Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32/ldpinch


  • Please log in to reply
13 replies to this topic

#1 jay_rock

jay_rock

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:48 AM

Posted 18 November 2006 - 03:03 PM

Win32/Ldpinch windows defender is reporting this

Category:
Password Stealer

Description:
This program has potentially unwanted behaviour.

Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Resources:
file:
D:\WINDOWS\Installer\UpdateService.exe

View more information about this item online

But norton / spybot/ adaware and super anti spyware are reporting that i'm clean apart from some tracking cookies here and there.
What I'm wondering is if it is a false negative ..
Any help will be great fully received.

I have now run hijackthis and here is my log file

Logfile of HijackThis v1.99.1
Scan saved at 19:52:22, on 18/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Norton Internet Security\ISSVC.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\system32\slserv.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\gsicon.exe
D:\WINDOWS\system32\dslagent.exe
D:\PROGRA~1\BTVOYA~2\oamSender.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\Johnathan\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Booster] D:\PROGRA~1\BTVOYA~2\oamSender.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151164321030
O17 - HKLM\System\CCS\Services\Tcpip\..\{67A7B314-BB4C-426A-99C8-BB5BB70651DE}: NameServer = 194.74.65.68 194.72.0.114
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - D:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Any ideas guys ?

BC AdBot (Login to Remove)

 


m

#2 Toscane

Toscane

  • Security Colleague
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:48 AM

Posted 24 November 2006 - 04:48 PM

Please download Combofix to your desktop.
  • Doubleclick combo.exe and follow the prompts.
  • Type Y and click “enter”.
Don't click on the window while the fix is running, because that will cause your system to hang!
  • Reboot the computer after the fix is done
  • Automaticle a log should open named combofix.txt. (location: C:\combofix.txt)
  • Post this log in your next reply together with a new HijackThislog


#3 jay_rock

jay_rock
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:48 AM

Posted 25 November 2006 - 10:15 AM

Thanks for the reply Toscane

Here is the Combofix log

Johnathan - 06-11-25 14:56:20.57 Service Pack 2
ComboFix 06.11.22 - Running from: "D:\Documents and Settings\Johnathan\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-25 to 2006-11-25 ))))))))))))))))))))))))))))))))))


2006-11-19 12:06 <DIR> d-------- D:\Program Files\Ace Utilities
2006-11-19 11:38 51,072 --a------ D:\WINDOWS\system32\drivers\ikhlayer.sys
2006-11-19 11:38 30,592 --a------ D:\WINDOWS\system32\drivers\ikhfile.sys
2006-11-19 11:37 <DIR> d-------- D:\Program Files\Spyware Doctor
2006-11-19 11:37 <DIR> d-------- D:\Documents and Settings\Johnathan\Application Data\PC Tools
2006-11-19 11:31 <DIR> dr-h----- D:\Documents and Settings\Johnathan\Recent
2006-11-19 11:20 <DIR> d-------- D:\Program Files\CCleaner
2006-11-14 21:45 <DIR> d-------- D:\WINDOWS\pss
2006-11-11 14:38 <DIR> d-------- D:\Program Files\Windows Defender
2006-11-11 14:34 <DIR> d--hs---- D:\Config.Msi
2006-11-10 17:19 <DIR> d-------- D:\WINDOWS\WBEM
2006-11-10 17:19 <DIR> d-------- D:\WINDOWS\system32\en-US
2006-11-10 17:17 <DIR> d--h-c--- D:\WINDOWS\ie7
2006-11-10 17:16 121,856 --------- D:\WINDOWS\system32\xmllite.dll
2006-11-10 17:15 <DIR> d-------- D:\WINDOWS\network diagnostic
2006-11-01 20:36 <DIR> d-------- D:\Documents and Settings\Johnathan\Application Data\PPLive
2006-11-01 20:08 <DIR> d-------- D:\Program Files\PPMate
2006-11-01 20:08 <DIR> d-------- D:\ppmaterecord
2006-11-01 20:08 <DIR> d-------- D:\Documents and Settings\Johnathan\Application Data\PPMate
2006-11-01 19:42 <DIR> d-------- D:\Documents and Settings\Johnathan\Application Data\ppstream
2006-10-27 20:16 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2006-10-27 20:16 <DIR> d-------- D:\Documents and Settings\Johnathan\Application Data\SUPERAntiSpyware.com
2006-10-27 20:15 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2006-10-27 15:09 6,049,280 --------- D:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50,688 --------- D:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458,752 --------- D:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 180,736 --------- D:\WINDOWS\system32\ieui.dll
2006-10-27 02:44 13,312 --a------ D:\WINDOWS\system32\ieudinit.exe
2006-10-26 20:23 <DIR> d-------- D:\Documents and Settings\Johnathan\Application Data\Mozilla


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-25 14:34 -------- d-------- D:\Program Files\Mozilla Firefox
2006-11-25 14:34 -------- d-------- D:\Program Files\Common Files
2006-11-24 20:25 -------- d-------- D:\Program Files\Common Files\Symantec Shared
2006-11-23 08:27 -------- d-------- D:\Program Files\Norton Internet Security
2006-11-19 12:37 -------- d-------- D:\Program Files\mIRC
2006-11-10 17:29 -------- d-------- D:\Program Files\Common Files\Microsoft Shared
2006-11-10 17:28 -------- d-------- D:\Program Files\MSN Messenger
2006-11-10 17:21 -------- d-------- D:\Program Files\Internet Explorer
2006-10-31 23:13 -------- d-------- D:\Program Files\BT Voyager 100 ADSL Modem
2006-10-30 22:27 -------- d-------- D:\Program Files\Common Files\Adobe
2006-10-30 22:27 -------- d-------- D:\Program Files\Adobe
2006-10-27 15:09 413696 --a------ D:\WINDOWS\system32\vbscript.dll
2006-10-27 15:09 231424 --a------ D:\WINDOWS\system32\webcheck.dll
2006-10-27 15:09 156160 --a------ D:\WINDOWS\system32\msls31.dll
2006-10-27 02:44 71680 --a------ D:\WINDOWS\system32\admparse.dll
2006-10-27 02:44 55296 --a------ D:\WINDOWS\system32\iesetup.dll
2006-10-27 02:44 54784 --a------ D:\WINDOWS\system32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ D:\WINDOWS\system32\iernonce.dll
2006-10-27 02:44 382976 --a------ D:\WINDOWS\system32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ D:\WINDOWS\system32\ieaksie.dll
2006-10-27 02:44 152064 --a------ D:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 123904 --a------ D:\WINDOWS\system32\advpack.dll
2006-10-27 02:42 161792 --a------ D:\WINDOWS\system32\ieakui.dll
2006-10-25 19:44 359808 --a------ D:\WINDOWS\system32\drivers\TCPIP.SYS
2006-10-21 15:24 -------- d-------- D:\Documents and Settings\Johnathan\Application Data\Macromedia
2006-10-17 13:06 78336 --a------ D:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ D:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 206336 --------- D:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 13:05 105984 --a------ D:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ D:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ D:\WINDOWS\system32\corpol.dll
2006-10-17 12:58 61952 --------- D:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- D:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ D:\WINDOWS\system32\imgutil.dll
2006-10-17 12:57 266752 --------- D:\WINDOWS\system32\iertutil.dll
2006-10-17 12:56 45568 --a------ D:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ D:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:27 380928 --------- D:\WINDOWS\system32\ieapfltr.dll
2006-10-14 17:54 -------- d-------- D:\Program Files\OfficeUpdate11
2006-10-13 12:35 65536 --a------ D:\WINDOWS\system32\nwwks.dll
2006-10-13 12:35 64000 --a------ D:\WINDOWS\system32\nwapi32.dll
2006-10-13 12:35 142336 --a------ D:\WINDOWS\system32\nwprovau.dll
2006-10-13 10:23 163584 --a------ D:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-04 20:20 -------- d-------- D:\Program Files\Symantec
2006-09-29 18:45 -------- d-------- D:\Documents and Settings\Johnathan\Application Data\G-Force
2006-09-29 18:44 -------- d-------- D:\Program Files\SoundSpectrum
2006-09-15 21:52 91904 --a------ D:\WINDOWS\system32\S32EVNT1.DLL
2006-09-13 05:01 1084416 --a------ D:\WINDOWS\system32\msxml3.dll
2006-09-07 21:40 13312 --a------ D:\WINDOWS\system32\BASSMOD.dll
2006-09-06 17:43 22752 --a------ D:\WINDOWS\system32\spupdsvc.exe
2006-08-25 15:45 617472 --a------ D:\WINDOWS\system32\comctl32.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="D:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"D:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"D:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"GSICONEXE"="gsicon.exe"
"DSLAGENTEXE"="dslagent.exe USB"
"Symantec NetDriver Monitor"="D:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Booster"="D:\\PROGRA~1\\BTVOYA~2\\oamSender.exe"
"Windows Defender"="\"D:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
"DWQueuedReporting"="\"D:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
"DWQueuedReporting"="\"D:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"system"="D:\\WINDOWS\\Installer\\UpdateService.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
D:\WINDOWS\tasks\MP Scheduled Scan.job
D:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Johnathan.job

