#21
I helped the forums.
Join Date: Sep 2004
Location: Edinburgh, Scotland
Posts: 60
OS: W2K
Ok, all done.
The TFTP1212 you asked about is a file. I managed to do as you said for Hoster and Killbox, sorry about the slight misunderstanding. The logs of WinPFind, Track qoo and Kaspersky I will post tonight as I have to go to work just now and don't have the time. If it is of any interest, in the last 5 mins as I type this AVG has told me that it has found a virus about 3 times, the same one as I posted about before (Trojanhorse IRC/Backdoor.SdBot.HLV).
bug
#22
I helped the forums.
Join Date: Sep 2004
Location: Edinburgh, Scotland
Posts: 60
OS: W2K
Here are the logs you requested (Kaspersky not possible as the link is dead)
WinPFind

```
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
FSG! 29/11/2004 17:27:02 10156943 C:\Program Files\avg70free_289a392.exe

Checking %WinDir% folder...
PECompact2 18/08/2005 14:24:00 15636721 C:\WINNT\LPT$VPN.791
qoologic 18/08/2005 14:24:00 15636721 C:\WINNT\LPT$VPN.791
SAHAgent 18/08/2005 14:24:00 15636721 C:\WINNT\LPT$VPN.791
UPX! 18/02/2005 18:40:14 1044560 C:\WINNT\vsapi32.dll
aspack 18/02/2005 18:40:14 1044560 C:\WINNT\vsapi32.dll
UPX! 10/01/2005 16:17:24 170053 C:\WINNT\tsc.exe
UPX! 03/05/2005 11:44:44 25157 C:\WINNT\RMAgentOutput.dll
PECompact2 18/08/2005 14:24:00 15636721 C:\WINNT\VPTNFILE.791
qoologic 18/08/2005 14:24:00 15636721 C:\WINNT\VPTNFILE.791
SAHAgent 18/08/2005 14:24:00 15636721 C:\WINNT\VPTNFILE.791

Checking %System% folder...
UPX! 11/08/2003 18:30:42 R 1024 C:\WINNT\SYSTEM32\TFTP1212
winsync 26/07/2000 12:00:00 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
Umonitor 19/06/2003 20:05:04 529168 C:\WINNT\SYSTEM32\RASDLG.DLL

Checking %System%\Drivers folder and sub-folders...
UPX! 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys
FSG! 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys
PEC2 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys
aspack 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
30/08/2005 09:36:32 H 924914 C:\WINNT\ShellIconCache
30/08/2005 19:54:46 H 1024 C:\WINNT\system32\config\software.LOG
30/08/2005 19:26:22 H 1024 C:\WINNT\system32\config\default.LOG
30/08/2005 19:49:16 H 1024 C:\WINNT\system32\config\SECURITY.LOG
30/08/2005 19:51:26 H 1024 C:\WINNT\system32\config\SAM.LOG
29/07/2005 16:27:32 H 0 C:\WINNT\inf\oem3.inf
31/07/2005 23:11:42 H 10820 C:\WINNT\Help\update.GID
30/08/2005 19:26:18 H 6 C:\WINNT\Tasks\SA.DAT
21/08/2005 21:13:54 S 64 C:\WINNT\CSC\csc1.tmp
30/08/2005 19:26:16 S 64 C:\WINNT\CSC\00000001
22/08/2005 07:53:16 S 64 C:\WINNT\CSC\00000002

Checking for CPL files...
Microsoft Corporation 26/07/2000 12:00:00 31504 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 26/07/2000 12:00:00 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 26/07/2000 12:00:00 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 26/07/2000 12:00:00 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 26/07/2000 12:00:00 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 26/07/2000 12:00:00 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 26/07/2000 12:00:00 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 26/07/2000 12:00:00 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 19/06/2003 20:05:04 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 19/06/2003 20:05:04 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 26/07/2000 12:00:00 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 26/07/2000 12:00:00 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 19/06/2003 20:05:04 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 07:14:40 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 19/06/2003 20:05:04 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 19/06/2003 20:05:04 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 26/07/2000 12:00:00 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 30/10/2001 08:10:00 326144 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 19/06/2003 20:05:04 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 29/08/2002 07:14:40 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 26/07/2000 12:00:00 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl
IBM Corporation 23/09/1999 18:44:36 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
27/03/2005 21:48:02 1478 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
Checking files in %USERPROFILE%\Startup folder...
Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension {1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip {e0d79300-84be-11ce-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension {1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip {e0d79300-84be-11ce-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip {e0d79300-84be-11ce-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984} = %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1} = C:\WINNT\System32\docprop2.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F} = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tip of the Day = %SystemRoot%\system32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\System32\msdxm.ocx
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38} Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} Explorer Band = %SystemRoot%\system32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} = :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
EPSON Stylus C82 Series C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Microsoft System Checkup libsys32.exe
NT Logging Service syslog32.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Microsoft System Checkup libsys32.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
internat.exe internat.exe
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
Windows Security Service windows.pif
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Windows Security Service windows.pif
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\System32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif = wzcdlg.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 30/08/2005 20:13:32
```

Track qoo

```
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"EPSON Stylus C82 Series"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C82 Series\" /O6 \"USB001\" /M \"Stylus C82\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Microsoft System Checkup"="libsys32.exe"
"NT Logging Service"="syslog32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- AVG Shell Extension {1E2CDF40-419B-11D2-A5A1-002018648BA7} 0
Subkey --- AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} C:\Program Files\Grisoft\AVG Free\avgse.dll
Subkey --- ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} C:\Program Files\ewido\security suite\context.dll
Subkey --- Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} cscui.dll
Subkey --- Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} C:\WINNT\system32\shell32.dll
Subkey --- Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} C:\WINNT\system32\shell32.dll
Subkey --- WinZip {e0d79300-84be-11ce-9641-444553540000} C:\PROGRA~1\WinZip\wzshlext.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871} C:\WINNT\system32\shell32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF} C:\WINNT\system32\shell32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF} C:\WINNT\system32\shell32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE} C:\WINNT\System32\docprop2.dll
Subkey --- {7f9609be-af9a-11d1-83e0-00c04fb6e984} C:\WINNT\system32\faxshell.dll
Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1} C:\WINNT\System32\docprop2.dll
==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk
==============================
C:\Documents and Settings\pete\Start Menu\Programs\Startup
Microsoft Office.lnk
==============================
C:\WINNT\system32 cpl files
fax.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
DESK.CPL Microsoft Corporation
SYSDM.CPL Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
access.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
sticpl.cpl Microsoft Corporation
```

bug
#23
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Click START…RUN…Type in regedit. Make sure just "My Computer" is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft System Checkup libsys32.exe
NT Logging Service syslog32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft System Checkup libsys32.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Security Service windows.pif

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Security Service windows.pif
```

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

```
C:\WINNT\system32\windows.pif
C:\???libsys32.exe
C:\???syslog32.exe
```

<-- these two ??? you need to locate the file's path and put it into Killbox. The likely path will be either the C:\WINNT folder or C:\WINNT\system32\

Once you reboot...run the Cleanup utility again. Once back to normal mode...

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log"; please double-click that log and copy the entire contents and paste them here. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what's left in the system. Post the Trendmicro log and another Track qoo.vbs log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
Last edited by MicroBell; 09-02-2005 at 03:22 AM.

#24
I helped the forums.
Join Date: Sep 2004
Location: Edinburgh, Scotland
Posts: 60
OS: W2K
Anyone?
Although the PC is no longer shutting down, AVG continues to tell me I have Trojanhorse IRC/BackDoor.SdBot.HLV. I am unable to run HijackThis or Kaspersky. I have downloaded each of them, and used them recently, but for the last few days I get 'page cannot be displayed' for the Kaspersky online virus scan, and nothing at all when I click HijackThis. When AVG finds it, I click the 'heal' option. Should I try the others? (Send to virus vault, or delete.) When I click one of those options a warning comes up to tell me that if I remove a system file there could be problems etc. Would appreciate any help.
bug
#25
I helped the forums.
Join Date: Sep 2004
Location: Edinburgh, Scotland
Posts: 60
OS: W2K
Ha!
I was typing as you were sending me the last set of instructions! Thank you, will do as you say later today (8.15am here, and off to work). Many thanks for your time and patience!
bug
#26
I helped the forums.
Join Date: Sep 2004
Location: Edinburgh, Scotland
Posts: 60
OS: W2K
I followed your instructions (regedit, then Killbox).
Sorry to say, when I clicked on the Trend Micro hyperlink, I got 'page cannot be displayed'. The same as I get when I try Kaspersky. Also, I have been unable to update AVG for 2 days now. Here is the last part of your instructions, the Track qoo log.

```
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"EPSON Stylus C82 Series"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C82 Series\" /O6 \"USB001\" /M \"Stylus C82\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- AVG Shell Extension {1E2CDF40-419B-11D2-A5A1-002018648BA7} 0
Subkey --- AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} C:\Program Files\Grisoft\AVG Free\avgse.dll
Subkey --- ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} C:\Program Files\ewido\security suite\context.dll
Subkey --- Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} cscui.dll
Subkey --- Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} C:\WINNT\system32\shell32.dll
Subkey --- Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} C:\WINNT\system32\shell32.dll
Subkey --- WinZip {e0d79300-84be-11ce-9641-444553540000} C:\PROGRA~1\WinZip\wzshlext.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871} C:\WINNT\system32\shell32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF} C:\WINNT\system32\shell32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF} C:\WINNT\system32\shell32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE} C:\WINNT\System32\docprop2.dll
Subkey --- {7f9609be-af9a-11d1-83e0-00c04fb6e984} C:\WINNT\system32\faxshell.dll
Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1} C:\WINNT\System32\docprop2.dll
==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk
==============================
C:\Documents and Settings\pete\Start Menu\Programs\Startup
Microsoft Office.lnk
==============================
C:\WINNT\system32 cpl files
fax.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
DESK.CPL Microsoft Corporation
SYSDM.CPL Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
access.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
sticpl.cpl Microsoft Corporation
```

bug
#27
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Try this - with all browser windows closed, go to Start->Run and copy and paste each of the following, hitting OK after each:

```
regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll
```

Reboot, then try to access the sites that were giving you problems again. Also post another HijackThis log.
#28
I helped the forums.
Join Date: Sep 2004
Location: Edinburgh, Scotland
Posts: 60
OS: W2K
Did as you asked OK, except unable to run the 3rd last on the list, sccbase.dll.
Still unable to access Kaspersky or Trend Micro unfortunately. Was able to run HijackThis though, and here is the log:

```
Logfile of HijackThis v1.99.1
Scan saved at 11:32:36, on 04/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif
O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122417509964
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/t...ivePreQual.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
```

bug
|
|
|
|
#29 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Please visit this website - http://virusscan.jotti.org/
Submit these file(s) for a comprehensive scan & then post the results back here:
C:\WINNT\system32\internat.exe

Are you missing any files/entries that I'm asking you to remove? You're right back where we started with a new W32/RBOT-AIY worm. If you don't take ALL the entries/files out at the same time..this thing reinstalls over and over.

Please tighten up your security....

Please visit Microsoft's Windows Update page and install the latest service packs, patches and security updates for your system.

Recommended Protection Programs

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

If you do not have a firewall, here are 4 free ones available for personal use:

Please take a look at these well written articles
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#30 (permalink)
I helped the forums.
Join Date: Sep 2004
Location: Edinburgh, Scotland
Posts: 60
OS: W2K
Oh dear. Well, that is very disappointing news. I have tried to do everything that you have asked me to do, and have said when I was unable to do some of the things, or unable to access sites.
From your 4th post I was aware that there was a lot I could do to improve my PC security (for example I have no firewall installed). And I fully intended to carry out all, or as much as possible, of your good suggestions. However, I did not think it was a good idea to start downloading and installing new 'things' at the same time as I was receiving regular instructions and advice from yourself on things to do to my PC. So as well as carrying out your latest set of instructions, I should also start to install all the other things I am missing? I guess I just thought it might confuse the issue somehow...

*Edited to include the results of that scan*

Service load: 0% 100%
File: internat.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 f4206fca3b1d2feab50738ec2485d5f3
Packers detected: -

Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
Last edited by bughunta; 09-05-2005 at 10:36 AM.
#31 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Usually you're right. We don't like users to install anything while we are removing the malware from the system. The problem is...if the user's security settings are too low..they keep getting reinfected with something else as soon as we remove the bad guys (which is your case).
So...install a firewall so you can monitor and block any traffic. Then post another WinPFind, Track qoo log. The issue is...you have a Trojanhorse IRC/Backdoor.SdBot.HLV trojan which is very tough to remove. We need to get ALL its files and entries at the same time. Miss one..and it reinstalls.
#32 (permalink)
I helped the forums.
Join Date: Sep 2004
Location: Edinburgh, Scotland
Posts: 60
OS: W2K
Yesterday I successfully installed SpywareBlaster, SpywareGuard, IESpy-Ad, WinPatrol, and ZoneAlarm. Hope that was OK?
I have also now been able to update AVG. And here are the logs:

WinPFind

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
FSG! 29/11/2004 17:27:02 10156943 C:\Program Files\avg70free_289a392.exe

Checking %WinDir% folder...
UPX! 21/12/1999 07:58:02 21312 C:\WINNT\choice.exe
PECompact2 18/08/2005 14:24:00 15636721 C:\WINNT\LPT$VPN.791
qoologic 18/08/2005 14:24:00 15636721 C:\WINNT\LPT$VPN.791
SAHAgent 18/08/2005 14:24:00 15636721 C:\WINNT\LPT$VPN.791
UPX! 18/02/2005 18:40:14 1044560 C:\WINNT\vsapi32.dll
aspack 18/02/2005 18:40:14 1044560 C:\WINNT\vsapi32.dll
UPX! 10/01/2005 16:17:24 170053 C:\WINNT\tsc.exe
UPX! 03/05/2005 11:44:44 25157 C:\WINNT\RMAgentOutput.dll
PECompact2 18/08/2005 14:24:00 15636721 C:\WINNT\VPTNFILE.791
qoologic 18/08/2005 14:24:00 15636721 C:\WINNT\VPTNFILE.791
SAHAgent 18/08/2005 14:24:00 15636721 C:\WINNT\VPTNFILE.791

Checking %System% folder...
UPX! 11/08/2003 18:30:42 R 1024 C:\WINNT\SYSTEM32\TFTP1212
winsync 26/07/2000 12:00:00 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
Umonitor 19/06/2003 20:05:04 529168 C:\WINNT\SYSTEM32\RASDLG.DLL

Checking %System%\Drivers folder and sub-folders...
UPX! 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys
FSG! 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys
PEC2 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys
aspack 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
06/09/2005 02:14:48 H 1106426 C:\WINNT\ShellIconCache
06/09/2005 18:00:34 H 31767 C:\WINNT\system32\vsconfig.xml
05/09/2005 21:22:40 H 4212 C:\WINNT\system32\zllictbl.dat
06/09/2005 18:43:24 H 1024 C:\WINNT\system32\config\software.LOG
06/09/2005 18:00:40 H 1024 C:\WINNT\system32\config\default.LOG
06/09/2005 18:09:40 H 1024 C:\WINNT\system32\config\SECURITY.LOG
06/09/2005 18:00:56 H 1024 C:\WINNT\system32\config\SAM.LOG
29/07/2005 16:27:32 H 0 C:\WINNT\inf\oem3.inf
31/07/2005 23:11:42 H 10820 C:\WINNT\Help\update.GID
06/09/2005 17:59:32 H 6 C:\WINNT\Tasks\SA.DAT
21/08/2005 21:13:54 S 64 C:\WINNT\CSC\csc1.tmp
06/09/2005 18:00:08 S 64 C:\WINNT\CSC\00000001
22/08/2005 07:53:16 S 64 C:\WINNT\CSC\00000002

Checking for CPL files...
Microsoft Corporation 26/07/2000 12:00:00 31504 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 26/07/2000 12:00:00 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 26/07/2000 12:00:00 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 26/07/2000 12:00:00 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 26/07/2000 12:00:00 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 26/07/2000 12:00:00 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 26/07/2000 12:00:00 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 26/07/2000 12:00:00 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 19/06/2003 20:05:04 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 19/06/2003 20:05:04 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 26/07/2000 12:00:00 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 26/07/2000 12:00:00 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 19/06/2003 20:05:04 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 07:14:40 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 19/06/2003 20:05:04 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 19/06/2003 20:05:04 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 26/07/2000 12:00:00 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 30/10/2001 08:10:00 326144 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 19/06/2003 20:05:04 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 29/08/2002 07:14:40 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 26/07/2000 12:00:00 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl
IBM Corporation 23/09/1999 18:44:36 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
27/03/2005 21:48:02 1478 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
05/09/2005 17:58:38 437 C:\Documents and Settings\pete\Start Menu\Programs\Startup\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = C:\Program Files\SpywareGuard\spywareguard.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{e0d79300-84be-11ce-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{e0d79300-84be-11ce-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{e0d79300-84be-11ce-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984} = %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1} = C:\WINNT\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
EPSON Stylus C82 Series C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
WinPatrol C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
internat.exe internat.exe
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
MSDOS Security Service msdos.pif

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
MSDOS Security Service msdos.pif

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\System32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif = wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 06/09/2005 18:43:56

Track qoo

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"EPSON Stylus C82 Series"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C82 Series\" /O6 \"USB001\" /M \"Stylus C82\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- AVG Shell Extension {1E2CDF40-419B-11D2-A5A1-002018648BA7} 0
Subkey --- AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} C:\Program Files\Grisoft\AVG Free\avgse.dll
Subkey --- Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} cscui.dll
Subkey --- Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} C:\WINNT\system32\shell32.dll
Subkey --- Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} C:\WINNT\system32\shell32.dll
Subkey --- WinZip {e0d79300-84be-11ce-9641-444553540000} C:\PROGRA~1\WinZip\wzshlext.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871} C:\WINNT\system32\shell32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF} C:\WINNT\system32\shell32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF} C:\WINNT\system32\shell32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE} C:\WINNT\System32\docprop2.dll
Subkey --- {7f9609be-af9a-11d1-83e0-00c04fb6e984} C:\WINNT\system32\faxshell.dll
Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1} C:\WINNT\System32\docprop2.dll
==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk
==============================
C:\Documents and Settings\pete\Start Menu\Programs\Startup
Microsoft Office.lnk
SpywareGuard.lnk
==============================
C:\WINNT\system32 cpl files
fax.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
DESK.CPL Microsoft Corporation
SYSDM.CPL Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
access.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
sticpl.cpl Microsoft Corporation

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 19 30, on 06/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif
O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122417509964
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37240.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/t...ivePreQual.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
#33 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Ok...
Let's try this again...

Click START…RUN…Type in regedit. Make sure just "My Computer" is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSDOS Security Service msdos.pif

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
MSDOS Security Service msdos.pif

*Note* I also need you to have a peek here...http://ae.trendmicro-europe.com/cons...WORM_SDBOT.BYO

While in the registry check some of those other keys for that entry...or any of the others we already removed and delete them if found.

Go to Start->Run and type Services.msc then hit Ok. Scroll down and find the service called: NT login service (ntlogin32)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Open hijackthis, do a scan and fix the following entries IF listed.
O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif
O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.
C:\WINNT\system32\cool.exe
C:\WINNT\SYSTEM32\TFTP1212
C:\???msdos.pif <--again locate that file's path and put it in the box.

Once you reboot...run another Kaspersky scan and post its log along with another WinPFind log.
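A small triage script for the HijackThis O4 (autostart) and O23 (service) lines posted in this thread, added here as an example; it is not part of the thread, of HijackThis, or of any other tool mentioned above. It encodes what the helper keeps pointing at: a .pif registered as an autostart, an entry under HKCU RunServices (a Windows 9x-only key that Windows 2000 does not process, so no legitimate installer writes it), and an O23 service whose binary is missing or has no owner. The sample log lines are constructed to match the shape of the entries above.

```python
"""Triage O4/O23 lines from a HijackThis v1.99 log (added example, not the thread's tool)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, mirroring the entries seen in
# this thread; benign lines are included so the rules have something to ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif
O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
O4_NAMED_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<short>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)

# File types the shell executes that are not ordinary .exe binaries; a .pif in
# an autostart key is the pattern the helper flagged in this thread.
SCRIPTY_EXTS = (".pif", ".bat", ".cmd", ".scr", ".com")
# Windows 9x-only autostart keys. Windows NT/2000 never reads them, so an entry
# here was almost certainly written by malware carrying a 9x persistence list.
LEGACY_KEYS = ("RunServices", "RunServicesOnce")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    line: str      # the log line that triggered the finding
    reason: str


def _command_file(cmd: str) -> str:
    """Return the program part of an autostart command (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_o4(line: str) -> list[Finding]:
    """Score one O4 line; Startup-folder .lnk entries carry no [name] and are skipped."""
    m = O4_RE.match(line)
    if not m:
        return []
    where = m["where"]
    named = O4_NAMED_RE.match(m["rest"])
    if named is None:
        return []
    prog = _command_file(named["cmd"])
    out: list[Finding] = []
    if any(key in where for key in LEGACY_KEYS):
        out.append(Finding("high", line, f"{where} is a Windows 9x-only key; unexpected on Windows 2000"))
    if prog.lower().endswith(SCRIPTY_EXTS):
        out.append(Finding("high", line, f"autostart runs {prog}, a non-.exe executable type"))
    elif "\\" not in prog:
        # No directory: the loader resolves it through the search path, so the
        # file must be located and checked (the thread had internat.exe scanned).
        out.append(Finding("review", line, f"{prog} has no path; locate the file and verify it"))
    return out


def triage_o23(line: str) -> list[Finding]:
    """Score one O23 service line: missing binary or missing publisher."""
    m = O23_RE.match(line)
    if not m:
        return []
    out: list[Finding] = []
    if m["path"].rstrip().endswith("(file missing)"):
        out.append(Finding("high", line,
                           f"service {m['short']} points at a binary that no longer exists; "
                           "the orphaned service registration should be disabled and removed"))
    if m["owner"].strip().lower() == "unknown owner":
        out.append(Finding("review", line, f"service {m['short']} has no publisher (Unknown owner)"))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run both rule sets over every line of a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        findings.extend(triage_o4(line))
        findings.extend(triage_o23(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it directly to see the findings for the embedded sample, or pass the text of a saved HijackThis log to triage().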
#34 (permalink)
I helped the forums.
Join Date: Sep 2004
Location: Edinburgh, Scotland
Posts: 60
OS: W2K
I followed your instructions to the letter!
Removed both of those registry entries in RED. Went to Trendmicro and checked to see if there was anything else there to be removed (there wasn't). I then disabled NT login service. Ran HijackThis; none of the entries you wrote were listed so I did nothing. I ran Killbox and did as you said. Here is the WinPFind log.

As I said before, unfortunately I do not seem to be able to access Kaspersky by the hyperlink in one of your previous posts. I just get 'Page cannot be displayed' (is this for everyone, or just me?)

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
FSG! 29/11/2004 17:27:02 10156943 C:\Program Files\avg70free_289a392.exe

Checking %WinDir% folder...
UPX! 21/12/1999 07:58:02 21312 C:\WINNT\choice.exe
PECompact2 18/08/2005 14:24:00 15636721 C:\WINNT\LPT$VPN.791
qoologic 18/08/2005 14:24:00 15636721 C:\WINNT\LPT$VPN.791
SAHAgent 18/08/2005 14:24:00 15636721 C:\WINNT\LPT$VPN.791
UPX! 18/02/2005 18:40:14 1044560 C:\WINNT\vsapi32.dll
aspack 18/02/2005 18:40:14 1044560 C:\WINNT\vsapi32.dll
UPX! 10/01/2005 16:17:24 170053 C:\WINNT\tsc.exe
UPX! 03/05/2005 11:44:44 25157 C:\WINNT\RMAgentOutput.dll
PECompact2 18/08/2005 14:24:00 15636721 C:\WINNT\VPTNFILE.791
qoologic 18/08/2005 14:24:00 15636721 C:\WINNT\VPTNFILE.791
SAHAgent 18/08/2005 14:24:00 15636721 C:\WINNT\VPTNFILE.791

Checking %System% folder...
winsync 26/07/2000 12:00:00 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
Umonitor 19/06/2003 20:05:04 529168 C:\WINNT\SYSTEM32\RASDLG.DLL

Checking %System%\Drivers folder and sub-folders...
UPX! 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys
FSG! 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys
PEC2 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys
aspack 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
08/09/2005 20:45:18 H 1107734 C:\WINNT\ShellIconCache
08/09/2005 20:49:58 H 31767 C:\WINNT\system32\vsconfig.xml
05/09/2005 21:22:40 H 4212 C:\WINNT\system32\zllictbl.dat
08/09/2005 21:48:40 H 1024 C:\WINNT\system32\config\software.LOG
08/09/2005 20:50:06 H 1024 C:\WINNT\system32\config\default.LOG
08/09/2005 20:59:10 H 1024 C:\WINNT\system32\config\SECURITY.LOG
08/09/2005 21 58 H 1024 C:\WINNT\system32\config\SAM.LOG
07/09/2005 21:05:24 H 8628 C:\WINNT\system32\spool\drivers\w32x86\3\E_QI021E.GID
29/07/2005 16:27:32 H 0 C:\WINNT\inf\oem3.inf
31/07/2005 23:11:42 H 10820 C:\WINNT\Help\update.GID
08/09/2005 20:49:02 H 6 C:\WINNT\Tasks\SA.DAT
08/09/2005 20:49:10 S 64 C:\WINNT\CSC\00000001
22/08/2005 07:53:16 S 64 C:\WINNT\CSC\csc1.tmp
07/09/2005 23:12:18 S 64 C:\WINNT\CSC\00000002

Checking for CPL files...
Microsoft Corporation 26/07/2000 12:00:00 31504 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 26/07/2000 12:00:00 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 26/07/2000 12:00:00 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 26/07/2000 12:00:00 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 26/07/2000 12:00:00 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 26/07/2000 12:00:00 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 26/07/2000 12:00:00 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 26/07/2000 12:00:00 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 19/06/2003 20:05:04 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 19/06/2003 20:05:04 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 26/07/2000 12:00:00 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 26/07/2000 12:00:00 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 19/06/2003 20:05:04 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 07:14:40 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 19/06/2003 20:05:04 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 19/06/2003 20:05:04 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 26/07/2000 12:00:00 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 30/10/2001 08:10:00 326144 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 19/06/2003 20:05:04 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 29/08/2002 07:14:40 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 26/07/2000 12:00:00 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl
IBM Corporation 23/09/1999 18:44:36 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
27/03/2005 21:48:02 1478 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
05/09/2005 17:58:38 437 C:\Documents and Settings\pete\Start Menu\Programs\Startup\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = C:\Program Files\SpywareGuard\spywareguard.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{e0d79300-84be-11ce-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{e0d79300-84be-11ce-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{e0d79300-84be-11ce-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984} = %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1} = C:\WINNT\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
EPSON Stylus C82 Series C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
WinPatrol C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
internat.exe internat.exe
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\System32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif = wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 08/09/2005 21:49:53

Thank you,
bug
#35 (permalink) |
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Excellent!
We got 'em. Let's try a Panda scan...
Please run an online scan at http://www.pandasoftware.com/actives..._principal.htm
Once it has finished save the activescan log. Then post that log in your next post along with a new hijackthis log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#36 (permalink) |
I helped the forums.
Join Date: Sep 2004
Location: Edinburgh, Scotland
Posts: 60
OS: W2K
First the Panda ActiveScan log:

Incident Status Location
Adware:adware/stoolbar No disinfected Windows Registry
Virus:Trj/Qhost.gen Disinfected C:\Documents and Settings\pete\Application Data\WinPatrol\HOSTS

And now the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:08:35, on 09/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122417509964
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37240.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/t...ivePreQual.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

Hoping this means all is well...
bug
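The helper's removal instructions earlier in the thread and the HijackThis log just above are the two halves of one manual step: read the O4 (autorun) and O23 (service) lines and pick out the ones that do not belong. As an added example, not code from this thread or from HijackThis, the Python below parses lines in that format and flags the same kinds of entries the helper singled out: a Run entry that launches a .pif or other non-.exe program, a service whose binary is missing or whose owner is "Unknown owner", and any name on a caller-supplied indicator list. The heuristics, the indicator list (taken from the names the helper posted) and the sample lines (assembled from the logs in this thread) are this example's own assumptions, not part of the tool.

```python
"""Triage of O4 (autorun) and O23 (service) lines from a HijackThis 1.99.1 log.

Added example for the forum thread, not part of HijackThis itself. The
heuristics are the editor's assumptions: entries matching them are flagged
for a human to review, which is the step the helper performed by hand.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Registry autorun line:  O4 - HKLM\..\Run: [Name] command line
O4_REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Startup-folder autorun line:  O4 - Startup: foo.lnk = C:\path\prog.exe
O4_DIR_RE = re.compile(r"^O4 - (?P<hive>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Service line:  O23 - Service: Display name (shortname) - Owner - C:\path\binary.exe
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)
# First program-looking token of an unquoted command line (handles paths with spaces)
PROGRAM_RE = re.compile(r"^(?P<prog>.+?\.(?:exe|pif|scr|bat|cmd|com|dll))(?:\s|$)", re.IGNORECASE)

SUSPECT_EXTENSIONS = {".pif", ".scr", ".bat", ".cmd", ".com"}   # assumption: worth a look
REASON_MISSING = "service binary missing on disk"
REASON_UNKNOWN_OWNER = "service owner recorded as 'Unknown owner'"
FILE_MISSING_SUFFIX = " (file missing)"

# Indicator names the helper posted in this thread, lower-cased.
KNOWN_INDICATORS: Set[str] = {"msdos.pif", "cool.exe", "ntlogin32"}

# Constructed sample: benign lines from the poster's log plus the two entries
# the helper told the poster to remove.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif
O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
"""


def executable_of(cmd: str) -> str:
    """Return the program part of a Run command, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = PROGRAM_RE.match(cmd)
    return m.group("prog") if m else cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    """Last path component, lower-cased; HijackThis paths use backslashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one O4 or O23 line into a dict of named fields; None for other lines."""
    line = line.rstrip()
    for kind, pattern in (("O4", O4_REG_RE), ("O4", O4_DIR_RE), ("O23", O23_RE)):
        m = pattern.match(line)
        if m:
            entry = {"kind": kind, "raw": line}
            entry.update(m.groupdict())
            return entry
    return None


def triage(lines: List[str], indicators: Set[str]) -> List[Tuple[str, List[str]]]:
    """Return (raw line, reasons) for every entry a reviewer should look at."""
    findings: List[Tuple[str, List[str]]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons: List[str] = []
        if entry["kind"] == "O4":
            prog = basename(executable_of(entry["cmd"]))
            ext = prog[prog.rfind("."):] if "." in prog else ""
            if ext in SUSPECT_EXTENSIONS:
                reasons.append(f"autorun program has extension {ext} rather than .exe")
            if prog in indicators:
                reasons.append(f"matches known indicator {prog}")
        else:
            path = entry["path"]
            if path.endswith(FILE_MISSING_SUFFIX):
                reasons.append(REASON_MISSING)
                path = path[: -len(FILE_MISSING_SUFFIX)]
            if entry["owner"] == "Unknown owner":
                reasons.append(REASON_UNKNOWN_OWNER)
            for name in (basename(path), entry["short"].lower()):
                if name in indicators:
                    reasons.append(f"matches known indicator {name}")
        if reasons:
            findings.append((entry["raw"], reasons))
    return findings


if __name__ == "__main__":
    for raw, why in triage(SAMPLE_LOG.strip().splitlines(), KNOWN_INDICATORS):
        print(raw)
        for reason in why:
            print("   ->", reason)
```

Run against the constructed sample it reports exactly the three lines the helper asked to have fixed (both msdos.pif autoruns and the ntlogin32 service) and stays silent on the AVG, ZoneAlarm and SpywareGuard entries. The "(file missing)" suffix is the giveaway HijackThis itself prints when a registered service points at a binary that is no longer on disk, which is what the poster's log showed after KillBox had removed cool.exe.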
#37 (permalink) |
I helped the forums.
Join Date: Sep 2004
Location: Edinburgh, Scotland
Posts: 60
OS: W2K
Also, I tried again with Kaspersky, and this time was able to run an online scan (took forever). So that must be good news, right?
Here is the Kaspersky result:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, September 10, 2005 17:54:26
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/09/2005
Kaspersky Anti-Virus database records: 139731
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 48744
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 6818 sec

No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

bug
#38 (permalink) |
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few more items to address so please follow the instructions below.
Reset hidden/system files and folders Windows XP ===============
Windows 2000 ===============
Windows ME ===============
Windows 95/98/98SE ===============
Create a new System Restore point Windows XP ===============
Windows ME ===============
Reboot the PC and repeat the above procedure again When you get to this option
For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below.
Enable Windows Auto Update
Please visit Microsoft's Windows Update page and install the latest service packs, patches and security updates for your system.

Recommended Protection Programs
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
If you do not have a firewall, here are 4 free ones available for personal use:
In today's world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use:
In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles.
Please stay safe out there and take the helpful advice that's been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place.
Please respond to this thread one more time so we can mark this thread as resolved.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder