Thread: HJT Log
03-23-2005, 08:36 AM   #22
TechPaul
Registered User
 
Join Date: Mar 2005
Posts: 17
OS: Win XP


Here are the logs you requested. Unless TDS tries to change my host file, I'm pretty sure something is still active because the Microsoft Spyware Beta blocked something from changing the host file shortly after running hoster, and while TDS-3 was installing. And it did find a couple of things, so I'll just wait and see where things go from here. I hope you can help me get rid of this stuff.

Thanks again for the assistance,

Paul


StartDreck (build 2.1.7 public stable) - 2005-03-23 @ 06:53:09 (GMT -08:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as Owner at NOTEBOOK-4BZAO8

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
*AVG7_Run=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
»RunOnce
»Local Machine
»Run
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
*StorageGuard="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
*RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
*QT4HPOT=C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
*Presentation Ready=C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
*PreloadApp=c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
*hpsysdrv=c:\windows\system\hpsysdrv.exe
*hpScannerFirstBoot=c:\hp\drivers\scanners\scannerfb.exe
*hp Silent Service=C:\Windows\system32\HpSrvUI.exe
*gcasServ="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
*dla=C:\WINDOWS\system32\dla\tfswctrl.exe
*Display Settings=C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
*CARPService=carpserv.exe
*AVG7_EMC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
*AVG7_CC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.0/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player 8/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Internet Explorer Access/{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
*StubPath=rundll32 iesetup.dll,IEAccessUserInst
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
»Internet Explorer
»Current User
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://home.microsoft.com/search/search.asp
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Bar=http://home.microsoft.com/search/lobby/search.asp
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
+SearchUrl
*provider=
»Default User
*Start Page=http://www.hp.com/info/e-center-p
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://home.microsoft.com/search/search.asp
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Bar=http://home.microsoft.com/search/lobby/search.asp
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*CustomizeSearch=http://srch-us4nb.hpwis.com/
*SearchAssistant=http://srch-us4nb.hpwis.com/
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
*C:\WINDOWS\hosts
`127.0.0.3 www.greg-tut.com
`127.0.0.3 nylonsexy.com
`127.0.0.3 www.nylonsexy.com
`127.0.0.3 vparivalka.com
`127.0.0.3 www.vparivalka.comtoescrowpay.com
`127.0.0.3 www.awmdabest.com
`127.0.0.3 www.sexfiles.nu
`127.0.0.3 awmdabest.com
`127.0.0.3 sexfiles.nu
`127.0.0.3 allforadult.com
`127.0.0.3 www.allforadult.com
`127.0.0.3 www.iframe.biz
`127.0.0.3 iframe.biz
`127.0.0.3 www.newiframe.biz
`127.0.0.3 newiframe.biz
`127.0.0.3 www.vesbiz.biz
`127.0.0.3 vesbiz.biz
`127.0.0.3 www.pizdato.biz
`127.0.0.3 pizdato.biz
`127.0.0.3 www.aaasexypics.com
`127.0.0.3 aaasexypics.com
`127.0.0.3 www.virgin-tgp.net
`127.0.0.3 virgin-tgp.net
`127.0.0.3 www.awmcash.biz
`127.0.0.3 awmcash.biz
`127.0.0.3 buldog-stats.com
`127.0.0.3 www.buldog-stats.com
`127.0.0.3 fregat.drocherway.com
`127.0.0.3 slutmania.biz
`127.0.0.3 www.slutmania.biz
`127.0.0.3 toolbarpartner.com
`127.0.0.3 www.toolbarpartner.com
`127.0.0.3 www.megapornix.com
`127.0.0.3 megapornix.com
`127.0.0.3 www.sp2******.biz
`127.0.0.3 sp2******.biz
`127.0.0.3 greg-tut.com
`http://213.159.117.203/dkprogs/hosts.txt
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+544=\SystemRoot\System32\smss.exe
+592=<unkown>
+616=\??\C:\WINDOWS\system32\winlogon.exe
+660=C:\WINDOWS\system32\services.exe
+672=C:\WINDOWS\system32\lsass.exe
+864=C:\WINDOWS\system32\svchost.exe
+888=C:\WINDOWS\System32\svchost.exe
+1028=<unkown>
+1052=<unkown>
+1324=C:\WINDOWS\system32\spoolsv.exe
+1436=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
+1544=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
+1604=C:\WINDOWS\system32\HPConfig.exe
+1640=C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
+1712=C:\WINDOWS\wanmpsvc.exe
+1876=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
+1904=C:\Program Files\Real\RealPlayer\RealPlay.exe
+1916=C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
+1980=C:\windows\system\hpsysdrv.exe
+1996=C:\Windows\system32\HpSrvUI.exe
+2004=C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
+2012=C:\WINDOWS\system32\dla\tfswctrl.exe
+2024=C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
+2032=C:\WINDOWS\System32\carpserv.exe
+108=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
+120=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
+180=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
+1020=C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
+3004=C:\WINDOWS\explorer.exe
+3284=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
+3380=C:\Documents and Settings\Owner\Desktop\computer cleaning tools\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

