07-15-2005, 11:26 AM   #1 (permalink)
quest7 (Registered User)


TR/startpage.215 in WIN ME

Trying to clean a puter that had TR/dldr.wren. Ran Spybot, Ad-Aware, TDS3, HijackThis & AntiVir ver6 in safe mode. Now I only keep getting the "startpage" detection and I can't install programs. Any ideas would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 11:31:03 AM, on 7/15/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\UTILTIES\HIJACKTHIS1991.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\2PORTALMON.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [Yahoo HP Reminder 1.0] C:\PROGRAM FILES\YAHOO!\YIP2\HP\ENCWAR\PROGRAM\YR.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab



________________________________________________________________

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
Finished
bye

07-15-2005, 11:27 AM   #2 (permalink)
quest7 (Registered User)


TDS3 log

05:42:13 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
05:42:14 [Init] Started 13-07-05 05:42:14 Central Standard Time (UTC: 6), Internet Time @487.66
05:42:14 [Init] Loading TDS-3 Systems ...
05:42:14 [Init] Token successfully adjusted.
05:42:14 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
05:42:14 [Init] • Plugins : OK. Loaded 13
05:42:14 [Init] • Exec Protection : Not Installed
05:42:14 [Init] WARNING: Your Radius.TD3 database needs to be updated!
05:42:14 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
05:42:14 [Init] Licensed users can use the Update facility from the TDS menu
05:42:14 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
05:42:37 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
05:42:37 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
05:42:37 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
05:42:49 [Init] TDS-3 Ready. <@0.0.0.0, 127.0.0.1, 207.152.69.168 - us>
05:42:49 [Tip Of The Day] Did you know? - TDS-3 is the only anti-trojan system that can detect trojans by scanning inside the memory space of processes
05:42:49 [TDS] Good morning Operator, all systems are ready.
05:43:03 [Mutex Memory Scan] Started...
05:43:05 [Mutex Memory Scan] Finished (no trojan mutexes found).
05:43:05 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
06:07:30 [Quit] Unloading ...
06:15:44 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
06:15:44 [Init] Started 13-07-05 06:15:44 Central Standard Time (UTC: 6), Internet Time @510.93
06:15:44 [Init] Loading TDS-3 Systems ...
06:15:44 [Init] Token successfully adjusted.
06:15:44 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
06:15:44 [Init] • Plugins : OK. Loaded 13
06:15:44 [Init] • Exec Protection : Not Installed
06:15:45 [Init] WARNING: Your Radius.TD3 database needs to be updated!
06:15:45 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
06:15:45 [Init] Licensed users can use the Update facility from the TDS menu
06:15:45 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
06:16:24 [Init] Started - verifying 29 files ...
06:16:24 [Init] File doesn't exist: C:\autoexec.bat
06:16:25 [Init] File doesn't exist: C:\WINDOWS\System\cmd.exe
06:16:26 [Init] File doesn't exist: C:\WINDOWS\System\netstat.exe
06:16:26 [Init] File doesn't exist: C:\WINDOWS\System\drwatson.exe
06:16:27 [Init] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
06:16:27 [Init] File doesn't exist: C:\WINDOWS\System\rundll32.exe
06:16:28 [Init] File doesn't exist: C:\WINDOWS\System\sysedit.exe
06:16:28 [Init] File doesn't exist: C:\WINDOWS\System\taskman.exe
06:16:40 [Init] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
06:16:40 [Init] File doesn't exist: C:\WINDOWS\System\winlogon.exe
06:16:41 [Init] File doesn't exist: C:\WINDOWS\System\regedt32.exe
06:16:41 [Init] File doesn't exist: C:\WINDOWS\System\regsvr32.exe
06:16:42 [Init] File doesn't exist: C:\WINDOWS\System\netmsg.dll
06:16:42 [Init] File doesn't exist: C:\WINDOWS\System\winsock.dll
06:16:57 [Init] Test finished.
06:16:57 [Init] Memory scan started, please wait a moment ...
06:16:59 [Init] Memory scan complete.
06:16:59 [Init] Started...
06:17:01 [Init] Finished (no trojan mutexes found).
06:17:01 [Init] Started...
06:17:32 [Init] Finished.
06:17:32 [Init] Scanning for services and drivers ...
06:17:33 [Init] Scanned 21 services and drivers.
06:17:33 [Init] Scanning in A:\ ...
06:17:35 [Init] Scanned 0 files: 0 alarms in 2.029297 seconds (Avg 1. files/sec)
06:17:35 [Init] Scanning in C:\ ...
06:57:35 [Init] Scanned 27070 files: 9 alarms in 2400.191 seconds (Avg 12.28 files/sec)
06:57:37 [Init] Finished.
06:57:37 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
06:57:37 [Init] • Systems Initialised [60267 references - 32164 primaries/15781 traces/12322 variants/other]
06:57:37 [Init] Radius Systems loaded. <Databases updated 13-07-2005>
06:57:38 [Init] TDS-3 Ready. <@127.0.0.1 - us>
06:57:39 [Tip Of The Day] If you're suspicious about a certain file, use the String Extractor (from the Utilities menu). This will run through the file and strip out ANSI strings of 5 characters or more in length, enabling you in some cases to get a better 'view' of the file.
06:57:39 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
06:57:40 [TDS] Good morning Operator. You're up early?
06:57:45 [Mutex Memory Scan] Started...
06:57:48 [Mutex Memory Scan] Finished (no trojan mutexes found).
06:57:48 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
07:02:21 [Quit] Unloading ...
11:50:16 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
11:50:16 [Init] Started 13-07-05 11:50:16 Central Standard Time (UTC: 6), Internet Time @743.24
11:50:16 [Init] Loading TDS-3 Systems ...
11:50:16 [Init] Token successfully adjusted.
11:50:16 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
11:50:16 [Init] • Plugins : OK. Loaded 13
11:50:16 [Init] • Exec Protection : Not Installed
11:50:16 [Init] WARNING: Your Radius.TD3 database needs to be updated!
11:50:16 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
11:50:16 [Init] Licensed users can use the Update facility from the TDS menu
11:50:17 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
11:50:38 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
11:50:38 [Init] • Systems Initialised [60267 references - 32164 primaries/15781 traces/12322 variants/other]
11:50:38 [Init] Radius Systems loaded. <Databases updated 13-07-2005>
11:50:39 [Init] TDS-3 Ready. <@127.0.0.1 - us>
11:50:39 [Tip Of The Day] Keyboard shortcuts exist to save time and mouse movement. For example, to resolve an IP address to its more human-readable DNS address, instead of clicking on the Target Host menu, then ICMP submenu, then Resolve, you can simply press Ctrl+R
11:50:39 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
11:50:39 [TDS] Good morning Operator.
11:50:42 [Mutex Memory Scan] Started...
11:50:44 [Mutex Memory Scan] Finished (no trojan mutexes found).
11:50:44 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
11:52:02 [CRC32] Started - verifying 29 files ...
11:52:03 [CRC32] File doesn't exist: C:\autoexec.bat
11:52:08 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe
11:52:08 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe
11:52:09 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe
11:52:09 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
11:52:10 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe
11:52:10 [CRC32] File doesn't exist: C:\WINDOWS\System\sysedit.exe
11:52:11 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe
11:52:24 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
11:52:24 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe
11:52:25 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe
11:52:26 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll
11:52:27 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll
11:52:40 [CRC32] Test finished.
11:52:41 [Memory Scan] Memory scan started, please wait a moment ...
11:52:44 [Memory Scan] Memory scan complete.
11:52:44 [Mutex Memory Scan] Started...
11:52:45 [Mutex Memory Scan] Finished (no trojan mutexes found).
11:52:45 [Trace Scan] Started...
11:53:17 [Trace Scan] Finished.
11:53:17 [Service\Driver Scan] Scanning for services and drivers ...
11:53:17 [Service\Driver Scan] Scanned 21 services and drivers.
11:53:17 [File Scan] Scanning in A:\ ...
11:53:19 [File Scan] Scanned 0 files: 0 alarms in 1.980469 seconds (Avg 1. files/sec)
11:53:19 [File Scan] Scanning in C:\ ...
12:32:51 [File Scan] Scanned 27869 files: 0 alarms in 2371.789 seconds (Avg 12.75 files/sec)
12:32:52 [Scan] Finished.
12:33:01 [Quit] Unloading ...
18:28:52 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
18:28:52 [Init] Started 13-07-05 18:28:52 Central Standard Time (UTC: 6), Internet Time @1020.05
18:28:52 [Init] Loading TDS-3 Systems ...
18:28:52 [Init] Token successfully adjusted.
18:28:52 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
18:28:52 [Init] • Plugins : OK. Loaded 13
18:28:52 [Init] • Exec Protection : Not Installed
18:28:52 [Init] WARNING: Your Radius.TD3 database needs to be updated!
18:28:52 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
18:28:52 [Init] Licensed users can use the Update facility from the TDS menu
18:28:53 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
18:29:05 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
18:29:05 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
18:29:05 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
18:29:05 [Init] TDS-3 Ready. <@127.0.0.1 - us>
18:29:06 [Tip Of The Day] The Target Host menu is dedicated to finding out information about remote computers, from backdoors to system information to network positioning.
18:29:06 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
18:29:06 [TDS] Good evening Operator. What time do you finish work tonight?
18:29:08 [Mutex Memory Scan] Started...
18:29:10 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:29:10 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
18:29:40 [CRC32] Started - verifying 29 files ...
18:29:41 [CRC32] File doesn't exist: C:\autoexec.bat
18:29:47 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe
18:29:47 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe
18:29:51 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe
18:29:52 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
18:29:57 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe
18:29:57 [CRC32] File doesn't exist: C:\WINDOWS\System\sysedit.exe
18:29:58 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe
18:30:09 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
18:30:09 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe
18:30:10 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe
18:30:10 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll
18:30:11 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll
18:30:11 [CRC32] Test finished.
18:30:26 [Memory Scan] Memory scan started, please wait a moment ...
18:30:28 [Memory Scan] Memory scan complete.
18:30:28 [Mutex Memory Scan] Started...
18:30:30 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:30:30 [Trace Scan] Started...
18:32:03 [Trace Scan] Finished.
18:32:03 [Service\Driver Scan] Scanning for services and drivers ...
18:32:04 [Service\Driver Scan] Scanned 21 services and drivers.
18:32:04 [File Scan] Scanning in A:\ ...
18:32:06 [File Scan] Scanned 0 files: 0 alarms in 2.09375 seconds (Avg 1. files/sec)
18:32:06 [File Scan] Scanning in C:\ ...
18:32:52 [File Scan] Scanned 814 files: 0 alarms in 45.64063 seconds (Avg 18.83 files/sec)
18:32:52 [Scan] Finished.
18:32:59 [Quit] Unloading ...
18:34:25 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
18:34:25 [Init] Started 13-07-05 18:34:25 Central Standard Time (UTC: 6), Internet Time @1023.90
18:34:25 [Init] Loading TDS-3 Systems ...
18:34:25 [Init] Token successfully adjusted.
18:34:25 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
18:34:25 [Init] • Plugins : OK. Loaded 13
18:34:25 [Init] • Exec Protection : Not Installed
18:34:25 [Init] WARNING: Your Radius.TD3 database needs to be updated!
18:34:25 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
18:34:25 [Init] Licensed users can use the Update facility from the TDS menu
18:34:26 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
18:34:38 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
18:34:38 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
18:34:38 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
18:34:38 [Init] TDS-3 Ready. <@127.0.0.1 - us>
18:34:39 [Tip Of The Day] Visit the TDS-3 Operator discussion forum! Just press F5 on your keyboard, or click FORUM from the Help menu http://www.diamondcs.com.au/forum/
18:34:39 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
18:34:39 [TDS] Good evening Operator.
18:34:41 [Mutex Memory Scan] Started...
18:34:43 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:34:43 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
18:35:00 [CRC32] Started - verifying 29 files ...
18:35:01 [CRC32] File doesn't exist: C:\autoexec.bat
18:35:01 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe
18:35:02 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe
18:35:02 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe
18:35:03 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
18:35:03 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe
18:35:14 [CRC32] File doesn't exist: C:\WINDOWS\System\sysedit.exe
18:35:15 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe
18:35:16 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
18:35:16 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe
18:35:30 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe
18:35:31 [Memory Scan] Memory scan started, please wait a moment ...
18:35:33 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll
18:35:33 [Memory Scan] Memory scan complete.
18:35:33 [Mutex Memory Scan] Started...
18:35:33 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll
18:35:34 [CRC32] Test finished.
18:35:35 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:35:35 [Trace Scan] Started...
18:35:58 [Trace Scan] Finished.
18:35:59 [Service\Driver Scan] Scanning for services and drivers ...
18:35:59 [Service\Driver Scan] Scanned 21 services and drivers.
18:35:59 [File Scan] Scanning in A:\ ...
18:36:01 [File Scan] Scanned 0 files: 0 alarms in 1.984375 seconds (Avg 1. files/sec)
18:36:01 [File Scan] Scanning in C:\ ...
19:10:22 [File Scan] Scanned 27980 files: 0 alarms in 2060.75 seconds (Avg 14.58 files/sec)
19:10:23 [Scan] Finished.
19:15:37 [Quit] Unloading ...
07-15-2005, 11:36 AM   #3 (permalink)
quest7 (Registered User)


Silent Runners log

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"Hidserv" = "Hidserv.exe run" [MS]
"HPScanPatch" = "C:\WINDOWS\SYSTEM\HPScanFix.exe" ["Hewlett-Packard Company"]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"Delay" = "C:\WINDOWS\delayrun.exe" [null data]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"YBrowser" = "C:\Program Files\Yahoo!\browser\ybrwicon.exe" ["Yahoo!, Inc."]
"IPInSightMonitor 01" = ""C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"" ["Visual Networks"]
"2wSysTray" = "C:\PROGRAM FILES\2WIRE\2PORTALMON.EXE" ["2Wire, Inc."]
"HP Software Update" = ""C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"HP Component Manager" = ""C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\SYSTEM\hpztsb09.exe" ["HP"]
"DeviceDiscovery" = "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"AVGCtrl" = "C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min" ["H+BEDV Datentechnik GmbH"]
"CreateCD50" = "C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r" ["Roxio"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"Yahoo HP Reminder 1.0" = "C:\PROGRAM FILES\YAHOO!\YIP2\HP\ENCWAR\PROGRAM\YR.EXE" ["Yahoo! Inc."]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL" ["Yahoo! Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ADAPTEC\EASYCD~1\DIRECTCD\SHELLEX.DLL" ["Roxio"]
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" = "Explorer Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\BROWSEUI.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL" ["Yahoo! Inc."]
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\TDS3SHL.DLL" ["("]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\TDS3SHL.DLL" ["("]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]


System Policies [Description]:
------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoActiveDesktopChanges"=dword:00000001
[prevents changes to Active Desktop configuration; removes
Display Properties|Web (tab)]

HIJACK WARNING! "NoDispBackgroundPage"=dword:00000001
[removes Display Properties, Background (tab)]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Plus!.bmp"


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\UNDERW~2.SCR" (Underwater.scr) [MS]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"RegistryMedicAuotScan" -> launches: "C:\PROGRAM FILES\REGISTRY MEDIC\RegMedical.exe -S" ["Iomatic"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2499216C-4BA5-11D5-BD9C-000103C116D5}\
"ButtonText" = "Yahoo! Login"
"MenuText" = "Yahoo! Login"
"CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/WINDOWS/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 15 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 15 seconds.
---------- (total run time: 60 seconds)
07-15-2005, 06:52 PM   #4 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)


Hello quest7 and welcome to TSF,

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\RMAgentOutput.dll

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Using Windows Explorer, delete the following Files indicated in RED if it still exists:

C:\WINDOWS\RMAgentOutput.dll

Reboot into Normal Mode.

Run an online scan at http://www.pandasoftware.com/activescan/ and save the results from the scan.

Restart and post a new HijackThis log along with the results from ActiveScan.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-18-2005, 09:04 AM   #5 (permalink)
Registered User
 
 
Join Date: Jul 2005
Posts: 64
OS: xp


The results

Thanks Ried for the reply. I did all that you requested but I also upgraded to WinXP. Anyway here are the logs.


