#1 (permalink)
Registered User
Join Date: Jan 2006
Posts: 12
OS: XP
Trojans Removed But Lose Internet Connect
A few days ago I picked up some malware and trojans. I scanned and removed the buggers, but since that time my internet connection shuts down regularly. It will reactivate if I cycle the cable modem or disable and enable the network card (seemingly anything that forces it to update the IP address). Might there be something in my Hijack This log that would explain this? Well, here it is:
Logfile of HijackThis v1.99.1
Scan saved at 7:08:21 AM, on 05/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Me\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://univ8.centra.com/SiteRoots/sa...Downloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks for your help.
#3 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Please perform an online scan with Internet Explorer at Kaspersky Online Scanner
Answer Yes, when prompted to install an ActiveX component.
__________________
Question - what have you done for the community today?
#4 (permalink)
Registered User
Join Date: Jan 2006
Posts: 12
OS: XP
Scan Results
Here is the file from the Kaspersky Scan:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, January 05, 2006 14:17:39
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 5/01/2006
Kaspersky Anti-Virus database records: 169356
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 177395
Number of viruses found: 3
Number of infected objects: 91
Number of suspicious objects: 0
Duration of the scan process: 5942 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FA20B9B.INI Infected: Trojan-Downloader.Win32.Agent.bc
C:\Documents and Settings\Me\.housecall\Quarantine\A0043067.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043074.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043076.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043078.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043082.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043091.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043094.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043097.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043099.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043100.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043101.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043104.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043105.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043108.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043110.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043112.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043113.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043115.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043117.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043121.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043125.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043126.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043127.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043128.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043147.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043148.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043152.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043154.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043155.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043171.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043173.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043174.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043175.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043221.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043225.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043278.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043300.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043360.exe.bac_a01236 Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\Me\.housecall\Quarantine\A0043361.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043366.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\A0043394.exe.bac_a01236 Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\Me\.housecall\Quarantine\mfcna32.exe.bac_a01236 Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0039674.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0039681.prx:lzohhu:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0039691.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0039697.prx:lzohhu:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0039702.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0039703.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0040704.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0040719.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0040903.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0041903.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0041926.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP306\A0041950.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP306\A0041962.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP306\A0042966.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP306\A0042972.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP306\A0043057.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043062.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043070.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043132.ini:lcbxjc:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043166.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043301.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043310.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043373.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043471.INI:kejzmi:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043472.INI:kejzmi:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043473.INI:kejzmi:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043474.INI:kejzmi:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043475.INI:kejzmi:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043476.INI:kejzmi:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043477.INI:kejzmi:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043478.INI:kejzmi:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043479.INI:kejzmi:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP309\A0044779.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045008.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045009.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045010.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045011.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045012.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045013.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045014.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045015.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045016.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045017.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045018.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045019.INI:bufyt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045020.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045021.prx:lzohhu:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045022.prx:lzohhu:$DATA Infected: Trojan.Win32.Agent.bi

Scan process completed.
#5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *
Download & install - CleanUp.exe (not recommended for WinXP64)
Download & extract it to its own folder - About Buster.zip.
'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading. It is IMPORTANT that you don't miss a step & perform everything in the correct order.

* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *
Run Cleanup! using the following configuration:
1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.
* CleanUp! will not create any backups!!

* * * * * *
Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.
__________________
Question - what have you done for the community today?
#6 (permalink)
Registered User
Join Date: Jan 2006
Posts: 12
OS: XP
About Buster'ed
Done and here's my result:
AboutBuster 6.0
Scan started on [05/01/2006] at [3:29:47 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:swfuwo
Removed Stream! C:\WINDOWS\CONTROL(13).INI:bufyt
Removed Stream! C:\WINDOWS\KB825119.log:uvqdvx
Removed Stream! C:\WINDOWS\KB894391.log:zihzsl
Removed Stream! C:\WINDOWS\MSDFMAP(10).INI:ellboz
Removed Stream! C:\WINDOWS\MSDFMAP(11).INI:ellboz
Removed Stream! C:\WINDOWS\MSDFMAP(12).INI:ellboz
Removed Stream! C:\WINDOWS\MSDFMAP(2).INI:ellboz
Removed Stream! C:\WINDOWS\MSDFMAP(3).INI:ellboz
Removed Stream! C:\WINDOWS\MSDFMAP(4).INI:ellboz
Removed Stream! C:\WINDOWS\MSDFMAP(5).INI:ellboz
Removed Stream! C:\WINDOWS\MSDFMAP(6).INI:ellboz
Removed Stream! C:\WINDOWS\MSDFMAP(7).INI:ellboz
Removed Stream! C:\WINDOWS\MSDFMAP(8).INI:ellboz
Removed Stream! C:\WINDOWS\MSDFMAP(9).INI:ellboz
Removed Stream! C:\WINDOWS\Q811789.log:ufzrus
Removed Stream! C:\WINDOWS\Q816979.log:fycjrf
Removed Stream! C:\WINDOWS\Windows Update.log:nymjjv
Removed Stream! C:\WINDOWS\WMSysPr9(10).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(11).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(12).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(13).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(14).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(15).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(16).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(17).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(2).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(3).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(4).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(5).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(6).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(7).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(8).prx:yzqcfh
Removed Stream! C:\WINDOWS\WMSysPr9(9).prx:yzqcfh
-------------------------------------------------------------
Removed File! : C:\WINDOWS\ozrva.log
Removed File! : C:\WINDOWS\system32\jbbnb.log
Removed File! : C:\WINDOWS\system32\vbwkz.dat
Removed File! : C:\WINDOWS\system32\zvnpu.log
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:33:00 PM
#7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
How's the machine now? Please post a new HJT log.
__________________
Question - what have you done for the community today?
#8 (permalink)
Registered User
Join Date: Jan 2006
Posts: 12
OS: XP
Still Losing Connectivity
That has sped the computer up some, but I am still losing the connection. Here's the new HJT log:
Logfile of HijackThis v1.99.1 Scan saved at 4:16:36 AM, on 06/01/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\runservice.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\DELLSU~1\DSAgnt.exe C:\Program Files\Microsoft Office\Office\FINDFAST.EXE C:\Program Files\Microsoft Office\Office\OSA.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\Program Files\Messenger\msmsgs.exe 
C:\DOCUME~1\Me\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft 
Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://univ8.centra.com/SiteRoots/sa...Downloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
#9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Fix this with HijackThis:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
Let me know if that improves the situation.
__________________
Question - what have you done for the community today?
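The check the moderator did by eye can be automated. As an added example that is not part of this thread, the Python below parses HijackThis-style log lines and flags an R1 ProxyServer entry with no host (the ":0" value above), entries marked "(file missing)", and O23 services with an unknown owner; the sample lines are constructed from entries posted in this thread, and the function names are my own.

```python
import re

# Constructed sample modelled on entries posted in this thread (a few lines,
# not the full log). In a real run, read the HijackThis .log file instead.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Every HijackThis entry starts with a section code such as R1, F2, N3 or O23.
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for each HijackThis entry in the log."""
    entries = []
    for line in text.splitlines():
        match = HJT_LINE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def proxy_problems(value):
    """Describe a ProxyServer value: either a single "host:port" or the
    per-protocol form "http=host:port;https=host:port;...". A missing host,
    a non-numeric port or port 0 (the ':0' left on this machine) is a
    malformed entry, which is what the fix in this thread removes."""
    specs = value.split(";") if "=" in value else [value]
    results = []
    for spec in specs:
        spec = spec.strip()
        if not spec:
            continue
        target = spec.split("=", 1)[1] if "=" in spec else spec
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit() or port == "0":
            results.append(f"malformed proxy target {target!r}")
        else:
            results.append(f"proxy configured to {target}")
    return results


def audit_hjt(text):
    """Flag the entries a reviewer would look at first. Returns a list of
    (section, reason, body) tuples in log order."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            for reason in proxy_problems(value):
                findings.append((section, reason, body))
        if "(file missing)" in body:
            findings.append((section, "points at a file that no longer exists", body))
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, "service has no identified publisher", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in audit_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```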
#12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Besides losing connections, do you experience any malware activity like pop-ups, browser hijacking? Losing connections does not seem characteristically like malware. They love being able to connect to the internet.
For the sake of ruling out malware activity, let's dig a bit deeper & do some intense scanning...

Download RootKitRevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file. Please post the entire contents of the log file in your next reply.

WinPfind.zip - download & extract the contents to its own folder at the root of drive C

Download and install Ewido Security Suite

Download & RUN WinsockFix.zip

Reboot to Safe Mode

Run Ewido:
* Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

WinPfind
1. From within the WinPFind folder, double click WinPFind.exe
2. Click Start Scan
3. Once the Scan is complete, it will create a report in a text file
4. Go to the WinPFind folder & locate WinPFind.txt
5. Post the results in your next reply!
** This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

Please post all 3 logs in your next reply
__________________
Question - what have you done for the community today?

#13 (permalink)
Registered User
Join Date: Jan 2006
Posts: 12
OS: XP
I'm back with some logs for you. I can sense your excitement.
Here's the Rootkit Log:
HKLM\SOFTWARE\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o 26/06/2004 5:58 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 08/01/2006 3:45 AM 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Me\Local Settings\Temp\~DFA8D2.tmp 08/01/2006 3:47 AM 16.00 KB Hidden from Windows API.
C:\Program Files\Common Files\Symantec Shared\SPBBC\2006-01-08-1b00.kc 08/01/2006 2:02 AM 144.66 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\SPBBC\2006-01-08-6a80.kc 08/01/2006 3:46 AM 144.66 KB Hidden from Windows API.
C:\Program Files\Norton AntiVirus\Savrt\0347NAV~.TMP 08/01/2006 4:08 AM 0 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 08/01/2006 3:45 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
-------------------------------------------------------------------

Next up is the Ewido:
--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 3:33:53 AM, 08/01/2006
+ Report-Checksum: 2F3BD836
+ Scan result:
C:\Documents and Settings\Me\Cookies\me@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Me\Cookies\me@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Me\Cookies\me@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Me\Cookies\me@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Me\Cookies\me@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Me\Cookies\me@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043070.exe -> Trojan.Agent.bi : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043166.exe -> Trojan.Agent.bi : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0043310.exe -> Trojan.Agent.bi : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP309\A0044779.exe -> Downloader.Agent.td : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0045020.exe -> Trojan.Agent.bi : Cleaned without backup
::Report End
-----------------------------------------------------------------------

And finally the WinPFind:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP
Current Build: Service Pack 2
Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PEC2 29/08/2002 2:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PTech 04/11/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 08/12/2005 4:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 08/12/2005 4:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 03/08/2004 11:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 21/02/2004 10:33:36 PM 6689115 C:\WINDOWS\SYSTEM32\pav.sig
aspack 21/02/2004 10:33:36 PM 6689115 C:\WINDOWS\SYSTEM32\pav.sig
SAHAgent 21/02/2004 10:33:36 PM 6689115 C:\WINDOWS\SYSTEM32\pav.sig
Umonitor 03/08/2004 11:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 29/08/2002 2:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU
Checking %System%\Drivers folder and sub-folders...
PTech 03/08/2004 9:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
08/01/2006 2:07:30 AM S 2048 C:\WINDOWS\BOOTSTAT.DAT
08/01/2006 2:05:06 AM H 54156 C:\WINDOWS\QTFont.qfn
05/01/2006 2:54:48 AM HS 18944 C:\WINDOWS\forms\configs\Thumbs.db
22/12/2005 6:05:36 PM H 10820 C:\WINDOWS\Help\update.GID
08/01/2006 2:05:08 AM H 23959 C:\WINDOWS\SYSTEM32\FFASTLOG.TXT
08/01/2006 2:04:54 AM HS 7225 C:\WINDOWS\SYSTEM32\mmf.sys
30/11/2005 8:17:10 PM S 21633 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
01/12/2005 4:12:48 PM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
02/01/2006 3:09:36 PM S 11223 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
08/01/2006 2:07:22 AM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
08/01/2006 2:07:42 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
08/01/2006 2:07:32 AM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
08/01/2006 2:52:36 AM H 90112 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
08/01/2006 2:07:36 AM H 1101824 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
14/12/2005 1:42:18 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
27/12/2005 3:34:50 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KZOQ55PW\desktop.ini
27/12/2005 3:34:50 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y9H8VORL\desktop.ini
27/12/2005 3:34:50 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YCK99TDB\desktop.ini
27/12/2005 3:34:50 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YDCZTPRY\desktop.ini
04/01/2006 10:21:46 AM HS 233472 C:\WINDOWS\SYSTEM32\DirectX\Dinput\Thumbs.db
08/01/2006 2 40 AM H 6 C:\WINDOWS\Tasks\SA.DAT
27/12/2005 5:08:38 AM HS 18944 C:\WINDOWS\Web\Wallpaper\Thumbs.db
Checking for CPL files...
Microsoft Corporation 03/08/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 28/05/2001 10:47:00 AM 32768 C:\WINDOWS\SYSTEM32\AudioHQU.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
16/11/1996 11:00:00 PM 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL
Microsoft Corporation 03/08/2004 11:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 29/08/2002 2:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 16/11/1996 11:00:00 PM 45984 C:\WINDOWS\SYSTEM32\MLCFG32.CPL
Microsoft Corporation 03/08/2004 11:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 29/08/2002 2:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 03/08/2004 11:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel(R) Corporation 11/03/2003 1:15:56 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
Apple Computer, Inc. 27/05/2003 11:42:58 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 29/08/2002 2:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 03/08/2004 11:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 03/08/2004 11:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 26/05/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
03/09/2002 6:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
Checking files in %ALLUSERSPROFILE%\Application Data folder...
03/09/2002 5:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
Checking files in %USERPROFILE%\Startup folder...
03/09/2002 6:00:00 AM HS 84 C:\Documents and Settings\Me\Start Menu\Programs\Startup\DESKTOP.INI
23/08/2003 4:55:16 PM 761 C:\Documents and Settings\Me\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
23/08/2003 4:55:14 PM 736 C:\Documents and Settings\Me\Start Menu\Programs\Startup\Office Startup.lnk
Checking files in %USERPROFILE%\Application Data folder...
03/09/2002 5:50:46 AM HS 62 C:\Documents and Settings\Me\Application Data\DESKTOP.INI
11/01/2004 1:57:54 AM 0 C:\Documents and Settings\Me\Application Data\dm.ini
27/12/2005 2:40:52 AM 1853447 C:\Documents and Settings\Me\Application Data\Install.dat
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton AntiVirus\NavShExt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{C4069E3A-68F1-403E-B40E-20066696354B} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{C4069E3A-68F1-403E-B40E-20066696354B} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIModeChange Ati2mdxx.exe
PRONoMgr.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
CTSysVol C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
CTDVDDet C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
CTHelper CTHELPER.EXE
AsioReg REGSVR32.EXE /S CTASIO.DLL
UpdReg C:\WINDOWS\UpdReg.EXE
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
mmtask C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SB Audigy 2 Startup Menu /L:ENG
DellSupport "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent = Ati2evxx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 08/01/2006 3:39:23 AM
#14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
The results are coming up clean. It did find the remnants of a previous infection but that file is not known to disrupt connectivity. Please delete the file:
C:\Documents and Settings\Me\Application Data\Install.dat
I suspect that you may have a network card that's failing but it's best that you open a new thread at the Networking forum so that those guys may have a look at it. Tell them that the HJT log forum has declared you clean.
__________________
Question - what have you done for the community today?