06:58:20 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
06:58:21 [Init] Started 23-03-05 06:58:21 Pacific Standard Time (UTC: 8), Internet Time @665.52
06:58:21 [Init] Loading TDS-3 Systems ...
06:58:21 [Init] Token successfully adjusted.
06:58:21 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
06:58:21 [Init] • Plugins : OK. Loaded 13
06:58:21 [Init] • Exec Protection : Not Installed
06:58:21 [Init] WARNING: Your Radius.TD3 database needs to be updated!
06:58:21 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
06:58:21 [Init] Licensed users can use the Update facility from the TDS menu
06:58:21 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
06:58:30 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
06:58:30 [Init] • Systems Initialised [50195 references - 25217 primaries/12781 traces/12197 variants/other]
06:58:30 [Init] Radius Systems loaded. <Databases updated 23-03-2005>
06:58:30 [Init] TDS-3 Ready. <Owner@127.0.0.1 - United States>
06:58:30 [Tip Of The Day] Did you know? - TDS-3 has many exclusive detection techniques built-in that were pioneered and developed here at the DiamondCS lab in Western Australia. Our experience, research depth and technological breakthroughs translate directly into TDS, making a security expert out of anyone!
06:58:30 [TDS] Good morning Owner. Mmm... is that coffee I can smell?
06:58:37 [Mutex Memory Scan] Started...
06:58:38 [Mutex Memory Scan] Finished (no trojan mutexes found).
06:58:38 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
06:59:31 [CRC32] Started - verifying 29 files ...
06:59:34 [CRC32] File doesn't exist: C:\WINDOWS\System32\regsvr32.exe
06:59:44 [CRC32] Test finished.
07:01:00 [Memory Scan] Memory scan started, please wait a moment ...
07:01:03 [Memory Scan] Memory scan complete.
07:01:03 [Mutex Memory Scan] Started...
07:01:05 [Mutex Memory Scan] Finished (no trojan mutexes found).
07:01:05 [Trace Scan] Started...
07:01:21 [Trace Scan] Finished.
07:01:21 [ServiceScan] Scanning for services and drivers ...
07:01:27 [ServiceScan] Scanned 302 services and drivers.
07:01:27 [File Scan] Scanning in C:\ ...
07:23:03 [File Scan] Scanned 22677 files: 2 alarms in 1295.824 seconds (Avg 18.5 files/sec)
07:23:03 [File Scan] Scanning in D:\ ...
07:23:03 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec)
07:23:03 [File Scan] Scanning in E:\ ...
07:23:07 [File Scan] Scanned 11 files: 2 alarms in 4.517578 seconds (Avg 3.43 files/sec)
07:23:07 [Scan] Finished.

Scan Control Dumped @ 07:26:38 23-03-05
Positive identification: TrojanDownloader.Win32.Small.akz
File: c:\temporary\aun_0010.exe

Positive identification (DLL): Adware.Coreak.a (dll)
File: c:\windows\system32\akcore.dll