Ever changing filenames: (?!)

Discussion in 'other security issues & news' started by SG1, Aug 28, 2005.

Thread Status:
Not open for further replies.
  1. SG1

    SG1 Registered Member

    Joined: Jan 16, 2003
    Posts: 430

    Recently, HijackThis! had reported:

    O10 - Unknown file in Winsock LSP: c:\windows.000\system\drwebsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows.000\system\drwebsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows.000\system\drwebsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows.000\system\drwebsp.dll

    I ran LSPFix utility from cexx.org, crossed my fingers, and it seemed to have worked as thereafter HJT gave me a clean bill of health.

    But now, it seems that DRWEB AV finds ever changing file names - executables - that are "probably a winscript virus." However, said files often have the same icon as does HJT (or the icon seen on this PC) but have names like xyq.exe and so on and are normally in the Temp DIR but are also sometimes listed as being c:\abc.exe (for example). And, I do have icons on the Desktop that change, now and then.

    Well, take a look please at the below HJT report, and tell me what it indicates if anything. (There are, to my eye, some things that bode ill and yes I can of course be wrong). The "rename" section may or may not have to do with CCleaner - but I rather doubt it.

    Then, too, WinPatrol keeps throwing up Alerts that odd-named or no-name files wish to join the Startup apps. Oh, you bet; if they don't ID themselves properly, I can't see letting them run. What's going on, here?!

    And other than DRWEB AV crying wolf, none of the security apps do, like HJT or Spybot, or TrojanHunter or AdAware SE Plus. What am I missing?

    Thanks for your help,
    Best, SG1 (Pat)
    ==============================
    {From HijackThis! generated Startup log}

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden
    ===================================
    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)
    ===================================
    Checking for EXPLORER.EXE instances:

    C:\WINDOWS.000\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS.000\Explorer\Explorer.exe: not present
    C:\WINDOWS.000\System\Explorer.exe: not present
    C:\WINDOWS.000\System32\Explorer.exe: not present
    C:\WINDOWS.000\Command\Explorer.exe: not present
    C:\WINDOWS.000\Fonts\Explorer.exe: not present
    ====================================
    C:\WINDOWS.000\WININIT.INI listing:

    *File not found*
    ====================================
    C:\WINDOWS.000\WININIT.BAK listing:
    (Created 27/8/2005, 21:9:36)

    [rename]
    C:\WINDOWS.000\SYSTEM\Msvcrt.dll=C:\WINDOWS.000\SYSTEM\MSVCD2C5.RRA
    NUL=C:\WINDOWS.000\TEMP\{5A0C8~1\
    ====================================
    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS.000\SYSTEM\rnr20.dll
    Protocol #1: C:\WINDOWS.000\SYSTEM\mswsosp.dll
    Protocol #2: C:\WINDOWS.000\SYSTEM\msafd.dll
    Protocol #3: C:\WINDOWS.000\SYSTEM\msafd.dll
    Protocol #4: C:\WINDOWS.000\SYSTEM\msafd.dll
    Protocol #5: C:\WINDOWS.000\SYSTEM\rsvpsp.dll
    Protocol #6: C:\WINDOWS.000\SYSTEM\rsvpsp.dll
    ======================================
     