Incident Status Location

Virus:Trj/Reboot.F Disinfected C:\HP\bin\Rebooter.exe
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/eZula No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D3.TMP
Adware:Adware/Comet No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq213.TMP
Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe
Possible Virus. No disinfected C:\Program Files\TDS3\dcsres.exe
Virus:Trj/Downloader.MR Disinfected C:\tttxxsp.chm
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Windows User\Application Data\area.exe
_________________________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 9:37:33 AM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Windows User\Desktop\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Dr...Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

_________________________________________________________________


"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"EssSpkPhone" = "essspk.exe" [empty string]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\(Default) = "Browser Customizations"
\StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\(Default) = "Themes Setup"
\StubPath = "C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6"
\StubPath = ""C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install" [MS]
{4b218e3e-bc98-4770-93d3-2731b9329278}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 C:\WINDOWS\inf\ie.inf" [MS]
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}\(Default) = "Address Book 6"
\StubPath = ""C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default) = "Windows Desktop Update"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer 6"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4395}\(Default) = "Windows Desktop Update"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]
{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\(Default) = "CRLUpdate"
\StubPath = "C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl" [MS]
{CA0A4247-44BE-11d1-A005-00805F8ABE06}\(Default) = "Power Policy Settings"
\StubPath = "RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{450D8FBA-AD25-11D0-98A8-0800361B1103}" = "MyDocs Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\NVSHELL.DLL" ["NVIDIA Corporation"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL" ["Yahoo! Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ADAPTEC\EASYCD~1\DIRECTCD\SHELLEX.DLL" ["Roxio"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\tds3shl.dll" [empty string]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\tds3shl.dll" [empty string]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]


Group Policies [Description]:
-----------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoActiveDesktopChanges"=dword:00000001
[prevents changes to Active Desktop; removes Web tab from Display Properties|
Desktop (tab)|Customize Desktop... (button)|Desktop Items (window)]

HIJACK WARNING! "NoDispBackgroundPage"=dword:00000001
[removes Display Properties, Desktop (tab)]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Plus!.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "%SystemRoot%\System32\logon.scr" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [file not found]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [file not found]
"RegistryMedicAuotScan" -> launches: "C:\PROGRAM FILES\REGISTRY MEDIC\RegMedical.exe -S" ["Iomatic"]
"Uninstall Expiration Reminder" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /u /n:1" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2499216C-4BA5-11D5-BD9C-000103C116D5}\
"ButtonText" = "Yahoo! Login"
"MenuText" = "Yahoo! Login"
"CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/WINDOWS/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

Application Management, AppMgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\appmgmts.dll" [file not found]}
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Network Provisioning Service, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\mspmsnsv.dll" [MS]}
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe -service" ["Zone Labs, LLC"]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 23 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 28 seconds.
---------- (total run time: 103 seconds)
Old 07-18-2005, 10:54 AM   #6 (permalink)
Registered User
 
 
Join Date: Jul 2005
Posts: 64
OS: xp


rkfiles log

C:\Documents and Settings\Administrator\Desktop\utilities1\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
Old 07-18-2005, 01:16 PM   #7 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose YES when it informs you the file will be deleted on reboot. Choose NO when it asks if you want to reboot):

C:\WINDOWS\Downloaded Program Files\popcaploader.inf
C:\tttxxsp.chm
C:\Documents and Settings\Windows User\Application Data\area.exe


Empty this folder.

C:\Program Files\Yahoo!\YPSR\Quarantine\

Run a new Panda Scan and a new HJT log when you have done, and bring the results with you in your next post.
Old 07-19-2005, 10:21 AM   #8 (permalink)
Registered User
 
 
Join Date: Jul 2005
Posts: 64
OS: xp


Logs

Here are the results:


Incident Status Location

Possible Virus. No disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe
Virus:Trj/Qhost.BM Disinfected C:\Program Files\TDS3\dcsres.exe
Adware:Adware/Comet No disinfected C:\Recycled\Dc65.TMP
Adware:Adware/eZula No disinfected C:\Recycled\Dc207.TMP
________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 3:47:17 PM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Windows User\Desktop\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Dr...Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Old 07-19-2005, 10:34 AM   #9 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


C:\Recycled\ << Empty this folder!!

Your log is clean.

Please clear your System Restore Points by doing the following:

To turn off System Restore, click Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

Now create a new Restore Point:

To turn on System Restore, click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.
Old 07-19-2005, 11:08 AM   #10 (permalink)
Registered User
 
 
Join Date: Jul 2005
Posts: 64
OS: xp


Thanks!

Well POADB, that seems to have done it. This isn't my puter anyway, was doing an XP upgrade when I ran into all the bull*#$$@!. Anyway, much thanks to you and RIED for your help. Have a great day across the pond!
 





All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum