Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

multi virus/worms/trojans


  • Please log in to reply
17 replies to this topic

#1 cynde

cynde

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 16 August 2005 - 08:32 PM

Hello and thank you in advance.

rdriv.sys cachecachekit is haunting me. I followed the instructions from norton last night but it's back! I've run registryfix, adaware, ccleaner, Norton (which finds but cannot repair it) trend micro, etrust and panda (which disinfected svchost)
I'm getting sygate messages also about "system.exe" and "ntoskrnl.exe"

here's my hijack this log.

Thanks again, Cynde

Logfile of HijackThis v1.99.1
Scan saved at 8:16:58 PM, on 8/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINNT\system32\S3apphk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\enternet.exe
C:\Program Files\Winamp\Winamp.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MTS Internet Services
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 2)] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 2)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R200 Series (Copy 2)] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 2)" /M "Stylus Photo R200" /EF "HKCU"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123384971026
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...458/mcfscan.cab
O23 - Service: 31755 - Unknown owner - \\142.161.179.141\Admin$\eraseme_67747.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft Windows - Unknown owner - C:\WINNT\system.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)

 


#2 cynde

cynde
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 17 August 2005 - 11:08 AM

Hi again. You can add W32spybot to the list now.

Thanks, Cynde

#3 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 20 August 2005 - 07:37 AM

Hi Cynde and Welcome to the Bleeping Computer!

Click Start-> Run-> Type in Services.msc and Click OK!

Scroll that list and locate these entries

31755
Microsoft Windows


Right Click each entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled!

Click Apply-> OK and Exit the Services Page!

Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip
  • Unzip it to your desktop.
* Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed exit Ewido.
* CleanUp!
  • Install it.
* Killbox by Option^Explicit
  • Save it to your desktop.
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click the Ewido Security Suite icon to run the program.
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
3.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

4.) After Cleanup! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;<local>

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O23 - Service: 31755 - Unknown owner - \\142.161.179.141\Admin$\eraseme_67747.exe (file missing)

O23 - Service: Microsoft Windows - Unknown owner - C:\WINNT\system.exe

Close HiJackThis.

5.) Run Killbox.exe.

* Select "Delete on Reboot".

Highlight the entries below and press Ctrl+C to Copy

C:\WINNT\system32\rdriv.sys
C:\WINNT\system.exe

In Pocket Killbox-> Click File-> Paste from Clipboard

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.

After computer has restarted continue with the rest of the instructions:

6.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

7.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

#4 cynde

cynde
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  

Posted 22 August 2005 - 05:53 PM

Hello and thanks. I got started but hang up at the "Click Start-> Run-> Type in Services.msc and Click OK!" I have no entry there for "microsoft windows".
I do have "windows installer", "windows management instrumentation" and windows management instrumentation driver extentions"

I have also, since I posted, installed Norton 2005 and spybot.

Thanks, Cynde

Edited by cynde, 22 August 2005 - 06:38 PM.


#5 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 24 August 2005 - 04:44 AM

Thats fine,go ahead with the rest of the fix please!

#6 cynde

cynde
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 24 August 2005 - 07:31 PM

thanks.

I finally got through it all. I should have known I was in for a long haul with the advice for ewido, it took 108 minutes and I did have to babysit it to keep a child from turinig it off :thumbsup: CleanUp found 37470 filed and freed 1.9 Gb. I adjusted the setting in Internet options, temp internet files folder to 500 mb. (it was over 6000) Is this right? I dont think I need to have 1+ Gb's there.


rdrivRem.bat found nothing. here's the logs from hijackthis, ewido and rdriv. Active scan would not complete. It would run for about 2 or 3 minutes and shut down, including the browser. Odd, I've used this recently and this has never happened before. before it shut down, it found 1 dialer. I tried it 4 times including with Norton, Ewido and Sygate turned off, same thing every time.

I sure appreciate this help, Thanks so much.

