   d--h-----   C:\Program Files\InstallShield Installation Information
2007-04-21 09:54   <DIR>   d--------   C:\Program Files\Creative
2007-04-21 09:54   <DIR>   d--------   C:\Program Files\Common Files\InstallShield
2007-04-21 09:18   <DIR>   d--hs----   C:\RECYCLER
2007-04-21 09:04   377,984   --a------   C:\WINDOWS\system32\ati2dvaa.dll
2007-04-21 09:04   295,168   --a------   C:\WINDOWS\system32\drivers\ati2mtaa.sys
2007-04-21 08:56   4,718,592   --ah-----   C:\DOCUME~1\GE\NTUSER.DAT
2007-04-21 08:51   262,144   --ah-----   C:\DOCUME~1\LOCALS~1\NTUSER.DAT
2007-04-21 08:51   <DIR>   d--------   C:\WINDOWS\SoftwareDistribution
2007-04-21 08:51   <DIR>   d--------   C:\WINDOWS\Prefetch
2007-04-21 08:50   262,144   --ah-----   C:\DOCUME~1\NETWOR~1\NTUSER.DAT
2007-04-21 08:46   262,144   --ah-----   C:\DOCUME~1\DEFAUL~1\NTUSER.DAT
2007-04-21 08:46   112,128   --a------   C:\WINDOWS\system32\mapi32.dll
2007-04-21 08:46   0   -rahs----   C:\MSDOS.SYS
2007-04-21 08:46   0   -rahs----   C:\IO.SYS
2007-04-21 08:46   0   --a------   C:\CONFIG.SYS
2007-04-21 08:46   0   --a------   C:\AUTOEXEC.BAT
2007-04-21 08:46   <DIR>   d--------   C:\WINDOWS\system32\xircom
2007-04-21 08:46   <DIR>   d--------   C:\Program Files\microsoft frontpage
2007-04-21 08:46   <DIR>   d--------   C:\DELL
2007-04-21 08:44   <DIR>   dr-------   C:\WINDOWS\Offline Web Pages
2007-04-21 08:44   <DIR>   d--hs----   C:\DOCUME~1\ALLUSE~1\DRM
2007-04-21 08:44   <DIR>   d--h-----   C:\Program Files\WindowsUpdate
2007-04-21 08:44   <DIR>   d---s----   C:\WINDOWS\Downloaded Program Files
2007-04-21 08:44   <DIR>   d--------   C:\WINDOWS\system32\DirectX
2007-04-21 08:43   81,920   --a------   C:\WINDOWS\system32\isign32.dll
2007-04-21 08:43   81,920   --a------   C:\WINDOWS\system32\ils.dll
2007-04-21 08:43   8,192   --a------   C:\WINDOWS\system32\bitsprx2.dll
2007-04-21 08:43   73,728   --a------   C:\WINDOWS\system32\icwdial.dll
2007-04-21 08:43   73,472   --a------   C:\WINDOWS\system32\drivers\sr.sys
2007-04-21 08:43   7,168   --a------   C:\WINDOWS\system32\bitsprx3.dll
2007-04-21 08:43   69,632   --a------   C:\WINDOWS\system32\msconf.dll
2007-04-21 08:43   679,424   --a------   C:\WINDOWS\system32\inetcomm.dll
2007-04-21 08:43   67,584   --a------   C:\WINDOWS\system32\srclient.dll
2007-04-21 08:43   65,536   --a------   C:\WINDOWS\system32\icwphbk.dll
2007-04-21 08:43   64,512   --a------   C:\WINDOWS\system32\acctres.dll
2007-04-21 08:43   6,656   --a------   C:\WINDOWS\system32\wuauserv.dll
2007-04-21 08:43   48,128   --a------   C:\WINDOWS\system32\inetres.dll
2007-04-21 08:43   465,176   --a------   C:\WINDOWS\system32\wuapi.dll
2007-04-21 08:43   45,568   --a------   C:\WINDOWS\system32\safrslv.dll
2007-04-21 08:43   43,520   --a------   C:\WINDOWS\system32\safrcdlg.dll
2007-04-21 08:43   43,520   --a------   C:\WINDOWS\system32\racpldlg.dll
2007-04-21 08:43   41,240   --a------   C:\WINDOWS\system32\wups.dll
2007-04-21 08:43   382,464   --a------   C:\WINDOWS\system32\qmgr.dll
2007-04-21 08:43   34,560   --a------   C:\WINDOWS\system32\mnmdd.dll
2007-04-21 08:43   32,768   --a------   C:\WINDOWS\system32\mnmsrvc.exe
2007-04-21 08:43   32,768   --a------   C:\WINDOWS\system32\isrdbg32.dll
2007-04-21 08:43   29,696   --a------   C:\WINDOWS\system32\safrdm.dll
2007-04-21 08:43   28,672   --a------   C:\WINDOWS\system32\nmmkcert.dll
2007-04-21 08:43   274,944   --a------   C:\WINDOWS\system32\mstask.dll
2007-04-21 08:43   274,432   --a------   C:\WINDOWS\system32\inetcfg.dll
2007-04-21 08:43   252,928   --a------   C:\WINDOWS\system32\msoeacct.dll
2007-04-21 08:43   239,104   --a------   C:\WINDOWS\system32\srrstr.dll
2007-04-21 08:43   23,040   --a------   C:\WINDOWS\system32\fltmc.exe
2007-04-21 08:43   194,328   --a------   C:\WINDOWS\system32\wuaueng1.dll
2007-04-21 08:43   190,976   --a------   C:\WINDOWS\system32\schedsvc.dll
2007-04-21 08:43   18,944   --a------   C:\WINDOWS\system32\qmgrprxy.dll
2007-04-21 08:43   173,536   --a------   C:\WINDOWS\system32\wuweb.dll
2007-04-21 08:43   172,312   --a------   C:\WINDOWS\system32\wuauclt1.exe
2007-04-21 08:43   170,496   --a------   C:\WINDOWS\system32\srsvc.dll
2007-04-21 08:43   16,896   --a------   C:\WINDOWS\system32\fltlib.dll
2007-04-21 08:43   16,384   --a------   C:\WINDOWS\system32\icfgnt5.dll
2007-04-21 08:43   128,896   --a------   C:\WINDOWS\system32\drivers\fltmgr.sys
2007-04-21 08:43   127,256   --a------   C:\WINDOWS\system32\wucltui.dll
2007-04-21 08:43   124,184   --a------   C:\WINDOWS\system32\wuauclt.exe
2007-04-21 08:43   12,288   --a------   C:\WINDOWS\system32\nmevtmsg.dll
2007-04-21 08:43   12,288   --a------   C:\WINDOWS\system32\mstinit.exe
2007-04-21 08:43   11,264   --a------   C:\WINDOWS\system32\atrace.dll
2007-04-21 08:43   105,984   --a------   C:\WINDOWS\system32\msoert2.dll
2007-04-21 08:43   1,343,768   --a------   C:\WINDOWS\system32\wuaueng.dll
2007-04-21 08:43   <DIR>   d---s----   C:\WINDOWS\Tasks
2007-04-21 08:43   <DIR>   d--------   C:\WINDOWS\system32\Restore
2007-04-21 08:43   <DIR>   d--------   C:\WINDOWS\system32\Macromed
2007-04-21 08:43   <DIR>   d--------   C:\WINDOWS\srchasst
2007-04-21 08:43   <DIR>   d--------   C:\Program Files\Movie Maker
2007-04-21 08:43   <DIR>   d--------   C:\Program Files\Common Files\MSSoap
2007-04-21 08:42   21,640   --a------   C:\WINDOWS\system32\emptyregdb.dat
2007-04-21 08:42   <DIR>   d--------   C:\WINDOWS\Registration
2007-04-21 08:41   97,792   --a------   C:\WINDOWS\system32\comrepl.dll
2007-04-21 08:41   93,696   --a------   C:\WINDOWS\system32\tscfgwmi.dll
2007-04-21 08:41   9,728   --a------   C:\WINDOWS\system32\reset.exe
2007-04-21 08:41   80,384   --a------   C:\WINDOWS\system32\charmap.exe
2007-04-21 08:41   73,216   --a------   C:\WINDOWS\system32\avwav.dll
2007-04-21 08:41   655,360   --a------   C:\WINDOWS\system32\mstscax.dll
2007-04-21 08:41   605,696   --a------   C:\WINDOWS\system32\getuname.dll
2007-04-21 08:41   60,416   --a------   C:\WINDOWS\system32\remotepg.dll
2007-04-21 08:41   56,832   --a------   C:\WINDOWS\system32\sol.exe
2007-04-21 08:41   55,296   --a------   C:\WINDOWS\system32\freecell.exe
2007-04-21 08:41   54,272   --a------   C:\WINDOWS\system32\stclient.dll
2007-04-21 08:41   538,624   --a------   C:\WINDOWS\system32\spider.exe
2007-04-21 08:41   5,632   --a------   C:\WINDOWS\system32\write.exe
2007-04-21 08:41   5,120   --a------   C:\WINDOWS\system32\dcomcnfg.exe
2007-04-21 08:41   44,544   --a------   C:\WINDOWS\system32\hticons.dll
2007-04-21 08:41   407,552   --a------   C:\WINDOWS\system32\mstsc.exe
2007-04-21 08:41   4,096   --a------   C:\WINDOWS\system32\rdpcfgex.dll
2007-04-21 08:41   4,096   --a------   C:\WINDOWS\system32\mtxex.dll
2007-04-21 08:41   35,328   --a------   C:\WINDOWS\system32\winchat.exe
2007-04-21 08:41   347,136   --a------   C:\WINDOWS\system32\hypertrm.dll
2007-04-21 08:41   343,040   --a------   C:\WINDOWS\system32\mspaint.exe
2007-04-21 08:41   33,792   --a------   C:\WINDOWS\system32\regini.exe
2007-04-21 08:41   25,600   --a------   C:\WINDOWS\system32\comaddin.dll
2007-04-21 08:41   25,088   --a------   C:\WINDOWS\system32\mtxlegih.dll
2007-04-21 08:41   227,840   --a------   C:\WINDOWS\system32\avtapi.dll
2007-04-21 08:41   22,016   --a------   C:\WINDOWS\system32\qwinsta.exe
2007-04-21 08:41   21,896   --a------   C:\WINDOWS\system32\drivers\tdtcp.sys
2007-04-21 08:41   20,992   --a------   C:\WINDOWS\system32\msg.exe
2007-04-21 08:41   20,480   --a------   C:\WINDOWS\system32\mtxdm.dll
2007-04-21 08:41   183,808   --a------   C:\WINDOWS\system32\accwiz.exe
2007-04-21 08:41   16,896   --a------   C:\WINDOWS\system32\tsshutdn.exe
2007-04-21 08:41   16,896   --a------   C:\WINDOWS\system32\qappsrv.exe

GrahamE
Re: CCleaner Trojans
« Reply #26 on: May 17, 2007, 06:47:08 PM »
Combofix #4

2007-04-21 08:41   16,384   --a------   C:\WINDOWS\system32\tskill.exe
2007-04-21 08:41   16,384   --a------   C:\WINDOWS\system32\avmeter.dll
2007-04-21 08:41   15,872   --a------   C:\WINDOWS\system32\rwinsta.exe
2007-04-21 08:41   15,872   --a------   C:\WINDOWS\system32\cdmodem.dll
2007-04-21 08:41   15,360   --a------   C:\WINDOWS\system32\logoff.exe
2007-04-21 08:41   147,456   --a------   C:\WINDOWS\system32\comsnap.dll
2007-04-21 08:41   14,848   --a------   C:\WINDOWS\system32\tsdiscon.exe
2007-04-21 08:41   14,848   --a------   C:\WINDOWS\system32\tscon.exe
2007-04-21 08:41   14,848   --a------   C:\WINDOWS\system32\shadow.exe
2007-04-21 08:41   139,528   --a------   C:\WINDOWS\system32\drivers\rdpwd.sys
2007-04-21 08:41   138,752   --a------   C:\WINDOWS\system32\sndvol32.exe
2007-04-21 08:41   131,584   --a------   C:\WINDOWS\system32\sndrec32.exe
2007-04-21 08:41   126,976   --a------   C:\WINDOWS\system32\mshearts.exe
2007-04-21 08:41   123,392   --a------   C:\WINDOWS\system32\mplay32.exe
2007-04-21 08:41   12,040   --a------   C:\WINDOWS\system32\drivers\tdpipe.sys
2007-04-21 08:41   119,808   --a------   C:\WINDOWS\system32\winmine.exe
2007-04-21 08:41   114,688   --a------   C:\WINDOWS\system32\calc.exe
2007-04-21 08:41   102,912   --a------   C:\WINDOWS\system32\clipbrd.exe
2007-04-21 08:41   1,161   --a------   C:\WINDOWS\system32\usrlogon.cmd
2007-04-21 08:41   <DIR>   d--------   C:\Program Files\Windows NT
2007-04-21 08:41   <DIR>   d--------   C:\Program Files\Online Services
2007-04-21 08:41   <DIR>   d--------   C:\Program Files\MSN Gaming Zone
2007-04-21 08:41   <DIR>   d--------   C:\Program Files\Messenger
2007-04-21 08:40   956,416   --a------   C:\WINDOWS\system32\msdtctm.dll
2007-04-21 08:40   91,136   --a------   C:\WINDOWS\system32\mtxoci.dll
2007-04-21 08:40   87,176   --a------   C:\WINDOWS\system32\rdpwsx.dll
2007-04-21 08:40   85,504   --a------   C:\WINDOWS\system32\catsrvps.dll
2007-04-21 08:40   67,072   --a------   C:\WINDOWS\system32\rdshost.exe
2007-04-21 08:40   625,152   --a------   C:\WINDOWS\system32\catsrvut.dll
2007-04-21 08:40   62,464   --a------   C:\WINDOWS\system32\rdpclip.exe
2007-04-21 08:40   60,416   --a------   C:\WINDOWS\system32\colbact.dll
2007-04-21 08:40   6,144   --a------   C:\WINDOWS\system32\msdtc.exe
2007-04-21 08:40   58,880   --a------   C:\WINDOWS\system32\msdtclog.dll
2007-04-21 08:40   58,880   --a------   C:\WINDOWS\system32\licwmi.dll
2007-04-21 08:40   56,320   --a------   C:\WINDOWS\system32\servdeps.dll
2007-04-21 08:40   540,160   --a------   C:\WINDOWS\system32\comuid.dll
2007-04-21 08:40   498,688   --a------   C:\WINDOWS\system32\clbcatq.dll
2007-04-21 08:40   44,544   --a------   C:\WINDOWS\system32\tscupgrd.exe
2007-04-21 08:40   426,496   --a------   C:\WINDOWS\system32\msdtcprx.dll
2007-04-21 08:40   40,840   --a------   C:\WINDOWS\system32\drivers\termdd.sys
2007-04-21 08:40   38,912   --a------   C:\WINDOWS\system32\cfgbkend.dll
2007-04-21 08:40   295,424   --a------   C:\WINDOWS\system32\termsrv.dll
2007-04-21 08:40   225,792   --a------   C:\WINDOWS\system32\catsrv.dll
2007-04-21 08:40   20,480   --a------   C:\WINDOWS\system32\qprocess.exe
2007-04-21 08:40   196,864   --a------   C:\WINDOWS\system32\drivers\rdpdr.sys
2007-04-21 08:40   19,968   --a------   C:\WINDOWS\system32\rdpsnd.dll
2007-04-21 08:40   185,344   --a------   C:\WINDOWS\system32\cmprops.dll
2007-04-21 08:40   17,408   --a------   C:\WINDOWS\system32\mmfutil.dll
2007-04-21 08:40   161,280   --a------   C:\WINDOWS\system32\msdtcuiu.dll
2007-04-21 08:40   147,968   --a------   C:\WINDOWS\system32\rdchost.dll
2007-04-21 08:40   140,800   --a------   C:\WINDOWS\system32\sessmgr.exe
2007-04-21 08:40   13,824   --a------   C:\WINDOWS\system32\rdsaddin.exe
2007-04-21 08:40   110,080   --a------   C:\WINDOWS\system32\clbcatex.dll
2007-04-21 08:40   11,776   --a------   C:\WINDOWS\system32\xolehlp.dll
2007-04-21 08:40   11,264   --a------   C:\WINDOWS\system32\icaapi.dll
2007-04-21 08:40   1,267,200   --a------   C:\WINDOWS\system32\comsvcs.dll
2007-04-21 08:40   <DIR>   d--------   C:\WINDOWS\system32\MsDtc
2007-04-21 08:40   <DIR>   d--------   C:\WINDOWS\system32\Com
2007-04-21 03:17   6,400   --a------   C:\WINDOWS\system32\drivers\splitter.sys
2007-04-21 03:17   54,272   --a------   C:\WINDOWS\system32\drivers\swmidi.sys
2007-04-21 03:17   142,464   --a------   C:\WINDOWS\system32\drivers\aec.sys
2007-04-21 03:16   82,944   --a------   C:\WINDOWS\system32\drivers\wdmaud.sys
2007-04-21 03:16   7,552   --a------   C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-04-21 03:16   60,800   --a------   C:\WINDOWS\system32\drivers\sysaudio.sys
2007-04-21 03:16   57,472   --a------   C:\WINDOWS\system32\drivers\redbook.sys
2007-04-21 03:16   52,864   --a------   C:\WINDOWS\system32\drivers\DMusic.sys
2007-04-21 03:16   5,376   --a------   C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-04-21 03:16   4,992   --a------   C:\WINDOWS\system32\drivers\MSPQM.sys
2007-04-21 03:16   3,072   --a------   C:\WINDOWS\system32\drivers\audstub.sys
2007-04-21 03:16   2,944   --a------   C:\WINDOWS\system32\drivers\drmkaud.sys
2007-04-21 03:16   172,416   --a------   C:\WINDOWS\system32\drivers\kmixer.sys
2007-04-21 03:15   96,256   --a------   C:\WINDOWS\system32\drivers\ac97intc.sys
2007-04-21 03:15   74,240   --a------   C:\WINDOWS\system32\usbui.dll
2007-04-21 03:15   66,591   --a------   C:\WINDOWS\system32\drivers\el90xbc5.sys
2007-04-21 03:15   60,288   --a------   C:\WINDOWS\system32\drivers\drmk.sys
2007-04-21 03:15   42,368   --a------   C:\WINDOWS\system32\drivers\AGP440.SYS
2007-04-21 03:15   4,096   --a------   C:\WINDOWS\system32\ksuser.dll
2007-04-21 03:15   145,792   --a------   C:\WINDOWS\system32\drivers\portcls.sys
2007-04-21 03:13   9,936   --a------   C:\WINDOWS\system\LZEXPAND.DLL
2007-04-21 03:13   9,008   --a------   C:\WINDOWS\system\VER.DLL
2007-04-21 03:13   85,020   --a------   C:\WINDOWS\system32\dgsetup.dll
2007-04-21 03:13   82,944   --a------   C:\WINDOWS\system\OLECLI.DLL
2007-04-21 03:13   8,704   --a------   C:\WINDOWS\system32\batt.dll
2007-04-21 03:13   8,192   -ra------   C:\WINDOWS\system32\kbdhept.dll
2007-04-21 03:13   74,752   --a------   C:\WINDOWS\system32\storprop.dll
2007-04-21 03:13   7,168   -ra------   C:\WINDOWS\system32\kbdcz.dll
2007-04-21 03:13   69,584   --a------   C:\WINDOWS\system\AVICAP.DLL
2007-04-21 03:13   69,120   --a------   C:\WINDOWS\NOTEPAD.EXE
2007-04-21 03:13   68,768   --a------   C:\WINDOWS\system\MMSYSTEM.DLL
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdycl.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdsl1.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdsl.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdpl.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdhu.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdhela3.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdcz2.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdcz1.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdcr.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\KBDAL.DLL
2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdtuq.dll
2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdtuf.dll
2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdlv1.dll

GrahamE
Re: CCleaner Trojans
« Reply #27 on: May 17, 2007, 06:48:09 PM »
Combofix #5

2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdlv.dll
2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdhela2.dll
2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdgkl.dll
2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdest.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdro.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdpl1.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdmon.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdlt1.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdlt.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdkyr.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdhu1.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdhe319.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdhe220.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdhe.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdazel.dll
2007-04-21 03:13   5,120   --a------   C:\WINDOWS\system\SHELL.DLL
2007-04-21 03:13   32,816   --a------   C:\WINDOWS\system\COMMDLG.DLL
2007-04-21 03:13   24,661   --a------   C:\WINDOWS\system32\spxcoins.dll
2007-04-21 03:13   24,064   --a------   C:\WINDOWS\system\OLESVR.DLL
2007-04-21 03:13   19,200   --a------   C:\WINDOWS\system\TAPI.DLL
2007-04-21 03:13   176,157   --a------   C:\WINDOWS\system32\dgrpsetu.dll
2007-04-21 03:13   15,360   --a------   C:\WINDOWS\TASKMAN.EXE
2007-04-21 03:13   13,312   --a------   C:\WINDOWS\system32\irclass.dll
2007-04-21 03:13   126,912   --a------   C:\WINDOWS\system\MSVIDEO.DLL
2007-04-21 03:13   11,264   --a------   C:\WINDOWS\system32\drivers\irenum.sys
2007-04-21 03:13   109,456   --a------   C:\WINDOWS\system\AVIFILE.DLL
2007-04-21 03:13   103,424   --a------   C:\WINDOWS\system32\EqnClass.Dll
2007-04-21 03:13   <DIR>   dr-------   C:\Program Files
2007-04-21 03:13   <DIR>   dr-------   C:\DOCUME~1\ALLUSE~1\Documents
2007-04-21 03:13   <DIR>   d--hs----   C:\WINDOWS\Installer
2007-04-21 03:13   <DIR>   d--------   C:\WINDOWS\system32\CatRoot2
2007-04-21 03:13   <DIR>   d--------   C:\WINDOWS\system32\CatRoot
2007-04-21 03:13   <DIR>   d--------   C:\Program Files\Common Files\SpeechEngines
2007-04-21 03:13   <DIR>   d--------   C:\Program Files\Common Files\ODBC
2007-04-21 03:12   <DIR>   d--hs----   C:\System Volume Information
2007-04-21 03:12   <DIR>   d--------   C:\Documents and Settings
2007-04-21 03:04   <DIR>   dr-hsc---   C:\WINDOWS\system32\dllcache
2007-04-21 03:04   <DIR>   dr--s----   C:\WINDOWS\Fonts
2007-04-21 03:04   <DIR>   dr-------   C:\WINDOWS\Web
2007-04-21 03:04   <DIR>   d--h-----   C:\WINDOWS\inf
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\WinSxS
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\twain_32
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\wins
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\wbem
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\usmt
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\spool
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\ShellExt
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\Setup
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\ras
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\oobe
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\npp
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\mui
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\inetsrv
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\IME
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\icsxml
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\ias
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\export
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\drivers\etc
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\drivers\disdn
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\drivers
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\dhcp
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\config
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\3com_dmi
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\3076
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\2052
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1054
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1042
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1041
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1037
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1033
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1031
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1028
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1025
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\security
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Resources
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\repair
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Provisioning
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\PeerNet
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\pchealth
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\mui
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\msapps
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\msagent
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Media
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\ime
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Help
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\ehome
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Driver Cache
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\dell
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Debug
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Cursors
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Connection Wizard
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Config
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\AppPatch
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\addins
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS


GrahamE
Re: CCleaner Trojans
« Reply #28 on: May 17, 2007, 06:49:04 PM »
Combofix #6

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-17 13:43:01   292,864   ----a-w   C:\WINDOWS\system32\winsrv.dll
2007-03-15 01:57:34   267,776   ----a-w   C:\WINDOWS\system32\ati2dvag.dll
2007-03-15 01:57:15   1,986,560   ----a-w   C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-03-15 01:40:10   2,820,544   ----a-w   C:\WINDOWS\system32\ati3duag.dll
2007-03-15 01:29:47   1,315,712   ----a-w   C:\WINDOWS\system32\ativvaxx.dll
2007-03-15 01:10:28   356,352   ----a-w   C:\WINDOWS\system32\ati2cqag.dll
2007-03-14 18:38:24   524,288   ----a-w   C:\WINDOWS\opuc.dll
2007-03-09 08:57:40   27,376   ----a-w   C:\WINDOWS\system32\SBBD.exe
2007-03-08 15:36:28   577,536   ----a-w   C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28   40,960   ----a-w   C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28   281,600   ----a-w   C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48   1,843,584   ----a-w   C:\WINDOWS\system32\win32k.sys
2007-03-05 12:34:28   676,224   ----a-w   C:\WINDOWS\system32\OGACheckControl.DLL
2007-02-05 20:17:02   185,344   ----a-w   C:\WINDOWS\system32\upnphost.dll


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-23 20:12]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 16:41]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adiras"="adiras.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-03-09 10:31]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-04-19 18:33]
"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2004-10-12 11:14]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 14:18]
"TClockEx"="C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE" [2000-03-09 01:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=hex:00,00,00,00
"ClearRecentDocsOnExit"=hex:00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 15:13]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   msv1_0 
Security Packages   kerberos msv1_0 schannel wdigest 
Notification Packages   scecli 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter   HTTPFilter 
LocalService   Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV 
NetworkService   DnsCache 
DcomLaunch   DcomLaunch TermService 
rpcss   RpcSs 
imgsvc   StiSvc 
termsvcs   TermService 
WudfServiceGroup   WUDFSvc 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
   
*newlycreated* -PROCEXP90
*newlycreated* -SBAPIFS

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-17 17:12:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-17 17:16:16
C:\ComboFix-quarantined-files.txt ... 2007-05-17 17:16


   --- E O F ---

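Editor's note: the "Reg Loading Points" block in the log above is the part of a ComboFix report worth reading first, because every value under the Run keys and the Browser Helper Objects key is code that starts without the user asking. The trailing bracket on each line is ComboFix's lookup of the referenced file; the `adiras` line is the only one in this log where the bracket is empty and the value is a bare filename with no directory, and `nwiz` is a bare filename that ComboFix did resolve. The script below is an added example written for this page, not part of the post or of ComboFix. It parses that section of the log format as it appears above and applies three triage heuristics of my own (file not located, bare filename resolved through the PATH search order, file under a user-writable profile directory). The sample log is a constructed excerpt copied from the entries in the post; a flag is a prompt to look closer, not a verdict that an entry is malicious, and the reading of `[]` as "file not found" is my interpretation of the log format.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Format assumed (as printed in the log above):
    [HKEY_...\Run]                         <- section header
    "Name"="C:\path\file.exe" [2007-03-09 00:02]   <- Run value + file timestamp
    "Name"="file.exe" [2006-10-22 12:22 C:\...\file.exe]  <- bare name, resolved
    "Name"="file.exe" []                   <- bare name, file NOT located
    {CLSID}=C:\path\helper.dll [2005-09-23 20:12]  <- Browser Helper Object
Lines without a trailing [...] (hex: values, disabled 'run-' backups) are skipped.
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<value>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
CLSID_RE = re.compile(r"^(?P<name>\{[0-9A-Fa-f-]{36}\})=(?P<value>.+?)\s*\[(?P<info>[^\]]*)\]\s*$")

# Directories a non-admin user can write to on XP; autostarts living there
# deserve a second look (heuristic chosen for this example, not a ComboFix rule).
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\", "\\recycler\\")


@dataclass
class Entry:
    key: str            # registry key the value lives under
    name: str           # value name or BHO CLSID
    value: str          # command / path as stored in the registry
    info: str           # ComboFix's bracket: timestamp, resolved path, or empty
    flags: list = field(default_factory=list)


def triage(e: Entry) -> None:
    """Attach heuristic flags to one entry (order is fixed for readability)."""
    if not e.info:
        e.flags.append("file-not-found")      # ComboFix printed [] for this value
    if "\\" not in e.value:
        e.flags.append("bare-filename")       # located via PATH search at logon
    if any(d in e.value.lower() for d in USER_WRITABLE):
        e.flags.append("user-writable-dir")


def parse_loading_points(text: str) -> list:
    """Return Entry objects for every Run/BHO value in a ComboFix log excerpt."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line) or CLSID_RE.match(line)
        if not m or key is None:
            continue
        e = Entry(key, m.group("name"), m.group("value"), m.group("info").strip())
        triage(e)
        entries.append(e)
    return entries


def flagged(entries: list) -> list:
    """Entries carrying at least one flag, in log order."""
    return [e for e in entries if e.flags]


# Constructed sample: lines copied from the Reg Loading Points block above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-23 20:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adiras"="adiras.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 14:18]
"TClockEx"="C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE" [2000-03-09 01:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=hex:00,00,00,00
"""

if __name__ == "__main__":
    for e in flagged(parse_loading_points(SAMPLE_LOG)):
        print(f"{e.name:20} {', '.join(e.flags):35} {e.value}")
```

Run against the excerpt, the only entries reported are `adiras` (file-not-found, bare-filename), `nwiz` (bare-filename) and `TClockEx` (user-writable-dir); everything with a fully qualified path that ComboFix could stat passes silently. Feeding the script the whole log is the same call with the full text, since it ignores every line that is not a section header or a bracketed value.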
GrahamE
Re: CCleaner Trojans
« Reply #29 on: May 17, 2007, 06:50:21 PM »
That's the lot  :P