Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hjt Help!


  • Please log in to reply
13 replies to this topic

#1 joeman123

joeman123

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:chile
  • Local time:01:51 PM

Posted 14 October 2005 - 01:04 PM

a time ago you helped to me to kick some malware (troyan.downloader.agent.bq)

now i realize that another malware like Spyware.PSGuard and Exploit.(what ever) is getting slow and slower my PC

my platform is Win XP SP2 (home edition) i haven't SP1 b'cause i reconnected my pc to internet only in august.

the 'sintomas'(i'm from chile) i have are: slow start and slower shut down, the text cursor is wider than normal in windows text boxes and note pad (in firefox, messenger and office look normal)

i have bitdefender 8 professional plus, ewido security suite, ad-aware, trend micro, microsoft antispyware beta and Spyware Blaster.
here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 15:03:37, on 14-10-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
C:\Archivos de programa\Softwin\BitDefender8\bdnagent.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\archiv~1\softwin\bitdef~2\bdswitch.exe
C:\WINDOWS\System32\snmp.exe
C:\Archivos de programa\Trend Micro\Internet Security\pccguide.exe
C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe
C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
C:\Archivos de programa\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Archivos de programa\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe
C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
C:\ARCHIV~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Archivos de programa\Archivos comunes\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
C:\Archivos de programa\Archivos comunes\Softwin\BitDefender Scan Server\bdss.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Archivos de programa\Softwin\BitDefender8\bdoesrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Softwin\BitDefender8\vsserv.exe
C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Nueva carpeta\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Archivos de programa\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] c:\archiv~1\softwin\bitdef~2\bdswitch.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Archivos de programa\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Omnipage] C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LVCOMS] C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CXMon] "C:\Archivos de programa\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [BDOESRV] C:\Archivos de programa\Softwin\BitDefender8\bdoesrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D506BC5-C330-4B7D-B3A2-3BEEC2BD20F5}: NameServer = 200.28.4.129 200.28.4.130
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Archivos de programa\Archivos comunes\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Archivos de programa\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Archivos de programa\Archivos comunes\Softwin\BitDefender Communicator\xcommsvr.exe

thanx

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:51 PM

Posted 15 October 2005 - 09:47 AM

Looks normal to me.

Download Silentrunners.zip from:

http://www.silentrunners.org/

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

When it has finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.

#3 joeman123

joeman123
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:chile
  • Local time:01:51 PM

Posted 15 October 2005 - 03:02 PM

here is the reply, please helpme. PS: would be that something is gone in windows?


"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BDNewsAgent" = ""c:\archivos de programa\softwin\bitdefender8\bdnagent.exe"" [null data]
"BDSwitchAgent" = "c:\archiv~1\softwin\bitdef~2\bdswitch.exe" [null data]
"UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."]
"SpeedTouch USB Diagnostics" = ""C:\Archivos de programa\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"Share-to-Web Namespace Daemon" = "C:\Archivos de programa\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
"Omnipage" = "C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe" ["ScanSoft, Inc"]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]
"MSPY2002" = "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"LVCOMS" = "C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE" ["Logitech Inc."]
"IMJPMIG8.1" = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32" [MS]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" ["HP"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"DeviceDiscovery" = "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"CXMon" = ""C:\Archivos de programa\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"" ["Hewlett-Packard Company"]
"BDOESRV" = "C:\Archivos de programa\Softwin\BitDefender8\bdoesrv.exe" ["SOFTWIN SRL"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensión de paneo de pantalla del Panel de control"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensión de icono de HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Explorador de escritorios"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Carpeta de carga de Share-to-Web"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wns.dll" ["Hewlett-Packard"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Microsoft Office\Office10\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "sockspy.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
BitDefender Antivirus v7\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

.SCR: HKLM\SOFTWARE\Classes\AutoCADScript\shell\open\command\
INFECTION WARNING! "Default" = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Felicidad.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{9455301C-CF6B-11D3-A266-00C04F689C50}\ = "&Investigador de Encarta" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Researcher\EROPROJ.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Consola de Sun Java"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Investigador"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Archivos de programa\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

BitDefender Communicator, XCOMM, "C:\Archivos de programa\Archivos comunes\Softwin\BitDefender Communicator\xcommsvr.exe /service" ["Softwin"]
BitDefender Scan Server, bdss, "C:\Archivos de programa\Archivos comunes\Softwin\BitDefender Scan Server\bdss.exe /service" [null data]
BitDefender Virus Shield, VSSERV, "C:\Archivos de programa\Softwin\BitDefender8\vsserv.exe /service" ["SOFTWIN S.R.L."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTSvcCDA.exe" ["Creative Technology Ltd"]
ewido security suite guard, ewido security suite guard, "C:\Archivos de programa\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
adimon\Driver = "C:\WINDOWS\System32\adimon.dll" ["Autodesk, Inc."]
EPSON STM3 2KMonitor37\Driver = "E_SL2037.DLL" ["SEIKO EPSON CORPORATION"]
hpzlnt08\Driver = "hpzlnt08.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 60 seconds, including 18 seconds for message boxes)

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:51 PM

Posted 16 October 2005 - 03:49 PM

I still do not see anything at all wrong here. I would suggest you make it so some of your startup programs dont start automatically which will free up some resources an dpossibly make your machine operate faster.

You should compare your list of startup items to http://www.bleepingcomputer.com/startups and find the ones that are not necessary to start automatically.

#5 joeman123

joeman123
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:chile
  • Local time:01:51 PM

Posted 16 October 2005 - 09:39 PM

i encountered that a file called deskpan.dll is missing is this something

PD: What i do with Autoruns?

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:51 PM

Posted 17 October 2005 - 10:52 AM

When did you get the error about deskpan.dll?

Run autoruns and look at its output . Compare the files names to the files in the startup database. The database will tell you if you should disbale that startup or not.

#7 joeman123

joeman123
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:chile
  • Local time:01:51 PM

Posted 17 October 2005 - 11:53 PM

looks like a infection: what can i do?
i encountered that svchost.exe is in


MS_Update Check
wdfmgr.exe X

Added by the W32/Agobot-TB worm. When started, this infections connects to a remote IRC server where it waits for commands to execute.

'crss' is with a High priority in the task manager. has 13 sub processes(the only one process)
lsass has 18 subprocesses
and svchost is 6 times in the list and 1 of them has 60 subprocesses
is this bad?

please guide me.

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:51 PM

Posted 18 October 2005 - 09:14 AM

Is it crss or csrss.exe?

Svchost is normal.

wdfmgr.exe if its in the c:\windows\system32 directory

When does the error message about deskpan.dll come up?

#9 joeman123

joeman123
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:chile
  • Local time:01:51 PM

Posted 18 October 2005 - 02:16 PM

the deskpan.dll error appears when I try to look the properties of the file in Autoruns, this appears with a checkmark, but when i want to view the properties appears an error window that shows a file not found message.

-is 'crss.exe'
-i encountered tasks called:

:thumbsup: - 'smss.exe' is in C:\WINDOWS\system32
C:\WINDOWS\$NtServicePackUninstall$
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\I386\SYSTEM32 (SMSS.EXE)
C:\I386\SYSTEM32 (SMSS.EXE)
- 'snmp.exe' is in C:\WINDOWS\system32
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$NtServicePackUninstall$
- 'services.exe' is in C:\WINDOWS\system32
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$NtServicePackUninstall$

- 'lsass.exe' is in C:\WINDOWS\system32
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$NtServicePackUninstall$
- 'wdfmgr.exe' is in 'C:\WINDOWS\system32' and
C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}

and svchost is in C:\WINDOWS\system32
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$NtServicePackUninstall$

other:
nvsvc32.exe is in
C:\WINDOWS\system32
C:\hp\drivers\video\Nforce
C:\hp\drivers\video\nvidia

Edited by joeman123, 18 October 2005 - 02:18 PM.


#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:51 PM

Posted 18 October 2005 - 02:58 PM

The deskpan.dll error can probably be resolved by reinstalling your nvidia display adapter drivers.

All those are files are legit. Dont focus on those.

Focus more on these and whether or not the database says they need to be running:

O4 - HKLM\..\Run: [BDNewsAgent] "C:\Archivos de programa\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] c:\archiv~1\softwin\bitdef~2\bdswitch.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Archivos de programa\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Omnipage] C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LVCOMS] C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CXMon] "C:\Archivos de programa\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [BDOESRV] C:\Archivos de programa\Softwin\BitDefender8\bdoesrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

#11 joeman123

joeman123
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:chile
  • Local time:01:51 PM

Posted 23 October 2005 - 10:44 AM

sorry for the delay. I don´t know but my text cursors of windows are still "BLACKIE"( | ) in execute menu, windows explorer, well, in all text fields on windows.

i have read an article about SP2 in windows xp, i installed it in august, but i didn´t knew about the existence of SP1.


I HAVEN'T THAT. I need it first to install sp2?
:thumbsup:


Pd: my pc is still slow and i see iMeshBar in the view menu but not see it in hjt.

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:51 PM

Posted 23 October 2005 - 07:58 PM

Post a new log

#13 joeman123

joeman123
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:chile
  • Local time:01:51 PM

Posted 25 October 2005 - 06:50 AM

here is the log, ineed the sp1?
each 5 days Bdefender detects some 'exploit' and a 'trojan.downloader.javastream' or something else.


Logfile of HijackThis v1.99.1
Scan saved at 8:45:52, on 25-10-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Softwin\BitDefender8\bdoesrv.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\Archivos de programa\Softwin\BitDefender8\bdnagent.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Archivos comunes\Softwin\BitDefender Scan Server\bdss.exe
C:\Archivos de programa\Softwin\BitDefender8\vsserv.exe
c:\archivos de programa\softwin\bitdefender8\bdmcon.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\ARCHIV~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Omnipage] C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Archivos de programa\Softwin\BitDefender8\bdoesrv.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D506BC5-C330-4B7D-B3A2-3BEEC2BD20F5}: NameServer = 200.28.4.129 200.28.4.130
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Archivos de programa\Archivos comunes\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Archivos de programa\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Archivos de programa\Archivos comunes\Softwin\BitDefender Communicator\xcommsvr.exe

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:51 PM

Posted 25 October 2005 - 11:48 AM

You still look clean to me. You alkready have SP2 , so you do not need SP1 (which is an older update).

Follow these prevention steps and lets see what happens:

Now that your clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users