
Trace.registry_question & Hjthis Log


7 replies to this topic

#1 winigo

winigo

  • Members
  • 40 posts

Posted 17 July 2006 - 08:31 PM

Hello,

I am finding 6 so-called malware files every day: Trace.Registry.Remote-Anything.
They are detected and removed by the A-squared daily scan and are back the next day. I wonder if I should do anything about it.
A search on the matter says:

Registry traces are known references of Spyware/Adware which are stored in the Windows registry database. Traces may be autorun keys which make Spyware/Adware run automatically on Windows startup. Traces may also be registrations of Spyware/Adware DLL files which are registered to hijack the Windows Explorer or the web browser.

Important: Traces cannot be harmful by definition. They are only some kind of helpers to enable Malware to be installed and run on your computer.

The scan report says:

Filename Diagnosis
Value: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Slave\Enum --> 0 Trace.Registry.Remote-Anything
Value: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Slave\Enum --> Count Trace.Registry.Remote-Anything
Value: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Slave\Enum --> NextInstance Trace.Registry.Remote-Anything
Value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Slave\Enum --> 0 Trace.Registry.Remote-Anything
Value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Slave\Enum --> Count Trace.Registry.Remote-Anything
Value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Slave\Enum --> NextInstance Trace.Registry.Remote-Anything

What would you advise?
I included a HijackThis scan below in case you ask.

Thank you very much
winigo

Logfile of HijackThis v1.99.1
Scan saved at 9:17:21 PM, on 7/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
D:\Program Files\bin\jusched.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
D:\_HijackThis\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095424758007
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37460.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://abletranslations.webex.com/client/T...ort/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Bye
:thumbsup:



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 28 July 2006 - 05:18 PM

Hello winigo and welcome to the BC HijackThis forum. The log looks good. I do not see any signs of viruses or malware in it.

A2 occasionally flags legitimate registry keys as false positives and it seems that any key it does find (legitimate or not) it shows as Trace.Registry. Let's see what information that key holds and if it is bad or not.

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.

Now download CCS_Slave.def to the WinPFind2\Plugins folder. NOTE: To download, right-click on the link and choose Save Link As from the menu.
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • In the AddOn-Options box click the checkbox for
    • CCS_Slave.def
    to select it.
  • Now click the Add On's tab and then click the Run AddOn's button.
  • When the scan is complete click Configuration tab and then click the Export To Text button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to post the information back here.

I will review the information when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 winigo

winigo
  • Topic Starter

  • Members
  • 40 posts

Posted 04 August 2006 - 01:06 PM

Sorry, OldTimer, for not answering quickly; since there was no urgency, I let it rest.
I had stuff to do.

I had some time today but had trouble with your procedure,
specifically with the CCS def link, which showed an error message.

Maybe I waited too long, in which case please excuse me.
If you think it necessary to look for those traces, I'll gladly try again
as soon as I get the good link.

No problem if you lost patience, I understand that.

Thank you for everything

w

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 August 2006 - 07:21 AM

Hi winigo. I don't think we'll find anything but let's have a look just to be safe.

WinPFind2 has been updated (that's why there was a problem). Delete your current WinPFind2 folder and then do the following:

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.

Now download CCS_Slave.def to the WinPFind2\Plugins folder. NOTE: To download, right-click on the link and choose Save Link As from the menu.
  • Open the folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings and then in the AddOn-Options box click the checkboxes for
    • CCS_Slave.def
    to select them.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to post the information back here.

I will review the information when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

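OldTimer's point in posts #2 and #4 is that a-squared reports whatever it finds under that key as a Trace.Registry entry, so the only way to judge the alert is to look at what the Slave service key actually holds, which is what the WinPFind2 CCS_Slave.def plugin dumps. The PowerShell below is an added example, not WinPFind2 or its plugin, that gathers the same information a reviewer would look at: the service's ImagePath, start type and account, the values in the Enum subkey the scanner flagged, and whether the binary the service points at exists, who built it and whether it is signed. The service name Slave comes from the scan report in post #1; the function name Get-ServiceKeyReport is mine, and the script assumes PowerShell 3 or later run from an elevated prompt.

```powershell
# Added example (not part of the thread or of WinPFind2): report what a service's
# registry key holds so a flagged "Enum" trace can be judged on its own merits.
function Get-ServiceKeyReport {
    param([Parameter(Mandatory = $true)][string]$ServiceName)

    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $report = [ordered]@{ Key = $base; Exists = (Test-Path $base) }
    if (-not $report.Exists) { return [PSCustomObject]$report }

    # Core service definition: what runs, how it starts, what kind of object it is.
    $svc = Get-ItemProperty -Path $base
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $report.DisplayName = $svc.DisplayName
    $report.ImagePath   = $svc.ImagePath
    $report.Start       = if ($null -ne $svc.Start) { $startNames[[int]$svc.Start] } else { $null }
    $report.Type        = $svc.Type        # 1 = kernel driver, 2 = file system driver, 16/32 = Win32 service
    $report.ObjectName  = $svc.ObjectName  # account the service runs as (drivers usually have none)

    # Enum subkey: Plug and Play's record of device instances bound to this driver.
    # Values named 0, 1, ... hold device instance paths; Count and NextInstance are
    # counters. These are the three values a-squared flagged in the thread; on their
    # own they say nothing about whether the service is wanted.
    $enumKey = Join-Path $base 'Enum'
    if (Test-Path $enumKey) {
        $enum = Get-ItemProperty -Path $enumKey
        $report.Enum = ($enum.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }

    # Resolve the executable the service actually points at. ImagePath may carry
    # the \??\ or \SystemRoot\ NT prefixes, a bare system32\ relative path,
    # quotes, or trailing arguments such as "-k netsvcs".
    if ($svc.ImagePath) {
        $path = [Environment]::ExpandEnvironmentVariables($svc.ImagePath)
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"
        if ($path -match '^"([^"]+)"') { $path = $Matches[1] }   # quoted executable
        else { $path = ($path -split ' -| /')[0].Trim() }        # unquoted: drop arguments
        $report.File       = $path
        $report.FileExists = Test-Path $path
        if ($report.FileExists) {
            # A missing file, an unknown publisher or an unsigned binary in an
            # unusual location is what merits a closer look, not the Enum counters.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $report.Company   = (Get-Item $path).VersionInfo.CompanyName
            $report.Signature = $sig.Status
            $report.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
    return [PSCustomObject]$report
}

# Usage: the service name a-squared reported in post #1.
Get-ServiceKeyReport -ServiceName 'Slave' | Format-List
```

If the key does not exist the report just says so; if it does, compare the Company and Signature fields with what you expect for that product before deciding anything about the Enum values, which is the same judgement OldTimer makes from the WinPFind2 output in the next post.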

#5 winigo

winigo
  • Topic Starter

  • Members
  • 40 posts

Posted 05 August 2006 - 11:15 AM

Thank you OT, the report:

Logfile created on: 08/05/2006 12:10
WinPFind2 by OldTimer - Version 1.0.1 Folder = C:\Documents and Settings\JC\Desktop\winpfind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


<Processes>
c:\windows\system32\alg.exe - (Microsoft Corporation )
d:\progra~1\alwils~1\avast4\ashdisp.exe - ( )
d:\program files\alwil software\avast4\ashserv.exe - ( )
d:\program files\alwil software\avast4\aswupdsv.exe - ( )
\??\c:\windows\system32\csrss.exe - (Microsoft Corporation )
c:\windows\system32\ctfmon.exe - (Microsoft Corporation )
c:\windows\system32\dllhost.exe - (Microsoft Corporation )
c:\windows\system32\dllhost.exe - (Microsoft Corporation )
c:\windows\system32\dmadmin.exe - (Microsoft Corp., Veritas Software )
c:\windows\explorer.exe - (Microsoft Corporation )
c:\program files\internet explorer\iexplore.exe - (Microsoft Corporation )
d:\program files\bin\jusched.exe - (Sun Microsystems, Inc. )
c:\windows\system32\lexbces.exe - (Lexmark International, Inc. )
c:\windows\system32\lexpps.exe - (Lexmark International, Inc. )
c:\windows\system32\locator.exe - (Microsoft Corporation )
c:\windows\system32\lsass.exe - (Microsoft Corporation )
c:\program files\common files\microsoft shared\vs7debug\mdm.exe - (Microsoft Corporation )
c:\windows\system32\msdtc.exe - (Microsoft Corporation )
c:\windows\system32\nvsvc32.exe - (NVIDIA Corporation )
c:\program files\microsoft office\office10\outlook.exe - (Microsoft Corporation )
c:\windows\system32\rundll32.exe - (Microsoft Corporation )
c:\windows\system32\scardsvr.exe - (Microsoft Corporation )
c:\windows\system32\services.exe - (Microsoft Corporation )
\systemroot\system32\smss.exe - (Microsoft Corporation )
c:\windows\system32\spoolsv.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\tablet.exe - (Wacom Technology, Corp. )
c:\windows\system32\tlntsvr.exe - (Microsoft Corporation )
c:\windows\system32\zonelabs\vsmon.exe - (Zone Labs, LLC )
c:\windows\system32\vssvc.exe - (Microsoft Corporation )
c:\windows\system32\wdfmgr.exe - (Microsoft Corporation )
\??\c:\windows\system32\winlogon.exe - (Microsoft Corporation )
c:\documents and settings\jc\desktop\winpfind2\winpfind2.exe - (OldTimer Tools )
c:\program files\microsoft office\office10\winword.exe - (Microsoft Corporation )
c:\windows\system32\wbem\wmiapsrv.exe - (Microsoft Corporation )
c:\windows\system32\wscntfy.exe - (Microsoft Corporation )
d:\program files\zonealarm\zlclient.exe - (Zone Labs, LLC )

<Registry Entries>

Version Info
WinPFind2 by OldTimer - Version 1.0.1 -
Microsoft Windows XP Version = Service Pack 2 -
Internet Explorer Version = 6.0.2900.2180 -

Internet Explorer Settings
Start Page - http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
Search Page -
Default Page - http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
Default Search - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
Local Page - %SystemRoot%\system32\blank.htm
Start Page - http://www.google.ca/
Search Page -
Local Page - C:\WINDOWS\system32\blank.htm
ProxyEnable - 0
ProxyOverride -

BHO's
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated )
{53707962-6F74-2D53-2644-206D7942484F} - = D:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited )
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = D:\Program Files\bin\ssv.dll (Sun Microsystems, Inc. )

Internet Explorer Bars, Toolbars and Extensions
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{21569614-B795-46B1-85F4-E737A8DC09AD} - Shell Search Band = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
{30D02401-6A81-11D0-8274-00C04FD5AE38} - Search Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{32683183-48a0-441b-a342-7c2a440a9478} - = (File not found))
{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
{2318C2B1-4965-11D4-9B18-009027A5CD4F} - = (File not found))
E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation )

Approved Shell Extensions (Non-Microsoft only)
{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\System32\nvshell.dll (NVIDIA Corporation )
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - = C:\WINDOWS\System32\nvshell.dll (NVIDIA Corporation )
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
{472083B0-C522-11CF-8763-00608CC02F24} - avast = D:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software )
{68f32140-2ca3-11d0-acc1-444553540000} - PicaView Shell Extension = D:\PROGRA~1\PicaView\PicaView.dll (ACD Systems, Ltd. )
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
{AB77609F-2178-4E6F-9C4B-44AC179D937A} - a² Context Menu Shell Extension = D:\PROGRA~1\A2FREE~1\A2CONT~1.DLL ( )
{E0D79304-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79305-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79306-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc. )

ContextMenuHandlers (Non-Microsoft only)
avast - {472083B0-C522-11CF-8763-00608CC02F24} = D:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software )
PicaView - {68f32140-2ca3-11d0-acc1-444553540000} = D:\PROGRA~1\PicaView\PicaView.dll (ACD Systems, Ltd. )
WinZip - {E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc. )
a2ContMenu - {AB77609F-2178-4E6F-9C4B-44AC179D937A} = D:\PROGRA~1\A2FREE~1\A2CONT~1.DLL ( )
avast - {472083B0-C522-11CF-8763-00608CC02F24} = D:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software )
WinZip - {E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc. )
WinZip - {E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc. )

ColumnHandlers (Non-Microsoft only)
{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )

Registry Run Keys
avast! - D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe ( )
NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (File not found))
nwiz - nwiz.exe /install (NVIDIA Corporation )
SunJavaUpdateSched - D:\Program Files\bin\jusched.exe (Sun Microsystems, Inc. )
Zone Labs Client - "D:\Program Files\ZoneAlarm\zlclient.exe" (Zone Labs, LLC )
IMAIL - Installed = 1
MAPI - Installed = 1
MSFS - Installed = 1
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
NvMediaCenter - RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (File not found))

Startup Lnks
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc. )
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated )
desktop.ini - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ( )
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation )
desktop.ini - C:\Documents and Settings\JC\Start Menu\Programs\Startup\desktop.ini ( )

Disabled MSConfig Items

User Agent Post Platform
SV1 -

AppInit DLLs
AppInit_DLLs - (File not found))

Image File Execution Options
Your Image File Name Here without a path - Debugger = ntsd -d

Shell Service Object Delay Load
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

Shell Execute Hooks
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

Shared Task Scheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

Winlogon
UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
Shell - Explorer.exe (Microsoft Corporation )
System - (File not found))
crypt32chain - crypt32.dll (Microsoft Corporation )
cryptnet - cryptnet.dll (Microsoft Corporation )
cscdll - cscdll.dll (Microsoft Corporation )
ScCertProp - wlnotify.dll (Microsoft Corporation )
Schedule - wlnotify.dll (Microsoft Corporation )
sclgntfy - sclgntfy.dll (Microsoft Corporation )
SensLogn - WlNotify.dll (Microsoft Corporation )
termsrv - wlnotify.dll (Microsoft Corporation )
wlballoon - wlnotify.dll (Microsoft Corporation )

DNS Name Servers
{31E789D4-DB81-4640-875A-5DF82A71CC7F} - (WebSTAR DPX110)
{AE9D917E-9280-4094-8026-EA558452CBA1} - (Intel® PRO/100 VE Network Connection)

Winsock2 Catalogs (Non-Microsoft only)

Protocol Handlers (Non-Microsoft only)
ipp - (File not found))
msdaipp - (File not found))

Protocol Filters (Non-Microsoft only)

<Services>
Application Layer Gateway Service - ALG - Automatic - Running - C:\WINDOWS\System32\alg.exe (Microsoft Corporation )
Application Management - AppMgmt - Automatic - Running - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
avast! iAVS4 Control Service - aswUpdSv - Automatic - Running - "D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" ( )
Windows Audio - AudioSrv - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
avast! Antivirus - avast! Antivirus - Automatic - Running - "D:\Program Files\Alwil Software\Avast4\ashServ.exe" ( )
Computer Browser - Browser - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
COM+ System Application - COMSysApp - Automatic - Running - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (Microsoft Corporation )
Cryptographic Services - CryptSvc - Automatic - Running - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
DCOM Server Process Launcher - DcomLaunch - Automatic - Running - C:\WINDOWS\system32\svchost -k DcomLaunch (Microsoft Corporation )
DHCP Client - Dhcp - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Logical Disk Manager Administrative Service - dmadmin - Automatic - Running - C:\WINDOWS\System32\dmadmin.exe /com (Microsoft Corp., Veritas Software )
Logical Disk Manager - dmserver - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
DNS Client - Dnscache - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k NetworkService (Microsoft Corporation )
Error Reporting Service - ERSvc - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Event Log - Eventlog - Automatic - Running - C:\WINDOWS\system32\services.exe (Microsoft Corporation )
COM+ Event System - EventSystem - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Fast User Switching Compatibility - FastUserSwitchingCompatibility - On Demand - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Help and Support - helpsvc - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Server - lanmanserver - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Workstation - lanmanworkstation - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
LexBce Server - LexBceS - Automatic - Running - C:\WINDOWS\system32\LEXBCES.EXE (Lexmark International, Inc. )
TCP/IP NetBIOS Helper - LmHosts - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Machine Debug Manager - MDM - Automatic - Running - "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (Microsoft Corporation )
Distributed Transaction Coordinator - MSDTC - On Demand - Running - C:\WINDOWS\System32\msdtc.exe (Microsoft Corporation )
Network Connections - Netman - On Demand - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Network Location Awareness (NLA) - Nla - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
NT LM Security Support Provider - NtLmSsp - Automatic - Running - C:\WINDOWS\System32\lsass.exe (Microsoft Corporation )
NVIDIA Display Driver Service - NVSvc - Automatic - Running - C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation )
Plug and Play - PlugPlay - Automatic - Running - C:\WINDOWS\system32\services.exe (Microsoft Corporation )
IPSEC Services - PolicyAgent - Automatic - Running - C:\WINDOWS\System32\lsass.exe (Microsoft Corporation )
Protected Storage - ProtectedStorage - Automatic - Running - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation )
Remote Access Auto Connection Manager - RasAuto - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Remote Access Connection Manager - RasMan - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Routing and Remote Access - RemoteAccess - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Remote Registry - RemoteRegistry - Automatic - Running - C:\WINDOWS\system32\svchost.exe -k LocalService (Microsoft Corporation )
Remote Procedure Call (RPC) Locator - RpcLocator - Automatic - Running - C:\WINDOWS\System32\locator.exe (Microsoft Corporation )
Remote Procedure Call (RPC) - RpcSs - Automatic - Running - C:\WINDOWS\system32\svchost -k rpcss (Microsoft Corporation )
Security Accounts Manager - SamSs - Automatic - Running - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation )
Smart Card - SCardSvr - Automatic - Running - C:\WINDOWS\System32\SCardSvr.exe (Microsoft Corporation )
Task Scheduler - Schedule - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Secondary Logon - seclogon - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
System Event Notification - SENS - Automatic - Running - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
Windows Firewall/Internet Connection Sharing (ICS) - SharedAccess - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Shell Hardware Detection - ShellHWDetection - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Print Spooler - Spooler - Automatic - Running - C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation )
System Restore Service - srservice - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
SSDP Discovery Service - SSDPSRV - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Windows Image Acquisition (WIA) - stisvc - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k imgsvc (Microsoft Corporation )
MS Software Shadow Copy Provider - SwPrv - Automatic - Running - C:\WINDOWS\System32\dllhost.exe /Processid:{FC0E08EE-91BB-41C9-9836-B8A4EAF81117} (Microsoft Corporation )
TabletService - TabletService - Automatic - Running - C:\WINDOWS\System32\Tablet.exe (Wacom Technology, Corp. )
Telephony - TapiSrv - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Terminal Services - TermService - On Demand - Running - C:\WINDOWS\System32\svchost -k DComLaunch (Microsoft Corporation )
Themes - Themes - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Telnet - TlntSvr - Automatic - Running - C:\WINDOWS\System32\tlntsvr.exe (Microsoft Corporation )
Distributed Link Tracking Client - TrkWks - Automatic - Running - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
Windows User Mode Driver Framework - UMWdf - Automatic - Running - C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation )
Universal Plug and Play Device Host - upnphost - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
TrueVector Internet Monitor - vsmon - Automatic - Running - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (Zone Labs, LLC )
Volume Shadow Copy - VSS - Automatic - Running - C:\WINDOWS\System32\vssvc.exe (Microsoft Corporation )
Windows Time - W32Time - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
WebClient - WebClient - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Windows Management Instrumentation - winmgmt - Automatic - Running - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
Windows Management Instrumentation Driver Extensions - Wmi - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
WMI Performance Adapter - WmiApSrv - Automatic - Running - C:\WINDOWS\System32\wbem\wmiapsrv.exe (Microsoft Corporation )
Security Center - wscsvc - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Automatic Updates - wuauserv - Automatic - Running - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
Wireless Zero Configuration - WZCSVC - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )

<Files>

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 08/20/2003 16:06 | Attr = HS])

CurrentUser ApplicationData Folder
C:\Documents and Settings\JC\Application Data\AdobeDLM.log - ( [Ver = | Size = 1216 bytes | Date = 03/23/2006 22:04 | Attr = ])
C:\Documents and Settings\JC\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 08/20/2003 16:06 | Attr = HS])
C:\Documents and Settings\JC\Application Data\dm.ini - ( [Ver = | Size = 0 bytes | Date = 03/23/2006 22:04 | Attr = ])
C:\Documents and Settings\JC\Application Data\GDIPFONTCACHEV1.DAT - ( [Ver = | Size = 20328 bytes | Date = 08/03/2006 13:08 | Attr = ])

DPF files
{193C772A-87BE-4B19-A7BB-445B226FE9A1} - ewidoOnlineScan Control - CodeBase = http://download.ewido.net/ewidoOnlineScan.cab
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc.cab
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - BDSCANONLINE Control - CodeBase = http://www.bitdefender.com/scan8/oscan8.cab
{6414512B-B978-451D-A0D8-FCFDF33E833C} - WUWebControl Class - CodeBase = http://v5.windowsupdate.microsoft.com/v5co...b?1095424758007
{644E432F-49D3-41A1-8DD5-E099162EEEC5} - Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
{6E5A37BF-FD42-463A-877C-4EB7002E68AE} - Housecall ActiveX 6.5 - CodeBase = http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
{74D05D43-3236-11D4-BDCD-00C04F9A3B61} - HouseCall Control - CodeBase = http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
{7F8C8173-AD80-4807-AA75-5672F22B4582} - ICSScanner Class - CodeBase = http://download.zonelabs.com/bin/promotion...canner37460.cab
{80DD2229-B8E4-4C77-B72F-F22972D723EA} - - CodeBase = http://www.bitdefender.com/scan/Msie/bitdefender.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{94EB57FE-2720-496C-B33F-D9353C6E23F7} - F-Secure Online Scanner 2.1 - CodeBase = http://support.f-secure.com/ols/fscax.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
{E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - GpcContainer Class - CodeBase = https://abletranslations.webex.com/client/T...ort/ieatgpc.cab
{E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - - CodeBase = http://download.abacast.com/download/files/abasetup144.cab

Hosts file = 734 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright © 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -

<Add On's>

>>>>Output for AddOn file CCS_Slave.def<<<<

KEY - HKLM\SYSTEM\CurrentControlSet\Services\Slave - Include SUBKEYS
-
\Security -
\Enum -
\Enum\\0 - Root\LEGACY_SLAVE\0000
\Enum\\Count - 1
\Enum\\NextInstance - 1

KEY - HKLM\SYSTEM\ControlSet001\Services\Slave - Include SUBKEYS
-
\Security -
\Enum -
\Enum\\0 - Root\LEGACY_SLAVE\0000
\Enum\\Count - 1
\Enum\\NextInstance - 1

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:11:09 PM

Posted 08 August 2006 - 07:58 PM

Hi winigo. Well, the key is there. Let's see where it points.

Download Root_Slave.def and save it to the Plugins folder in the WinPFind2 folder (right-click on the link and choose Save Link As or Save Target As).

Start WinPFind2 and in the Addon Options box check the box in front of Root_Slave.def. Now click the AddOn's tab and click the Run AddOn's button. When finished (it shouldn't take hardly any time) click the Configuration tab and click the Simple Report button. Notepad will open with the information loaded in it. Copy/paste that information back here and I will review it.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 winigo

winigo
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:11:09 PM

Posted 09 August 2006 - 08:52 AM

Here it is:

Logfile created on: 08/09/2006 09:49
WinPFind2 by OldTimer - Version 1.0.1 Folder = C:\Documents and Settings\JC\Desktop\winpfind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


<Add On's>

>>>>Output for AddOn file Root_Slave.def<<<<

KEY - HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SLAVE - Include SUBKEYS
not found. -

.................
thank you
w

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:11:09 PM

Posted 12 August 2006 - 02:24 PM

Hi winigo. Since there is nothing there it is not a problem. I think A2 is just seeing the word "slave" in a registry key and throwing up an alert. If you really don't want to see it at every scan you could contact A2 in their forum and let them know the specifics and they will check into it and fix the definition files.


Otherwise everything looks good.



Cheers.



OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

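The two-step check OldTimer walked through in posts #6 and #8 (does the Services\Slave key exist, and does the device instance its Enum subkey points at still exist under HKLM\SYSTEM\...\Enum) can be done without WinPFind2. The script below is an added example written for this page; it is not part of the thread and is not WinPFind2 or A-squared code. It reads the service key, lists what Enum references, tests whether those instances are present, and checks whether the service has an ImagePath that resolves to a file on disk. The default service name 'Slave' and control set 'CurrentControlSet' are my assumptions taken from the log above; run it from an elevated PowerShell prompt on the machine under review. It is read-only and deletes nothing.

```powershell
# Added example (not from the thread, WinPFind2 or A-squared): diagnose a
# service key flagged by a "registry trace" detection by checking whether it
# still points at anything real. Read-only.
param(
    [string]$ServiceName = 'Slave',              # assumption: key from the A2 alert
    [string]$ControlSet  = 'CurrentControlSet'   # assumption: also try ControlSet001
)

function Resolve-ImagePath {
    # Turn a raw ImagePath value into a path Test-Path can check.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = $Raw.Trim()
    # Keep only the executable; drop quotes and arguments such as "-k netsvcs".
    if ($p -match '^"?([^"]*?\.(?:exe|sys|dll))') { $p = $Matches[1] }
    # Driver paths use NT-style prefixes that Test-Path does not understand.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return [Environment]::ExpandEnvironmentVariables($p)
}

$svcKey  = "HKLM:\SYSTEM\$ControlSet\Services\$ServiceName"
$enumKey = "$svcKey\Enum"

if (-not (Test-Path -LiteralPath $svcKey)) {
    Write-Output "[$ServiceName] service key not present: $svcKey"
    return
}

$svc  = Get-ItemProperty -LiteralPath $svcKey
$subs = (Get-ChildItem -LiteralPath $svcKey -ErrorAction SilentlyContinue |
         Select-Object -ExpandProperty PSChildName) -join ', '
Write-Output "[$ServiceName] key present; subkeys: $subs"

# A real service or driver carries Type, Start and ImagePath. A key left behind
# by an incomplete uninstall typically has only Security and Enum, as in the log.
foreach ($name in 'Type', 'Start', 'ImagePath') {
    $val = $svc.PSObject.Properties[$name]
    if ($null -eq $val) { Write-Output "  $name : <missing>" }
    else                { Write-Output "  $name : $($val.Value)" }
}
$file = Resolve-ImagePath $svc.ImagePath
$fileExists = $false
if ($file) {
    $fileExists = Test-Path -LiteralPath $file
    Write-Output "  binary on disk : $file -> $(if ($fileExists) { 'found' } else { 'MISSING' })"
}

# Walk the Enum subkey. Windows writes it when Plug and Play binds a device
# instance to the service; for a legacy (non-PnP) driver that instance is
# Root\LEGACY_<SERVICENAME>\0000 under HKLM\SYSTEM\<ControlSet>\Enum.
$live = 0; $orphans = 0
if (Test-Path -LiteralPath $enumKey) {
    $enum  = Get-ItemProperty -LiteralPath $enumKey
    $cnt   = $enum.PSObject.Properties['Count']
    $count = if ($null -ne $cnt) { [int]$cnt.Value } else { 0 }
    for ($i = 0; $i -lt $count; $i++) {
        $prop = $enum.PSObject.Properties["$i"]
        if ($null -eq $prop) { Write-Output "  Enum\$i : <missing>"; continue }
        $instance = [string]$prop.Value
        $devKey   = "HKLM:\SYSTEM\$ControlSet\Enum\$instance"
        if (Test-Path -LiteralPath $devKey) {
            $live++;    Write-Output "  Enum\$i -> $instance : device instance present"
        } else {
            $orphans++; Write-Output "  Enum\$i -> $instance : NOT FOUND (orphaned reference)"
        }
    }
} else {
    Write-Output "  no Enum subkey"
}

# Verdict: a key with no binary and no live device instance runs nothing.
if (-not $file -and $live -eq 0) {
    Write-Output "Verdict: no ImagePath and $orphans orphaned Enum reference(s); leftover key, not a running component."
    Write-Output "  Back it up before removing it: reg export `"HKLM\SYSTEM\$ControlSet\Services\$ServiceName`" $ServiceName.reg"
} elseif ($file -and -not $fileExists) {
    Write-Output "Verdict: ImagePath names a file that is not on disk; the service cannot start, but check the path for tampering."
} else {
    Write-Output "Verdict: the service has a binary or a bound device instance; examine the binary before accepting the 'trace' label."
}
```

On the machine in this thread the expected result is the one OldTimer reached: Type, Start and ImagePath missing, Enum\0 pointing at Root\LEGACY_SLAVE\0000 with that instance absent, so the key is an empty remnant. CurrentControlSet is a link to whichever ControlSet00N HKLM\SYSTEM\Select\Current names, so when that value is 1 the two key paths in the A2 report are the same key and removing it clears both lines of alerts.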



