w32 element trojan



po_weber
2006-02-24, 07:12
Hello to all
I'm new here so hope I am posting this in the right spot.

I recently have had problems with Win XP Home freezing and shutting down on me, and it got to the stage where Windows didn't start.

I was finally able to run check disk, and then Avast anti-virus, which didn't detect anything; however, when I ran Spybot it came up with w32 element trojan worm as part of a desktop shortcut to a Shockwave game, Zuma.

After allowing Spybot to remove the shortcut, I created a new shortcut and when I ran Spybot the Trojan was back, so again I allowed it to be fixed and did not create a new shortcut.

The next time I ran Spybot the Trojan had attached itself to the Spybot shortcut on the desktop, and so I allowed SpyBot to remove the shortcut. After all this I re-ran Spybot to find it had attacked a different shortcut.

I don't know if this was the cause of the Windows problem, as XP is now running OK most of the time, but I am unable to get rid of this Element Trojan.


So far I have run the following pieces of software, and the only program that detects anything is Spybot.

* Avast
* Avg
* Norton online scan
* McAfee online scan
* Ad-aware
* Ewido
* Spyware Doctor

One final thing is that I ran Zuma over the network on a laptop that wasn't doing anything strange, and it started doing strange things, so I'm left wondering if the software developers have planted a trojan/spyware in their application for some unknown purpose.

I am hoping someone may be able to tell me if I have a problem or not. If I do have a problem, how can I fix it? This is driving me nuts and any help would be greatly appreciated.

tashi
2006-02-24, 07:28
Hello.
If you have two resident Anti-Virus programs please uninstall one of them.
http://forums.spybot.info/showthread.php?t=279

It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.

Open SpyBot, check for and get any updates available.
Close all browsers, check for problems and fix everything found in red.
Then on the toolbar menu select Mode and switch to Advanced mode; on the left, lower down, select Tools, then View Report, and ensure all the options near the bottom are selected except:

Uncheck [ ] Do not report disabled or known legitimate items.
Uncheck [ ] Include a list of services in report.
Uncheck [ ] Include uninstall list in report.

Now select (near the top) View Report.
Press Export; in the "Save in" box choose a place such as your My Documents folder. Then in your next post, near the bottom, select the "Browse" button, navigate to the file and attach or post that report.
Regards. :)

po_weber
2006-02-25, 06:49
Hello Tashi
Thank you for a quick response

Maybe I didn't explain this problem very well. I don't usually run more than one anti-virus; the ones apart from Avast were only run to try and find where the trojan is coming from.

To give you more of what is going on: I followed your instructions (hope I got it all right), then allowed Spybot to remove the infected shortcut icon, which is the repair method, then organised the report to send to you, then I ran Spybot again, a time delay of less than 30 minutes, and the Element trojan was again detected in another shortcut on the desktop.

Spybot is the only program of all those I ran to detect this bug, which seems to move straight to another shortcut when fixed by Spybot.

Thanks again for your help; I just hope you can find the root of this problem.

Po

PS: this won't all fit in one post so I will have to try 2 replies.


--- Search result list ---
Element: Autostart file (File, fixed)
D:\Documents and Settings\ViPo.KG2\Desktop\Shortcut to project1.exe.lnk


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---




--- System information ---
Windows XP (Build: 2600) Service Pack 2


po_weber
2006-02-25, 06:52

Looks like I'm trying to send too much info, so I hope it all works out.

Thanks again Po

LonnyRJones
2006-02-25, 10:09
D:\Documents and Settings\ViPo.KG2\Desktop\Shortcut to project1.exe.lnk
That is a Shockwave game called Zuma?
Unfortunate name, project1.exe.
We have to show discretion when SpyBot detects shortcuts, meaning if you know it to be a good program, ignore it.
I don't see any malware/spyware in your logs.
If SSD continues to find that or a similar item, post the topmost part of the log again please.

po_weber
2006-02-25, 11:09
Hello LonnyRJones
Thanks for your reply

No, Project1.exe is not Zuma; it is a shortcut to a program written by my son.

It seems I am not explaining properly, so I'll try again.

I run Spybot; it detects Element. Spybot details show the shortcut as the infected file.

I then click Fix selected problems.

Spybot then deletes the shortcut icon. Spybot doesn't only detect the shortcut, it detects an Element infection in the shortcut.

If I run Spybot again (which I have) it will detect Element again in a totally different shortcut, because I don't re-create the deleted shortcut.

That can happen when no programs are running except Windows XP and Spybot.

No other program I have run detects this Trojan

Hope this explains better
Thanks again for your help

Po

LonnyRJones
2006-02-25, 21:15
Can we see another SSD report please, just the top part that shows "element" pointing to a different shortcut. Thanks.

po_weber
2006-02-26, 03:32
Hello LonnyRJones

Thanks for your reply

This is the info you asked for


--- Search result list ---
Element: Autostart file (File, nothing done)
D:\Documents and Settings\ViPo.KG2\Desktop\Shortcut to Lyndell (Newtop).lnk

This is a shortcut to a home network laptop computer owned by my daughter

These are other shortcuts detected as infected by Element, stored in the Spybot recovery folder:

The first Zuma shortcut infection was detected when I was having serious problems with Windows xp

Zuma, Zuma, Search and Destroy, Solitaire, Zuma, Simplifying Chord Progression, Recolored, Project1.exe

I haven't deleted the shortcut to Lyndell because she is away from home at the moment, so that shortcut will not be used.

Thanks again for taking the time to look into this for me
Po

LonnyRJones
2006-02-26, 05:32
Hi

Would you please right-click on "Lyndell (Newtop).lnk" and see if it is pointing to the correct program; if not, what does it point to?

Download and run Silentrunners.vbs and post the log it creates please.
http://www.silentrunners.org/sr_scriptuse.html Click No to not skip the supplementary searches.
Wait until there is an All Done message!!, then open and post the log next to it. Your antivirus script protection might interfere or alert; please allow it to run, and after a bit a box will say done.
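
Scripting the check LonnyRJones asks for above (and the earlier advice to only ignore a flagged shortcut once you know it points at a good program): this is an added example, not code from this thread, from Spybot or from Silent Runners. It reads a Windows .lnk (Shell Link, MS-SHLLINK) file with a minimal parser and reports the target path, working directory and command-line arguments, so a whole desktop of shortcuts can be reviewed at once instead of right-clicking each one. The two sample shortcuts are constructed inside the block by build_lnk(); the Zuma and Yahoo! Messenger paths and the "-quiet" argument are assumptions for the example, not values taken from the poster's machine.

```python
"""Minimal reader for Windows .lnk (Shell Link, MS-SHLLINK) files.

Added example for this thread, not code from Spybot or Silent Runners. It pulls out
the fields you look at when a scanner flags a desktop shortcut: target path, working
directory and arguments. build_lnk() constructs the samples, so nothing is read from disk.
"""
import struct

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in its on-disk (mixed-endian) layout
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags (MS-SHLLINK 2.1.1), only the ones this reader needs
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags (MS-SHLLINK 2.3)
# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def _cstring(buf, offset):
    """NUL-terminated ANSI string at offset (LinkInfo paths are stored this way)."""
    return buf[offset:buf.index(b"\x00", offset)].decode("latin-1")


def parse_lnk(data):
    """Return a dict with 'target' plus any StringData fields present in a .lnk blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"target": None}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # Skip the IDList (PIDL) by its declared size; the plain path lives in LinkInfo
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        start = pos
        size, _hdr, info_flags, _vol, base_off, _cnrl, suffix_off = struct.unpack_from("<7I", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            info["target"] = _cstring(data, start + base_off) + _cstring(data, start + suffix_off)
        pos = start + size
    for flag, key in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]  # character count, no terminator
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            pos += count * width
            info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return info


def triage(lnk, expected_prefixes):
    """Reasons a shortcut deserves a closer look; an empty list means it looks as expected."""
    reasons = []
    target = lnk.get("target")
    if target is None:
        reasons.append("no plain target path in LinkInfo; resolve the IDList before trusting it")
    elif not any(target.lower().startswith(p.lower()) for p in expected_prefixes):
        reasons.append(f"target {target!r} is outside the expected folders")
    if lnk.get("arguments"):
        reasons.append(f"shortcut passes arguments: {lnk['arguments']!r}")
    return reasons


def build_lnk(target, working_dir="", arguments=""):
    """Construct a minimal .lnk (sample input for this example, not an Explorer-written file)."""
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base = target.encode("latin-1") + b"\x00"
    suffix = b"\x00"  # empty CommonPathSuffix
    hdr = 0x1C  # LinkInfoHeaderSize without the optional Unicode offsets
    vol_off = hdr
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    size = suffix_off + len(suffix)
    link_info = struct.pack("<7I", size, hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + suffix
    flags = HAS_LINK_INFO | IS_UNICODE
    strings = b""
    for flag, text in ((HAS_WORKING_DIR, working_dir), (HAS_ARGUMENTS, arguments)):
        if text:
            flags |= flag
            strings += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # zero times/size, SW_SHOWNORMAL
    return header + link_info + strings


if __name__ == "__main__":
    # Constructed samples: the paths are assumptions, not taken from the poster's machine
    samples = {
        "Zuma.lnk": build_lnk(r"D:\Games\Zuma\Zuma.exe", working_dir=r"D:\Games\Zuma"),
        "Yahoo! Messenger.lnk": build_lnk(r"D:\Program Files\Yahoo!\Messenger\ypager.exe",
                                          arguments="-quiet"),
    }
    for name, blob in samples.items():
        lnk = parse_lnk(blob)
        print(name, "->", lnk["target"], lnk.get("arguments", ""))
        for reason in triage(lnk, [r"D:\Games", r"D:\Program Files"]):
            print("   note:", reason)
```

To review a real desktop, replace the constructed samples with the bytes of each `*.lnk` file and pass the folders you installed the programs into as `expected_prefixes`; a shortcut whose target lies elsewhere, or that quietly carries extra arguments, is the one worth checking by hand before deciding whether a scanner's hit is a false positive. Shortcuts that store their target only in the IDList (no LinkInfo path) are reported as unresolved rather than guessed at.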

po_weber
2006-02-26, 07:21
Hello LonnyRJones

Thanks for your reply

The right-click on this shortcut, "Lyndell (Newtop).lnk", seems to be OK.

Thanks again for your interest here

Po

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "D:\WINDOWS\system32\ctfmon.exe" [MS]
"Yahoo! Pager" = ""D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Lexmark X1100 Series" = ""D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"" ["Lexmark International, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"vsc32cnf.exe" = "D:\Program Files\Roland\VSC32\vsc32cnf.exe" ["Roland"]
"vscvol.exe" = "D:\Program Files\Roland\VSC32\vscvol.exe" ["Roland"]
"Startup Cleaner" = "D:\Program Files\CM Data Software\CM DiskCleaner\Startup Cleaner.exe" ["CM DiskCleaner"]
"avast!" = "D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k" [MS]
"NeroFilterCheck" = "D:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\dfshim.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


Default executables:
--------------------

.HTA: HKLM\SOFTWARE\Classes\htafile\shell\open\command\
INFECTION WARNING! "Default" = "NOTEPAD.EXE %1" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\ViPo.KG2\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "ViPo" & "All Users" startup folders:
------------------------------------------------------

D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
"AudiMax Dual" -> shortcut to: "D:\Program Files\Mediatek\AudiMax Dual\AudiMaxDual.exe" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{21569614-B795-46B1-85F4-E737A8DC09AD}\ = "Shell Search Band" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""D:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Diskeeper, Diskeeper, ""D:\Program Files\Executive Software\DiskeeperLite\DKService.exe"" ["Executive Software International, Inc."]
ewido security suite control, ewido security suite control, "D:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "D:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
LexBce Server, LexBceS, "D:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Sunbelt Kerio Personal Firewall 4, KPF4, ""D:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe"" ["Sunbelt Software"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 48 seconds)

LonnyRJones
2006-02-26, 10:29
Those logs look fine.

If you would put all the desktop shortcuts in a folder, then over the next few days let us know if SSD still detects that item.

po_weber
2006-02-27, 02:58
Thanks again LonnyRJones

I followed your instructions and moved everything to a folder which I put on the desktop; this also included the last shortcut detected as infected, and I have now scanned twice with Spybot and nothing has been detected.

I'll leave it a few days and let you know if it comes up somewhere else.

Thanks for your help, I hope the problem is solved.

Po