
Hijack This _ A Check Up


14 replies to this topic

#1 winigo

  • Members
  • 40 posts

Posted 02 January 2006 - 03:09 PM

Did all the usual check-ups, but... I'm receiving more unsolicited weird mail.

Installed the WMF patch, just in case.
Would you have a look at this log? Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 2:10:50 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\program files\QuickTime\qttask.exe
D:\Program Files\ZoneAlarm\zlclient.exe
D:\Program Files\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
D:\_HijackThis\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\bin\jusched.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .psd: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin9.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095424758007
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37460.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Happy New Year to all,
w

Edited by winigo, 02 January 2006 - 03:10 PM.
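Added example (editor's code, not HijackThis itself and not part of winigo's post): a Python triage pass over HijackThis 1.99.1 entry lines of the kinds in the log above. It flags the three things a responder reads first in such a log: entries HijackThis tagged "(file missing)", O23 services whose publisher it could not determine ("Unknown owner"), and O4 autostarts whose target lives in a user-writable folder. The sample input is a set of lines copied from the log above plus one clearly marked constructed O4 line that shows what a suspicious autostart looks like; that constructed line has nothing to do with this machine. Two caveats the log itself illustrates: the form 'ashMaiSv.exe" /service (file missing)' is what HijackThis 1.99.1 prints when a service's ImagePath is a quoted path followed by arguments, so check the file on disk before calling it missing; and "Unknown owner" only means no publisher name was found for the service binary, which is the case for the avast services here, so it is a prompt to verify, not a verdict.

```python
"""Triage pass over HijackThis 1.99.1 log lines (added example; not HijackThis code
and not part of the forum post).

Flags the entries a responder reads first:
  * anything HijackThis tagged '(file missing)',
  * O23 services whose publisher could not be determined ('Unknown owner'),
  * O4 autostarts whose target lives in a user-writable location.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Lines copied verbatim from the HijackThis log posted in the thread.
LOG_EXCERPT = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# CONSTRUCTED line, not from the poster's machine: shows the shape of an autostart
# that runs from a user-writable folder, the pattern the third check is for.
CONSTRUCTED_LINE = r"O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe"

SAMPLE_LOG = LOG_EXCERPT + CONSTRUCTED_LINE + "\n"

SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUNKEY_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<target>.+)$")

# Folders a non-admin user can write to on Windows XP. Legitimate autostarts almost
# always live under Program Files or the Windows tree, so a Run key pointing here
# is worth a look even when the file exists.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    kind: str     # 'file_missing' | 'unknown_owner' | 'user_writable_autostart'
    section: str  # 'O4', 'O9', 'O23', ...
    entry: str    # the log line as HijackThis printed it


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not re.match(r"^[RFNO]\d+ - ", line):   # only HijackThis entry lines
            continue
        section = line.split(" - ", 1)[0]

        if line.endswith("(file missing)"):
            findings.append(Finding("file_missing", section, line))

        svc = SERVICE_RE.match(line)
        if svc and svc.group("owner") == "Unknown owner":
            findings.append(Finding("unknown_owner", section, line))

        run = RUNKEY_RE.match(line) or STARTUP_RE.match(line)
        if run and any(m in run.group("target").lower() for m in USER_WRITABLE_MARKERS):
            findings.append(Finding("user_writable_autostart", section, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind; handy for a one-line verdict on a pasted log."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<24} {f.entry}")
    print(summarize(triage(SAMPLE_LOG)))
```

The checks are deliberately plain string rules: they say where to look, and each hit still needs the file compared against the vendor's copy or a known-good hash before anything is fixed.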


#2 Papakid
    Guru at being a Newbie

  • Malware Response Team
  • 6,522 posts
  • Gender:Male

Posted 10 January 2006 - 11:38 PM

Hi winigo,

Your log looks good. If you're having any other problems let me know and we'll look deeper.

It's fairly normal now to get weird mail--I do. Best I can tell you is to not open any spam--ever. They've got web-bugs in them that track back to the spammers so they know they have a live one.

The fate of all mankind, I see
Is in the hands of fools
--King Crimson


#3 winigo
  • Topic Starter

  • Members
  • 40 posts

Posted 11 January 2006 - 10:49 AM

Thank you,

I have been scanning my HD wildly the past days, because I get this kind of mail almost every time I open Outlook, up to 3 mails a session.

1_ The many scans I have performed showed I had tracking cookies (---spyware.Cookie.com---spyware.cookie.207-- and other unidentified malware). I used ewido, trendmicro, adAware, among others.
They were deleted, but they or others reappear the next day.

More info I have submitted to the XP forum (I was not sure what to do, I thought it was a malfunction of some Windows program; the moderators and members told me to wait for the HJT response):



2_ I have noticed (a couple of months ago) two entries that show whenever I right-click the desktop for New:

Choosing New, I see, among the items, two entries for

--Kudo50 File type
--Kudovw File Type

Clicking on the first opens an icon with the same name which is highlighted. Nothing happens.
Clicking on the second sends an error message: "unable to create" (the said file)
"the parameter is incorrect"

Research on the internet did not give me returns, or any response that I was able to interpret...

Member usasma suggested I search my HD for entries; this is what I found:

search for kudovw :

IN FOLDER : regLocal C:\Documents and Settings\All Users\Application Data\Spybot _Search & Destroy\Backups
TYPE : Registration entries DATE MOD : 9/11/2005 SIZE : 12.8 MB

search for kudo50 :

regLocal C:\Documents and Settings\All Users\Application Data\Spybot _Search & Destroy\Backups 13,172 KB Registration entries 9/11/2005

regUsers C:\Documents and Settings\All Users\Application Data\Spybot _Search & Destroy\Backups 10,531 KB Registration entries 9/11/2005



Another question i posted was the following:

3_ I am unable to connect to the internet while in Safe Mode With Networking (I read it's best to scan for malware in safe mode). I can get mail through Outlook but it won't remember my connection username & password; I have to type it every time.
But I can't get Explorer to connect, within or without Outlook. I checked the settings with no result.
I tried as administrator; I was able to connect only once. (This computer is not shared)

Oh, and a scan with Microsoft beta scan showed I have Port 23 open, but I did not see the port by this name and am not so familiar with ports; is there something I should do?

That's about it. On my last HJT scan before this one I've been told this mail could be forwarded by another infected computer, not necessarily mine, but the scans detect something which comes back to haunt..

Any remedy, doctor? God, everything is so polluted out there..
Many thanks

PS: sorry for all these details, the moderators asked me to submit all questions after your log analysis.

winigo
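Added example (editor's code, not from either poster): the HijackThis process list in the first post includes C:\WINDOWS\System32\tlntsvr.exe, which is the Windows Telnet server service and listens on TCP 23 when it is running, so that is the first thing to check against the "Port 23 open" finding. On Windows XP Professional the two commands that answer "which process owns this port" are netstat -ano (listening sockets with owning PID) and tasklist /svc (PID to image name and hosted services). The Python below parses both outputs and joins them on PID. The sample outputs are constructed in XP's layout with invented PIDs and are not from this machine.

```python
"""Map listening TCP ports to the processes behind them from Windows XP
'netstat -ano' and 'tasklist /svc' output (added example, not from the thread).

netstat -ano gives each socket's owning PID; tasklist /svc gives each PID's image
name and the services it hosts. Joining the two turns "port 23 is open" into
"port 23 is owned by tlntsvr.exe running the TlntSvr service".
"""
from __future__ import annotations

import re

# CONSTRUCTED output in the layout Windows XP prints. PIDs and the set of
# listeners are invented for the example and are not from the poster's machine.
NETSTAT_ANO = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1208
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1172
  TCP    192.0.2.55:3382        198.51.100.9:80        ESTABLISHED     2040
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SVC = """\

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
svchost.exe                  896 RpcSs
svchost.exe                 1172 Alerter, LmHosts
tlntsvr.exe                 1208 TlntSvr
iexplore.exe                2040 N/A
"""

# UDP rows have no State column, hence the optional state group.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# Image names may contain spaces ("System Idle Process"), so match the PID column
# non-greedily from the left rather than splitting on whitespace.
TASKLIST_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*?)\s*$")


def parse_netstat(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            row = m.groupdict()
            row["lport"], row["pid"] = int(row["lport"]), int(row["pid"])
            rows.append(row)
    return rows


def parse_tasklist(text: str) -> dict[int, tuple[str, str]]:
    procs: dict[int, tuple[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group("pid"))] = (m.group("image"), m.group("services"))
    return procs


def listening_ports(netstat_text: str, tasklist_text: str) -> dict[int, dict]:
    """TCP LISTENING sockets keyed by port, joined to the owning image/services.
    'network_exposed' reflects the bind address only: 0.0.0.0 is reachable from
    the network unless a host firewall blocks it, 127.0.0.1 is loopback-only."""
    procs = parse_tasklist(tasklist_text)
    result: dict[int, dict] = {}
    for row in parse_netstat(netstat_text):
        if row["proto"] != "TCP" or row["state"] != "LISTENING":
            continue
        image, services = procs.get(row["pid"], ("<unknown>", ""))
        result[row["lport"]] = {
            "pid": row["pid"],
            "image": image,
            "services": services,
            "bind": row["laddr"],
            "network_exposed": row["laddr"] != "127.0.0.1",
        }
    return result


def explain_port(port: int, netstat_text: str, tasklist_text: str) -> str:
    info = listening_ports(netstat_text, tasklist_text).get(port)
    if info is None:
        return f"TCP {port}: nothing listening"
    where = "all interfaces" if info["network_exposed"] else "loopback only"
    return f"TCP {port}: {info['image']} (PID {info['pid']}, services: {info['services']}) on {where}"


if __name__ == "__main__":
    for port in sorted(listening_ports(NETSTAT_ANO, TASKLIST_SVC)):
        print(explain_port(port, NETSTAT_ANO, TASKLIST_SVC))
```

If the answer is TlntSvr and Telnet is not used, the standard Windows service-control commands are sc stop TlntSvr and sc config TlntSvr start= disabled (sc requires the space after start=); these are general Windows commands, not something from the thread.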

#4 Papakid
    Guru at being a Newbie

  • Malware Response Team
  • 6,522 posts
  • Gender:Male

Posted 12 January 2006 - 01:11 PM

Well, what I've read about your problem in your various threads and from looking at your log, I think your system is pretty clean and you are worrying too much, or possibly about the wrong things. The only thing that you might have to deal with are those context menu items--it appears Spybot cleaned some old infection--and I'm not finding much information on what that might be either--but there may be some leftover reg entries that you can clean up and it is always possible nowadays you still have something hidden. So let's look a bit closer and see what we can find.

You mention having ewido installed. Please update it and run a scan in safe mode--without networking. I'll explain why you don't need networking in just a bit. And when ewido finds something, don't fix it. I'm more interested in the log and if something needs fixing we'll do that later.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report.txt file to your desktop.
Now close ewido security suite and boot back into normal mode.

Perform an onlinescan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a few minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with a fresh HijackThis log.

Download WinPFind!
  • Extract WinPFind.zip to your c:\ folder.
  • Then open c:\WinPFind and double-click on WinPFind.exe.
  • When the program is open, click on the Start Scan button to start scanning your computer.
  • Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed.
  • Post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
So I need to see these logs in your next reply:

1. Ewido
2. Panda
3. PFind
4. HijackThis <--run this last.

----------------
Now as far as your questions...

I thought miekiemoes gave a pretty good explanation about those emails here:
http://www.bleepingcomputer.com/forums/ind...ndpost&p=199425

But perhaps I should elaborate so you might understand how it works more fully.

Let's say you have three people whose email addresses are:

joeblow@isp1
johndoe@isp1
janedoe@isp2

joeblow corresponds with johndoe via email but not with janedoe. Johndoe corresponds with both joeblow and janedoe, so both email addresses are in his address book.

Johndoe becomes infected with a worm. The worm installs its own mailer daemon. That means program files similar to Outlook or any other email client, which gives the worm the ability to send and receive mail through the infected machine. Although it's not much interested in receiving mail, just sending out spam or spreading itself.

The worm will open johndoe's address book, where it finds the email addresses of joeblow and janedoe. Not only will emails be sent To: those addresses, but it also has the ability to use a stolen email address in the From: field. Therefore janedoe may receive an unsolicited email and think it is from joeblow, when it was actually sent from johndoe's machine.

That method to avoid being tracked back to the infected machine is usually used by worms trying to spread the infection--but not always. Spammers have a lot of other tricks up their sleeve, first to obtain valid email addresses and subsequently to get by spam filters, etc. I just know that the emails I get are weird, but there is an obvious method to their madness. It will contain text that sounds like it comes from the Bible and has nothing to do with what is trying to be sold at all--makes no sense at first glance, but I think that's just so there is some valid text to defeat spam filters. The actual spam is in an image file, which can't really be filtered effectively. And the image file is usually a .gif, any of which can be pinged to see if your address is valid, so there's your web bug. And they'll use valid names picked randomly from a list or completely random text to defeat any filter's database of known spammers.

Point being that you don't even have to have an infected friend to get these emails. It's just something you unfortunately have to live with on the internet. To prevent it from escalating, just delete them and/or set your email client to plain text only. Or if you're curious as to who really sent the mail, open it in Message Source and examine the headers and you can look at the email body in plain text also that way. As I said earlier, never open these with html enabled while connected to the net.

Another point being that you shouldn't be worried by the fact that you are receiving mail. What's causing you to receive mail is not because there is something on your system that is sending it. I think you're confusing the two.

Nevertheless I'm a bit concerned that Port 23 is open on your system. I'm not real good with ports and stuff, but I do know it could be open for a legitimate program or an illegitimate one. As far as I know , the only legitimate use for port 23 is for Telnet. So do you use Telnet or a Telnet client?

As far as Safe Mode with Networking--that is only to be used in very special circumstances and kind of defeats the purpose of running a system in safe mode. At the moment I can't even think of a reason to want to use it with networking. Even if you do have something on your system that is sending out mail, there are files responsible for that and you don't have to be connected to find and remove them. It's true that scanning for malware is better done in safe mode so that the bad files that could be running in normal mode that could interfere with the scan aren't running. In safe mode basic drivers and processes are loaded. So networking is not needed and will actually start some processes running, which is unnecessary to find the bad files.

Also only certain systems and configurations can get connected this way. There may be some more, so don't quote me on this, but the last time I looked into it, Safe Mode with Networking was only available to XP Pro and that only if with a DSL connection. What are you running?

Bottom line, it's more trouble than it's worth. And unneeded. Let's see what the logs report so we can tell if anything needs to be cleaned up. Otherwise I think you can pat yourself on the back for keeping your system relatively secure.

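Added example (editor's code, not Papakid's or winigo's): the joeblow/johndoe/janedoe scenario above as a message janedoe's provider might receive, with the From: forged and the real origin visible only in the Received: chain, plus the web-bug check. Two points the code makes that the prose only implies: the trustworthy Received: lines are the ones added by your own provider, read from the top down, and the first hop handed in from outside it is the best estimate of the origin (lines below that can be forged by the sender, so the bottom one is not automatically the source); and the tracking comes from remote images in the HTML part, which is why viewing in plain text stops it. The message and all names, hosts and addresses are constructed; 192.0.2.x and 198.51.100.x are documentation ranges that never route.

```python
"""Header and web-bug analysis for a suspicious e-mail (added example, not from
the thread).

The From: line is whatever the sending software writes, so the only evidence of
where a message came from is the Received: chain stamped by the servers that
handled it. Only the lines your own provider added can be trusted; walk them from
the top and stop at the first hop that came in from outside.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr

# CONSTRUCTED message modelled on the joeblow/johndoe/janedoe scenario in the post.
# Names, hosts and addresses are invented; 192.0.2.x and 198.51.100.x are RFC 5737
# documentation ranges. The HELO name 'johndoe-pc' and the DSL reverse-DNS name
# are what the infected machine in the story would leave behind.
SAMPLE_MESSAGE = """\
Return-Path: <joeblow@isp1.example>
Received: from mx1.isp2.example (mx1.isp2.example [192.0.2.10])
  by mailstore.isp2.example with ESMTP id k0CF01A3
  for <janedoe@isp2.example>; Thu, 12 Jan 2006 10:00:01 -0500
Received: from johndoe-pc (dsl-198-51-100-77.isp1.example [198.51.100.77])
  by mx1.isp2.example with SMTP id k0CF00Z9;
  Thu, 12 Jan 2006 10:00:00 -0500
From: "Joe Blow" <joeblow@isp1.example>
To: <janedoe@isp2.example>
Subject: Re: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="part-boundary"

--part-boundary
Content-Type: text/plain; charset="us-ascii"

And the light shineth in darkness; and the darkness comprehended it not.

--part-boundary
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>And the light shineth in darkness; and the darkness comprehended it not.</p>
<img src="http://tracker.example/offer.gif" width="400" height="300">
<img src="http://tracker.example/open.gif?r=janedoe%40isp2.example" width="1" height="1">
</body></html>

--part-boundary--
"""

# 'from <helo> (<rdns> [<ip>])': helo is sender-supplied, rdns and ip are recorded
# by the receiving server and therefore only as trustworthy as that server.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]",
    re.IGNORECASE,
)
IMG_TAG = re.compile(r"<img\b[^>]*\bsrc=[\"']?(?P<url>https?://[^\"'\s>]+)[^>]*>", re.IGNORECASE)
ONE_PIXEL = re.compile(r"\b(?:width|height)=[\"']?1[\"']?(?!\d)", re.IGNORECASE)


def received_hops(msg) -> list[dict]:
    """The 'from' side of each Received: header, newest (top) first."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(str(raw))
        if m:
            hops.append(m.groupdict())
    return hops


def origin_hop(hops: list[dict], trusted_suffix: str) -> dict | None:
    """First hop handed in by a host outside our provider. Lines below it may have
    been forged by the sender, so the oldest line is not automatically the origin."""
    for hop in hops:
        rdns = (hop.get("rdns") or "").lower()
        if not rdns.endswith(trusted_suffix.lower()):
            return hop
    return None


def html_images(msg) -> list[tuple[str, str]]:
    """(tag, url) for every remote image in the HTML part(s)."""
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            found.extend((m.group(0), m.group("url")) for m in IMG_TAG.finditer(part.get_content()))
    return found


def web_bugs(msg) -> list[str]:
    """Remote images that are 1x1 or carry a per-recipient query string: rendering
    them tells the sender the address is live. A plain-text view never fetches them."""
    return [url for tag, url in html_images(msg) if "?" in url or len(ONE_PIXEL.findall(tag)) == 2]


def analyze(raw: str, trusted_suffix: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_hops(msg)
    origin = origin_hop(hops, trusted_suffix)
    return {
        "from_addr": parseaddr(str(msg["From"]))[1],
        "hops": len(hops),
        "origin_ip": origin["ip"] if origin else None,
        "origin_rdns": origin.get("rdns") if origin else None,
        "helo_name": origin["helo"] if origin else None,
        "remote_images": [url for _, url in html_images(msg)],
        "web_bugs": web_bugs(msg),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MESSAGE, "isp2.example").items():
        print(f"{key:<14} {value}")
```

The trusted suffix is the reader's own provider (janedoe's isp2 here); the origin IP and its reverse-DNS name are what an abuse report to isp1 would cite, and the HELO name is a hint about the sending host, nothing more, since the sender chooses it.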


#5 winigo
  • Topic Starter

  • Members
  • 40 posts

Posted 12 January 2006 - 06:28 PM

Hi Papakid,
thank you, your explanations helped me understand the cryptic (bible and such) references and how it works.


--I was not able to run Panda; the system wouldn't let the ActiveX be downloaded. I checked & changed settings in IE security levels and custom levels, closed antivirus & firewall even, restarted X times, just can't do it, sorry, don't know what's happening. It used to be no problem...

--running XP Pro (with Safe Mode with Networking), but you explained why I don't really need it, thanks, although it bugs

----Port 23, no I don't use Telnet (according to the definition I found), I will try to find info.

Thanks for everything,
Here are the scans : (except for Panda..)

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:19:46 PM, 1/12/2006
+ Report-Checksum: 584CC02C

+ Scan result:

No infected objects found.


::Report End
-------------------------------------

winPFind

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 12/6/2005 1:34:10 PM 16693765 C:\WINDOWS\LPT$VPN.985
qoologic 12/6/2005 1:34:10 PM 16693765 C:\WINDOWS\LPT$VPN.985
SAHAgent 12/6/2005 1:34:10 PM 16693765 C:\WINDOWS\LPT$VPN.985
UPX! 12/1/2005 6:18:04 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 12/6/2005 1:34:10 PM 16693765 C:\WINDOWS\VPTNFILE.985
qoologic 12/6/2005 1:34:10 PM 16693765 C:\WINDOWS\VPTNFILE.985
SAHAgent 12/6/2005 1:34:10 PM 16693765 C:\WINDOWS\VPTNFILE.985
UPX! 12/6/2005 1:34:12 PM 1077328 C:\WINDOWS\vsapi32.dll
aspack 12/6/2005 1:34:12 PM 1077328 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
qoologic 4/10/2005 7:47:58 PM 10117710 C:\WINDOWS\SYSTEM32\ACTIVESCANPAV.SIG
aspack 4/10/2005 7:47:58 PM 10117710 C:\WINDOWS\SYSTEM32\ACTIVESCANPAV.SIG
SAHAgent 4/10/2005 7:47:58 PM 10117710 C:\WINDOWS\SYSTEM32\ACTIVESCANPAV.SIG
winsync 4/10/2005 7:47:58 PM 10117710 C:\WINDOWS\SYSTEM32\ACTIVESCANPAV.SIG
UPX! 12/20/2005 7:21:38 AM 481280 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 10/4/2001 2:13:42 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 4/11/2001 8:13:46 PM 331776 C:\WINDOWS\SYSTEM32\ipebase12.dll
PECompact2 1/4/2006 10:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 10:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
qoologic 4/10/2005 8:32:14 PM 10117710 C:\WINDOWS\SYSTEM32\pav.sig
aspack 4/10/2005 8:32:14 PM 10117710 C:\WINDOWS\SYSTEM32\pav.sig
SAHAgent 4/10/2005 8:32:14 PM 10117710 C:\WINDOWS\SYSTEM32\pav.sig
winsync 4/10/2005 8:32:14 PM 10117710 C:\WINDOWS\SYSTEM32\pav.sig
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 10/4/2001 2:16:34 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/12/2006 5:30:56 PM S 2048 C:\WINDOWS\bootstat.dat
1/9/2006 9:44:32 PM HS 7168 C:\WINDOWS\Thumbs.db
1/8/2006 2:17:54 PM S 64 C:\WINDOWS\CSC\00000001
11/29/2005 11:01:44 AM S 64 C:\WINDOWS\CSC\00000002
11/30/2005 9:35:56 PM H 10820 C:\WINDOWS\Help\update.GID
1/9/2006 9:44:56 PM HS 5120 C:\WINDOWS\ShellNew\Thumbs.db
1/9/2006 9:44:58 PM HS 8704 C:\WINDOWS\system32\Thumbs.db
1/12/2006 5:36:16 PM H 35870 C:\WINDOWS\system32\vsconfig.xml
12/1/2005 4:39:58 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
11/30/2005 11:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 7:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 6:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/12/2006 5:37:20 PM H 1024 C:\WINDOWS\system32\config\default.LOG
1/12/2006 5:31:08 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
1/12/2006 5:41:06 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
1/12/2006 5:40:04 PM H 1024 C:\WINDOWS\system32\config\software.LOG
1/12/2006 5:40:06 PM H 1024 C:\WINDOWS\system32\config\system.LOG
1/11/2006 10:56:12 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
1/12/2006 5:31:00 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 10/4/2001 2:14:58 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 10/4/2001 2:15:22 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 10/6/2003 2:16:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 10/4/2001 2:15:34 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 8:20:50 AM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Wacom Technology, Corp. 4/5/2001 7:42:04 AM 872448 C:\WINDOWS\SYSTEM32\Tablet.cpl
Microsoft Corporation 10/4/2001 2:16:20 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 10/4/2001 2:14:58 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 10/4/2001 2:15:22 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 10/4/2001 2:15:34 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 10/4/2001 2:16:20 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
NVIDIA Corporation 7/28/2003 2:19:00 PM 143360 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\nvtuicpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/11/2006 11:35:38 AM 986 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
9/3/2005 1:30:40 PM 1609 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/20/2003 7:20:44 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/20/2003 7:34:46 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/20/2003 3:06:46 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
8/20/2003 7:20:44 PM HS 84 C:\Documents and Settings\JC\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/3/2005 1:13:14 PM 2103 C:\Documents and Settings\JC\Application Data\AdobeDLM.log
8/20/2003 3:06:46 PM HS 62 C:\Documents and Settings\JC\Application Data\desktop.ini
9/3/2005 1:13:14 PM 0 C:\Documents and Settings\JC\Application Data\dm.ini
12/28/2004 12:03:28 PM 20328 C:\Documents and Settings\JC\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = D:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PicaView
{68f32140-2ca3-11d0-acc1-444553540000} = D:\PROGRA~1\PicaView\PicaView.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = D:\PROGRA~1\A2FREE~1\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = D:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= D:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = D:\Program Files\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : D:\Program Files\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
QuickTime Task "D:\program files\QuickTime\qttask.exe" -atboottime
Zone Labs Client D:\Program Files\ZoneAlarm\zlclient.exe
SunJavaUpdateSched D:\Program Files\bin\jusched.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
updateMgr C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_1
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs C:\WINDOWS\system32\wmfhotfix.dll


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/12/2006 5:47:47 PM

..............................
HijackThis


Logfile of HijackThis v1.99.1
Scan saved at 5:53:44 PM, on 1/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\dllhost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\program files\QuickTime\qttask.exe
D:\Program Files\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
D:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
D:\_HijackThis\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\bin\jusched.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .psd: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin9.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095424758007
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37460.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


That's it

:thumbsup:

After my reply, I rescanned with A-squared: found 2 malware files (eliminated)
in C:\Doc & Settings\JC\Cookies

----jc@realmedia[1].txt
----jc@statcounter[2].txt

winigo

Edited by winigo, 13 January 2006 - 11:09 AM.
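The HijackThis entries above are read by hand in this thread; the script below, an added example that is not part of the thread or of HijackThis, parses lines in that format and flags the ones a helper looks at first, such as the O20 AppInit_DLLs entry and the services marked "(file missing)". SAMPLE_LOG is a constructed subset of the entries posted above, and the flagging rules are this example's own assumptions.

```python
"""Triage HijackThis 1.99.1 log entries.

Added example for this thread, not part of HijackThis or of the original
post.  SAMPLE_LOG is a constructed subset of the entries posted above, in the
HJT line format; the flagging heuristics are this example's own assumptions.
"""
import re
from typing import Dict, List

SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\\Program Files\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\wmfhotfix.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# Every HJT entry starts with a section tag (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# An O16 (Download Program Files) entry with a control name looks like
# 'DPF: {CLSID} (Name) - URL'; one without a name goes straight to the URL.
O16_NAMED_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \(.+\) - ")


def flag(section: str, body: str) -> List[str]:
    """Return review flags for one entry (heuristics are this example's own)."""
    flags: List[str] = []
    if "(file missing)" in body:
        flags.append("file_missing")  # dangling reference: cleanup candidate
    if section == "O20" and body.startswith("AppInit_DLLs"):
        flags.append("appinit_dll")  # loaded into every GUI process: always review
    if section == "O16" and not O16_NAMED_RE.match(body):
        flags.append("unnamed_activex")  # downloaded ActiveX control with no name
    if section == "O23" and "Unknown owner" in body:
        flags.append("unsigned_or_unknown_service")  # no vendor on the service binary
    return flags


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse HJT entry lines into records; header and process-list lines are skipped."""
    records: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        records.append({"section": section, "body": body, "flags": flag(section, body)})
    return records


def flagged(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only the entries that carry at least one review flag."""
    return [r for r in records if r["flags"]]


if __name__ == "__main__":
    for rec in flagged(triage(SAMPLE_LOG)):
        print(rec["section"], ", ".join(rec["flags"]), "->", rec["body"][:60])
```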


#6 Papakid (Malware Response Team)

Posted 16 January 2006 - 01:11 AM

Hi winigo, sorry for the delay in getting back to you.

I don't see anything in your logs. Try this tho.

Download and Save Blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
*Double-click blbeta.exe then accept the agreement.
*Leave [X]scan through windows explorer checked,
*Click Scan then Next.
*When the scan is complete you'll see a list of all items found. Don't choose rename yet! I want to see the log first, because legit items such as "wbemtest.exe" can also be present.
*There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Download Registry Search.

- Create a new folder on your desktop named Regsearch
- Extract regsearch.zip file to the newly created folder.
- Open the Regsearch folder and double click regsearch.exe to start the program.
- Use copy and paste to enter the following bold text to search for and click OK.

Kudo50
Kudovw


- Notepad will be opened with text in it (the file will also be saved in the Regsearch folder as well).

Post this text in your next reply.

I can understand how safe mode with networking can bug you, but I don't have much of an idea what is wrong. Do you have a DSL connection?

Don't worry about those cookies. Like spam everyone gets em and they are pretty harmless.

To find out what's using port 23, download TCPView:

http://www.sysinternals.com/Utilities/TcpView.html

Unzip and run it. The numbers are port numbers. In the left hand column you'll see file/process name. So you need to look for the number 23. The port may not be open all the time, so if it's not there, let it run and watch it for a while. Changes will be highlighted in different colors. If you see port 23 open, quickly go to File>Save, give the file a name and save it to your desktop as a .txt file. Copy and paste the one line having to do with port 23 and post it here. It's not a good idea to post the whole list.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
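The port 23 check above relies on TCPView's port-to-process mapping; as an added example that is not from the thread, the script below does the same join offline over saved `netstat -ano` and `tasklist /fo csv` output, so the one relevant line can be found without watching the live view. The two snapshots are constructed; they include tlntsvr.exe, the Windows Telnet Server, because that image appears in the running-process list posted earlier in this thread and Telnet listens on TCP 23 by default.

```python
"""Map a listening TCP port to its owning process from 'netstat -ano' and
'tasklist /fo csv' output.  Added example, not from the thread; both snapshots
below are constructed to resemble Windows XP output of those two commands."""
import csv
import io
from typing import Dict, List

# Constructed 'netstat -ano' snapshot (Proto, Local, Foreign, [State], PID).
NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1244
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:1034         127.0.0.1:1035         ESTABLISHED     1580
  TCP    192.168.1.10:1036      64.233.167.99:80       ESTABLISHED     1580
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed 'tasklist /fo csv' snapshot; PIDs line up with NETSTAT_SAMPLE.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","900","Console","0","4,912 K"
"tlntsvr.exe","1244","Console","0","3,104 K"
"iexplore.exe","1580","Console","0","21,640 K"
"""


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Return one record per TCP/UDP row; UDP rows have no State column."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        addr, port = f[1].rsplit(":", 1)  # rsplit keeps IPv6 '[::]:23' intact
        rows.append({"proto": f[0], "addr": addr, "port": int(port),
                     "state": f[3] if f[0] == "TCP" else "", "pid": int(f[-1])})
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """PID -> image name from the CSV form of tasklist."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def listeners_on(port: int, netstat_text: str, tasklist_text: str) -> List[Dict[str, object]]:
    """TCP listeners on `port`, each joined with the owning image name."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for r in parse_netstat(netstat_text):
        if r["port"] == port and r["state"] == "LISTENING":
            hits.append({**r, "image": images.get(r["pid"], "<unknown pid>")})
    return hits


if __name__ == "__main__":
    for h in listeners_on(23, NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{h['proto']} {h['addr']}:{h['port']} pid={h['pid']} image={h['image']}")
```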


#7 winigo (Topic Starter)

Posted 17 January 2006 - 02:17 PM

Hi, thank you.

Download link failure: I'm using Internet Explorer 6.0.2900... SP2, and this is the message I get every time I click the link:

404 ERROR: Page Not Found!
The requested page http://www.bleepingcomputer.com/files/misc/regsearch.zip could not be found on this server.


BLACKLIGHT report:

01/16/06 18:06:24 [Info]: BlackLight Engine 1.0.30 initialized
01/16/06 18:06:24 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/16/06 18:06:24 [Note]: 7019 4
01/16/06 18:06:24 [Note]: 7005 0
01/16/06 18:09:07 [Note]: 7006 0
01/16/06 18:09:07 [Note]: 7011 3620
01/16/06 18:09:07 [Note]: FSRAW library version 1.7.1014
01/16/06 18:10:27 [Note]: 7007 0

Reg search report:
REGEDIT4

; Registry Search by Bobbi Flekman 2005
; Version: 1.0.2.4

; Results at 1/17/2006 1:27:08 PM for strings:
; 'kudo50'
; 'kudovw'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.*]
@="KudovwFileType"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hsn]
@="Kudo50HashFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.kdn]
@="Kudo50FileType"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9322A7C1-2824-11D0-9FA5-00001B169E24}]
@="Kudo50 File Type"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9322A7C1-2824-11D0-9FA5-00001B169E24}\ProgID]
@="Kudo50FileType"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9322A7C2-2824-11D0-9FA5-00001B169E24}]
@="Kudo50FileType"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DataTransferObject32]
@="Kudo50 File Type"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50FileType]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50FileType]
@="Kudo50 File Type"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50FileType\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50FileType\DefaultIcon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50FileType\shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50FileType\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50FileType\shell\open\command]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50FileType\shell\print]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50FileType\shell\print\command]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50FileType\shell\printto]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50FileType\shell\printto\command]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50HashFile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50HashFile]
@="Kudo50Hash File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50HashFile\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kudo50HashFile\DefaultIcon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType]
@="Kudovw File Type"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType\DefaultIcon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType\DefaultIcon]
@="f:\\win_kudo\\program\\KUDOVW50.EXE,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType\shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType\shell\open\command]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType\shell\open\command]
@="f:\\win_kudo\\program\\KUDOVW50.EXE \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType\shell\print]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType\shell\print\command]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType\shell\print\command]
@="f:\\win_kudo\\program\\KUDOVW50.EXE /p \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType\shell\printto]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType\shell\printto\command]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KudovwFileType\shell\printto\command]
@="f:\\win_kudo\\program\\KUDOVW50.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""

[HKEY_USERS\S-1-5-21-2000478354-746137067-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\fnd]
"a"="C:\\Documents and Settings\\JC\\My Documents\\Files containing text Kudovw.fnd"

[HKEY_USERS\S-1-5-21-2000478354-746137067-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\fnd]
"b"="C:\\Documents and Settings\\JC\\My Documents\\Files containing text Kudo50.fnd"

[HKEY_USERS\S-1-5-21-2000478354-746137067-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdn\OpenWithProgids]
"Kudo50FileType"=hex(0):

; End Of The Log...


I also looked at TCPView (port 23):
all the port numbers I saw were in the 700 to 1034 range.
I let it run a while yesterday and today; I did not find any 23 or close.

In reference to Safe Mode (with networking): I use cable (high speed).

lots of kudos...
bye

#8 Grinler (Lawrence Abrams, Admin)

Posted 18 January 2006 - 11:03 AM

winigo,

Papakid is going away and asked that I pick up your log. I am assuming you want to remove the KUDOVW50.EXE from showing up when you opt to make a file?

If so, download the attached reg file and save it to your desktop. Then double-click on fix.reg and merge the data into your registry. It should be gone now.

As for port 23, if TCPView is not seeing it as open, then that port isn't open.

Attached file: fix.reg (602 bytes, 11 downloads)


#9 winigo (Topic Starter)

Posted 19 January 2006 - 10:58 AM

Thanks,
the fix worked well,
the entry seems to have disappeared entirely.

w

:thumbsup:

#10 Grinler (Lawrence Abrams, Admin)

Posted 19 January 2006 - 01:19 PM

Does the computer feel back to normal?

#11 winigo (Topic Starter)

Posted 19 January 2006 - 01:36 PM

It's been fine for 24 hrs now,

the -kudown- files have been deleted apparently,
the entries are no longer visible on the desktop items to click.

I still get the spam mail; it seems I should just get used to it.
From what I've been told, it's a fact of digital life..
What if one accidentally opens one? No fun.

Has it really gone that bad... thanks

#12 Papakid (Malware Response Team)

Posted 20 January 2006 - 12:53 AM

Hi winigo,

I had to go to an out of town funeral, so thanks to Grinler for covering for me.

You're all clean, and as you may have noticed I've reopened some of your threads in the other forums to help out with some of the questions you've asked here that aren't malware related.

There are a couple of loose ends to tie up.

Your problem with Panda. Did you have a problem with the ActiveX downloading? If so was it just the Panda ActiveX or do you have problems with other ActiveX? You may have it blocked with Zone Alarm if you're running ZA Pro.

The reason I ask is because you still have the unofficial WMF patch running on your system. If you have the Windows WMF patch installed, you don't need the unofficial one, and should uninstall it through Add/Remove Programs.

But you need to be sure you have all the latest updates for Windows first. And you need ActiveX to get the updates. So have you updated yet and if so, did you have any problems?



#13 winigo (Topic Starter)

Posted 20 January 2006 - 04:55 PM

Thanks, I had forgotten about the patch, and uninstalled it now.

I haven't had an ActiveX download problem before, and things seem normal. I have ZoneAlarm Free; I'm not sure it has control over that.
I usually give it the permissions as they occur.

The settings were even too permissive (I gave more latitude to see if it helped then, and ZoneAlarm reminded me yesterday that I should restore them to a more secure level)..

I find it a bit ambiguous the way the setting is presented in Custom Level (IE options):

"Automatic prompting for ActiveX controls -- enable/disable"
(You enable/disable the prompting in this case, not the ActiveX.)

Maybe it's me..

I should test the Panda scan again later, just to see;
need a break now..

thanx
winigo

#14 Papakid (Malware Response Team)

Posted 20 January 2006 - 08:45 PM

OK, well, I'm not sure if there's much of anything to be done for Panda. Different people seem to have problems with different online scanners--I can't seem to get Housecall to run. You seem to be on your toes enough that you probably don't need to run more than one or two online scans as a second opinion for Avast more than once a week. And there are plenty out there to choose from.

You've probably already seen this, but you can see the recommended ActiveX and other Custom settings here:
http://www.bleepingcomputer.com/forums/ind...?showtopic=1628

You should really consider running Firefox. You have to use a plugin to run ActiveX, but it's much safer without it. More features than IE and you can use it most of the time and just use IE when you need it.

Something else you should know. You've done a good job if you're only getting two or three spam emails a day. Most people get much more than that, even over 100. If you keep your system updated and secure, 90% of the time you won't get infected from just opening a dodgy email. The worst that can happen is that a web bug will phone home so that the spammers know to send more spam. And I know you know not to open executable attachments. :thumbsup:

So I think we're about done here. If there is nothing else I'll close this thread. :flowers:



#15 winigo (Topic Starter)

Posted 21 January 2006 - 11:38 AM

thanx!! I will study and meditate on your advice(s),
my cup is full from the past week,
take it easy,
bye



