
W32/Rbot/Sdbott, VW Troj/Crater, etc Damage


This topic is locked
11 replies to this topic

#1 ravengirl

ravengirl

  • Members
  • 7 posts

Posted 30 July 2005 - 03:05 AM

Very Sick Computer!! Would really appreciate your help

Thankfully this is not my computer, it belongs to a family friend.
They had NO anti-virus program on it and NO Microsoft security updates etc.
It is now up to date and is running Windows XP SP1a Home Edition.

It had been completely compromised and had multiple Guest, Administrators, Owners, Default Users accessing the system.
The entire HD was filled with multiple copies of their files.
I’ve been attempting to rid this beast of multiple viruses, spyware and malware for the past week and removed all the users.
I installed AVG Free Edition, Free Zone Alarm, AdAware, CWShredder, and Search and Destroy.
I even had gotten it to the point that I actually had a couple of clean online scans (Micro Trend and Bitdefender).
AVG Free Edition run in Safe Mode with System Restore off found and cleaned 3 viruses.
Search and Destroy couldn’t eliminate “Alltheinternet” though.
Netlib, Taskbarmngr, Winscmgr just return after trying to eliminate them with HijackThis.

So at least those are still lurking and starting havoc since new Users are appearing again!!
The HD is humming away continuously with files being accessed.
This all occurred after I reactivated System Restore and rebooted from Safe Mode yesterday.

HELP!

Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:41:15 AM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner.YOUR-W92P4BHLZG\Desktop\Hijack This\HijackThis1991.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\SPYWAR~1\POPUPA~1\ABG_PL~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122173251158
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA64E3BD-3AC7-4437-860D-88A3FEF10FF6}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1EE531D-59AA-4BE4-B59B-40EA140F2BCF}: NameServer = 204.186.0.202 207.44.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Microsoft Registry Viewer (dumpreg) - Unknown owner - C:\WINDOWS\dumpreg.exe (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Microsoft Service Manager (winmdgr) - Unknown owner - C:\WINDOWS\winsvcmgr.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 July 2005 - 03:43 PM

Hello ravengirl and welcome to the BC malware forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Now we need to remove some services.

Open Notepad and Copy/Paste the contents of the quote box below into the new document:

Const title = "Service Removal Tool"

Set oWS = CreateObject("Wscript.Shell")
' Ask which service to remove; the default is the first one named in the log.
sService = InputBox("Removing Service:", title, "Netlib")

If sService = "" Then
    MsgBox "Script halted. No changes were made.", vbInformation, title
    WScript.Quit
End If

' Connect to WMI on the local machine and look the service up by either
' its short name or its display name.
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where Name = '" & sService & "' or DisplayName = '" & sService & "'")
If colListOfServices.Count > 0 Then
    For Each objService In colListOfServices
        objService.StopService()
        WScript.Sleep 10000               ' give the service time to stop
        objService.ChangeStartMode("Disabled")
        WScript.Sleep 2000
        objService.Delete()               ' if still in use, Windows marks it for deletion at reboot
        MsgBox "The " & sService & " service has been removed or marked for deletion.", vbInformation, title
    Next
Else
    MsgBox "The " & sService & " service was not found.", vbInformation, title
End If


Save the file to your desktop as remsvc.vbs and close Notepad. Locate the remsvc.vbs file on your desktop and double-click on it to run it. Click the Ok button and wait for a message box saying the service has been removed or marked for deletion.

Restart the remsvc.vbs file for each of the following services and type or copy/paste the name into the editbox before clicking the Ok button:
  • winmdgr
  • wtaskbarmngr

Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O17 - HKLM\System\CCS\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA64E3BD-3AC7-4437-860D-88A3FEF10FF6}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1EE531D-59AA-4BE4-B59B-40EA140F2BCF}: NameServer = 204.186.0.202 207.44.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: NameServer = 69.50.176.156,195.225.176.31

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\System32\Netlib.exe
C:\WINDOWS\winsvcmgr.exe
C:\WINDOWS\taskbarmngr.exe

Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you rebooted into Safe Mode just stay in Safe Mode until I tell you to reboot normally.

Step #4

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #5

Reboot normally and run at least 2 of the following on-line virus scans:
  • Bitdefender <<< Add a check by 'Autoclean'.
  • RAV <<< Add a check by 'Autoclean', leave everything else as is.
  • eTrust <<< 'Cure' whatever is found, then delete if unsuccessful.
  • Housecall <<< Put on 'Autoclean' and delete what it can't clean.
  • Panda ActiveScan <<< Accept default settings.
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #6

AdAware SE v1.06

Download, install, update, configure and run a scan with Ad-aware SE v1.06:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window.
  • Right-click on the list and choose Select All
  • Click the Next button to finish removing the items that were found
  • When finished, REBOOT to complete the removal of what Ad-Aware SE found
Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 ravengirl

ravengirl
  • Topic Starter

  • Members
  • 7 posts

Posted 30 July 2005 - 09:30 PM

Hi

Thanks for your response and help. I’ve included my latest HJ This Log.

But between the time of my initial post and your response, I had continued to try a number of things, some successful, some not. I’ll describe them and the response I had.

1. I had made repeated unsuccessful attempts to have HJT remove the Netlib, winmdgr, swtaskbarmngr, so used the Autoruns program in Safe Mode to remove them successfully. But upon rebooting discovered the computer was still being accessed (HD continually humming away, new user files visible etc.). Rebooted in Safe Mode and ran Autoruns again – they were definitely gone - had been removed.

2. I also searched unsuccessfully, repeatedly (in Safe Mode) for the files with show system and hidden files selected.

3. I did a Google search for the 65.50.176.156,195.255.176.31 and was led to Norton’s information and instructions for repairing the registry after infection by this Trojan – the following is a copy of their instructions:
------------------------------------------------------------------------------------------------
Once executed, Trojan.Flush.D performs the following actions:
1. Queries all the entries named "Ipconfig" in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters

to get the CLSID references for the net adapters installed on the compromised computer.
2. Adds the value:

"NameServer" = "69.50.176.156,195.225.176.31"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
\Interfaces\[adapter_clsid]
Use regedit to fix
a. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\Interfaces\[adapter_clsid]
b. In the right pane, delete the value:

"NameServer" = "69.50.176.156,195.225.176.31"
c. Navigate to the subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP
*** There was NO MSTCP found. The only name there was JAVASUP, and several items for it in the right pane, but not what is described below. ***
d. In the right pane, delete the value:

"NameServer" = "69.50.188.180,195.225.176.31"
e. Exit the Registry Editor.
Next I did the following successfully
Windows XP
a. Click Start, and then click Search.
b. Click All files and folders.
c. In the "All or part of the file name" box, type:

rasphone.pbk
d. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
e. Click "More advanced options."
f. Check "Search system folders."
g. Check "Search subfolders."
h. Click Search.
i. Click Find Now or Search Now.
j. If you find rasphone.pbk file, right-click the file, and then click "Open With."
k. Deselect the "Always use this program to open this program" check box.
l. Scroll through the list of programs and double-click Notepad.
m. When the file opens, delete the entries below:

IpDnsAddress = 69.50.176.156
IpDns2Address = 195.225.176.31
IpNameAssign = 2
n. Close Notepad and save your changes when prompted
-----------------------------------------------------------------------------------------

4. I have done 2 clean online scans Bitdefender and MicroTrend House Call and also AVG Free scan several hours ago was clean (in Safe Mode). Adaware shows 0 !! Ran CClean program.

5. I used your Script and none of the 3 services were found.

So now what the heck is STILL RUNNING on this computer... it still is busy... busy constantly humming away with 3 different User files on it the last I looked and not even an Internet connection... begins immediately at boot up!!

After a week of this disaster computer, I’m almost ready to call it quits! Why I agreed to try and fumigate this mess, I don’t know!!

Hope you have a solution. And thanks again for your time and dedication.
Anxiously waiting for your reply. Here is my log.

ravengirl

Logfile of HijackThis v1.99.1
Scan saved at 8:44:37 PM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner.YOUR-W92P4BHLZG\Desktop\Hijack This\HijackThis1991.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\SPYWAR~1\POPUPA~1\ABG_PL~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122173251158
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
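As an added example (not code from the thread, from HijackThis, or from OldTimer's tools), the two checks OldTimer applied by eye to the O17 and O23 lines in post #2, together with the resolver hijack that the Trojan.Flush.D write-up quoted in post #3 describes, expressed as a small Python triage pass over a constructed log fragment. The trusted-resolver allowlist and the extra clean adapter line are assumptions.

```python
"""Triage of HijackThis O17 (NameServer) and O23 (service) lines.

Added example for this thread; it is not part of HijackThis, WinPFind or the
scripts posted in the thread. It codifies two checks a reviewer applied to
the log above: DNS resolvers no adapter should be using, and services whose
binary is gone and whose owner is unknown.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address

# Assumption: the resolvers the household's ISP really hands out. These are
# documentation-range placeholders, not the ISP's actual addresses.
TRUSTED_RESOLVERS = frozenset({"192.0.2.53", "192.0.2.54"})

# Constructed sample in the shape of the thread's HJT log. The first O17 line
# carries the resolver pair the Trojan.Flush.D write-up names; the third O17
# line is a constructed clean adapter, added to show the allowlist at work.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{E1EE531D-59AA-4BE4-B59B-40EA140F2BCF}: NameServer = 204.186.0.202 207.44.0.1
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-00000000C1EA}: NameServer = 192.0.2.53,192.0.2.54
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\\WINDOWS\\System32\\Netlib.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\\WINDOWS\\taskbarmngr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe
"""

# O17: the registry key ends in the adapter's interface GUID; the value is the
# NameServer string exactly as stored, so separators vary (comma or space).
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\\S+?): NameServer = (?P<servers>.+)$")
# O23: "display name (short name) - owner - path"; a dead service shows
# "Unknown owner" and a path suffixed "(file missing)".
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)


@dataclass(frozen=True)
class Finding:
    section: str  # "O17" or "O23"
    subject: str  # interface GUID or service short name
    reason: str


def _normalise(token: str) -> str:
    """Canonical form when the token parses as an address; anything that does
    not parse is kept verbatim so it still shows up as untrusted."""
    try:
        return str(ip_address(token))
    except ValueError:
        return token


def untrusted_resolvers(servers: str, trusted=TRUSTED_RESOLVERS) -> list[str]:
    """Resolver addresses in a NameServer value that are not on the allowlist."""
    tokens = [t for t in re.split(r"[,\s]+", servers.strip()) if t]
    return [_normalise(t) for t in tokens if _normalise(t) not in trusted]


def triage(log_text: str, trusted=TRUSTED_RESOLVERS) -> list[Finding]:
    """Walk an HJT log and return the O17/O23 lines a reviewer should look at."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            bad = untrusted_resolvers(m.group("servers"), trusted)
            if bad:
                guid = m.group("key").rsplit("\\", 1)[-1]
                findings.append(Finding("O17", guid, "resolver not in allowlist: " + ", ".join(bad)))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner" and m.group("path").endswith("(file missing)"):
            findings.append(Finding("O23", m.group("name"), "unknown owner and binary missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.subject}: {f.reason}")
```

The O23 rule is a prompt for review, not a verdict: the same pattern matches a legitimately uninstalled program whose service entry was left behind, which is why the thread's reviewer cleaned up only the three he recognised.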

#4 ravengirl

ravengirl
  • Topic Starter

  • Members
  • 7 posts

Posted 30 July 2005 - 09:55 PM

Something I forgot to mention. When I was browsing around in the Autoruns program, I noted 2 things that I thought might be suspicious.

Under the EXPLORER Tab:

Display Panning CPL Extension – File not found – deskpan.dll *couldn’t see a path

HyperTerminal Icon Ext – File not found – C\windows\system32\hticon.dll

Are these legit?

Thanks
ravengirl

#5 ravengirl

ravengirl
  • Topic Starter

  • Members
  • 7 posts

Posted 31 July 2005 - 12:27 AM

Sorry to post again but some things I forgot to mention regarding the Users Folders added to this computer.

In Explorer there is and has been (since I’ve been working on that computer the past week) an “owner” folder with 0 bytes that gives you an “access denied” message if you try to delete it. There are no files associated with it. I usually have been able to remove the other User/Guest/Administrator/Default Folders and multiple files that continually appear there. The last time I tried though, I couldn’t with the message “in use”.

The other odd thing is the name of the Folder of the actual owner/administrator of the computer. The computer name is something like “your-zw566666”, but the Windows Explorer Folder name is “owner.your-zw566666”.

Thanks
ravengirl

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 July 2005 - 12:52 AM

Hi ravengirl. The log looks perfect, no problems at all. That's OK that the services couldn't be found; they were hiding, but they were removed anyway.

Let's try another scan that will show us some things that HijackThis doesn't and see what we find.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here so I can review it.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 ravengirl

ravengirl
  • Topic Starter

  • Members
  • 7 posts

Posted 31 July 2005 - 10:59 AM

OT

Here's my WinPFind results


ravengirl



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 1/24/2005 12:42:36 PM 11505 C:\e.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 11/4/2004 2:24:28 PM 3906 C:\WINDOWS\dped.dll
UPX! 9/29/2004 1:23:18 PM 13310 C:\WINDOWS\httpfilter.dll
UPX! 9/29/2004 1:23:18 PM 13310 C:\WINDOWS\httpfilter2.dll
PECompact2 7/26/2005 2:14:02 PM 15453763 C:\WINDOWS\LPT$VPN.747
qoologic 7/26/2005 2:14:02 PM 15453763 C:\WINDOWS\LPT$VPN.747
SAHAgent 7/26/2005 2:14:02 PM 15453763 C:\WINDOWS\LPT$VPN.747
PECompact2 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\LPT$VPN.749
qoologic 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\LPT$VPN.749
SAHAgent 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\LPT$VPN.749
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
aspack 7/24/2005 1:31:46 PM 39936 C:\WINDOWS\shop1004.exe
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 7/26/2005 2:14:02 PM 15453763 C:\WINDOWS\VPTNFILE.747
qoologic 7/26/2005 2:14:02 PM 15453763 C:\WINDOWS\VPTNFILE.747
SAHAgent 7/26/2005 2:14:02 PM 15453763 C:\WINDOWS\VPTNFILE.747
PECompact2 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
qoologic 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
SAHAgent 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
UPX! 11/2/2004 3:28:20 PM 33760 C:\WINDOWS\winln.exe

Checking %System% folder...
PEC2 8/3/2002 8:15:28 PM 59252 C:\WINDOWS\SYSTEM32\ansi.cfg
PEC2 7/21/2001 5:15:34 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 7/24/2005 1:37:36 PM 1368576 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/24/2005 1:37:36 PM 1368576 C:\WINDOWS\SYSTEM32\MRT.exe
UPX! 9/16/2004 1:10:58 PM 62682 C:\WINDOWS\SYSTEM32\msbar.exe
aspack 10/15/2004 1:13:32 PM 146432 C:\WINDOWS\SYSTEM32\mssys.exe
UPX! 1/27/2005 2:29:36 PM 10752 C:\WINDOWS\SYSTEM32\od.exe
FSG! 1/27/2005 2:29:36 PM 10752 C:\WINDOWS\SYSTEM32\od.exe
aspack 11/2/2004 3:40:08 PM 20480 C:\WINDOWS\SYSTEM32\OutLook.exe
Umonitor 2/12/2002 6:14:12 PM 630784 C:\WINDOWS\SYSTEM32\rasdlg(2)(3).dll
Umonitor 8/29/2002 6:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 7/24/2005 1:38:18 PM 9216 C:\WINDOWS\SYSTEM32\rexece32.exe
UPX! 10/6/2004 12:58:34 PM 7168 C:\WINDOWS\SYSTEM32\sex.exe
FSG! 7/18/2005 12:47:36 PM 1329 C:\WINDOWS\SYSTEM32\sprestrst.exe
winsync 7/21/2001 5:23:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 7/28/2005 2:03:08 PM 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 7/28/2005 2:03:08 PM 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 7/28/2005 2:03:08 PM 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Checking the Windows folder for system and hidden files within the last 60 days...
7/8/2005 6:25:32 AM 54156 C:\WINDOWS\QTFont.qfn
7/15/2005 2:26:50 PM 50688 C:\WINDOWS\cache329(3)\Thumbs.db
7/23/2005 10:48:10 PM 0 C:\WINDOWS\INF\oem21.inf
7/26/2005 1:41:36 PM 0 C:\WINDOWS\INF\oem22.inf
7/26/2005 11:56:22 AM 70111 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
7/26/2005 1:43:08 PM 26173 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_11.cab
7/26/2005 1:43:12 PM 25959 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_12.cab
7/26/2005 1:43:12 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_13.cab
7/26/2005 1:43:14 PM 25566 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_14.cab
7/26/2005 1:43:14 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_15.cab
7/26/2005 1:43:14 PM 25530 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_16.cab
7/26/2005 1:43:14 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_17.cab
7/26/2005 1:43:16 PM 26317 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_18.cab
7/26/2005 1:43:16 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_19.cab
7/26/2005 1:43:16 PM 26387 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_20.cab
7/26/2005 1:43:16 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_21.cab
7/26/2005 1:43:18 PM 26657 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_22.cab
7/26/2005 1:43:18 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_23.cab
7/26/2005 1:43:18 PM 26652 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_24.cab
7/26/2005 1:43:18 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_25.cab
7/26/2005 1:43:20 PM 26255 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_26.cab
7/26/2005 1:43:20 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_27.cab
7/26/2005 1:43:20 PM 26108 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_28.cab
7/26/2005 1:43:20 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_29.cab
7/26/2005 1:43:20 PM 26449 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_30.cab
7/26/2005 1:43:22 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_31.cab
7/26/2005 1:43:22 PM 25853 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_32.cab
7/26/2005 1:43:22 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_33.cab
7/26/2005 1:43:22 PM 26290 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_34.cab
7/26/2005 1:43:24 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_35.cab
7/26/2005 1:43:24 PM 26383 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_36.cab
7/26/2005 1:43:24 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_37.cab
7/26/2005 1:43:24 PM 26291 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_38.cab
7/26/2005 1:43:26 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_39.cab
7/26/2005 1:43:26 PM 25896 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_40.cab
7/26/2005 1:43:26 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_41.cab
7/26/2005 1:43:26 PM 26494 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_42.cab
7/26/2005 1:43:28 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_43.cab
7/26/2005 1:43:28 PM 26229 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_44.cab
7/26/2005 1:43:28 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_45.cab
7/26/2005 1:43:28 PM 26467 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_46.cab
7/26/2005 1:43:30 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_47.cab
7/26/2005 1:43:30 PM 26283 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_48.cab
7/26/2005 1:43:30 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_49.cab
7/26/2005 1:43:30 PM 26320 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_50.cab
7/26/2005 1:43:32 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_51.cab
7/26/2005 1:43:32 PM 26284 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_52.cab
7/26/2005 1:43:32 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_53.cab
7/26/2005 1:43:32 PM 26290 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_54.cab
7/26/2005 1:43:34 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_55.cab
7/26/2005 1:43:34 PM 26126 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_56.cab
7/26/2005 1:43:34 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_57.cab
7/31/2005 11:15:02 AM 31767 C:\WINDOWS\SYSTEM32\vsconfig.xml
7/28/2005 12:53:04 PM 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
7/15/2005 2:28:36 PM 24576 C:\WINDOWS\SYSTEM32\AdCache(7)\Thumbs.db
7/31/2005 11:26:48 AM 8192 C:\WINDOWS\SYSTEM32\config\default.LOG
7/31/2005 11:27:12 AM 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
7/31/2005 11:27:00 AM 16384 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
7/31/2005 11:28:08 AM 94208 C:\WINDOWS\SYSTEM32\config\software.LOG
7/31/2005 11:27:02 AM 925696 C:\WINDOWS\SYSTEM32\config\system.LOG
7/27/2005 8:11:28 PM 8192 C:\WINDOWS\SYSTEM32\config\userdiff.LOG
7/24/2005 12:04:14 AM 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\NTUSER.DAT.LOG
7/26/2005 10:55:24 AM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\2b03da42-ae9e-470d-889b-25cbb4449344
7/26/2005 10:55:24 AM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
7/4/2005 2:17:40 PM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\751d5175-b98c-46db-8631-8d6c61894da2
7/4/2005 2:17:40 PM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
7/31/2005 11:26:00 AM 6 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
2/7/2003 1:52:58 PM 541 C:\Documents and Settings\Owner.YOUR-W92P4BHLZG\Application Data\dm.ini
7/24/2005 1:00:06 PM 77824 C:\Documents and Settings\Owner.YOUR-W92P4BHLZG\Application Data\DownloadPlus.exe
5/20/2002 8:43:26 PM 12358 C:\Documents and Settings\Owner.YOUR-W92P4BHLZG\Application Data\PFP100JCM.{PB
5/20/2002 8:43:26 PM 61678 C:\Documents and Settings\Owner.YOUR-W92P4BHLZG\Application Data\PFP100JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/31/2005 11:40:00 AM

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 July 2005 - 01:52 PM

Hi ravengirl. Ok, let's remove some of these files.

Download Pocket Killbox and unzip it to your desktop.

Double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\WINDOWS\dped.dll
      C:\WINDOWS\httpfilter.dll
      C:\WINDOWS\httpfilter2.dll
      C:\WINDOWS\shop1004.exe
      C:\WINDOWS\winln.exe
      C:\WINDOWS\SYSTEM32\ansi.cfg
      C:\WINDOWS\SYSTEM32\msbar.exe
      C:\WINDOWS\SYSTEM32\mssys.exe
      C:\WINDOWS\SYSTEM32\rexece32.exe
      C:\WINDOWS\SYSTEM32\sex.exe
      C:\WINDOWS\SYSTEM32\sprestrst.exe
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • If not greyed out click the checkbox for Unregister .dll Before Deleting
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
Your system will reboot now.

Post back a new HijackThis log and a new WinPFind log.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#9 ravengirl

ravengirl
  • Topic Starter

  • Members
  • 7 posts

Posted 31 July 2005 - 04:14 PM

Hi OT

Here are my HJT and WinPFind logs post using Killbox.


The computer is still humming away .......... busy people having fun or whatever they are doing!! There are Local and Network Folders with files still in Explorer. Also the "owner" Folder continues to "Access Denied".


I hope they are enjoying themselves!!


What's next?

Thanks
ravengirl


Logfile of HijackThis v1.99.1
Scan saved at 4:26:45 PM, on 7/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HiJack This\HijackThis1991.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\SPYWAR~1\POPUPA~1\ABG_PL~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122173251158
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

-----------------------------------------------------------------------------------------------



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 1/24/2005 12:42:36 PM 11505 C:\e.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 7/26/2005 2:14:02 PM 15453763 C:\WINDOWS\LPT$VPN.747
qoologic 7/26/2005 2:14:02 PM 15453763 C:\WINDOWS\LPT$VPN.747
SAHAgent 7/26/2005 2:14:02 PM 15453763 C:\WINDOWS\LPT$VPN.747
PECompact2 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\LPT$VPN.749
qoologic 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\LPT$VPN.749
SAHAgent 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\LPT$VPN.749
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 7/26/2005 2:14:02 PM 15453763 C:\WINDOWS\VPTNFILE.747
qoologic 7/26/2005 2:14:02 PM 15453763 C:\WINDOWS\VPTNFILE.747
SAHAgent 7/26/2005 2:14:02 PM 15453763 C:\WINDOWS\VPTNFILE.747
PECompact2 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
qoologic 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
SAHAgent 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 7/21/2001 5:15:34 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 7/24/2005 1:37:36 PM 1368576 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/24/2005 1:37:36 PM 1368576 C:\WINDOWS\SYSTEM32\MRT.exe
UPX! 1/27/2005 2:29:36 PM 10752 C:\WINDOWS\SYSTEM32\od.exe
FSG! 1/27/2005 2:29:36 PM 10752 C:\WINDOWS\SYSTEM32\od.exe
aspack 11/2/2004 3:40:08 PM 20480 C:\WINDOWS\SYSTEM32\OutLook.exe
Umonitor 2/12/2002 6:14:12 PM 630784 C:\WINDOWS\SYSTEM32\rasdlg(2)(3).dll
Umonitor 8/29/2002 6:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 7/21/2001 5:23:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 7/28/2005 2:03:08 PM 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 7/28/2005 2:03:08 PM 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 7/28/2005 2:03:08 PM 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Checking the Windows folder for system and hidden files within the last 60 days...
7/8/2005 6:25:32 AM 54156 C:\WINDOWS\QTFont.qfn
7/15/2005 2:26:50 PM 50688 C:\WINDOWS\cache329(3)\Thumbs.db
7/23/2005 10:48:10 PM 0 C:\WINDOWS\INF\oem21.inf
7/26/2005 1:41:36 PM 0 C:\WINDOWS\INF\oem22.inf
7/26/2005 11:56:22 AM 70111 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
7/26/2005 1:43:08 PM 26173 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_11.cab
7/26/2005 1:43:12 PM 25959 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_12.cab
7/26/2005 1:43:12 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_13.cab
7/26/2005 1:43:14 PM 25566 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_14.cab
7/26/2005 1:43:14 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_15.cab
7/26/2005 1:43:14 PM 25530 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_16.cab
7/26/2005 1:43:14 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_17.cab
7/26/2005 1:43:16 PM 26317 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_18.cab
7/26/2005 1:43:16 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_19.cab
7/26/2005 1:43:16 PM 26387 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_20.cab
7/26/2005 1:43:16 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_21.cab
7/26/2005 1:43:18 PM 26657 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_22.cab
7/26/2005 1:43:18 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_23.cab
7/26/2005 1:43:18 PM 26652 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_24.cab
7/26/2005 1:43:18 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_25.cab
7/26/2005 1:43:20 PM 26255 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_26.cab
7/26/2005 1:43:20 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_27.cab
7/26/2005 1:43:20 PM 26108 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_28.cab
7/26/2005 1:43:20 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_29.cab
7/26/2005 1:43:20 PM 26449 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_30.cab
7/26/2005 1:43:22 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_31.cab
7/26/2005 1:43:22 PM 25853 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_32.cab
7/26/2005 1:43:22 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_33.cab
7/26/2005 1:43:22 PM 26290 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_34.cab
7/26/2005 1:43:24 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_35.cab
7/26/2005 1:43:24 PM 26383 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_36.cab
7/26/2005 1:43:24 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_37.cab
7/26/2005 1:43:24 PM 26291 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_38.cab
7/26/2005 1:43:26 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_39.cab
7/26/2005 1:43:26 PM 25896 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_40.cab
7/26/2005 1:43:26 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_41.cab
7/26/2005 1:43:26 PM 26494 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_42.cab
7/26/2005 1:43:28 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_43.cab
7/26/2005 1:43:28 PM 26229 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_44.cab
7/26/2005 1:43:28 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_45.cab
7/26/2005 1:43:28 PM 26467 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_46.cab
7/26/2005 1:43:30 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_47.cab
7/26/2005 1:43:30 PM 26283 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_48.cab
7/26/2005 1:43:30 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_49.cab
7/26/2005 1:43:30 PM 26320 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_50.cab
7/26/2005 1:43:32 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_51.cab
7/26/2005 1:43:32 PM 26284 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_52.cab
7/26/2005 1:43:32 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_53.cab
7/26/2005 1:43:32 PM 26290 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_54.cab
7/26/2005 1:43:34 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_55.cab
7/26/2005 1:43:34 PM 26126 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_56.cab
7/26/2005 1:43:34 PM 10470 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_57.cab
7/31/2005 4:14:48 PM 31767 C:\WINDOWS\SYSTEM32\vsconfig.xml
7/28/2005 12:53:04 PM 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
7/15/2005 2:28:36 PM 24576 C:\WINDOWS\SYSTEM32\AdCache(7)\Thumbs.db
7/31/2005 4:34:56 PM 8192 C:\WINDOWS\SYSTEM32\config\default.LOG
7/31/2005 4:35:18 PM 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
7/31/2005 4:35:08 PM 16384 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
7/31/2005 4:36:16 PM 94208 C:\WINDOWS\SYSTEM32\config\software.LOG
7/31/2005 4:35:12 PM 917504 C:\WINDOWS\SYSTEM32\config\system.LOG
7/27/2005 8:11:28 PM 8192 C:\WINDOWS\SYSTEM32\config\userdiff.LOG
7/24/2005 12:04:14 AM 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\NTUSER.DAT.LOG
7/26/2005 10:55:24 AM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\2b03da42-ae9e-470d-889b-25cbb4449344
7/26/2005 10:55:24 AM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
7/4/2005 2:17:40 PM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\751d5175-b98c-46db-8631-8d6c61894da2
7/4/2005 2:17:40 PM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
7/31/2005 4:34:24 PM 6 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
2/7/2003 1:52:58 PM 541 C:\Documents and Settings\Owner.YOUR-W92P4BHLZG\Application Data\dm.ini
7/24/2005 1:00:06 PM 77824 C:\Documents and Settings\Owner.YOUR-W92P4BHLZG\Application Data\DownloadPlus.exe
5/20/2002 8:43:26 PM 12358 C:\Documents and Settings\Owner.YOUR-W92P4BHLZG\Application Data\PFP100JCM.{PB
5/20/2002 8:43:26 PM 61678 C:\Documents and Settings\Owner.YOUR-W92P4BHLZG\Application Data\PFP100JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/31/2005 4:47:37 PM
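A small parser for the HijackThis log format posted above, written as an added example for this thread (it is not part of HijackThis, WinPFind or Killbox). It splits each "Onn - ..." line into section, kind, name and target, flags autostart entries whose file sits directly in the Windows folder or under a user profile (a reviewer hint, not a verdict), and cross-checks the Killbox path list from post #8 against the log; the sample lines are copied from the posted log plus one constructed O4 line for C:\WINDOWS\winln.exe so the heuristic has something to flag.

```python
"""Triage helper for HijackThis 1.99.1 log lines (added example for this thread;
not part of HijackThis, WinPFind or Killbox).  Each 'Onn - ...' line becomes
section/kind/name/target; autostart targets living directly in the Windows folder
or under a user profile are flagged for review, and the Killbox list is cross-checked."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the log posted in the thread, plus one
# made-up O4 line for C:\WINDOWS\winln.exe (a Killbox-list path) to flag.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\SPYWAR~1\POPUPA~1\ABG_PL~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [winln] C:\WINDOWS\winln.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""
# Files OldTimer asked Killbox to delete (copied from post #8, shortened).
KILLBOX_PATHS = [r"C:\WINDOWS\dped.dll", r"C:\WINDOWS\httpfilter.dll",
                 r"C:\WINDOWS\winln.exe", r"C:\WINDOWS\SYSTEM32\msbar.exe"]

AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O22", "O23"}  # loaded at logon/boot
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# Drive-letter path up to the first executable-type extension that is followed by
# whitespace or end of line, so trailing arguments such as /STARTUP drop off.
PATH_RE = re.compile(r"([a-zA-Z]:\\.*?\.(?:exe|dll|ocx|sys|cpl|scr))(?=\s|$)", re.IGNORECASE)
URL_RE = re.compile(r"((?:https?|res)://.*)$", re.IGNORECASE)


@dataclass
class Entry:
    section: str           # "O4"
    kind: str              # "HKLM\..\Run", "BHO", "Service", ...
    name: str              # display name, "" when the line has none
    target: Optional[str]  # file path or URL, None when not recognised
    location: str          # bucket from classify_location(), "none" if no target


def classify_location(target: str) -> str:
    """Coarse bucket for where an autostart target lives."""
    p = target.lower()
    if re.match(r"^(https?|res)://", p):
        return "url"
    m = re.match(r"^[a-z]:\\([^\\]+)\\(.*)$", p)
    if not m:
        return "other"
    top, rest = m.groups()
    if top == "windows":
        if "\\" not in rest:
            return "windows_root"  # file directly in C:\WINDOWS
        return "system32" if rest.startswith("system32\\") else "windows_sub"
    if top in ("program files", "progra~1"):  # long and 8.3 short name
        return "program_files"
    if top in ("documents and settings", "docume~1"):
        return "user_profile"
    return "other"


def extract_name(section: str, body: str) -> str:
    if section == "O4":     # [Run value name] command
        m = re.search(r"\[(.*?)\]", body)
    elif section == "O16":  # {CLSID} (control name) - url
        m = re.search(r"\((.*?)\)", body)
    else:                   # name - {CLSID} - path
        return body.split(" - ")[0].strip()
    return m.group(1) if m else ""


def parse_hjt_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank lines
        section, rest = m.groups()
        kind, sep, body = rest.partition(": ")
        if not sep:   # e.g. O6 lines carry no target
            kind, body = rest, ""
        hit = PATH_RE.search(body) or URL_RE.search(body)
        target = hit.group(1) if hit else None
        location = classify_location(target) if target else "none"
        entries.append(Entry(section, kind, extract_name(section, body), target, location))
    return entries


def flag_entries(entries: List[Entry]) -> List[Entry]:
    """Autostart entries in locations where legitimate software rarely lives."""
    return [e for e in entries if e.section in AUTOSTART_SECTIONS
            and e.location in ("windows_root", "user_profile")]


def entries_referencing(entries: List[Entry], paths: List[str]) -> List[Entry]:
    """Log entries whose target is one of the given paths (case-insensitive)."""
    wanted = {p.lower() for p in paths}
    return [e for e in entries if e.target and e.target.lower() in wanted]


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print("review:", [e.name for e in flag_entries(parsed)],
          "| in Killbox list:", [e.target for e in entries_referencing(parsed, KILLBOX_PATHS)])
```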

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 July 2005 - 08:32 PM

Hi ravengirl. Well, both of those logs are squeaky clean so I don't think we are dealing with an infection at this point.

The hard drive running might or might not be a valid process running. It has to be using CPU cycles so you should be able to see what process is using the most CPU cycles through Task Manager.

As for the 'owner' folder, the ability to do anything with it would depend on what rights the user has when logged on. If the user does not have administrative rights and the 'owner' folder does not belong to them then they will not be able to access it. That is just a part of the NTFS security.

Do a little checking and find out what processes are running. As for the 'owner' folder, log on with an administrative account and take ownership if you want to be able to do anything with it.

Cheers.

OT

#11 ravengirl

ravengirl
  • Topic Starter

  • Members
  • 7 posts

Posted 01 August 2005 - 10:18 PM

OT

Sorry it took so long to get back to thank you for all your help. I really, really appreciate it!

I've been working on all the mess with the User accounts and xxxxx rated files etc that were dropped on that computer. Finally got into that Owner Folder ........ oh my!! I also did some more online scans, just to be sure. Comes back CLEAN!

HD is still being accessed most of the time and files and programs still open very slowly, but 10 days of this is enough. As I've mentioned this is not my computer, so this is as far as I go!

Thank you again. So glad there are good people out there, willing to help. I'll be giving a donation shortly.

Thank you, Thank you

ravengirl

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 02 August 2005 - 08:52 AM

You're very welcome ravengirl. I'm glad that we could help.

Now that your malware issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup: