
clicker.FR - HELP ME!


This topic is locked
20 replies to this topic

#1 mixer1991

mixer1991

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Male
  • Location:Skopje Macedonia
  • Local time:05:44 AM

Posted 08 August 2005 - 04:56 PM

Hi Grinler...

After 4 months of good and safe working, I have a new problem...
AVG detected "Trojan horse Clicker.FR" but can't remove it.

I think a lot of people will be interested in this...

Here is my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 23:46:54, on 08.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] nvstartup
O4 - Global Startup: avgcc.lnk = C:\Program Files\Grisoft\AVG Free\avgcc.exe
O4 - Global Startup: WinTasks.lnk = C:\Program Files\LIUtilities\WinTasks\wintasks.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F44DE3C-8217-4EDC-8BC2-E00495730AF1}: NameServer = 69.50.184.86 85.255.112.9
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

THANKS IN ADVANCE
MIXER1991


#2 mixer1991

mixer1991
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Male
  • Location:Skopje Macedonia
  • Local time:05:44 AM

Posted 09 August 2005 - 04:42 PM

I don't have an answer?

What's wrong???

#3 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:04:44 AM

Posted 11 August 2005 - 11:56 PM

Hello mixer1991 and welcome to BleepingComputer. Sorry for the delay, the board has been very busy lately.

Looks like you have a DNS hijack.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O17 - HKLM\System\CCS\Services\Tcpip\..\{8F44DE3C-8217-4EDC-8BC2-E00495730AF1}: NameServer = 69.50.184.86 85.255.112.9

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


If you have trouble getting back on the internet after the above, please manually reset your DNS servers:

Open your Control Panel.
- If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.
- Double-click the Network Connections icon.
- Right-click the Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure "Obtain DNS server address automatically" is selected. OK your way out.


Download Silent Runners.
- Unzip it into its own folder.
- Do not run it yet.

Open the folder into which you unzipped SilentRunners.
- Double click to run SilentRunners.vbs.
- If your antivirus complains, tell it to allow this script.
- When asked if you would like to perform 'Supplementary Searches', click YES.
- This script takes a while, please wait until you get an 'All Done' message.

Copy and paste the content of the Silent Runners textfile you get afterwards in your next reply, along with a fresh HJT log please.

(edit:)
After further research, I'd also like to have you run Panda ActiveScan.

Please do an online virus scan at:
Panda ActiveScan <--Scan 'My Computer'.

Post the resulting log please.

Edited by ddeerrff, 12 August 2005 - 10:11 AM.

Derfram
~~~~~~
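The O17 check ddeerrff describes above, as an added example that is not part of the thread or of HijackThis: a Python script that pulls the O17 NameServer entries out of an HJT log and flags resolvers that are not on an allow-list, so a DNS hijack like this one stands out without reading the whole log by hand. The sample lines are the thread's two O17 entries (before and after the DNS reset) plus one constructed line with a home-router address; the allow-list of 195.26.152.19 and 195.26.152.20 is an assumption taken from the later log, and in practice would be the ISP's or the organisation's resolvers.

```python
import ipaddress
import re

# Constructed sample: the two O17 lines from the thread (before and after the
# DNS reset) plus a constructed line with a home-router style resolver.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] nvstartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F44DE3C-8217-4EDC-8BC2-E00495730AF1}: NameServer = 69.50.184.86 85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F44DE3C-8217-4EDC-8BC2-E00495730AF1}: NameServer = 195.26.152.19 195.26.152.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Assumption: the resolvers this machine is supposed to use. The two addresses
# are what the thread's second HJT log shows after the DNS reset.
EXPECTED_RESOLVERS = {"195.26.152.19", "195.26.152.20"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry key, [resolver strings])] for every O17 line in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HJT separates multiple resolvers with spaces or commas.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries.append((m.group("key"), servers))
    return entries


def classify(servers, expected):
    """'expected' if every resolver is on the allow-list, 'private' if all are
    RFC 1918 / loopback (typically the home router), otherwise 'unexpected'."""
    if all(s in expected for s in servers):
        return "expected"
    try:
        addrs = [ipaddress.ip_address(s) for s in servers]
    except ValueError:
        return "unexpected"  # not even a parseable IP: always worth a look
    if all(a.is_private or a.is_loopback for a in addrs):
        return "private"
    return "unexpected"


def check_resolvers(log_text, expected=EXPECTED_RESOLVERS):
    """One record per O17 line, with a verdict for the analyst."""
    return [
        {"key": key, "servers": servers, "verdict": classify(servers, expected)}
        for key, servers in parse_o17(log_text)
    ]


if __name__ == "__main__":
    for rec in check_resolvers(SAMPLE_LOG):
        print(f"{rec['verdict']:10s} {' '.join(rec['servers'])}  ({rec['key']})")
```

A "private" verdict is not automatically clean: the resolver is usually the home router, but a router whose own DNS settings have been changed gives the same symptoms, so the router's configuration deserves the same look as the O17 line.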

#4 mixer1991

mixer1991
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Male
  • Location:Skopje Macedonia
  • Local time:05:44 AM

Posted 12 August 2005 - 03:27 AM

Hi ddeerrff,

I am at work now and I will be here all day. I will post a new reply when I come home.

thanks

#5 mixer1991

mixer1991
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Male
  • Location:Skopje Macedonia
  • Local time:05:44 AM

Posted 12 August 2005 - 07:37 PM

Hi ddeerrff,

I am home now and I did all the stuff you wanted.
Here is my Silent Runners log:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [null data]
"NvCplDaemon" = "nvstartup" [file not found]
"dmvez.exe" = "C:\WINDOWS\system32\dmvez.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{68f32140-2ca3-11d0-acc1-444553540000}" = "PicaView32"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\PICAVI~1\PicaView32.dll" ["ACD Systems, Ltd."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csyov.exe" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PicaView32\(Default) = "{68f32140-2ca3-11d0-acc1-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\PICAVI~1\PicaView32.dll" ["ACD Systems, Ltd."]
WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

.SCR: HKLM\SOFTWARE\Classes\AutoCADScript\shell\open\command\
INFECTION WARNING! "Default" = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Ljupco Mihajlovski" & "All Users" startup folders:
--------------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"avgcc" -> shortcut to: "C:\Program Files\Grisoft\AVG Free\avgcc.exe" ["GRISOFT, s.r.o."]
"WinTasks" -> shortcut to: "C:\Program Files\LIUtilities\WinTasks\wintasks.exe traybar" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe"" ["Kerio Technologies"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 24 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 32 seconds.
---------- (total run time: 91 seconds)


Here is my Activescan log:


Incident Status Location

Virus:Trj/Troiram.A Disinfected Operating system
Spyware:spyware/wareout No disinfected C:\WINDOWS\SYSTEM32\loadctr32.exe
Adware:adware/hotoffers No disinfected C:\WINDOWS\SYSTEM32\uinc.dll.conf
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/cws.homesearchasisstantNo disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Ljupco Mihajlovski\Desktop\l2mfix.exe[Process.exe]
Virus:Exploit/HHelp Disinfected C:\Documents and Settings\Ljupco Mihajlovski\Local Settings\Temporary Internet Files\Content.IE5\ADA7416Z\index[1].htm
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ljupco Mihajlovski\Local Settings\Temporary Internet Files\Content.IE5\ODQRG567\classload[1].jar[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ljupco Mihajlovski\Local Settings\Temporary Internet Files\Content.IE5\ODQRG567\classload[1].jar[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ljupco Mihajlovski\Local Settings\Temporary Internet Files\Content.IE5\ODQRG567\classload[1].jar[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ljupco Mihajlovski\Local Settings\Temporary Internet Files\Content.IE5\ODQRG567\classload[1].jar[Installer.class]
Hacktool:Hacktool/Processor No disinfected C:\My Documents\antivirus\l2mfix\Process.exe
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\system32\dmpet.exe
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\system32\dmrmm.exe
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\system32\ntfsnlpa.exe
Hacktool:Hacktool/Processor No disinfected C:\WINDOWS\system32\Process.exe
Security Risk:Application/RestartNo disinfected C:\WINDOWS\system32\Tools\Restart.exe
Hacktool:Hacktool/RegPatch.A No disinfected D:\--==INSTALL==--\MasDownloder3.1\Mass.Downloader.3.1.599.Updated_CRK-FFF.zip[Regpatch.exe]
Hacktool:Hacktool/RegPatch.A No disinfected D:\Games\GAMES ZA GOGO\gogo_09-02-2005\Mass.Downloader.3.0.577.SR1.CRKEXE-FFF.zip[Regpatch.exe]
Hacktool:Hacktool/RegPatch.A No disinfected D:\Games\GAMES ZA GOGO\gogo_09-02-2005\Mass.Downloader.3.0.577.SR1.CRKEXE-FFF\Regpatch.exe


and finally here is my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 02:33:16, on 13.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] nvstartup
O4 - Global Startup: avgcc.lnk = C:\Program Files\Grisoft\AVG Free\avgcc.exe
O4 - Global Startup: WinTasks.lnk = C:\Program Files\LIUtilities\WinTasks\wintasks.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F44DE3C-8217-4EDC-8BC2-E00495730AF1}: NameServer = 195.26.152.19 195.26.152.20
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


THANKS IN ADVANCE,
MIXER1991

#6 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:04:44 AM

Posted 12 August 2005 - 11:45 PM

Download Hoster.zip.
- Unzip hoster.zip into its own folder.
- Open that folder and run Hoster.
- Press 'Restore Original Hosts' and press 'OK'
- Exit Program.


Open Notepad (Start button, click on Run, type in Notepad, and click OK) and copy & paste the following block of text into Notepad.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hclean32.exe"=-
"dmvez.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as fix.reg. Close Notepad. This file will be used later.


Reboot into Safe Mode


Double-click on the fix.reg file previously saved to the desktop.
- When it prompts to add or merge, say yes.


Open Windows Explorer (Windows key+e), navigate to and delete the following files (Don't be concerned if they can not be found):

C:\WINDOWS\rdt.ini
C:\WINDOWS\SYSTEM32\loadctr32.exe
C:\WINDOWS\SYSTEM32\uinc.dll.conf
C:\WINDOWS\system32\ntfsnlpa.exe
C:\WINDOWS\system32\hclean32.exe
C:\WINDOWS\system32\dmvez.exe
C:\WINDOWS\system32\csyov.exe


Are you familiar with D:\Games\GAMES ZA GOGO? Panda reports a 'Hacktool' in that folder. If you are not familiar with it and/or you no longer need it, I would recommend you delete the following files:

D:\--==INSTALL==--\MasDownloder3.1\Mass.Downloader.3.1.599.Updated_CRK-FFF.zip
D:\Games\GAMES ZA GOGO\gogo_09-02-2005\Mass.Downloader.3.0.577.SR1.CRKEXE-FFF.zip
D:\Games\GAMES ZA GOGO\gogo_09-02-2005\Mass.Downloader.3.0.577.SR1.CRKEXE-FFF\Regpatch.exe


Reboot normally and please post a new SilentRunners log along with a new HijackThis log. Is AVG still finding "Trojan horse Clicker.FR"?
Derfram
~~~~~~
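The fix.reg above relies on two REGEDIT4 forms: "name"=- deletes a value, and "name"="" recreates it as an empty string (the Winlogon System value is empty on a clean XP install, which is why the fix deletes the csyov.exe entry and then puts an empty value back). As an added example, not code from the thread or from any of the tools it mentions, this Python script parses such a fix file and dry-runs it against an in-memory snapshot of the keys as the Silent Runners log reported them, so the exact changes a merge would make can be reviewed before the file is double-clicked. The snapshot is constructed from the log; the Shell value in it is an assumption added to show that untouched values survive.

```python
import re

# The fix.reg from the thread, verbatim.
FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hclean32.exe"=-
"dmvez.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed snapshot of the two keys as Silent Runners listed them. "Shell"
# is an assumed extra value, present only to show it is left alone.
SNAPSHOT = {
    RUN_KEY: {
        "hclean32.exe": r"C:\WINDOWS\system32\hclean32.exe",
        "NvCplDaemon": "nvstartup",
        "dmvez.exe": r"C:\WINDOWS\system32\dmvez.exe",
    },
    WINLOGON_KEY: {
        "System": "csyov.exe",
        "Shell": "Explorer.exe",
    },
}

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")


def parse_reg(text):
    """Parse a .reg file into (op, key, name, data) tuples.
    Supports what a removal fix needs: [-KEY] (delete key), "name"=- (delete
    value) and "name"="string". Anything else (dword:, hex:) raises, so an
    unexpected edit is never silently passed through."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing header")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                ops.append(("delete_key", key[1:], None, None))
                key = None
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unsupported line: {raw!r}")
        name, data = m.group("name"), m.group("data")
        if data == "-":
            ops.append(("delete", key, name, None))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg string data doubles backslashes; undo that.
            ops.append(("set", key, name, data[1:-1].replace("\\\\", "\\")))
        else:
            raise ValueError(f"unsupported data type: {raw!r}")
    return ops


def dry_run(snapshot, ops):
    """Apply ops to a copy of the snapshot; return (new state, human-readable log)."""
    state = {k: dict(v) for k, v in snapshot.items()}
    log = []
    for op, key, name, data in ops:
        if op == "delete_key":
            log.append(f"delete key {key}" + ("" if key in state else " (not present, no-op)"))
            state.pop(key, None)
            continue
        values = state.setdefault(key, {})
        if op == "delete":
            if name in values:
                log.append(f"delete {key}\\{name} (was {values.pop(name)!r})")
            else:
                log.append(f"delete {key}\\{name} (not present, no-op)")
        else:
            log.append(f"set    {key}\\{name} = {data!r}")
            values[name] = data
    return state, log


if __name__ == "__main__":
    state, log = dry_run(SNAPSHOT, parse_reg(FIX_REG))
    print("\n".join(log))
    print("Run values left:", sorted(state[RUN_KEY]))
    print("Winlogon System is now:", repr(state[WINLOGON_KEY]["System"]))
```

The parser deliberately accepts only the three forms a removal fix uses and raises on everything else; for a dry-run tool, refusing an unfamiliar line is safer than guessing what it would do.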

#7 mixer1991

mixer1991
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Male
  • Location:Skopje Macedonia
  • Local time:05:44 AM

Posted 13 August 2005 - 05:52 AM

hi ddeerrff,

I did all the things, but I can't find the files to delete:

C:\WINDOWS\system32\hclean32.exe
C:\WINDOWS\system32\dmvez.exe
C:\WINDOWS\system32\csyov.exe

AVG is NOT reporting Clicker.FR anymore because after yesterday's update AVG found and removed them.
But now AVG found four more Trojans or something like that:

Trojan horse Java/ClassLoader - inside archive and cannot be healed

Virus identified Java/ByteVerify - inside archive and cannot be healed (two places)

Trojan horse Java/ClassLoader - infected, Archive

I don't know what this is.

Very often my Windows Explorer is going down!!!

Here is my new Silent Runners log:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "nvstartup" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{68f32140-2ca3-11d0-acc1-444553540000}" = "PicaView32"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\PICAVI~1\PicaView32.dll" ["ACD Systems, Ltd."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PicaView32\(Default) = "{68f32140-2ca3-11d0-acc1-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\PICAVI~1\PicaView32.dll" ["ACD Systems, Ltd."]
WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

.SCR: HKLM\SOFTWARE\Classes\AutoCADScript\shell\open\command\
INFECTION WARNING! "Default" = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Ljupco Mihajlovski" & "All Users" startup folders:
--------------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"avgcc" -> shortcut to: "C:\Program Files\Grisoft\AVG Free\avgcc.exe" ["GRISOFT, s.r.o."]
"WinTasks" -> shortcut to: "C:\Program Files\LIUtilities\WinTasks\wintasks.exe traybar" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe"" ["Kerio Technologies"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 59 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 31 seconds.
---------- (total run time: 137 seconds)


And here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:33:56, on 13.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] nvstartup
O4 - Global Startup: avgcc.lnk = C:\Program Files\Grisoft\AVG Free\avgcc.exe
O4 - Global Startup: WinTasks.lnk = C:\Program Files\LIUtilities\WinTasks\wintasks.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Thanks in advance,
MIXER1991

#8 ddeerrff

    Retired

  • Malware Response Team
  • 2,717 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 13 August 2005 - 09:35 AM

But now AVG found four more Trojans or something like that:

Trojan horse Java/ClassLoader - inside archive and cannot be healed

Virus identified Java/ByteVerify - inside archive and cannot be healed (two places)

Trojan horse Java/ClassLoader - infected, Archive

These are quite likely in your JAVA cache.

Open Control Panel, then double click the JAVA icon.
- For the latest version: On the General tab, click on "Delete Files" near the bottom. Be sure all 3 boxes in the popup are checked and click 'OK'.
- Earlier versions: Open the Cache tab and click on 'Clear'.

Very often my Windows Explorer is going down!!!

Can you explain this further? Do you mean Internet Explorer or the window I asked you to open to find and delete files? In what way is it "going down"?


Both the Silent Runners and HJT log are clean. Let's try another online scanner and see what it finds.


Please do an online scan with Kaspersky WebScanner
Next Click on Kaspersky Anti-Virus Web Scanner. 'Accept' the user agreement.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under 'Select a target to scan', select My Computer
  • This program will start and scan your system.
  • The scan will take a while (a number of hours) so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Edited by ddeerrff, 13 August 2005 - 06:03 PM.

Derfram
~~~~~~

#9 mixer1991
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Skopje Macedonia

Posted 13 August 2005 - 03:05 PM

Hi ddeerrff,

I cannot find Control Panel/JAVA ICON?!
Where is it?

About Windows Explorer, I think maybe it is not some kind of virus, maybe some bug inside Windows?!

In our slang "going down" means "stop responding"...
The problem is this:
In the middle of working, Windows Explorer stops responding and I get an error message:

"Windows Explorer has encountered a problem and needs
to close. We are sorry for inconvenience."

After about 15 seconds the desktop icons disappear for 2-3 seconds and after that everything is OK?!

I took 3 pics of the error reports but I don't know how to send them to you?!

I will do the online scan with Kaspersky WebScanner but later tonight.

Sorry for my English,
Thanks in advance,

#10 ddeerrff

    Retired

  • Malware Response Team
  • 2,717 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 13 August 2005 - 05:59 PM

The Control Panel can be found by:

Click on Start, then Settings, then Control Panel
or
Click Start, then Run, type in Control and click 'OK'.

The JAVA icon looks like a steaming coffee cup.


In the middle of working, Windows Explorer stops responding and I get an error message:

"Windows Explorer has encountered a problem and needs
to close. We are sorry for inconvenience."

After about 15 seconds the desktop icons disappear for 2-3 seconds and after that everything is OK?!

Explorer is exiting then restarting. Let's see what Kaspersky finds.
Derfram
~~~~~~

#11 mixer1991
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Skopje Macedonia

Posted 13 August 2005 - 09:24 PM

Hi,

There is no java icon???
I looked everywhere and I cannot find it?!

I started Kaspersky WebScanner and downloaded everything, but scanning will need more than 10 hours.
(I have an expensive and slow connection...)

Kaspersky WebScanner ran for about 1 hour and found some viruses.
Here is the report:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, August 14, 2005 04:06:03
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/08/2005
Kaspersky Anti-Virus database records: 143433
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 35930
Number of viruses found: 4
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 3274 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Ljupco Mihajlovski\Desktop\l2mfix.exe/l2mfix/Process.exe Infected: not-a-virus:RiskTool.Win32.Processor.20
C:\Documents and Settings\Ljupco Mihajlovski\Desktop\l2mfix.exe Infected: not-a-virus:RiskTool.Win32.Processor.20
C:\Documents and Settings\Ljupco Mihajlovski\Desktop\R A Z N O\13-05-2005\eyeflex11\EyeFlex 1.1 SetUp.exe/VVSN_JAZM1042Inst.exe/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.SaveNow.z
C:\Documents and Settings\Ljupco Mihajlovski\Desktop\R A Z N O\13-05-2005\eyeflex11\EyeFlex 1.1 SetUp.exe/VVSN_JAZM1042Inst.exe/data0001.cab Infected: not-a-virus:AdWare.SaveNow.z
C:\Documents and Settings\Ljupco Mihajlovski\Desktop\R A Z N O\13-05-2005\eyeflex11\EyeFlex 1.1 SetUp.exe/VVSN_JAZM1042Inst.exe Infected: not-a-virus:AdWare.SaveNow.z
C:\Documents and Settings\Ljupco Mihajlovski\Desktop\R A Z N O\13-05-2005\eyeflex11\EyeFlex 1.1 SetUp.exe Infected: not-a-virus:AdWare.SaveNow.z
C:\Documents and Settings\Ljupco Mihajlovski\Desktop\R A Z N O\13-05-2005\eyeflex11.zip/EyeFlex 1.1 SetUp.exe/VVSN_JAZM1042Inst.exe/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.SaveNow.z
C:\Documents and Settings\Ljupco Mihajlovski\Desktop\R A Z N O\13-05-2005\eyeflex11.zip/EyeFlex 1.1 SetUp.exe/VVSN_JAZM1042Inst.exe/data0001.cab Infected: not-a-virus:AdWare.SaveNow.z
C:\Documents and Settings\Ljupco Mihajlovski\Desktop\R A Z N O\13-05-2005\eyeflex11.zip/EyeFlex 1.1 SetUp.exe/VVSN_JAZM1042Inst.exe Infected: not-a-virus:AdWare.SaveNow.z
C:\Documents and Settings\Ljupco Mihajlovski\Desktop\R A Z N O\13-05-2005\eyeflex11.zip/EyeFlex 1.1 SetUp.exe Infected: not-a-virus:AdWare.SaveNow.z
C:\Documents and Settings\Ljupco Mihajlovski\Desktop\R A Z N O\13-05-2005\eyeflex11.zip Infected: not-a-virus:AdWare.SaveNow.z
C:\Documents and Settings\Ljupco Mihajlovski\Favorites\old\08-06-2004\Desktop\Uninstall.2.14.0000c.exe/UnInit.dll Infected: not-a-virus:AdWare.DelphinMediaViewer.a
C:\Documents and Settings\Ljupco Mihajlovski\Favorites\old\08-06-2004\Desktop\Uninstall.2.14.0000c.exe Infected: not-a-virus:AdWare.DelphinMediaViewer.a
C:\My Documents\antivirus\l2mfix\Process.exe Infected: not-a-virus:RiskTool.Win32.Processor.20
C:\Program Files\DAP\DAP.exe Infected: not-a-virus:AdWare.BHO.Dap.b

Scan was interrupted by user!


Here is my new Silent Runners log:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "nvstartup" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{68f32140-2ca3-11d0-acc1-444553540000}" = "PicaView32"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\PICAVI~1\PicaView32.dll" ["ACD Systems, Ltd."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PicaView32\(Default) = "{68f32140-2ca3-11d0-acc1-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\PICAVI~1\PicaView32.dll" ["ACD Systems, Ltd."]
WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

.SCR: HKLM\SOFTWARE\Classes\AutoCADScript\shell\open\command\
INFECTION WARNING! "Default" = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Ljupco Mihajlovski" & "All Users" startup folders:
--------------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"avgcc" -> shortcut to: "C:\Program Files\Grisoft\AVG Free\avgcc.exe" ["GRISOFT, s.r.o."]
"WinTasks" -> shortcut to: "C:\Program Files\LIUtilities\WinTasks\wintasks.exe traybar" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe"" ["Kerio Technologies"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 70 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 51 seconds.
---------- (total run time: 175 seconds)


And here is my new HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 04:20:56, on 14.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] nvstartup
O4 - Global Startup: avgcc.lnk = C:\Program Files\Grisoft\AVG Free\avgcc.exe
O4 - Global Startup: WinTasks.lnk = C:\Program Files\LIUtilities\WinTasks\wintasks.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F44DE3C-8217-4EDC-8BC2-E00495730AF1}: NameServer = 195.26.152.19 195.26.152.20
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

thanks again,
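Added example for this thread (not code from HijackThis, BleepingComputer or the responders): a small Python script that parses the two HijackThis logs posted above (13.08 and 14.08) and lists the entries that appeared or disappeared between them, which is how a responder spots the new O16 (Kaspersky web scanner ActiveX control) and O17 (per-adapter NameServer) lines without re-reading the whole log. The logs are embedded inline, with the process list shortened and the five Google Toolbar O8 lines omitted.

```python
"""Diff two HijackThis 1.99.1 logs and report which entries appeared or disappeared.

Added example for this thread, not code from HijackThis or the responders. The two
logs below are transcribed from the 13.08.2005 and 14.08.2005 posts above, with the
process list shortened and the five Google Toolbar O8 lines omitted for brevity.
"""
import re

# Every HJT finding starts with a section tag (R0, F1, N1, O2 ... O23) and " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")

LOG_13_08 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:33:56, on 13.08.2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] nvstartup
O4 - Global Startup: avgcc.lnk = C:\Program Files\Grisoft\AVG Free\avgcc.exe
O4 - Global Startup: WinTasks.lnk = C:\Program Files\LIUtilities\WinTasks\wintasks.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LOG_14_08 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 04:20:56, on 14.08.2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] nvstartup
O4 - Global Startup: avgcc.lnk = C:\Program Files\Grisoft\AVG Free\avgcc.exe
O4 - Global Startup: WinTasks.lnk = C:\Program Files\LIUtilities\WinTasks\wintasks.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F44DE3C-8217-4EDC-8BC2-E00495730AF1}: NameServer = 195.26.152.19 195.26.152.20
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def parse_hjt(text):
    """Return (section, body) pairs for every finding line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def diff_logs(old_text, new_text):
    """Entries only in the newer log (added) and only in the older one (removed), in log order."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    old_set, new_set = set(old), set(new)
    added = [e for e in new if e not in old_set]
    removed = [e for e in old if e not in new_set]
    return added, removed


def count_by_section(entries):
    """Number of findings per HJT section tag, e.g. {'O23': 6, ...}."""
    counts = {}
    for section, _ in entries:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    added, removed = diff_logs(LOG_13_08, LOG_14_08)
    for tag, body in added:
        print("+", tag, "-", body)
    for tag, body in removed:
        print("-", tag, "-", body)
```

The new O16 entry is expected here because the Kaspersky scanner had just been installed; the O17 NameServer line is the kind of change a responder confirms against the ISP's DNS servers, which is what such a diff is for.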

#12 ddeerrff

    Retired

  • Malware Response Team
  • 2,717 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 13 August 2005 - 11:08 PM

I'm not seeing anything that should be causing any problems here. Let's look in a different way.


Download F-Secure Blacklight (blbeta.exe) to your desktop.
- Double click on blbeta.exe to run the program. Accept the user agreement.
- Leave "Scan through windows explorer" checked.
- Click Scan.
After the scan finishes, click on Next.

BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log". Please post that log.

Edited by ddeerrff, 14 August 2005 - 12:05 AM.

Derfram
~~~~~~

#13 mixer1991
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Skopje Macedonia

Posted 14 August 2005 - 03:13 PM

Hi ddeerrff,

I have downloaded blbeta and done the scan, but I cannot open the log file; I receive the message:

"ACCESS IS DENIED".

Then I imported the file "fsbl-20050814195655.log" in QuarkXpress and here are the contents:

08/14/05 21:56:55 [Info]: BlackLight Engine 1.0.23 initialized
08/14/05 21:56:55 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/14/05 21:56:55 [Note]: 4019 0
08/14/05 21:56:55 [Note]: 4019 1
08/14/05 21:56:55 [Note]: 4019 2
08/14/05 21:56:55 [Note]: 4019 3
08/14/05 21:56:55 [Note]: 4019 4
08/14/05 21:56:55 [Note]: 4005 0
08/14/05 21:57:03 [Note]: 4006 0
08/14/05 21:57:03 [Note]: 4011 1212
08/14/05 21:57:05 [Note]: FSRAW library version 1.7.1011
08/14/05 21:58:11 [Note]: 4007 0

THANKS!

#14 ddeerrff

    Retired

  • Malware Response Team
  • 2,717 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 14 August 2005 - 04:39 PM

No malware shows up there either.

Download WinPFind.zip
- Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Reboot your computer into Safe Mode.

Open the C:\WinPFind folder and double-click on WinPFind.exe.
(- Add any desired config changes here)
- Click on the Start Scan button and wait for it to finish.

This program will scan large amounts of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file at C:\WinPFind\WinPFind.txt. Please copy that log to your next reply.
Derfram
~~~~~~

#15 mixer1991
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Skopje Macedonia

Posted 14 August 2005 - 07:09 PM

Hi,

Here is the log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 20.06.2004 01:37:00 61440 C:\WINDOWS\SYSTEM32\APCORE.DLL
aspack 22.02.2004 22:23:02 509440 C:\WINDOWS\SYSTEM32\context.dll
PEC2 23.08.2001 14:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 09.06.2005 22:32:28 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 09.06.2005 22:32:28 692736 C:\WINDOWS\SYSTEM32\DivX.dll
UPX! 01.02.2005 17:02:24 96768 C:\WINDOWS\SYSTEM32\libsndfile.dll
UPX! 13.01.2005 21:41:48 11254 C:\WINDOWS\SYSTEM32\locate.com
UPX! 06.12.2004 17:25:04 40448 C:\WINDOWS\SYSTEM32\mpgaout.dll
UPX! 06.12.2004 17:25:04 47616 C:\WINDOWS\SYSTEM32\mpgmux.dll
UPX! 06.12.2004 17:25:06 204288 C:\WINDOWS\SYSTEM32\mpgvout.001
UPX! 06.12.2004 17:25:08 204288 C:\WINDOWS\SYSTEM32\mpgvout.002
UPX! 06.12.2004 17:25:10 205312 C:\WINDOWS\SYSTEM32\mpgvout.003
UPX! 06.12.2004 17:25:12 205312 C:\WINDOWS\SYSTEM32\mpgvout.004
UPX! 06.12.2004 17:25:12 5632 C:\WINDOWS\SYSTEM32\mpgvout.dll
PECompact2 05.08.2005 03:31:38 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 05.08.2005 03:31:38 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.08.2004 01:56:38 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 06.12.2004 17:25:12 6144 C:\WINDOWS\SYSTEM32\pcmaout.dll
Umonitor 04.08.2004 01:56:46 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 11.10.2003 11:24:44 89088 C:\WINDOWS\SYSTEM32\Shreder.dll
aspack 16.07.2004 23:53:12 37888 C:\WINDOWS\SYSTEM32\SuperMenuHook.dll
winsync 23.08.2001 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 31.07.2005 23:06:14 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 31.07.2005 23:06:14 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 31.07.2005 23:06:14 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 03.08.2004 23:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 15.08.2005 01:24:20 2048 C:\WINDOWS\bootstat.dat
H 03.08.2005 01:49:20 0 C:\WINDOWS\inf\oem8.inf
S 08.07.2005 16:23:18 12143 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
S 30.06.2005 09:06:34 11437 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896423.cat
S 19.07.2005 19:18:10 18913 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
S 30.06.2005 13:42:18 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899587.cat
S 30.06.2005 14:21:10 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899588.cat
S 30.06.2005 08:46:18 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899591.cat
S 28.06.2005 19:12:56 11845 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901214.cat
S 02.07.2005 10:18:16 9445 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB903235.cat
H 15.08.2005 01:24:12 8192 C:\WINDOWS\system32\config\default.LOG
H 15.08.2005 01:24:50 1024 C:\WINDOWS\system32\config\SAM.LOG
H 15.08.2005 01:24:24 12288 C:\WINDOWS\system32\config\SECURITY.LOG
H 15.08.2005 01:24:52 65536 C:\WINDOWS\system32\config\software.LOG
H 15.08.2005 01:24:52 901120 C:\WINDOWS\system32\config\system.LOG
H 10.08.2005 00:16:14 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
SH 31.07.2005 14:51:32 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0579e0f1-939c-4e70-9548-bb93a2fda05d
SH 31.07.2005 14:51:32 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
H 15.08.2005 01:23:10 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04.08.2004 01:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04.08.2004 01:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 01:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04.08.2004 01:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04.08.2004 01:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 01:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04.08.2004 01:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 01:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 01:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 01:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 23.08.2001 14:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 01:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 23.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04.08.2004 01:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 01:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 15.07.2004 12:42:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 23.08.2001 14:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04.08.2004 01:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04.08.2004 01:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04.08.2004 01:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 23.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 01:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04.08.2004 01:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 23.08.2001 14:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 23.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 23.08.2001 14:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 23.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 26.05.2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
02.08.2005 18:14:34 777 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\avgcc.lnk
08.08.2005 16:03:16 764 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTasks.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
23.12.2004 04:43:14 4713 C:\Documents and Settings\Ljupco Mihajlovski\Application Data\wo.tmp

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PicaView32
{68f32140-2ca3-11d0-acc1-444553540000} = C:\PROGRA~1\PICAVI~1\PicaView32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinExpert
{19741013-C829-11D1-8233-0020AF3E97A9} = C:\WINDOWS\system32\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinExpert
{19741013-C829-11D1-8233-0020AF3E97A9} = C:\WINDOWS\system32\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon nvstartup

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoBandCustomize 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 15.08.2005 01:35:22

P.S.
What about Control Panel / JAVA ICON?

THANKS