Tech Support Forum - View Single Post

Xerses · 10-12-2005, 09:40 PM

Update:

I have pulled the infected hard drive and stuck it into my second computer. I ran a full virus scan on this drive with Fortinet Forticlient and it saw no virus, even though when the infected drive boots, the same AV indicates a virus (Dial/Egroup.L). I downloaded and installed AVG Free just for kicks. Turned off the Forticlient AV, scanned the infected drive with AVG and still no virus is detected!!! I am lost on this one.

Here is the Startuplist log.

StartupList report, 12-Oct-05, 9:32:53 PM
StartupList version: 1.52
Started from : C:\Download\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fortinet\FortiClient\scheduler.exe
C:\Program Files\Fortinet\FortiClient\rmon.exe
C:\Program Files\Fortinet\FortiClient\fmon.exe
C:\Program Files\Fortinet\FortiClient\FortiTray.exe
C:\Program Files\Fortinet\FortiClient\fortiwf.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Download\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Acrobat Speed Launcher.lnk = ?
Image Transfer.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Acrobat Assistant 7.0 = "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
ezShieldProtector for Px = C:\WINDOWS\system32\ezSP_Px.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
FortiClient = "C:\Program Files\Fortinet\FortiClient\FortiClient.exe" /minimize

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get...irector/sw.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.microsoft.com/downlo...?1083851679164

[ICSScannerLight Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ICSScannerLight.dll
CODEBASE = http://download.zonelabs.com/bin/free/cm/ICSCM.cab

[CR64Loader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\retro64_loader.dll
CODEBASE = http://www.miniclip.com/bestfriends/retro64_loader.dll

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeup...ntent/opuc.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.real.com/08ee5fe9...dxIE601_fr.cab

[AXELPlayer Class]
InProcServer32 = C:\WINDOWS\System32\MindAvenue\AXELPlayer\AXELPlayer15109.dll
CODEBASE = http://www.mindavenue.com/Downloads/...erAX_Win32.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.co...928.7586689815

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\Program Files\Fortinet\FortiClient\fortilsp.dll
Protocol #2: C:\Program Files\Fortinet\FortiClient\fortilsp.dll
Protocol #3: C:\Program Files\Fortinet\FortiClient\fortilsp.dll
Protocol #15: C:\Program Files\Fortinet\FortiClient\fortilsp.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,774 bytes
Report generated in 0.062 seconds

10-12-2005, 09:40 PM	#2 (permalink)
Xerses Registered User Join Date: Oct 2005 Location: Montreal, Quebec, Canada Posts: 4 OS: Win XP Pro	Update Update: I have pulled the infected hard drive and stuck it into my second computer. I ran a full virus scan on this drive with Fortinet Forticlient and it saw no virus, even though when the infected drive boots, the same AV indicates a virus (Dial/Egroup.L). I downloaded and installed AVG Free just for kicks. Turned off the Forticlient AV, scanned the infected drive with AVG and still no virus is detected!!! I am lost on this one. Here is the Startuplist log. StartupList report, 12-Oct-05, 9:32:53 PM StartupList version: 1.52 Started from : C:\Download\StartupList.EXE Detected: Windows XP SP2 (WinNT 5.01.2600) Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180) * Using default options ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Fortinet\FortiClient\scheduler.exe C:\Program Files\Fortinet\FortiClient\rmon.exe C:\Program Files\Fortinet\FortiClient\fmon.exe C:\Program Files\Fortinet\FortiClient\FortiTray.exe C:\Program Files\Fortinet\FortiClient\fortiwf.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\WINDOWS\system32\ezSP_Px.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe C:\Download\StartupList.exe -------------------------------------------------- Listing of startup folders: Shell folders Common Startup: [C:\Documents and Settings\All Users\Start Menu\Programs\Startup] Adobe Acrobat Speed Launcher.lnk = ? Image Transfer.lnk = ? Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup nwiz = nwiz.exe /install QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime Acrobat Assistant 7.0 = "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" ezShieldProtector for Px = C:\WINDOWS\system32\ezSP_Px.exe TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot FortiClient = "C:\Program Files\Fortinet\FortiClient\FortiClient.exe" /minimize -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=INI section not found SCRNSAVE.EXE=INI section not found drivers=INI section not found Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr drivers=Registry value not found Policies Shell key: HKCU\..\Policies: Shell=Registry key not found HKLM\..\Policies: Shell=Registry value not found -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (no name) - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910} -------------------------------------------------- Enumerating Task Scheduler jobs: Symantec NetDetect.job -------------------------------------------------- Enumerating Download Program Files: [QuickTime Object] InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab [HouseCall Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab [Shockwave ActiveX Control] InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll CODEBASE = http://fpdownload.macromedia.com/get...irector/sw.cab [MSSecurityAdvisor Class] InProcServer32 = C:\WINDOWS\System32\mssecadv.dll CODEBASE = http://download.microsoft.com/downlo...?1083851679164 [ICSScannerLight Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\ICSScannerLight.dll CODEBASE = http://download.zonelabs.com/bin/free/cm/ICSCM.cab [CR64Loader Object] InProcServer32 = C:\WINDOWS\Downloaded Program Files\retro64_loader.dll CODEBASE = http://www.miniclip.com/bestfriends/retro64_loader.dll [Office Update Installation Engine] InProcServer32 = C:\WINDOWS\opuc.dll CODEBASE = http://office.microsoft.com/officeup...ntent/opuc.cab [RdxIE Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll CODEBASE = http://software-dl.real.com/08ee5fe9...dxIE601_fr.cab [AXELPlayer Class] InProcServer32 = C:\WINDOWS\System32\MindAvenue\AXELPlayer\AXELPlayer15109.dll CODEBASE = http://www.mindavenue.com/Downloads/...erAX_Win32.cab [{9F1C11AA-197B-4942-BA54-47A8489BB47F}] CODEBASE = http://v4.windowsupdate.microsoft.co...928.7586689815 [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab -------------------------------------------------- Enumerating Winsock LSP files: Protocol #1: C:\Program Files\Fortinet\FortiClient\fortilsp.dll Protocol #2: C:\Program Files\Fortinet\FortiClient\fortilsp.dll Protocol #3: C:\Program Files\Fortinet\FortiClient\fortilsp.dll Protocol #15: C:\Program Files\Fortinet\FortiClient\fortilsp.dll -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll -------------------------------------------------- End of report, 6,774 bytes Report generated in 0.062 seconds __________________ _______________________________________________ The Wind follows you, the Trees watch you, the Earth feels your every step... there is no escape from a Druid.