Cynde

Logfile of HijackThis v1.99.1
Scan saved at 5:41:38 PM, on 8/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MTS Internet Services
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 2)] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 2)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Corel Reminder] "C:\Program Files\Register\NAVBrowser.exe" /r /i "C:\Program Files\Register\NavLoad.ini"
O4 - HKCU\..\Run: [EPSON Stylus Photo R200 Series (Copy 2)] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 2)" /M "Stylus Photo R200" /EF "HKCU"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123384971026
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...458/mcfscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:05:58 PM, 8/24/2005
+ Report-Checksum: 46F03F02

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Preview AdService -> Spyware.BlazeFind : Cleaned with backup
:mozilla.11:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.12:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.13:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.14:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.15:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.16:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.17:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.18:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.19:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.20:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.21:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.22:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.23:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.28:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.29:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.82:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.134:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.135:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.147:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.190:C:\Documents and Settings\fetherston\Application Data\Netscape\NSB\Profiles\8abr2h86.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\fetherston\Cookies\fetherston@excite[1].txt -> Spyware.Cookie.Excite : Cleaned with backup
C:\Documents and Settings\fetherston\Cookies\fetherston@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\fetherston\Cookies\fetherston@www.excite[2].txt -> Spyware.Cookie.Excite : Cleaned with backup
C:\Documents and Settings\fetherston\Desktop\Games 2\Pokemon Emerald (U)sa.gba -> Worm.Franvir : Cleaned with backup


::Report End





~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!


~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!


~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!

#7 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 25 August 2005 - 05:02 AM

Lets make sure the Hosts File has been corrupted!


Download the Hoster from here:
http://www.funkytoad.com/download/hoster.zip

Unzip and Extract All Files!

Press "Restore Original Hosts" and press "OK"!!
Exit Program!


Now lets see what else is lurking inside there!

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!


Restart Normal and try this Online Scan
http://support.f-secure.com/enu/home/ols.shtml

Save the Report it generates


Post back with a fresh HijackThis log and the reports from F-Secure and WinPFind!

#8 cynde

cynde
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  

Posted 25 August 2005 - 09:38 AM

Thanks again and here it all is. Cynde

Hoster says "HOSTS file does not exist"

FSecure...
Scanned files: 50447 Warning: 24 file(s) still infected!
C:\Program Files\Norton AntiVirus\Quarantine\042F2184 Worm.Win32.VB.an <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Worm.Win32.VB.an>

C:\Program Files\Norton AntiVirus\Quarantine\11550409 Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\17400A2A Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\1833757E Rootkit.Win32.Agent.p <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Rootkit.Win32.Agent.p>

C:\Program Files\Norton AntiVirus\Quarantine\189742B1 Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\1A9B2C79 Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\1BE0532A.exe Trojan-Proxy.Win32.Ranky.bp <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Trojan-Proxy.Win32.Ranky.bp>

C:\Program Files\Norton AntiVirus\Quarantine\300C265A.sys Rootkit.Win32.Agent.p <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Rootkit.Win32.Agent.p>

C:\Program Files\Norton AntiVirus\Quarantine\306F11C1 Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\31B061FE Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\32840B14 Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\32913306 Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\33111019 Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\3409016C Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\401F6FE6 Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\41FB1554 Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\4BB4483F.sys Rootkit.Win32.Agent.p <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Rootkit.Win32.Agent.p>

C:\Program Files\Norton AntiVirus\Quarantine\4F547916 Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\604F6058 Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\6218785F Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\6B1B626D Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\6B8A75F3 Backdoor.Win32.Rbot.gen <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Backdoor.Win32.Rbot.gen>

C:\Program Files\Norton AntiVirus\Quarantine\6FCE1EBA Trojan.Win32.Qhost <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Trojan.Win32.Qhost>

C:\Program Files\Norton AntiVirus\Quarantine\7ACF4FC2 Trojan.Win32.Qhost <http://cgi.f-secure.com/cgi-bin/search.cgi?q=Trojan.Win32.Qhost>



Logfile of HijackThis v1.99.1
Scan saved at 9:32:46 AM, on 8/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINNT\system32\S3apphk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\enternet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MTS Internet Services
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 2)] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 2)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Corel Reminder] "C:\Program Files\Register\NAVBrowser.exe" /r /i "C:\Program Files\Register\NavLoad.ini"
O4 - HKCU\..\Run: [EPSON Stylus Photo R200 Series (Copy 2)] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 2)" /M "Stylus Photo R200" /EF "HKCU"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123384971026
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...458/mcfscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#9 cynde

cynde
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 25 August 2005 - 05:31 PM

PS I'm getting notices from Sygate about blocking ntoskrnl. hmmm

Thanks, Cynde

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 25 August 2005 - 06:13 PM

I need to see the log from WinPFind please!

#11 cynde

cynde
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  

Posted 26 August 2005 - 09:59 AM

Oops.

Here's the WinPFind.

Thank you, Cynde


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 12/21/1999 7:58:02 AM 21312 C:\WINNT\choice.exe
UPX! 5/28/2005 1:22:18 PM 188935 C:\WINNT\filename.exe
PECompact2 8/24/2005 6:10:20 PM 15666129 C:\WINNT\LPT$VPN.797
qoologic 8/24/2005 6:10:20 PM 15666129 C:\WINNT\LPT$VPN.797
SAHAgent 8/24/2005 6:10:20 PM 15666129 C:\WINNT\LPT$VPN.797
UPX! 8/24/2005 6:10:22 PM 170053 C:\WINNT\tsc.exe
PECompact2 8/24/2005 6:10:20 PM 15666129 C:\WINNT\VPTNFILE.797
qoologic 8/24/2005 6:10:20 PM 15666129 C:\WINNT\VPTNFILE.797
SAHAgent 8/24/2005 6:10:20 PM 15666129 C:\WINNT\VPTNFILE.797
UPX! 8/24/2005 6:10:22 PM 1044560 C:\WINNT\vsapi32.dll
aspack 8/24/2005 6:10:22 PM 1044560 C:\WINNT\vsapi32.dll

Checking %System% folder...
PECompact2 8/4/2005 8:31:38 PM 1449304 C:\WINNT\SYSTEM32\MRT.exe
aspack 8/4/2005 8:31:38 PM 1449304 C:\WINNT\SYSTEM32\MRT.exe
Umonitor 1/12/2005 12:39:46 PM 531216 C:\WINNT\SYSTEM32\RASDLG.DLL
aspack 6/30/2005 3:07:56 PM 282768 C:\WINNT\SYSTEM32\trjscan.trb
aspack 7/1/2005 7:50:10 PM 353416 C:\WINNT\SYSTEM32\trupd.trb
winsync 7/26/2000 7:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/25/2005 8:18:00 AM H 1106110 C:\WINNT\ShellIconCache
8/25/2005 8:18:24 AM S 64 C:\WINNT\CSC\00000001
8/15/2005 8:18:42 PM S 64 C:\WINNT\CSC\00000002
8/13/2005 8:16:56 PM S 64 C:\WINNT\CSC\csc1.tmp
7/21/2005 7:12:06 PM H 0 C:\WINNT\inf\oem19.inf
8/7/2005 6:49:10 PM H 0 C:\WINNT\inf\oem20.inf
7/20/2005 9:27:10 PM H 21416 C:\WINNT\system32\mlfcache.dat
8/25/2005 8:15:42 AM H 1024 C:\WINNT\system32\config\DEFAULT.LOG
8/25/2005 8:22:38 AM H 1024 C:\WINNT\system32\config\SAM.LOG
8/25/2005 8:20:46 AM H 1024 C:\WINNT\system32\config\SECURITY.LOG
8/25/2005 8:28:00 AM H 1024 C:\WINNT\system32\config\SOFTWARE.LOG
8/24/2005 2:08:10 PM HS 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\723eb714-7d34-463c-9e86-a9c694333f8d
8/24/2005 2:08:10 PM HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\Preferred
7/21/2005 4:41:42 PM H 8628 C:\WINNT\system32\spool\drivers\w32x86\3\E_QI021E.GID
8/25/2005 8:18:26 AM H 6 C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 7/26/2000 7:00:00 AM 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 2:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 6/19/2003 2:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 8:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 10/30/2001 9:10:00 AM 326144 C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 6/19/2003 2:05:04 PM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 6/19/2003 2:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
11/19/1999 1:54:12 PM 155648 C:\WINNT\SYSTEM32\PPPoEService.cpl
Microsoft Corporation 6/19/2003 2:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/19/2003 2:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 8:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 1/12/2005 12:40:00 PM 64784 C:\WINNT\SYSTEM32\dllcache\msmq.cpl
IBM Corporation 9/23/1999 7:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/18/2005 3:28:38 PM 1643 C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/24/2005 6:03:34 PM 2313 C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
6/8/2005 6:45:10 AM 1568 C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Microsoft Office.lnk
7/12/2005 7:16:18 AM 654 C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Photo Loader supervisory.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/3/2005 3:46:48 PM H 58 C:\Documents and Settings\All Users.WINNT\Application Data\Ts_infos.ini

Checking files in %USERPROFILE%\Startup folder...
8/25/2005 8:28:02 AM 561 C:\Documents and Settings\fetherston\Start Menu\Programs\Startup\Webshots.lnk

Checking files in %USERPROFILE%\Application Data folder...
4/3/2005 7:15:36 PM 0 C:\Documents and Settings\fetherston\Application Data\dm.ini
4/23/2005 1:08:30 PM 1024 C:\Documents and Settings\fetherston\Application Data\WavCodec.wff

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
=
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\system32\msdxm.ocx
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{339BB23F-A864-48C0-A59F-29EA915965EC} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
EPSON Stylus Photo R200 Series C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
EPSON Stylus Photo R200 Series (Copy 2) C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 2)" /O6 "USB001" /M "Stylus Photo R200"
NeroCheck C:\WINNT\system32\\NeroCheck.exe
S3apphk S3apphk.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
SmcService C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
WinampAgent C:\Program Files\Winamp\winampa.exe
TrojanScanner C:\Program Files\Trojan Remover\Trjscan.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Corel Reminder "C:\Program Files\Register\NAVBrowser.exe" /r /i "C:\Program Files\Register\NavLoad.ini"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
EPSON Stylus Photo R200 Series (Copy 2) C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 2)" /M "Stylus Photo R200" /EF "HKCU"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/25/2005 8:33:47 AM

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 28 August 2005 - 06:16 AM

Sorry for the delay!

The WinPFind log isnt showing me much either!

Locate and Delete

C:\WINNT\filename.exe

C:\Documents and Settings\All Users.WINNT\Application Data\Ts_infos.ini


Post back with a fresh HijackThis log and Update me about the System!

#13 cynde

cynde
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 28 August 2005 - 01:10 PM

Hello,

I deleted the filename.exe but couldnt find the ts_infos.ini.

The computer is very, very slow. feels like too much is happening. for instance, when nothing else is open and I'm playing minesweeper, there will be a delay after I click and sometimes the hourglass. Winamp buffers occasionally when nothing else is open and Sygate is always busy. The logs there are incredible. I can copy these for you if they might help.

Here's the hijack this log.

Thank you, Cynde

Logfile of HijackThis v1.99.1
Scan saved at 11:40:54 AM, on 8/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINNT\system32\S3apphk.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\enternet.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\Microsoft Broadband Networking\MSBNUpdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MTS Internet Services
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 2)] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 2)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Corel Reminder] "C:\Program Files\Register\NAVBrowser.exe" /r /i "C:\Program Files\Register\NavLoad.ini"
O4 - HKCU\..\Run: [EPSON Stylus Photo R200 Series (Copy 2)] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 2)" /M "Stylus Photo R200" /EF "HKCU"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123384971026
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...458/mcfscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#14 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 30 August 2005 - 05:17 PM

Go ahead and Update Ewido and Scan in Safe Mode once more,save the report!

While in Safe Mode,Scan with WinPFind once more!

Before you restart back into Normal Mode,go back to msconfig and reconfigure it so whatever you dont need at startup is disabled!


Once back in Normal Mode,Remove Ewido from Add\Remove Programs!

Lets have a look at those logs and see if there is more we can do to reduce the load on the PC!

#15 cynde

cynde
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 01 September 2005 - 10:43 AM

Good Morning.

Here are the logs again.

Before I did the scans I ran spybot and adaware. I dont think Spybot is working right, It only found one excite cookie but adaware found several and also found malware "favoriteman" at C:|WINNT|ion6002.exe and removed it. How do these things get in here?

I'm having a dense moment. How do I do the msconfig?

Thanks again, Cynde

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 12/21/1999 7:58:02 AM 21312 C:\WINNT\choice.exe
PECompact2 8/24/2005 6:10:20 PM 15666129 C:\WINNT\LPT$VPN.797
qoologic 8/24/2005 6:10:20 PM 15666129 C:\WINNT\LPT$VPN.797
SAHAgent 8/24/2005 6:10:20 PM 15666129 C:\WINNT\LPT$VPN.797
UPX! 8/24/2005 6:10:22 PM 170053 C:\WINNT\tsc.exe
PECompact2 8/24/2005 6:10:20 PM 15666129 C:\WINNT\VPTNFILE.797
qoologic 8/24/2005 6:10:20 PM 15666129 C:\WINNT\VPTNFILE.797
SAHAgent 8/24/2005 6:10:20 PM 15666129 C:\WINNT\VPTNFILE.797
UPX! 8/24/2005 6:10:22 PM 1044560 C:\WINNT\vsapi32.dll
aspack 8/24/2005 6:10:22 PM 1044560 C:\WINNT\vsapi32.dll

Checking %System% folder...
PECompact2 8/4/2005 8:31:38 PM 1449304 C:\WINNT\SYSTEM32\MRT.exe
aspack 8/4/2005 8:31:38 PM 1449304 C:\WINNT\SYSTEM32\MRT.exe
Umonitor 1/12/2005 12:39:46 PM 531216 C:\WINNT\SYSTEM32\RASDLG.DLL
aspack 6/30/2005 3:07:56 PM 282768 C:\WINNT\SYSTEM32\trjscan.trb
aspack 7/1/2005 7:50:10 PM 353416 C:\WINNT\SYSTEM32\trupd.trb
winsync 7/26/2000 7:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/31/2005 10:38:14 PM H 553458 C:\WINNT\ShellIconCache
8/31/2005 10:38:50 PM S 64 C:\WINNT\CSC\00000001
8/15/2005 8:18:42 PM S 64 C:\WINNT\CSC\00000002
8/13/2005 8:16:56 PM S 64 C:\WINNT\CSC\csc1.tmp
7/21/2005 7:12:06 PM H 0 C:\WINNT\inf\oem19.inf
8/7/2005 6:49:10 PM H 0 C:\WINNT\inf\oem20.inf
8/31/2005 2:08:40 PM H 41968 C:\WINNT\system32\mlfcache.dat
8/31/2005 10:36:44 PM H 1024 C:\WINNT\system32\config\DEFAULT.LOG
8/31/2005 10:42:20 PM H 1024 C:\WINNT\system32\config\SAM.LOG
8/31/2005 10:40:28 PM H 1024 C:\WINNT\system32\config\SECURITY.LOG
9/1/2005 5:31:14 AM H 1024 C:\WINNT\system32\config\SOFTWARE.LOG
8/24/2005 2:08:10 PM HS 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\723eb714-7d34-463c-9e86-a9c694333f8d
8/24/2005 2:08:10 PM HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\Preferred
7/21/2005 4:41:42 PM H 8628 C:\WINNT\system32\spool\drivers\w32x86\3\E_QI021E.GID
8/31/2005 10:38:50 PM H 6 C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 7/26/2000 7:00:00 AM 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 2:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 6/19/2003 2:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 8:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 10/30/2001 9:10:00 AM 326144 C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 6/19/2003 2:05:04 PM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 6/19/2003 2:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
11/19/1999 1:54:12 PM 155648 C:\WINNT\SYSTEM32\PPPoEService.cpl
Microsoft Corporation 6/19/2003 2:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/19/2003 2:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 8:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 1/12/2005 12:40:00 PM 64784 C:\WINNT\SYSTEM32\dllcache\msmq.cpl
IBM Corporation 9/23/1999 7:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/18/2005 3:28:38 PM 1643 C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/31/2005 10:34:20 PM 2313 C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
6/8/2005 6:45:10 AM 1568 C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Microsoft Office.lnk
7/12/2005 7:16:18 AM 654 C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Photo Loader supervisory.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/3/2005 3:46:48 PM H 58 C:\Documents and Settings\All Users.WINNT\Application Data\Ts_infos.ini

Checking files in %USERPROFILE%\Startup folder...
8/31/2005 10:57:22 PM 561 C:\Documents and Settings\fetherston\Start Menu\Programs\Startup\Webshots.lnk

Checking files in %USERPROFILE%\Application Data folder...
4/3/2005 7:15:36 PM 0 C:\Documents and Settings\fetherston\Application Data\dm.ini
4/23/2005 1:08:30 PM 1024 C:\Documents and Settings\fetherston\Application Data\WavCodec.wff

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
=
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\system32\msdxm.ocx
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{339BB23F-A864-48C0-A59F-29EA915965EC} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
EPSON Stylus Photo R200 Series C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
EPSON Stylus Photo R200 Series (Copy 2) C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 2)" /O6 "USB001" /M "Stylus Photo R200"
NeroCheck C:\WINNT\system32\\NeroCheck.exe
S3apphk S3apphk.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
SmcService C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
WinampAgent C:\Program Files\Winamp\winampa.exe
TrojanScanner C:\Program Files\Trojan Remover\Trjscan.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Corel Reminder "C:\Program Files\Register\NAVBrowser.exe" /r /i "C:\Program Files\Register\NavLoad.ini"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
EPSON Stylus Photo R200 Series (Copy 2) C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 2)" /M "Stylus Photo R200" /EF "HKCU"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/1/2005 5:40:33 AM



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:28:32 AM, 9/1/2005
+ Report-Checksum: BBDBBF67

+ Scan result:

C:\Documents and Settings\fetherston\Cookies\fetherston@excite[1].txt -> Spyware.Cookie.Excite : Ignored
C:\Documents and Settings\fetherston\Cookies\fetherston@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup


::Report End




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users