Completion time: 06-11-25 14:57:31.42
D:\ComboFix.txt ... 06-11-25 14:57


And here is the Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 15:09:00, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Norton Internet Security\ISSVC.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\WINDOWS\system32\slserv.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\gsicon.exe
D:\WINDOWS\system32\dslagent.exe
D:\PROGRA~1\BTVOYA~2\oamSender.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\Johnathan\Desktop\HijackThis\HijackThis.exe
D:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Booster] D:\PROGRA~1\BTVOYA~2\oamSender.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151164321030
O17 - HKLM\System\CCS\Services\Tcpip\..\{67A7B314-BB4C-426A-99C8-BB5BB70651DE}: NameServer = 194.74.65.68 194.72.0.114
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - D:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


hope you can help me??

#4 jay_rock

jay_rock
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:48 AM

Posted 25 November 2006 - 10:19 AM

Forgot to say the windows defender has the file D:\WINDOWS\Installer\UpdateService.exe in quarantine at the moment

ANd this key in the reg bothers me also

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"system"="D:\\WINDOWS\\Installer\\UpdateService.exe"

Thats from the combofix log.

what ya think?

#5 Toscane

Toscane

  • Security Colleague
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:48 AM

Posted 25 November 2006 - 12:03 PM

Before you make changes of any kind to the registry first make a backup (it can take 60 MB of space!) Be sure you save it at a place you can easy find it when needed.
Symantec has a good tutorial at:
http://service1.symantec.com/SUPPORT/tsgen...17?OpenDocument

Please go to:
start-->run

and type this in:
regedit

Then click on the FILE menu and select export
Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL


Afterwards...

Please go to:
start-->run

and type this in:
notepad
click OK
Copy/paste this bold text: (Ensure there is no space above REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"system"=-


Then click on the FILE menu and select save as
Save the file as fix.reg. Save the file to the desktop.
IMPORTANT: make sure to save the file as "all types"

Save this as fix.reg Choose to save as *all files and place it on your desktop.

CLOSE your internet Explorer and all other open windows!
Double click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Reboot the computer!!

Download, install, and update AVG anti-spyware 7.5 (This is a 30 days trial)
  • Install AVG anti-spyware.
  • Start the program but don't scan for virus at this moment.
  • On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Close AVG anti-spyware, Do Not run a scan at this moment.

Reboot your pc into safe mode

Safe mode for Windows XP
  • Restart the computer.
  • As soon as BIOS is loaded and before Windows is loaded, begin tapping the F8 (or F5) key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe mode menu item
  • Press Enter.
To clean temporary files:
Go > start > run and type cleanmgr and click OK
Scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
Click OK to remove those files.
Click Yes to confirm deletion.

Start AVG anti-spyware.
  • Click on Scanner
  • Click on Complete System Scan
  • Let the program scan your pc, be patient this may take a little time.
  • If you have any infections you will prompted, click “set all elements to: recommended action” and choose Quarantine
  • Click "Apply all actions"
  • Next select the button "Save Report".
  • Click the "Save report as" button and save the report to your desktop.
  • Close AVG and reboot your system back into Normal Mode.
Post the results of the AVG report scan along with a new HijackThis log.

#6 jay_rock

jay_rock
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:48 AM

Posted 25 November 2006 - 03:04 PM

AVG report scan

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:42:43 25/11/2006

+ Scan result:



D:\System Volume Information\_restore{CCDECC52-46B5-4F84-85A3-686C94CB76A6}\RP172\A0037849.exe -> Dropper.Agent.ata : No action taken.
D:\Documents and Settings\Johnathan\Desktop\Ultimate AOI\New WinRAR 3.61 ZIP archive.zip/WRAR361Patch/winrar.3.xx.generic.patch.exe -> Not-A-Virus.Hacktool.Crack : No action taken.
:mozilla.21:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.22:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.23:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.118:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.130:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Bluestreak : No action taken.
:mozilla.112:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.113:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.131:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Cqcounter : No action taken.
:mozilla.213:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Hitslink : No action taken.
:mozilla.84:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.127:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-18_14-28-25-843 -> TrackingCookie.Masterstats : No action taken.
:mozilla.132:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Masterstats : No action taken.
:mozilla.173:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Masterstats : No action taken.
:mozilla.71:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-18_14-28-25-843 -> TrackingCookie.Paycounter : No action taken.
:mozilla.133:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.134:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.135:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.135:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Sexcounter : No action taken.
:mozilla.136:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.136:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Sexcounter : No action taken.
:mozilla.137:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.137:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Sexcounter : No action taken.
:mozilla.138:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.138:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Sexcounter : No action taken.
:mozilla.139:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Sexcounter : No action taken.
:mozilla.140:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Sexcounter : No action taken.
:mozilla.17:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-18_14-28-25-843 -> TrackingCookie.Sexcounter : No action taken.
:mozilla.18:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-18_14-28-25-843 -> TrackingCookie.Sexcounter : No action taken.
:mozilla.19:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-18_14-28-25-843 -> TrackingCookie.Sexcounter : No action taken.
:mozilla.20:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-18_14-28-25-843 -> TrackingCookie.Sexcounter : No action taken.
:mozilla.172:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Sexlist : No action taken.
:mozilla.59:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.60:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.61:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.62:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.86:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Statcounter : No action taken.
:mozilla.87:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Statcounter : No action taken.
:mozilla.88:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Statcounter : No action taken.
:mozilla.66:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies.txt -> TrackingCookie.Weborama : No action taken.
:mozilla.175:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.200:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Yadro : No action taken.
:mozilla.201:D:\Documents and Settings\Johnathan\Application Data\Mozilla\Firefox\Profiles\36l5zuzr.default\cookies_2006-11-10_17-5-37-843 -> TrackingCookie.Yadro : No action taken.
D:\System Volume Information\_restore{CCDECC52-46B5-4F84-85A3-686C94CB76A6}\RP298\A0060545.exe -> Trojan.LdPinch.awz : No action taken.
D:\System Volume Information\_restore{CCDECC52-46B5-4F84-85A3-686C94CB76A6}\RP308\A0067772.exe -> Trojan.LdPinch.awz : No action taken.
D:\System Volume Information\_restore{CCDECC52-46B5-4F84-85A3-686C94CB76A6}\RP308\A0067773.exe -> Trojan.LdPinch.awz : No action taken.


::Report end


it says no action taken but i did delete them after i saved the log file

HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 19:58:54, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Norton Internet Security\ISSVC.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\WINDOWS\system32\slserv.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\gsicon.exe
D:\WINDOWS\system32\dslagent.exe
D:\PROGRA~1\BTVOYA~2\oamSender.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\Johnathan\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Booster] D:\PROGRA~1\BTVOYA~2\oamSender.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151164321030
O17 - HKLM\System\CCS\Services\Tcpip\..\{67A7B314-BB4C-426A-99C8-BB5BB70651DE}: NameServer = 194.74.65.68 194.72.0.114
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - D:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


seems i had some residue of viruses in the system restore files

What next my new friend
Also thanks again for your time :thumbsup:

#7 Toscane

Toscane

  • Security Colleague
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:48 AM

Posted 25 November 2006 - 04:26 PM

it says no action taken but i did delete them after i saved the log file


Do not worry about this, the files are safe and can do no harm in the "System Volume Information" part of your computer.
When finished cleaning we will make a clean restorepoint as well.

It seems all is clear now, but we will take a deeper look:

Download Silentrunners.zip Unzip it to your desktop and doubleclick on it.

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

Let it run for about 1 minute, When it has finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.


Download WinPFind.zip

Extract WinPFind.zip to your c:\ folder.
Please print these instructions as you will be going into safe mode.
Reboot your computer into Safe Mode by following the following steps:

Reboot.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to scart scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

#8 jay_rock

jay_rock
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:48 AM

Posted 25 November 2006 - 05:09 PM

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "D:\WINDOWS\system32\ctfmon.exe" [MS]
"msnmsgr" = ""D:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""D:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"GSICONEXE" = "gsicon.exe" ["BT, Inc."]
"DSLAGENTEXE" = "dslagent.exe USB" [null data]
"Symantec NetDriver Monitor" = "D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"Booster" = "D:\PROGRA~1\BTVOYA~2\oamSender.exe" ["GlobespanVirata, Inc."]
"Windows Defender" = ""D:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"!AVG Anti-Spyware" = ""D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PCTools Site Guard"
\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ST"
\InProcServer32\(Default) = "D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = (no title provided)
-> {HKLM...CLSID} = "CNisExtBho Class"
\InProcServer32\(Default) = "D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PCTools Browser Monitor"
\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MSNToolBandBHO"
\InProcServer32\(Default) = "D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll" [MS]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = (no title provided)
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "D:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{721A1B24-EC8B-4eda-9CCE-39720B9FA747}" = "WipeExt"
-> {HKLM...CLSID} = "WipeExt"
\InProcServer32\(Default) = "D:\Program Files\Ace Utilities\wipext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "D:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL" ["SUPERAntiSpyware.com"]
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
CuteFTP 8 Professional\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"
-> {HKLM...CLSID} = "CuteFTP 8 Professional Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll" ["GlobalSCAPE Texas, LP."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
WipeExt\(Default) = "{721A1B24-EC8B-4eda-9CCE-39720B9FA747}"
-> {HKLM...CLSID} = "WipeExt"
\InProcServer32\(Default) = "D:\Program Files\Ace Utilities\wipext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
CuteFTP 8 Professional\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"
-> {HKLM...CLSID} = "CuteFTP 8 Professional Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll" ["GlobalSCAPE Texas, LP."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
WipeExt\(Default) = "{721A1B24-EC8B-4eda-9CCE-39720B9FA747}"
-> {HKLM...CLSID} = "WipeExt"
\InProcServer32\(Default) = "D:\Program Files\Ace Utilities\wipext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\WINDOWS\system32\config\systemprofile\Desktop\Desktop Background.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\Johnathan\Desktop\Desktop Background.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "D:\WINDOWS\System32\ssmyst.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "D:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"Norton AntiVirus - Scan my computer - Johnathan" -> launches: "D:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"D:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {HKLM...CLSID} = "Norton Internet Security"
\InProcServer32\(Default) = "D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {HKLM...CLSID} = "Norton Internet Security"
\InProcServer32\(Default) = "D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll" [MS]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_07"
\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll" ["Sun Microsystems, Inc."]

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {HKLM...CLSID} = "PCTools Browser Monitor"
\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
HTTP SSL, HTTPFilter, "D:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"D:\WINDOWS\System32\w3ssl.dll" [MS]}
ISSvc, ISSVC, "D:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Machine Debug Manager, MDM, ""D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Norton AntiVirus Auto-Protect Service, navapsvc, ""D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
PC Tools Spyware Doctor, SDhelper, "D:\Program Files\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]
SmartLinkService, SLService, "slserv.exe" ["Smart Link"]
Symantec Core LC, Symantec Core LC, "D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""D:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
Windows Defender, WinDefend, ""D:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 83 seconds, including 31 seconds for message boxes)


just doing the second part now

#9 jay_rock

jay_rock
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:48 AM

Posted 25 November 2006 - 05:37 PM

WinPFind\WinPFind.txt log file

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 25/11/2006 22:20:16
WinPFind v1.5.0 Folder = D:\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 23/08/2001 12:00:00 41397 D:\WINDOWS\SYSTEM32\dfrg.msc ()
PTech 30/10/2006 11:25:08 1488688 D:\WINDOWS\SYSTEM32\LegitCheckControl.DLL (Microsoft Corporation)
PECompact2 16/11/2006 05:20:40 10474920 D:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 16/11/2006 05:20:40 10474920 D:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
WSUD 03/08/2004 23:56:56 1200128 D:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
aspack 03/08/2004 23:56:38 708096 D:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 03/08/2004 23:56:58 257024 D:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 03/08/2004 23:56:46 657920 D:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
winsync 23/08/2001 12:00:00 1309184 D:\WINDOWS\SYSTEM32\wbdbase.deu ()
PTech 19/06/2006 15:19:26 304944 D:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
PTech 03/08/2004 21:41:38 1309184 D:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in D:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
25/11/2006 22:17:32 S 2048 D:\WINDOWS\bootstat.dat ()
14/10/2006 19:53:46 RH 0 D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index22.dat ()
14/10/2006 19:53:50 RH 0 D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index23.dat ()
27/10/2006 15:10:48 S 42340 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ie7.cat ()
11/10/2006 06:28:32 S 9200 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914440.cat ()
16/10/2006 15:35:46 S 10965 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920213.cat ()
13/10/2006 12:55:52 S 10965 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB923980.cat ()
13/10/2006 13:33:10 S 10259 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB924270.cat ()
25/11/2006 22:17:20 H 8192 D:\WINDOWS\system32\config\default.LOG ()
25/11/2006 22:18:02 H 1024 D:\WINDOWS\system32\config\SAM.LOG ()
25/11/2006 22:17:34 H 16384 D:\WINDOWS\system32\config\SECURITY.LOG ()
25/11/2006 22:18:32 H 73728 D:\WINDOWS\system32\config\software.LOG ()
25/11/2006 22:17:44 H 1122304 D:\WINDOWS\system32\config\system.LOG ()
18/11/2006 13:57:28 H 1024 D:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
10/11/2006 17:28:54 S 341 D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 ()
10/11/2006 17:28:54 S 413 D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 ()
10/11/2006 17:28:54 S 574 D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5 ()
10/11/2006 17:28:54 S 126 D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 ()
10/11/2006 17:28:54 S 98 D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 ()
10/11/2006 17:28:54 S 136 D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5 ()
25/11/2006 22:20:58 H 330 D:\WINDOWS\Tasks\MP Scheduled Scan.job ()
25/11/2006 22:16:00 H 6 D:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
03/08/2004 23:56:58 68608 D:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
18/01/2004 01:09:54 41984 D:\WINDOWS\SYSTEM32\AdvUninstCPL.cpl ()
03/08/2004 23:56:58 549888 D:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
03/08/2004 23:56:58 110592 D:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
03/08/2004 23:56:58 135168 D:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
03/08/2004 23:56:58 80384 D:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
20/03/2003 05:36:42 290816 D:\WINDOWS\SYSTEM32\gsi.cpl (BT, Inc.)
03/08/2004 23:56:58 155136 D:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
17/10/2006 13:05:48 1817088 D:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
03/08/2004 23:56:58 129536 D:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
03/08/2004 23:56:58 380416 D:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
03/08/2004 23:56:58 68608 D:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
03/05/2006 01:56:54 49265 D:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
23/08/2001 12:00:00 187904 D:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
03/08/2004 23:56:58 618496 D:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
23/08/2001 12:00:00 35840 D:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
03/08/2004 23:56:58 25600 D:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
03/08/2004 23:56:58 257024 D:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
23/08/2001 12:00:00 36864 D:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
03/08/2004 23:56:58 32768 D:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
03/08/2004 23:56:58 114688 D:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
03/08/2004 23:56:58 298496 D:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
23/08/2001 12:00:00 28160 D:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
03/08/2004 23:56:58 94208 D:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
03/08/2004 23:56:58 148480 D:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
26/05/2005 03:16:30 174360 D:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
17/10/2006 13:05:48 1817088 D:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
23/08/2001 12:00:00 187904 D:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
23/08/2001 12:00:00 35840 D:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
23/08/2001 12:00:00 36864 D:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
23/08/2001 12:00:00 28160 D:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://download.microsoft.com/download/8/3...heckControl.cab
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc3.cab
{6414512B-B978-451D-A0D8-FCFDF33E833C} - WUWebControl Class - CodeBase = http://update.microsoft.com/windowsupdate/...b?1151164321030
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_07 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - Java Plug-in 1.5.0_07 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_07 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
24/06/2006 14:53:00 HS 84 D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
24/06/2006 15:26:08 HS 62 D:\Documents and Settings\All Users\Application Data\desktop.ini ()

Checking files in %USERPROFILE%\Startup folder...
24/06/2006 14:53:00 HS 84 D:\Documents and Settings\Johnathan\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
01/07/2006 18:27:54 869 D:\Documents and Settings\Johnathan\Application Data\AdobeDLM.log ()
24/06/2006 15:26:08 HS 62 D:\Documents and Settings\Johnathan\Application Data\desktop.ini ()
01/07/2006 18:27:54 0 D:\Documents and Settings\Johnathan\Application Data\dm.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://go.microsoft.com/fwlink/?LinkId=69157
\\Search Page - http://go.microsoft.com/fwlink/?LinkId=54896
\\Default_Page_URL - http://go.microsoft.com/fwlink/?LinkId=69157
\\Default_Search_URL - http://go.microsoft.com/fwlink/?LinkId=54896
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Search Page - http://go.microsoft.com/fwlink/?LinkId=54896
\\Local Page - D:\WINDOWS\system32\blank.htm



[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{02478D38-C3F9-4EFB-9B51-7695ECA05670} - Yahoo! Toolbar Helper = D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Adobe PDF Reader Link Helper = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{53707962-6F74-2D53-2644-206D7942484F} - = D:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - PCTools Site Guard = D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (PC Tools)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
\{9030D464-4C02-4ABF-8ECC-5164760863C6} - Windows Live Sign-in Helper = D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
\{9394EDE7-C8B5-483E-8773-474BF36AF6E4} - ST = D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (Microsoft Corporation)
\{9ECB9560-04F9-4bbc-943D-298DDF1699E1} - CNisExtBho Class = D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
\{B56A7D7D-6927-48C8-A975-17DF180C71AC} - PCTools Browser Monitor = D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (PC Tools)
\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSNToolBandBHO = D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll (Microsoft Corporation)
\{BDF3E430-B101-42AD-A544-FADC6B084872} - CNavExtBho Class = D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - Norton Internet Security = D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus = D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN = D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus = D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Norton Internet Security = D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN = D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8198
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8193 = Windows Messenger
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8194 = Sun Java Console
\\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - 8195 = Yahoo! Messenger
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8196 =
\\{e2e2dd38-d088-4134-82b7-f2ba38496583} - 8197 = @xpsp3res.dll,-20001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = D:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - ButtonText: Spyware Doctor =
\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research =
\{e2e2dd38-d088-4134-82b7-f2ba38496583} - MenuText: @xpsp3res.dll,-20001 = ()
\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - ButtonText: Yahoo! Messenger = D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = D:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = D:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = D:\Program Files\WinRAR\rarext.dll ()
\\{B327765E-D724-4347-8B16-78AE18552FC3} - NeroDigitalIconHandler = D:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG)
\\{7F1CF152-04F8-453A-B34C-E609530A9DC8} - NeroDigitalPropSheetHandler = D:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG)
\\{721A1B24-EC8B-4eda-9CCE-39720B9FA747} - WipeExt = D:\Program Files\Ace Utilities\wipext.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\CuteFTP 8 Professional - {8f7261d0-d2b9-11d2-9909-00605205b24c} = D:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll (GlobalSCAPE Texas, LP.)
\Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Program Files\WinRAR\rarext.dll ()
\WipeExt - {721A1B24-EC8B-4eda-9CCE-39720B9FA747} = D:\Program Files\Ace Utilities\wipext.dll ()
\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} - = D:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\CuteFTP 8 Professional - {8f7261d0-d2b9-11d2-9909-00605205b24c} = D:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll (GlobalSCAPE Texas, LP.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Program Files\WinRAR\rarext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Program Files\WinRAR\rarext.dll ()
\WipeExt - {721A1B24-EC8B-4eda-9CCE-39720B9FA747} = D:\Program Files\Ace Utilities\wipext.dll ()
\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} - = D:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{7D4D6379-F301-4311-BEBA-E26EB0561882} - NeroDigitalExt.NeroDigitalColumnHandler = D:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG)
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp - D:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
GSICONEXE - D:\WINDOWS\SYSTEM32\gsicon.exe (BT, Inc.)
DSLAGENTEXE - D:\WINDOWS\SYSTEM32\dslagent.exe ()
Symantec NetDriver Monitor - D:\PROGRA~1\SYMNET~1\SNDMon.exe (Symantec Corporation)
Booster - D:\PROGRA~1\BTVOYA~2\oamSender.exe (GlobespanVirata, Inc.)
Windows Defender - D:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
!AVG Anti-Spyware - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (Anti-Malware Development a.s.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe - D:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
msnmsgr - D:\Program Files\MSN Messenger\msnmsgr.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
D:\Documents and Settings\Johnathan\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = D:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = D:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook = D:\PROGRA~1\WIFD1F~1\MpShHook.dll (Microsoft Corporation)
\\{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - SABShellExecuteHook Class = D:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = D:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\!SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL = (SUPERAntiSpyware.com)
\AtiExtEvent - Ati2evxx.dll = (ATI Technologies Inc.)
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{1BA8E464-FBCA-4636-A629-8C90683AB4F8} - (Realtek RTL8139 Family PCI Fast Ethernet NIC)
{D30E34AF-7434-4BF4-867B-5E9A15E5E893} - (1394 Net Adapter)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\belarc - D:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


As requested

#10 Toscane

Toscane

  • Security Colleague
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:48 AM

Posted 25 November 2006 - 05:52 PM

Both logs are clean :thumbsup:

Especially when surfing with other browsers then IE (which have the Java built-in) it is very important to update your Java software. Sun's Java is updated in order to eliminate the exploitation of vulnerabilities. For this reason, it's extremely important that you remove the older more vulnerable versions from your system.

Go here and click on the Download button to the right of Java Runtime Environment (JRE) 5.0 Update 9.
  • Accept the license agreement by clicking the radio button.
  • Under Windows Platform - J2SE™ Runtime Enviroment 5.0 Update 9 click the Windows Offline Installation, Multi-language link.
  • Go to Add/Remove Programs and remove any entries that refer to Java 2 Runtime Enviroment
    It should have next icon next to it: Posted Image
    and then reboot your PC.
  • Navigate to and delete the following folder, if it exists: C:\Program Files\Java.
  • Finally double click the installation file that you downloaded earlier.
I advise you to clear the system restore:
For XP:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Please post back with a new HJT-log.

#11 jay_rock

jay_rock
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:48 AM

Posted 25 November 2006 - 06:37 PM

All your step done
new hijackthis log file

Logfile of HijackThis v1.99.1
Scan saved at 23:29:31, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Norton Internet Security\ISSVC.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\WINDOWS\system32\slserv.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\gsicon.exe
D:\WINDOWS\system32\dslagent.exe
D:\PROGRA~1\BTVOYA~2\oamSender.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\Johnathan\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Booster] D:\PROGRA~1\BTVOYA~2\oamSender.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151164321030
O17 - HKLM\System\CCS\Services\Tcpip\..\{67A7B314-BB4C-426A-99C8-BB5BB70651DE}: NameServer = 194.74.65.68 194.72.0.114
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - D:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Once again i must thank you for your time and expertise. You guys really are the mutts nuts. Its nice to have such a quick and perfessional response all of which is free of charge.

From one very happy man THANK YOU

:huh: :thumbsup: :flowers: :o :huh: :huh: :) :huh: :huh:

Edited by fvck, 25 November 2006 - 06:38 PM.


#12 Toscane

Toscane

  • Security Colleague
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:48 AM

Posted 26 November 2006 - 06:34 AM

Glad I was able to help :thumbsup:

You may also fix these entries:

Run Hijackthis, click on 'Do a system scan only'
check only the items listed below:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Click on 'Fix checked' and close the program.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Steps in order to keep your computer clean!

#13 jay_rock

jay_rock
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:48 AM

Posted 26 November 2006 - 06:45 AM

Did as requested first entry was cleared but these two


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

come right back after another scan

#14 Toscane

Toscane

  • Security Colleague
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:48 AM

Posted 26 November 2006 - 11:02 AM

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


It does not matter you can not fix these entries. They are legit, just empty at this time, referring to a change in your Internet Explorer searchpages.
So you can leave them this way.

If the computer is running well this topic can be closed. :thumbsup:

Edited by Toscane, 26 November 2006 - 11:03 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users