Resolved HJT Threads: Resolved spyware and popup issues.

 
 
Old 06-16-2006, 03:36 AM   #1 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 14
OS: Win 2000 Pro


Could someone take a look at this log?

Hi,
My computer has developed a problem in the last few days. Usually only between the hours of 5pm and midnight (GMT) my broadband connection is hijacked and used to upload a constant stream of information. If I disconnect, the CPU runs at 100% and makes the system a little unstable unless I reconnect. Multiple cscript.exe files are launched every second or two in task manager. Having looked around the system the following files keep on appearing - in c:\WINNT\System32\wins I get a svchost.exe and WMI.vbs. In c:\WINNT\System32\WBEM\Logs a wbemprox.txt file. In c:\WINNT\System32 I keep on getting Perflid_Perfdata_1b8 (or 1bc or other combo) files. In C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\content.IE5\MBWSCNE3\ a Test[1] file keeps appearing. Also I have an idea that win.cfg in c:\WINNT and a few other security files might have been altered. I've managed to delete the offending files but they keep getting reinstalled. Spybot and Ad Aware can't find a thing, nor could PC Tools Anti-Virus. I've around about exhausted anything I can think of to eliminate this, further suggestions most welcome!
Cheers,
Mark

Logfile of HijackThis v1.99.1
Scan saved at 10:05:35, on 16/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Turnpike\Inverse\ARMon32a.exe
C:\PROGRA~1\Ontrack\Fix-It\mxserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\KM9801U\MMHotKey.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\KM9801U\HokHIDKC.EXE
C:\WINNT\system32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\kjgah5is.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%207%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\kjgah5is.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Program Files\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [KM9801U] C:\PROGRA~1\KM9801U\MMHotKey.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Inverse IP InSight Client (Demon) (InverseLaunchIPI_Demon) - Inverse Network Technology - C:\Turnpike\Inverse\LaunchIPI.exe
O23 - Service: Fix-It Utilities 2000 Task Manager (mxserver) - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxserver.exe
Spike95609 is offline  
Old 06-16-2006, 09:33 PM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Welcome to TSF.

Did you follow the steps here before you posted here?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

You don't seem to have an antivirus program installed. Download a free one at Grisoft http://free.grisoft.com/freeweb.php. Install it and make sure to check for updates.

You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. Download a free one at ZoneAlarm http://www.zonelabs.com.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you might get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on start update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/foru...howtutorial=61 ).

CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run Ewido now:
* Click on scanner and then Settings. Under 'What to scan' select 'Scan every file' and hit OK.
* Click on 'Complete System Scan' and the scan will begin.
* While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action with all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
* Once the scan has completed, there will be a button located on the bottom of the screen named 'Save report'.
* Click 'Save report'. Save it to your desktop.

Restart your computer to get back to Normal Mode. Post the Ewido report and a new HijackThis log here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 06-17-2006, 03:06 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 14
OS: Win 2000 Pro


Hi,
Thanks for the tips. I should have looked at those before posting really. I've done what you said but it hasn't changed anything. Ewido detected a few residues of old malware that was uninstalled years ago and rendered harmless. No, I don't have a firewall, probably a bit naive of me, but using Netscape and a rare email programme has almost always kept me free of these things just as well in the past. If I were to install a firewall, this would presumably stop the software being downloaded onto the system, would it? Because I can delete the files in safe mode, it's stopping them from coming back that's the problem.
Thanks for your help,
Mark

Logfile of HijackThis v1.99.1
Scan saved at 21:58:51, on 17/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Turnpike\Inverse\ARMon32a.exe
C:\PROGRA~1\Ontrack\Fix-It\mxserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\KM9801U\MMHotKey.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\KM9801U\HokHIDKC.EXE
C:\WINNT\system32\wins\svchost.exe
C:\WINNT\system32\cscript.exe
C:\Program Files\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\kjgah5is.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%207%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\kjgah5is.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Program Files\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [KM9801U] C:\PROGRA~1\KM9801U\MMHotKey.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O17 - HKLM\System\CCS\Services\Tcpip\..\{70E06126-4BC8-49D7-B718-6E305C18CE25}: NameServer = 158.152.1.58 158.152.1.43
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Inverse IP InSight Client (Demon) (InverseLaunchIPI_Demon) - Inverse Network Technology - C:\Turnpike\Inverse\LaunchIPI.exe
O23 - Service: Fix-It Utilities 2000 Task Manager (mxserver) - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxserver.exe
Spike95609 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
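The two HijackThis logs above show the indicator that finally gave this infection away: a process named svchost.exe running from C:\WINNT\system32\wins\ rather than from system32 itself, next to a cscript.exe instance. As an added example (Python, not code from the thread or from any of the tools it uses), the script below parses a HijackThis-style log and flags exactly that pattern: Windows system binaries running outside their home directory, script hosts present in the process list, and Run entries that launch scripts or point into temporary folders. The sample log is constructed and modelled on Mark's logs; the two suspicious O4 lines in it are invented for illustration (the thread's own logs do not show the persistence mechanism), and the system root defaults to C:\WINNT on the assumption that the machine is Windows 2000.

```python
"""Triage helper for HijackThis-style logs (added example, not the thread's
own tooling). It flags a Windows system binary running from a directory where
it does not belong, script hosts present in the process list, and Run entries
that launch scripts or point into temporary folders."""
import re
from typing import Dict, List

# NT5-era core binaries and the sub-directory of the system root they are
# expected to run from ("" means the system root itself).
SYSTEM_BINARIES = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",
}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SCRIPT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd)\b", re.IGNORECASE)
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_hjt(text: str) -> Dict[str, list]:
    """Pull the 'Running processes:' block and the O4 (Run key) lines out of a log."""
    processes: List[str] = []
    run_entries: List[Dict[str, str]] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # a blank line ends the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            run_entries.append(m.groupdict())
    return {"processes": processes, "run": run_entries}


def _split(path: str):
    directory, _, base = path.lower().rpartition("\\")
    return directory, base


def check_processes(processes: List[str], system_root: str = "C:\\WINNT") -> List[str]:
    """Flag system-binary names outside their home directory and any script host.
    system_root is an assumption (Windows 2000 default); pass C:\\WINDOWS for XP."""
    root = system_root.lower().rstrip("\\")
    findings = []
    for path in processes:
        directory, base = _split(path)
        if base in SYSTEM_BINARIES:
            expected = (root + "\\" + SYSTEM_BINARIES[base]).rstrip("\\")
            if directory != expected:
                findings.append(f"masquerade: {path} (expected under {expected})")
        if base in SCRIPT_HOSTS:
            findings.append(f"script host running: {path}")
    return findings


def check_run_entries(entries: List[Dict[str, str]]) -> List[str]:
    """Flag Run entries that launch scripts or live in temporary folders."""
    findings = []
    for e in entries:
        cmd = e["cmd"].lower()
        if SCRIPT_RE.search(cmd) or any(h in cmd for h in SCRIPT_HOSTS):
            findings.append(f"run entry [{e['name']}] launches a script: {e['cmd']}")
        if any(marker in cmd for marker in TEMP_MARKERS):
            findings.append(f"run entry [{e['name']}] points into a temporary folder: {e['cmd']}")
    return findings


def analyse(text: str, system_root: str = "C:\\WINNT") -> List[str]:
    parsed = parse_hjt(text)
    return check_processes(parsed["processes"], system_root) + check_run_entries(parsed["run"])


# Constructed sample, modelled on the thread's logs; the two O4 lines after
# QuickTime are invented to exercise the Run-entry checks.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wins\svchost.exe
C:\WINNT\system32\cscript.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WMI] cscript.exe C:\WINNT\system32\wins\WMI.vbs
O4 - HKCU\..\Run: [Test] C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\XXXX\test[1].exe
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The path check is deliberately strict (exact directory match, case-insensitive) because the whole point of this family of malware is to reuse a trusted file name in an almost-right location; a looser substring match on "system32" would have passed the wins\svchost.exe entry. Note that cscript.exe in its legitimate directory still gets reported, since on a home machine a persistently running script host is itself worth a look even when its path is fine.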
Old 06-17-2006, 05:53 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Let's see what Panda can find:

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 06-18-2006, 05:21 AM   #5 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 14
OS: Win 2000 Pro


Excellent programme; it's the first one to actually detect any of the files being used. It's disinfected a few things, though I can't say whether this has had any effect yet as it's midday now and for some reason it never starts playing up until after 5pm.


Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\Default User\b4gijska.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\DHickman-21\6048pu3y.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\DHickman-22\0ouxyrlg.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\DHickman-9\8mxa51p9.slt\cookies.txt[.atwola.com/]
Virus:Bck/PortGate.A Renamed C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0A2LDW6P\test[1].exe
Virus:W32/DcBot.A.worm Disinfected C:\WINNT\system32\kernel32.ime
Adware:Adware/StatBlaster Not disinfected C:\WINNT\system32\O
Virus:W32/DcBot.A.worm Disinfected C:\WINNT\system32\remote.exe
Virus:Bck/PortGate.A Renamed C:\WINNT\system32\wins\svchost.exe
Virus:Trj/Downloader.JDS Disinfected C:\WINNT\system32\wins\WMI.vbe
Spike95609 is offline  
Old 06-18-2006, 05:15 PM   #6 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Delete these if still found:

C:\WINNT\system32\O
C:\WINNT\system32\wins


Restart. Does that wins folder still return in c:\windows\system32? If so, let's try running this scan also:

Make sure you turn off any antivirus programs you have running while performing the online scan below. Using Internet Explorer, run a virus scan at http://www.kaspersky.com/virusscanner. Click on 'Launch Kaspersky Anti-Virus Web Scanner' and install the ActiveX component from Kaspersky. Click Yes and it will begin downloading the latest definition files. Once that's done, click on 'Scan Settings' and make sure the following are selected:

Scan using the following Anti-Virus database:
- Extended

Scan Options:
- Scan Archives
- Scan Mail Bases

Click OK. Now under 'Select a target to scan', select 'My Computer'. It will start and scan your system. The scan will take a while, so be patient and let it run. Once the scan is complete it will display whether your system has been infected. Now click on the 'Save as Text' button. Save the file to your desktop. Copy and paste that information in your next post.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 06-19-2006, 04:35 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 14
OS: Win 2000 Pro


A bit of a disappointing day. The computer went 24 hours without any signs of anything being amiss; now I'm back to square one again. I've deleted the System32/wins directory and it has not come back. But those perflib data files eventually appeared in System32 again, followed by an NTMSJRNL in the System32/Ntmsdata directory. And now I have a test.exe file in System32 which is doing the same thing as the old svchost.exe file did in the wins directory - constantly uploading information, etc. I ran Kaspersky and got the following.

Number of viruses found: 1
Number of infected objects: 0
Number of suspicious objects: 4
Duration of the scan process: 00:34:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS11.zip/125316.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS16.zip/125316.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS16.zip ZIP: suspicious - 1 skipped

cheers,
Mark
Spike95609 is offline  
Old 06-19-2006, 05:57 PM   #8 (permalink)
Analyst, Security Team
 
greyknight17's Avatar
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Go into Spybot->Recovery and check all those entries there and hit the Purge button.

Please download WebRoot SpySweeper from HERE (It's a 14 day trial):
  • Click the Download now link on the right to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu".  Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, disconnect from the internet.
  • Click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 06-20-2006, 05:35 AM   #9 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 14
OS: Win 2000 Pro


Hi,
I've done all that and it has removed a pile of things. Not sure if they're connected though as the test.exe and other files were still in place afterwards. I've deleted these myself in case that makes any difference, though I suspect they'll be reinstalled later on. Anyway the log is as follows:

********
11:39: | Start of Session, 20 June 2006 |
11:39: Spy Sweeper started
11:39: Sweep initiated using definitions version 702
11:39: Starting Memory Sweep
11:43: Memory Sweep Complete, Elapsed Time: 00:04:08
11:43: Starting Registry Sweep
11:43: Found Adware: coolwebsearch (cws)
11:43: HKCR\interface\{cf021f3f-3e14-23a5-cba2-7173706d1316}\ (8 subtraces) (ID = 108399)
11:43: HKLM\software\classes\interface\{cf021f3f-3e14-23a5-cba2-7173706d1316}\ (8 subtraces) (ID = 109777)
11:43: HKLM\software\classes\typelib\{cf021f32-3e14-23a5-cba2-7173706d1316}\ (9 subtraces) (ID = 109804)
11:43: HKCR\typelib\{cf021f32-3e14-23a5-cba2-7173706d1316}\ (9 subtraces) (ID = 112511)
11:43: Found Adware: cws-aboutblank
11:43: HKLM\software\classes\wer1316.wer1316\ (3 subtraces) (ID = 115921)
11:43: HKCR\wer1316.wer1316\ (3 subtraces) (ID = 116781)
11:43: Found Adware: purityscan
11:43: HKCR\interface\{cf021f3f-3e14-23a5-cba2-717765721316}\ (8 subtraces) (ID = 137350)
11:43: HKLM\software\classes\interface\{cf021f3f-3e14-23a5-cba2-717765721316}\ (8 subtraces) (ID = 137681)
11:43: HKLM\software\classes\typelib\{cf021f32-3e14-23a5-cba2-717765721316}\ (9 subtraces) (ID = 137690)
11:43: HKLM\software\classes\wer1316.wer1316.1\ (3 subtraces) (ID = 137694)
11:43: HKCR\typelib\{cf021f32-3e14-23a5-cba2-717765721316}\ (9 subtraces) (ID = 139094)
11:44: HKU\S-1-5-21-1614895754-492894223-839522115-500\software\microsoft\windows\currentversion\explorer\browser helper objects\{cf021f40-3e14-23a5-cba2-7173706d1316}\ (ID = 112121)
11:44: HKU\S-1-5-21-1614895754-492894223-839522115-500\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
11:44: HKU\S-1-5-21-1614895754-492894223-839522115-500\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
11:44: Found Adware: edipol alloticket dialer
11:44: HKU\S-1-5-21-1614895754-492894223-839522115-500\software\visio ras script\ (9 subtraces) (ID = 125646)
11:44: HKU\S-1-5-21-1614895754-492894223-839522115-500\software\microsoft\windows\currentversion\explorer\browser helper objects\{cf021f40-3e14-23a5-cba2-717765721316}\ (ID = 137948)
11:44: Found Adware: sidesearch
11:44: HKU\S-1-5-21-1614895754-492894223-839522115-500\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
11:44: HKU\S-1-5-21-1614895754-492894223-839522115-500\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
11:44: Registry Sweep Complete, Elapsed Time:00:00:15
11:44: Starting Cookie Sweep
11:44: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:44: Starting File Sweep
11:44: Found Trojan Horse: 2nd-thought
11:44: c:\program files\common files\slmss (ID = -2147481537)
12:05: Found Adware: aureate-radiate
12:05: advert.dll (ID = 50290)
12:29: Warning: Unhandled Archive Type
12:30: File Sweep Complete, Elapsed Time: 00:45:51
12:30: Full Sweep has completed. Elapsed time 00:50:17
12:30: Traces Found: 106
12:30: Removal process initiated
12:30: Quarantining All Traces: 2nd-thought
12:30: Quarantining All Traces: cws-aboutblank
12:30: Quarantining All Traces: purityscan
12:30: Quarantining All Traces: coolwebsearch (cws)
12:30: Quarantining All Traces: sidesearch
12:30: Quarantining All Traces: aureate-radiate
12:30: Quarantining All Traces: edipol alloticket dialer
12:30: Removal process completed. Elapsed time 00:00:14
********
11:37: | Start of Session, 20 June 2006 |
11:37: Spy Sweeper started
11:38: Your spyware definitions have been updated.
11:39: | End of Session, 20 June 2006 |
Spike95609 is offline  
Old 06-20-2006, 07:17 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista


Hello Mark,

Let's see if this tool will provide any insight into what is holding those folders in place.

Download WinPFind and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan a large number of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found. Save that log and post it here.

Restart one more time back into Normal Mode, run a scan with HijackThis and save the log to post here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-21-2006, 04:04 AM   #11 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 14
OS: Win 2000 Pro


Hello,
Thanks for chipping in! I've run the scan, which took only 10 minutes, surprisingly enough; all the others lasted about an hour. Anyway, it says:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 21/06/2006 10:37:14 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PECompact2 08/06/2006 18:19:52 5967776 C:\WINNT\SYSTEM32\MRT.exe
aspack 08/06/2006 18:19:52 5967776 C:\WINNT\SYSTEM32\MRT.exe
Umonitor 19/06/2003 20:05:04 529168 C:\WINNT\SYSTEM32\RASDLG.DLL
winsync 08/05/2001 13:00:00 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PEC2 26/11/1999 04:43:50 830748 C:\WINNT\SYSTEM32\drivers\winacpci.sys

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
18/06/2006 16:49:08 H 1012280 C:\WINNT\ShellIconCache
21/06/2006 10:38:20 S 64 C:\WINNT\CSC\00000001
17/06/2006 13:00:10 S 64 C:\WINNT\CSC\00000002
27/04/2006 18:42:58 S 64 C:\WINNT\CSC\csc1.tmp
21/06/2006 10:33:36 H 1024 C:\WINNT\system32\config\default.LOG
21/06/2006 10:41:18 H 1024 C:\WINNT\system32\config\SAM.LOG
21/06/2006 10:39:28 H 1024 C:\WINNT\system32\config\SECURITY.LOG
21/06/2006 10:43:58 H 1024 C:\WINNT\system32\config\software.LOG
21/06/2006 10:38:20 H 6 C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 08/05/2001 13:00:00 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 19/06/2003 20:05:04 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 24/08/2000 01:56:00 228352 C:\WINNT\SYSTEM32\CTDetect.cpl
Microsoft Corporation 19/06/2003 20:05:04 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 08/05/2001 13:00:00 31504 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 08/05/2001 13:00:00 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 08:14:40 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 08/05/2001 13:00:00 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 08/05/2001 13:00:00 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 30/10/2001 09:10:00 326144 C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems 20/02/2003 17:42:34 229487 C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 08/05/2001 13:00:00 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 08/05/2001 13:00:00 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Ontrack Data International 15/08/2002 23:26:38 32768 C:\WINNT\SYSTEM32\mxctlpnl.cpl
Microsoft Corporation 08/05/2001 13:00:00 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 08/05/2001 13:00:00 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 26/08/2002 11:11:40 36864 C:\WINNT\SYSTEM32\odbccp32.cpl
Autodesk, Inc. 23/04/2001 01:35:46 454718 C:\WINNT\SYSTEM32\plotman.cpl
Sun Microsystems 06/05/2001 12:14:22 24665 C:\WINNT\SYSTEM32\plugincpl131.cpl
Sun Microsystems 01/11/2002 20:15:54 45175 C:\WINNT\SYSTEM32\plugincpl140_03.cpl
Microsoft Corporation 19/06/2003 20:05:04 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 14/12/2003 10:20:50 323072 C:\WINNT\SYSTEM32\QuickTime.cpl
Microsoft Corporation 19/06/2003 20:05:04 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Autodesk, Inc. 23/04/2001 01:35:50 454719 C:\WINNT\SYSTEM32\styleman.cpl
Microsoft Corporation 19/06/2003 20:05:04 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 08/05/2001 13:00:00 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 08/05/2001 13:00:00 61200 C:\WINNT\SYSTEM32\timedate.cpl
Corel Corporation 07/11/1997 06:24:16 102400 C:\WINNT\SYSTEM32\verscpl.cpl
Microsoft Corporation 19/06/2003 20:05:04 54272 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 29/08/2002 08:14:40 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation 23/09/1999 18:44:36 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 08/05/2001 13:00:00 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 26/08/2002 11:11:40 36864 C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{B63FCD5A-2396-11D1-B762-00A0C90646A4} = C:\Corel\Graphics8\programs\CMFFnd80.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\Ontrack\Fix-It\mxctxmnu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerArchiver
{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} = C:\Program Files\PowerArchiver\PASHLEXT.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467} = C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VersionsMenu
{03170921-4754-11cf-AB9A-00C0F00683EB} = C:\COREL\Versions\CVersion.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\Winzip\wzshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{969223C0-26AA-11D0-90EE-444553540000}
= pgpmn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\Ontrack\Fix-It\mxctxmnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerArchiver
{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} = C:\Program Files\PowerArchiver\PASHLEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467} = C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\VersionsMenu
{03170921-4754-11cf-AB9A-00C0F00683EB} = C:\COREL\Versions\CVersion.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\Winzip\wzshlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{969223C0-26AA-11D0-90EE-444553540000}
= pgpmn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\Ontrack\Fix-It\mxctxmnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\FolderToCorelMediaFolder
{0FBF99C1-4127-11D1-B1E6-C17E96D9180A} = C:\Corel\Graphics8\programs\CMFFld80.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\Winzip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\system32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\system32\msdxm.ocx
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
Register MediaRing Talk C:\Program Files\MediaRing Talk\register.exe
KM9801U C:\PROGRA~1\KM9801U\MMHotKey.EXE
AdaptecDirectCD "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
SpeedTouch USB Diagnostics "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
updateMgr "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
CDRAutoRun 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 21/06/2006 10:47:08



Hijack This scan goes:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:58, on 21/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Turnpike\Inverse\ARMon32a.exe
C:\PROGRA~1\Ontrack\Fix-It\mxserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\KM9801U\MMHotKey.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\KM9801U\HokHIDKC.EXE
C:\Program Files\Netscape\Netscape 7\Netscp.exe
C:\Program Files\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\kjgah5is.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%207%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\kjgah5is.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Program Files\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [KM9801U] C:\PROGRA~1\KM9801U\MMHotKey.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{70E06126-4BC8-49D7-B718-6E305C18CE25}: NameServer = 158.152.1.58 158.152.1.43
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Inverse IP InSight Client (Demon) (InverseLaunchIPI_Demon) - Inverse Network Technology - C:\Turnpike\Inverse\LaunchIPI.exe
O23 - Service: Fix-It Utilities 2000 Task Manager (mxserver) - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxserver.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


By the way, I've had a thought. In the System32 directory I keep on getting perflib_perfdata_1c0 (or 1bc or some other combo) files appearing; I've only had these since this virus thing appeared. The most recent one of these files is always "in use" by something so I can't delete it, but the earlier ones can be removed. They can all be taken off in safe mode, though. Interestingly, these only really seem to reappear when I have removed them all and then load Netscape for the first time. They appear in the directory at exactly that moment. Is it possible that some part of Netscape could have been hacked and it's this that's constantly reinstalling everything? As soon as I wipe the test/svchost files off the system and everything looks normal, the first sign that they're coming back is these Perflib files, and the test/svchost files are never far behind them. Perhaps I should remove Netscape and reinstall it?
Cheers,
Mark
Old 06-21-2006, 09:09 AM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista


Hi Spike,

Those perflib_perfdata files are not malicious. See Microsoft for an explanation.


Dr Web seems to be the only other scanner that will detect kernel32.ime that Panda saw, but didn't disinfect. I'd like to give Dr Web a try and see if it will clean this out for us.

Download Dr.Web CureIt and save it to your desktop. We shall be using it later.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found:
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! Files in use may be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously in your next reply.

** The scan would require at least an hour.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 06-21-2006, 12:14 PM   #13 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 14
OS: Win 2000 Pro


Hello,
Thanks for that! I've got the following from the log:

remote.exe;C:\WINNT\system32;BackDoor.IRC.Play;Deleted.;
test[1].exe;C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0A2LDW6P;Win32.HLLW.Udu;Deleted.;
test[1]_exe.vir;C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0A2LDW6P;Win32.HLLW.Udu;Deleted.;

The kernel32 was detected and moved. Too early to say whether anything has changed, this virus seems to have a habit of turning up in its own good time.
Cheers,
Mark
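The two scan-report formats posted in this thread, the HijackThis "Oxx" entries and the semicolon-delimited DrWeb.csv rows, as an added Python example. This is not code from the thread, from HijackThis or from Dr.Web: the class and function names are mine, the field layout of DrWeb.csv is inferred from the three rows posted above, and the sample lines are copied from the logs in this thread. It parses both formats into records and flags the entries a log reader checks first: objects still registered but with no file on disk, and Run entries whose image is named without a full path.

```python
"""Parse HijackThis 'Oxx' lines and Dr.Web CureIt DrWeb.csv rows into records
and flag the entries worth a closer look (added example, not the thread's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the HijackThis v1.99.1 log posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
"""

# Sample input: the three Dr.Web CureIt report rows posted in this thread.
DRWEB_SAMPLE = r"""
remote.exe;C:\WINNT\system32;BackDoor.IRC.Play;Deleted.;
test[1].exe;C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0A2LDW6P;Win32.HLLW.Udu;Deleted.;
test[1]_exe.vir;C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0A2LDW6P;Win32.HLLW.Udu;Deleted.;
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HJT_LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")


@dataclass
class HjtEntry:
    kind: str                       # e.g. "O2", "O4", "O23"
    name: str                       # display name or Run value name
    path: str                       # image path, or "(no file)" for orphans
    clsid: Optional[str] = None     # GUID where the entry carries one
    flags: List[str] = field(default_factory=list)


@dataclass
class DrWebHit:
    filename: str
    directory: str
    detection: str
    action: str


def image_path(command: str) -> str:
    """Return the executable part of a Run command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis line; returns None for headers, process paths and unknown lines."""
    m = HJT_LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":
        m4 = O4_RE.match(body)
        if not m4:
            return None
        entry = HjtEntry(kind, m4.group("name"), image_path(m4.group("cmd")))
        # A bare file name is resolved through the search path at logon, so the
        # reviewer should confirm which copy actually runs.
        if "\\" not in entry.path and ":" not in entry.path:
            entry.flags.append("unqualified image name")
        return entry
    # Other kinds read 'Label: name - [clsid -] [company -] path'. A path that itself
    # contained ' - ' would confuse this split; assumption: HijackThis paths do not.
    parts = [p.strip() for p in body.split(" - ")]
    _label, _, name = parts[0].partition(": ")
    entry = HjtEntry(kind, name, parts[-1] if len(parts) > 1 else "")
    clsid = CLSID_RE.search(body)
    entry.clsid = clsid.group(0) if clsid else None
    # '(no file)' means the registry still points at an object whose file is gone:
    # an orphan to remove, like the unnamed BHO in the log above.
    if entry.path == "(no file)":
        entry.flags.append("orphan: registered object with no file on disk")
    return entry


def parse_hjt_log(text: str) -> List[HjtEntry]:
    return [e for e in map(parse_hjt_line, text.splitlines()) if e is not None]


def orphans(entries: List[HjtEntry]) -> List[HjtEntry]:
    return [e for e in entries if e.path == "(no file)"]


def parse_drweb_csv(text: str) -> List[DrWebHit]:
    """Each row is 'filename;directory;detection;action;' with a trailing separator."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) >= 4:
            hits.append(DrWebHit(*fields[:4]))
    return hits


if __name__ == "__main__":
    for e in parse_hjt_log(HJT_SAMPLE):
        mark = " <-- " + "; ".join(e.flags) if e.flags else ""
        print(f"{e.kind:4} {e.name!r:36} {e.path}{mark}")
    for h in parse_drweb_csv(DRWEB_SAMPLE):
        print(f"{h.detection:20} {h.action:10} {h.directory}\\{h.filename}")
```

Running it prints one line per HijackThis entry, marking the nameless BHO as an orphan and the bare `mobsync.exe` Run value as an unqualified image name, followed by the three Dr.Web verdicts.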
Old 06-21-2006, 12:24 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista


Ok Mark, I'll leave this open and await an update from you.

In the meantime, please download and install these programs for added protection:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install and update SpywareBlaster with the latest definitions. After you have updated, click the button "enable protection for all unprotected items".

Download Spyware Guard to catch and block spyware before it can execute.

Add a Firewall as well to give you better control over what is trying to access your system as well as programs that are trying to send information out. Use the links greyknight17 gave you. ZoneAlarm Free works quite well and is very user friendly.
Old 06-22-2006, 10:23 AM   #15 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 14
OS: Win 2000 Pro


Well, 24 hours later and everything sort of seems to be okay. I'll not draw breath for at least another week though... I do have an NTMSJRNL file reinstalled in the System32/NtmsData folder. So far as I'm aware this first appeared with the virus, and from a search for it on Google it would appear to be a spyware file. Hopefully it's just a helpless fragment that won't bother me. I'll wait and see what happens. All being well, thank you very much for all your help on this; I'd have been quite stuffed without you! But if all turns out to be bad then I'll be back here right away!
Cheers,
Mark
Old 06-22-2006, 08:53 PM   #16 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Upload that NTMSJRNL file to http://virusscan.jotti.org and report back what it found. What else is in that NtmsData folder?
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

Old 06-23-2006, 02:59 PM   #17 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 14
OS: Win 2000 Pro


Hi,
I ran it through Virus Scan and it didn't find anything. Actually I'm not entirely sure what this file is. Google says it's spyware and it may well be, but I don't think it's connected to the virus I had. I thought it was a file that was created at exactly the same time, but it appears to delete itself with each shut down and reinstalls itself some time later. So for all I know it could have been on the system for years. The NtmsData folder just holds four normal system files, I think they're all connected to AutoCAD - NTMSDATA, NTMSDAKA.bak, NTMSIDX, and NTMSREG. I have another computer that isn't connected to the internet at all and so can't be infected, but it also runs AutoCAD and all of these files are present, but not the NTMSJRNL that appears on this computer now and again. Thinking about it, perhaps it is also an AutoCAD file and nothing to worry about?

Anyway some 50 hours have passed and there's no sign of any badness returning to this computer. It'll take me a week and a half before I'm able to breathe again, but I think it's probably safe now! Once again, thanks ever so much for your help.
Mark
Copyright 2001 - 2009, Tech Support Forum