Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT logfile


  • Please log in to reply
9 replies to this topic

#1 spillo9

spillo9

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 23 May 2005 - 10:37 AM

Hello everybody,
I use "Antivir" software but it tells that the file
C:\WINDOWS\FONTS\DRVWAVE.DLL is the
Trojan horse TR/Agent.CS.1.
The Antivirus software doesn't manage to repair
the virus, and I don't know how to operate.

I add the Hijackthis logfile:
-------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 19.22.07, on 22/05/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\Programmi\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Programmi\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\WINDOWS\explorer.exe
C:\Programmi\wincmd\Wincmd32.exe
C:\Programmi\AVPersonal\AVGUARD.EXE
C:\Programmi\AVPersonal\AVGNT.EXE
C:\Programmi\DC++\DCPlusPlus.exe
C:\Programmi\Mozilla Firefox\firefox.exe
D:\install\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.58.79.221:80
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\Fonts\drvwave.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programmi\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - http://www.pixaco.it/static/download/iedropupload.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://83.103.65.92/activex/AxisCamControl.cab
O20 - Winlogon Notify: drvwave - C:\WINDOWS\Fonts\drvwave.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programmi\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programmi\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Programmi\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe (file missing)
----------------------------------------------------------------------------------------

I hope that someone can help me.
Many thanks, Alexander.

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:17 AM

Posted 23 May 2005 - 11:11 PM

Hello spillo9 and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download Process Explorer by Sysinternals and unzip it to your desktop. Do not run it yet.

Download Pocket Killbox and unzip it to your desktop. Do not run it yet.

Step #2

Open Notepad and copy/paste the text in the quotebox below into the new document:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]


Save the document to your desktop as fixvundo.reg and close Notepad.

Step #3

The rest of this fix must be done in safe mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Locate procexp.exe on your desktop and double-click on it to start the program.
  • In the top section of the Process Exlporer screen double-click on WinLogon.exe to bring up the WinLogon.exe Properties Dialog.
    • Click on the Threads tab at the top.
    • Locate each instance of drvwave.dll, click once on the instance and then click the Kill button.
    • If you see any .ini or .bak files with either the same name or the file name in reverse, kill them as well.
    • After you have killed all of the files shown above under WinLogon click Ok.
  • Next, double-click on Explorer.exe.
    • Click on the Threads tab at the top.
    • Locate each instance of drvwave.dll, click once on the instance and then click the Kill button.
    • If you see any .ini or .bak files with either the same name or the file name in reverse, kill them as well.
    • After you have killed all of the files shown above under Explorer click Ok.
Step #5

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\Fonts\drvwave.dll
O20 - Winlogon Notify: drvwave - C:\WINDOWS\Fonts\drvwave.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #6

Locate the fixvundo.reg on your desktop and right-click on it. Choose Merge from the popup menu and answer Yes or Ok to any further prompts.

Step #7

Locate KillBox.exe on your desktop and double-click on it to start the program.
  • Click Delete on Reboot.
  • Paste the line below into the top Full Path of File to Delete box.
    • C:\WINDOWS\Fonts\drvwave.dll
  • Click the Delete File button which looks like a stop sign.
  • Click Yes at the Delete on Reboot prompt.
  • Click Yes at the Delete next Reboot prompt.
  • If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.
Step #8

OK. After your computer has rebooted normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 spillo9

spillo9
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 24 May 2005 - 04:36 PM

Dear Oldtimer,
many thanks to suggest me this procedure,
but I incurr in a preliminary problem.

When I want to enter Windows in SafeMode,
I press F8, then I choose Safe Mode with arrows,
but at the moment of digit the password,
the keyboard DOESN'T work at all,
so I cannot enter in Safe Mode.

That is strange because the PC accepts before
both F8 key and the arrows......

Please, I don't know what to do :-)

I have a normal PS/2 keyboard, not USB.

I hope in your help.

Many greetings, Alexander.

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:17 AM

Posted 24 May 2005 - 09:07 PM

Hi spillo9. Is this computer on a company network that does not allow a Safe Mode boot?

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 spillo9

spillo9
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 25 May 2005 - 02:40 AM

No, it's my home PC.
I'm not on a network.

I add this: the time between I choose Safe Mode
and the moment in which appears the screen with
(login-password) is rather long, for example 1 minute.

Is that normal?

Isn't that the virus denies to enter in Safe Mode
just with the purpose not to be defeated?

Many thanks, Alessandro.

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:17 AM

Posted 25 May 2005 - 10:25 AM

Hi spillo9. I have never heard of a virus that could disallow boot ing to Safe Mode. Let's do this.

Start HijackThis and follow these steps:
  • Click on Config button
  • Click on the Misc Tools button
  • Check the checkbox for List minor sections (full)
  • Check the checkbox for List empty sections (complete)
  • Click on the Generate StartupList Log button
  • Click the Yes button to create the list
Save the Notepad document because I will need you to include the information into your next post.
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#7 spillo9

spillo9
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 25 May 2005 - 11:56 AM

Hi Oldtimer, I made what you requested.

I attach the logfile that you requested.
-------------------------------------------------

StartupList report, 25/05/2005, 18.53.08
StartupList version: 1.52.2
Started from : D:\install\HijackThis.EXE
Detected: Windows 2000 SP3 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\Programmi\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Programmi\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Programmi\Mozilla Firefox\firefox.exe
D:\install\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\a\Menu Avvio\Programmi\Esecuzione automatica]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Menu Avvio\Programmi\Esecuzione automatica]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

QuickTime Task = "C:\Programmi\QuickTime\qttask.exe" -atboottime
AWMON = "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
{0228e555-4f9c-4e35-a3ec-b109a192b4c2} = C:\Programmi\Gmail Notifier\G001-1.0.24.0\gnotify.exe
Synchronization Manager = mobsync.exe /logon

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

MMTray = MMTray.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[KeyMaestro]
FirstRun = 
RepeatFlag =
PowerEnable = 
BTCplayEnable = 

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINDOWS\System32\shmgrate.exe" OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINDOWS\System32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*No subkeys found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Editor del Registro di sistema'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\Fonts\drvwave.dll - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Avvio dell'Ottimizzazione.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[QuickTime Object]
InProcServer32 = C:\Programmi\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[PIXACO upload plugin]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IEDROP~1.OCX
CODEBASE = http://www.pixaco.it/static/download/iedropupload.cab

[Java Plug-in 1.4.2_05]
InProcServer32 = C:\Programmi\Java\j2re1.4.2_05\bin\npjpi142_05.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[CamImage Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
CODEBASE = http://83.103.65.92/activex/AxisCamControl.cab

[Java Plug-in 1.3.1]
InProcServer32 = C:\Programmi\JavaSoft\JRE\1.3.1\bin\npjpi131.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[Java Plug-in 1.4.2_05]
InProcServer32 = C:\Programmi\Java\j2re1.4.2_05\bin\npjpi142_05.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\rnr20.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
Protocol #1: C:\WINDOWS\system32\msafd.dll
Protocol #2: C:\WINDOWS\system32\msafd.dll
Protocol #3: C:\WINDOWS\system32\msafd.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\msafd.dll
Protocol #7: C:\WINDOWS\system32\msafd.dll
Protocol #8: C:\WINDOWS\system32\msafd.dll
Protocol #9: C:\WINDOWS\system32\msafd.dll
Protocol #10: C:\WINDOWS\system32\msafd.dll
Protocol #11: C:\WINDOWS\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Driver ACPI Microsoft: System32\DRIVERS\ACPI.sys (system)
Ambiente supporto di rete AFD: \SystemRoot\System32\drivers\afd.sys (autostart)
Avvisi: %SystemRoot%\System32\services.exe (autostart)
AntiVir Service: C:\Programmi\AVPersonal\AVGUARD.EXE (manual start)
Gestione applicazione: %SystemRoot%\system32\services.exe (manual start)
Driver per supporti asincroni RAS: System32\DRIVERS\asyncmac.sys (manual start)
Controller disco rigido IDE/ESDI standard: System32\DRIVERS\atapi.sys (system)
Protocollo client ARP ATM: System32\DRIVERS\atmarpc.sys (manual start)
Driver stub audio: System32\DRIVERS\audstub.sys (manual start)
avgntdd: \??\C:\Programmi\AVPersonal\AVGNTDD.SYS (manual start)
AntiVir Update: "C:\Programmi\AVPersonal\AVWUPSRV.EXE" (autostart)
Servizio trasferimento intelligente in background: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
Browser di computer: %SystemRoot%\System32\services.exe (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
Driver del CD-ROM: System32\DRIVERS\cdrom.sys (system)
Servizio di indicizzazione: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTSvcCDA.exe (autostart)
Porta giochi per Creative SB Live!: System32\DRIVERS\ctljystk.sys (manual start)
Client DHCP: %SystemRoot%\System32\services.exe (autostart)
Driver del disco: System32\DRIVERS\disk.sys (system)
Servizio amministrativo di Gestione disco logico: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Driver Gestione disco logico: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Gestione disco logico: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
Client DNS: %SystemRoot%\System32\services.exe (autostart)
ElbyCDFL: System32\Drivers\ElbyCDFL.sys (manual start)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
Creative SB Live! Value (WDM): system32\drivers\emu10k1f.sys (manual start)
Driver di Creative Interface Manager (WDM): System32\drivers\ctlface.sys (manual start)
Registro eventi: %SystemRoot%\system32\services.exe (autostart)
Sistema di eventi COM+: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Servizio Microsoft Fax: %systemroot%\system32\faxsvc.exe (manual start)
Driver controller disco floppy: System32\DRIVERS\fdc.sys (manual start)
Driver disco floppy: System32\DRIVERS\flpydisk.sys (manual start)
Driver archiviazione volumi: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Utilitą di classificazione pacchetti generica: System32\DRIVERS\msgpc.sys (manual start)
Driver di classe HID Microsoft: System32\DRIVERS\hidusb.sys (autostart)
HPFECP13: \SystemRoot\System32\drivers\HPFECP13.SYS (autostart)
Driver di porta mouse PS/2 e tastiera i8042: System32\DRIVERS\l8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
Driver filtro traffico IP: System32\DRIVERS\ipfltdrv.sys (manual start)
Driver tunnel IP in IP: System32\DRIVERS\ipinip.sys (manual start)
Traduttore indirizzi di rete IP: System32\DRIVERS\ipnat.sys (manual start)
Driver IPSEC: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Driver bus PnP ISA/EISA: System32\DRIVERS\isapnp.sys (system)
Driver classe tastiera: System32\DRIVERS\kbdclass.sys (system)
KeyMaestro: \??\C:\WINDOWS\System32\drivers\Maestro0.sys (manual start)
Mixer wave audio del kernel Microsoft: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
Driver Class Filter per tastiera Logitech: System32\DRIVERS\lkbdfltr.sys (system)
Servizio guida TCP/IP NetBIOS: %SystemRoot%\System32\services.exe (autostart)
Driver Class Filter per mouse Logitech: System32\DRIVERS\lmoufltr.sys (system)
Driver per mouse seriale Logitech: System32\DRIVERS\lsermous.sys (system)
Messenger: %SystemRoot%\System32\services.exe (autostart)
Condivisione desktop remoto di NetMeeting: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Driver classe mouse: System32\DRIVERS\mouclass.sys (system)
Driver di mouse HID: System32\DRIVERS\mouhid.sys (manual start)
BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\MsiExec.exe /V (manual start)
Proxy di servizio di flusso Microsoft: system32\drivers\MSKSSRV.sys (manual start)
Proxy clock di flusso Microsoft: system32\drivers\MSPCLOCK.sys (manual start)
Proxy di gestione qualitą di flusso Microsoft: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Driver TAPI NDIS di accesso remoto: System32\DRIVERS\ndistapi.sys (manual start)
Driver WAN NDIS di accesso remoto: System32\DRIVERS\ndiswan.sys (manual start)
Interfaccia NetBIOS : System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
DDE di rete: %SystemRoot%\system32\netdde.exe (manual start)
DDE DSDM di rete: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Accesso rete: %SystemRoot%\System32\lsass.exe (manual start)
Connessioni di rete: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Driver monitor di rete: System32\DRIVERS\NMnt.sys (manual start)
Provider supporto protezione LM NT: %SystemRoot%\System32\lsass.exe (manual start)
Gestione archivi rimovibili: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Driver filtro traffico IPX: System32\DRIVERS\nwlnkflt.sys (manual start)
Driver inoltratore traffico IPX: System32\DRIVERS\nwlnkfwd.sys (manual start)
Driver di classe parallela: System32\DRIVERS\parallel.sys (manual start)
Driver della porta parallela: System32\DRIVERS\parport.sys (system)
Driver bus PCI: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
PfModNT: \??\C:\WINDOWS\System32\drivers\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Agente criteri IPSEC: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Archiviazione protetta: %SystemRoot%\system32\services.exe (autostart)
Driver Direct Parallel Link: System32\DRIVERS\ptilink.sys (manual start)
Driver connessione automatica Accesso remoto: System32\DRIVERS\rasacd.sys (system)
Auto Connection Manager di Accesso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Connection Manager di Accesso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Accesso Raw Channel rete streaming Microsoft: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Driver filtro riproduzione CD-ROM audio digitale: System32\DRIVERS\redbook.sys (system)
Routing e Accesso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Servizio Registro di sistema remoto: %SystemRoot%\system32\regsvc.exe (autostart)
RPC Locator: %SystemRoot%\System32\locator.exe (manual start)
RPC (Remote Procedure Call): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Gestione protezione account: %SystemRoot%\system32\lsass.exe (autostart)
Helper smart card: %SystemRoot%\System32\SCardSvr.exe (manual start)
smart card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Utilitą di pianificazione: %SystemRoot%\system32\MSTask.exe (autostart)
ScsiAccess: C:\Programmi\ProShowGold\ScsiAccess.exe (autostart)
Servizio RunAs: %SystemRoot%\system32\services.exe (autostart)
Notifica eventi di sistema: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Driver filtro Serenum: System32\DRIVERS\serenum.sys (manual start)
Driver della porta seriale: System32\DRIVERS\serial.sys (system)
Driver di Creative SoundFont Manager (WDM): System32\drivers\sfman.sys (manual start)
Condivisione connessione Internet: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Symantec Network Drivers Service: C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe (manual start)
Spooler di stampa: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Driver bus software: System32\DRIVERS\swenum.sys (manual start)
Sintetizzatore Wavetable GS kernel Microsoft: system32\drivers\swmidi.sys (manual start)
SymEvent: \??\C:\Programmi\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \??\C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Periferica audio di sistema Microsoft: system32\drivers\sysaudio.sys (manual start)
Avvisi e registri di prestazioni: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telefonia: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Driver protocollo TCP/IP: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Manutenzione collegamenti distribuiti client: %SystemRoot%\system32\services.exe (autostart)
Driver host controller Universal USB Microsoft: System32\DRIVERS\uhcd.sys (manual start)
Driver aggiornamento microcodice: System32\DRIVERS\update.sys (manual start)
Gruppo di continuitą: %SystemRoot%\System32\ups.exe (manual start)
Driver hub USB standard Microsoft: System32\DRIVERS\usbhub.sys (manual start)
Driver scanner USB: System32\DRIVERS\usbscan.sys (manual start)
Motorola USB Modem Driver: System32\DRIVERS\usbser.sys (manual start)
Driver archiviazione di massa USB: System32\DRIVERS\USBSTOR.SYS (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Ora di Windows: %SystemRoot%\System32\services.exe (manual start)
Driver ARP IP di accesso remoto: System32\DRIVERS\wanarp.sys (manual start)
Driver di compatibilitą audio Microsoft WINMM WDM: system32\drivers\wdmaud.sys (manual start)
Strumentazione gestione Windows: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Servizio Numero di serie per dispositivi multimediali portatili: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Estensioni driver Strumentazione gestione Windows: %SystemRoot%\system32\Services.exe (manual start)
Ambiente di supporto del provider del Servizio Non-IFS di Windows Socket 2.0: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Aggiornamenti automatici: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Texas Instruments XDS560 Device Driver: System32\DRIVERS\xds560.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINDOWS\system32\NETSHELL.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 29.104 bytes
Report generated in 0,371 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only





Many greetings, by spillo9.

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:17 AM

Posted 25 May 2005 - 01:32 PM

Hi spillo9. There is nothing in the startup list that is not normal. Does your password include numbers and if so is the Num Lock key on? There is no reason that the keyboard would not work unless it is a special keyboard and you need a special driver for it. If it is a normal ps2 keyboard then that would no be the case.

The other thing that you could try is to update your operating system. It is quite out of date and that should not matter but you never know. Windows 2000's latest Service Pack is SP4. Go to the MS Update site and install that and then see if it makes a difference.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#9 spillo9

spillo9
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 26 May 2005 - 11:29 AM

Hi Oldtimer,
I tried to solve the keyboard problem, but
without results.

I tried with my office keyboard (normal PS/2 keyboard)
but nothing.
I tried to set the access to Win2000 without login-password,
but when I enter in Safe Mode I only see the "Safe mode"
writing at the 4 sides of the screen, but the desktop
is totally black, so I cannot do nothing.
That is a general problem: I cannot enter in SafeMode.

I ask you something: can I follow your removal
procedure entering in Normal Mode instead
of Safe Mode?
Can I obtain the same results?
For removal procedure, I mean, that one you
described in your first reply.

Cheers, Alessandro.

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:17 AM

Posted 26 May 2005 - 04:54 PM

Hi spillo9. Unfortunately you will not be able to change the registry keys or delete the file when started in normal mode. The infection will not allow it.

The only other thing that you can do is boot with a Windows 2000 CD and go into the Recovery Console. Navigate to C:\WINDOWS\Fonts\ and delete the file manually. If it is not visible then type the following to make it visible:

attrib -s -h -r drvwave.dll.

Then delete the file.

Before attempting the above backup all of your important files because this process can render your computer unstable or inoperable!.

Once you have completed the above boot into safe mode and do the steps in my previous post. You can skip steps #4 and #7 because the file will be gone already.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users