(W2k) System32 completely cloaked - not folder options issue!

Old 07-05-2005, 10:39 PM   #1
 
Join Date: Jul 2005
Posts: 14
OS:



Hello

Running Win2K

Here are the issues at hand:

C:\WINNT\SYSTEM32 is no longer visible to the GUI.

Other hidden and system files show up in explorer, except for SYSTEM32. This is not, I repeat, a simple View/Folder Options issue as the Read Only/Hidden/System files are set to viewable.

Can't access SYSTEM32 through RUN, but can manually access it through DOS (CD system32).

Will not find specific files known to reside in System32 using Windows Search function.

Will scan in SYSTEM32 using AdAware, Sophos, SpyDoctor, but will not find anything out of the ordinary.

While in DOS:

Tried to do ATTRIB on the folder through the command prompt, but it cannot locate it, nor will it list any files or extensions. (Tried attrib *.exe while in SYSTEM32, but could not list any files)

Can't locate the directory from C:\WINNT\ through the good old DIR command either.

This seems like a pretty bad one. Sygate Personal Firewall Pro is not detecting any out of the norm activity (Incoming/Outgoing Permissions only granted to NTOSKRNL.EXE, IEXPLORER.)

I've seen only a very few people with these same exact problems pop up within this past week. I haven't seen any resolutions to this yet.

HJT log is clean, and I don't see anything out of the ordinary.

Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINNT\system32\upnpdrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINNT\SOUNDMAN.EXE
C:\program files\powerstrip\pstrip.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVMain.exe
C:\Program Files\Sophos\Sophos Anti-Virus\savprogress.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spyware Doctor\liveupdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mike.MIKE-EML8V3ZUB8\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /C /FS /X
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - https://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - https://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - https://us.dl1.yimg.com/download.yaho...tocomplete.cab


Could it be a new worm? Never seen anything like this before. I'm going to try safe mode and turn off networking. I can't find any out of the ordinary executables in any of my folders.
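The symptom in the post (SYSTEM32 reachable with `cd`, absent from `dir`, Explorer, Search and `attrib`) is a disagreement between two views of the same parent directory: the enumeration view and the direct-access view. Rootkit detectors compare such views; the following added example, which is not code from the thread, does the same for a list of children you expect to find under a parent. The listing and probe functions are parameters so the logic can be exercised against a simulated hidden entry; the default parent `C:\WINNT` and the child names are assumptions taken from the thread's layout, not anything read from the affected machine.

```python
"""Cross-view check for a directory child that can be reached directly but
never shows up when its parent is enumerated (added example, not from the
thread). Enumeration view: os.listdir. Direct-access view: os.path.exists
on the full path. A child reachable by path but missing from the listing
is the discrepancy the post describes for C:\\WINNT\\SYSTEM32."""
import os
import sys
from typing import Callable, Dict, Iterable, List


def cross_view_check(
    parent: str,
    expected_children: Iterable[str],
    list_fn: Callable[[str], List[str]] = os.listdir,
    probe_fn: Callable[[str], bool] = os.path.exists,
) -> Dict[str, str]:
    """Return one status per expected child:
       'ok'                     enumerated and reachable
       'HIDDEN'                 reachable by direct path, absent from listing
       'listed-but-unreachable' present in listing, direct access fails
       'missing'                neither view finds it
    Names are compared case-insensitively, matching Windows semantics."""
    listed = {name.lower() for name in list_fn(parent)}
    statuses: Dict[str, str] = {}
    for child in expected_children:
        enumerated = child.lower() in listed
        reachable = probe_fn(os.path.join(parent, child))
        if enumerated and reachable:
            statuses[child] = "ok"
        elif reachable and not enumerated:
            statuses[child] = "HIDDEN"
        elif enumerated and not reachable:
            statuses[child] = "listed-but-unreachable"
        else:
            statuses[child] = "missing"
    return statuses


def hidden_children(statuses: Dict[str, str]) -> List[str]:
    """Names whose direct access succeeded while enumeration missed them."""
    return sorted(name for name, status in statuses.items() if status == "HIDDEN")


if __name__ == "__main__":
    # Assumed defaults: the Windows 2000 layout from the thread. On any other
    # system pass the parent directory and child names as arguments.
    parent = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINNT"
    children = sys.argv[2:] or ["system32", "system", "inf", "temp"]
    report = cross_view_check(parent, children)
    for name, status in report.items():
        print(f"{status:24} {os.path.join(parent, name)}")
    if hidden_children(report):
        print("Cross-view discrepancy: the directory listing cannot be trusted.")
```

On a clean machine every expected child reports `ok`; a `HIDDEN` result means the enumeration API (or whatever is filtering it) is lying about something the path-based API can still open, which is the signature the poster observed and a reason to stop trusting the live system's own listings.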
Old 07-05-2005, 10:46 PM   #2
 
Join Date: Jul 2005
Posts: 14
OS:


edited
Old 07-06-2005, 10:13 AM   #3
TSF Enthusiast
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


You seem to have a good understanding of your system.

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

This Promise hard drive controller - could this be the cause for your symptoms?? It may be necessary in order to maintain preferences applied to the RAID array connected to the Promise controller. My concern is - is one of these preferences causing the issue??

The only other thing I can currently think of is a program that hides files and folders from Windows. You can't even search them out. This is not too long ago; I'm currently in the process of finding the name of this program - does it sound familiar to you??

Other than this:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at https://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the lower pane. Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.
Old 07-06-2005, 11:55 AM   #4
 
Join Date: Jul 2005
Posts: 14
OS:


yeah, this is a really strange bugger

Although I don't use RAID and can disable this from the BIOS, this extra service hasn't caused any problems in the past. I'll disable it from the BIOS and see what happens, but I have a feeling it will have no effect.

There are a lot of strange things about this one that are leading me to believe that it's some sort of virus.

In Safe Mode, the SYSTEM & SYSTEM32 directories are still hidden.

Even in DOS, the files and directories are completely cloaked, preventing me from ATTRIBing any of the files or directories so I can do any moving or deleting.

Did a quick NETSTAT -AN

doesn't seem quite right to me...

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1036 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1047 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1049 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1055 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1058 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1060 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1062 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1066 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1070 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1074 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1076 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1083 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1087 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1091 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1096 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1100 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1105 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1107 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1108 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1111 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1113 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1115 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1117 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1119 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1121 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1123 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1125 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1127 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1129 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1131 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1133 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1137 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1139 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1141 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1143 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1161 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1170 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1172 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1174 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1176 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1178 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1180 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1182 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1184 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1215 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1219 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1225 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1263 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1278 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1280 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1282 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1284 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1286 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1288 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1290 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1292 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1294 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1296 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1298 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1300 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1302 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1304 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1306 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1308 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1310 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1312 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1315 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1317 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1319 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1321 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1323 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1325 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1327 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1329 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1331 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1333 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1339 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1341 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1343 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1345 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1349 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1351 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1353 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1357 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1359 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1361 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1363 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1367 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1371 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1373 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1375 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1377 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1379 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1381 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1383 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1385 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1387 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1391 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1393 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1395 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1397 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1399 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1401 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1403 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1405 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1407 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1411 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1415 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1417 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1419 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1423 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1425 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1427 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1429 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1431 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1435 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1437 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1439 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1441 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1447 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1449 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1451 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1453 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1456 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1458 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1460 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1462 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1464 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1466 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1468 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1470 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1472 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1474 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1480 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1482 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1515 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1519 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1523 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1525 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1527 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1529 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1531 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1533 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1535 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1537 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1539 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1541 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1543 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1545 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1547 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1549 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1551 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1553 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1555 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1557 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1559 0.0.0.0:0 LISTENING
TCP 127.0.0.1:445 127.0.0.1:1108 ESTABLISHED
TCP 127.0.0.1:1108 127.0.0.1:445 ESTABLISHED
TCP 192.168.1.100:139 0.0.0.0:0 LISTENING
TCP 192.168.1.100:1045 0.0.0.0:0 LISTENING
TCP 192.168.1.100:1045 192.168.1.254:139 ESTABLISHED

I'll try that software for now as well, thanks!
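The `NETSTAT -AN` listing above is the kind of artifact a responder triages before deciding anything. The following added example, not code from the thread, parses that Windows text format (Proto, Local Address, Foreign Address, State) and summarises what to look at first: which ports are LISTENING on all interfaces (0.0.0.0), how many of those sit in the dynamic port range, and which non-loopback peers hold ESTABLISHED connections. A long run of LISTENING sockets on consecutive dynamic ports, as in the post, is a worklist to explain process by process; `netstat -an` alone cannot name the owning process. The 1024-5000 dynamic range is the Windows 2000/XP default and is an assumption encoded as a constant; the sample lines are a constructed subset of the post's output.

```python
"""Triage of Windows `netstat -an` output (added example, not from the
thread). Produces a summary and a list of findings for a responder to
follow up; it is a worklist, not a verdict."""
import re
from typing import Dict, Iterable, List

# Matches "TCP 0.0.0.0:135 0.0.0.0:0 LISTENING" and "UDP 0.0.0.0:445 *:*".
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$"
)
DYNAMIC_PORTS = range(1024, 5001)   # assumed Windows 2000/XP default dynamic range
WELL_KNOWN = {135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB"}

# Constructed subset of the netstat output shown in the post.
SAMPLE_NETSTAT = [
    "Active Connections",
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:1036           0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:1047           0.0.0.0:0              LISTENING",
    "  TCP    127.0.0.1:445          127.0.0.1:1108         ESTABLISHED",
    "  TCP    127.0.0.1:1108         127.0.0.1:445          ESTABLISHED",
    "  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.100:1045     192.168.1.254:139      ESTABLISHED",
    "  UDP    0.0.0.0:445            *:*",
]


def parse_netstat(lines: Iterable[str]) -> List[Dict]:
    """Turn netstat text into dicts; header and blank lines are skipped."""
    rows = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto, "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": None if rport == "*" else int(rport),
            "state": state or "",           # UDP rows carry no state
        })
    return rows


def triage(lines: Iterable[str], dynamic_listen_threshold: int = 20) -> Dict:
    """Summarise listeners and peers and raise findings worth a closer look."""
    rows = parse_netstat(lines)
    listening = [r for r in rows if r["state"] == "LISTENING"]
    wildcard_dynamic = sorted(
        r["lport"] for r in listening
        if r["laddr"] == "0.0.0.0" and r["lport"] in DYNAMIC_PORTS
    )
    established = [r for r in rows if r["state"] == "ESTABLISHED"]
    peers = sorted({f'{r["raddr"]}:{r["rport"]}' for r in established
                    if r["raddr"] != "127.0.0.1"})
    findings: List[str] = []
    if len(wildcard_dynamic) >= dynamic_listen_threshold:
        findings.append(
            f"{len(wildcard_dynamic)} LISTENING sockets on 0.0.0.0 in the dynamic "
            f"range {wildcard_dynamic[0]}-{wildcard_dynamic[-1]}: identify the "
            f"owning process for each (netstat -an does not show it)"
        )
    for r in listening:
        if r["laddr"] == "0.0.0.0" and r["lport"] in WELL_KNOWN:
            findings.append(
                f'port {r["lport"]} ({WELL_KNOWN[r["lport"]]}) exposed on all interfaces'
            )
    return {
        "parsed": len(rows),
        "listening": len(listening),
        "wildcard_dynamic_ports": wildcard_dynamic,
        "established_peers": peers,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT, dynamic_listen_threshold=5)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a saved `netstat -an` capture by reading the file into a list of lines; the threshold is deliberately a parameter because what counts as "too many" listeners depends on what the host legitimately runs.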
Old 07-06-2005, 01:36 PM   #5
 
Join Date: Jul 2005
Posts: 14
OS:


other errata:

Popular anti-virus software homepages are not loading. (Sending them to 127.0.0.1)

This one really doesn't want to be found or deleted!
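Security vendor sites being "sent to 127.0.0.1" is the classic effect of lines appended to `%SystemRoot%\system32\drivers\etc\hosts`, the file the StartDreck log later in this thread lists among its text files. The following added example, not code from the thread, parses hosts-file text, ignores comments, and reports every name other than the local host aliases that is pinned to a loopback or unspecified address, calling out names on a watchlist separately. The watchlist and the sample file content are constructed for the example: sophos.com, mwti.net and diamondcs.com.au are the vendors this thread mentions, sygate.com is added on the assumption that the poster's firewall vendor would be targeted alike.

```python
"""Flag hosts-file entries that pin hostnames to loopback (added example,
not from the thread). Windows path on the poster's system:
C:\\WINNT\\system32\\drivers\\etc\\hosts."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed watchlist of vendor domains from the thread (sygate.com assumed).
WATCHLIST = ("sophos.com", "mwti.net", "diamondcs.com.au", "sygate.com")
LOCAL_ALIASES = ("localhost", "localhost.localdomain", "broadcasthost")

# Constructed sample: a stock Windows hosts file with two injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.sophos.com    # injected
127.0.0.1       update.example.com
10.0.0.5        intranet.example.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blanks and bad IPs are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def blackholed_names(text: str, watchlist: Iterable[str] = WATCHLIST) -> List[Dict]:
    """Names mapped to loopback/unspecified addresses, excluding local aliases."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        if name in LOCAL_ALIASES:
            continue
        watched = [w for w in watchlist if name == w or name.endswith("." + w)]
        reason = (f"security vendor domain ({watched[0]})" if watched
                  else f"non-local name pinned to {ip}")
        findings.append({"ip": ip, "name": name,
                         "watchlisted": bool(watched), "reason": reason})
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_HOSTS with open(path).read() to check a real file.
    for f in blackholed_names(SAMPLE_HOSTS):
        print(f'{f["ip"]:12} {f["name"]:28} {f["reason"]}')
```

Any hit is a reason to inspect the file by hand; a watchlisted hit matches the poster's symptom exactly, while an unlisted name pinned to loopback still deserves an explanation, since a stock Windows hosts file maps nothing but `localhost`.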
Old 07-06-2005, 01:40 PM   #6
TSF Enthusiast
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


Let's use a program to scan for any trojans that may exist. Download TDS-3 https://tds.diamondcs.com.au/index.php?page=download. Learn how to use it at https://tds.diamondcs.com.au/index.php?page=easytouse. Make sure to update it after you installed it. You can get the manual updates at https://tds.diamondcs.com.au/index.php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.
Old 07-06-2005, 06:51 PM   #7
 
Join Date: Jul 2005
Posts: 14
OS:


I'll give it a try, thanks.

I know I have some spyware files and cookies passively sitting in old directories, and they will register some hits as trojans, but most spyware-related virus/hijack activity I've seen is obscenely blatant and gaudy in comparison to this one.

Haven't found any corrupt data or performance issues yet...crossing my fingers that I can spot it.

Hear of any others with this problem? The only other instances I've read about were only within this past week or so, just in UK and EU.
Old 07-06-2005, 09:05 PM   #8
 
Join Date: Jul 2005
Posts: 14
OS:


TDS-3 located these--

They don't seem like anything major-- more or less remnants of old/partially deleted spyware.

Scan Control Dumped @ 20:01:59 06-07-05

Positive identification: Adware.VirtualBouncer.j Dropper.b
File: c:\documents and settings\mike.michael-97rthwp\local settings\temporary internet files\content.ie5\tzsh7scs\bundleouter1211031201[1].exe

Positive identification (DLL): TrojanDownloader.Win32.Tibser.b (dll)
File: c:\winnt\crt32_v2.dll

Positive identification: Riskware.Tool.KillApp.b
File: c:\winnt\temp\ctzapxx\drivers\wdm\common\killapps.exe
Old 07-07-2005, 01:14 AM   #9
TSF Security Team, Emeritus
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,962
OS: Windows 7


Can you see the folder in safe mode? Is this PC networked to another? There are several virus/worms that can infect the system.exe file and dump the virus files into that folder.... to hide the system32 folder. I would suggest you make sure your virus scanner is up to date and run a scan from safe mode.

First, download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Where is the Mwav log?

Please post the following logs...

Download Silent runners.Vbs https://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named "StartupPrograms" with your user and date in the filename. Open that txt file and post its contents in your next post.

Download: StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'Mark All'

UN-Check the 'NT-Services & NT-Kernel...' boxes only:
Press 'Ok'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
Old 07-07-2005, 11:26 PM   #10
 
Join Date: Jul 2005
Posts: 14
OS:


System & System32 folders hidden in safe mode. This PC is occasionally used in a home network, as well as a separate business network.

Here is the Silent Runners log:


"Silent Runners.vbs", revision 39, https://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATI Launchpad" = (empty string)
"TaskBar" = ""C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"" ["Creative Technology Ltd"]
"ctfmon.exe" = "ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Ptipbmf" = "rundll32.exe ptipbmf.dll,SetWriteCacheMode" [MS]
"ASUS Probe" = "C:\Program Files\ASUS\Probe\AsusProb.exe" [null data]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"Register Homesite+.exe" = ""C:\Program Files\Macromedia\HomeSite+\Homesite+.exe" /REGSERVER" ["Macromedia, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
"{0AC6C6C5-F7A8-11D2-BEF4-00C04F990001}" = "Macromedia FTP & RDS"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\CfShellFtpRds.dll" ["Macromedia, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}" = "Sophos Anti-Virus Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sophos\Sophos Anti-Virus\savshellext.dll" ["Sophos plc"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
SavShellExt\(Default) = "{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sophos\Sophos Anti-Virus\savshellext.dll" ["Sophos plc"]
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\tds3shl.dll" [empty string]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
SavShellExt\(Default) = "{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sophos\Sophos Anti-Virus\savshellext.dll" ["Sophos plc"]
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\tds3shl.dll" [empty string]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
SavShellExt\(Default) = "{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sophos\Sophos Anti-Virus\savshellext.dll" ["Sophos plc"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\mike.MIKE-EML8V3ZUB8\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "mike" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"AutoUpdate Monitor" -> shortcut to: "C:\Program Files\Sophos\AutoUpdate\ALMon.exe" ["Sophos plc"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=https://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "blank" = "res://msaps.dll/index.html" [file not found]
HIJACK WARNING! "PostNotCached" = "res://msaps.dll/index.html" [file not found]
HIJACK WARNING! "MRU Update" = "1" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINNT\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
HID Input Service, HidServ, "C:\WINNT\system32\hidserv.exe" [MS]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Sophos Anti-Virus, SAVService, ""C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe"" ["Sophos plc"]
Sophos Anti-Virus status reporter, SAVAdminService, ""C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe"" ["Sophos plc"]
Sophos AutoUpdate Service, Sophos AutoUpdate Service, ""C:\Program Files\Sophos\AutoUpdate\ALsvc.exe"" ["Sophos plc"]
Sygate Personal Firewall Pro, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
Universal Plug and Play device driver, upnpdrv, "C:\WINNT\system32\upnpdrv.exe" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 31 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 7 seconds.
---------- (total run time: 58 seconds)
Old 07-07-2005, 11:27 PM   #11
 
Join Date: Jul 2005
Posts: 14
OS:


Startdreck log

StartDreck (build 2.1.7 public stable) - 2005-07-07 @ 22:20:56 (GMT -07:00)
Platform: Windows 2000 (Win NT 5.0.2195 Service Pack 4)
Internet Explorer: 6.0.2800.1106
Logged in as mike at RX7

»Registry
»Run Keys
»Current User
»Run
*ATI Launchpad=
*TaskBar="C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
*ctfmon.exe=ctfmon.exe
»RunOnce
»Default User
»Run
*Mascro soft SDK updates2=SDKrepair2.exe
»RunOnce
*^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
»Local Machine
»Run
*NeroFilterCheck=C:\WINNT\system32\NeroCheck.exe
*Synchronization Manager=mobsync.exe /logon
*CTHelper=CTHELPER.EXE
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
*Ptipbmf=rundll32.exe ptipbmf.dll,SetWriteCacheMode
*ASUS Probe=C:\Program Files\ASUS\Probe\AsusProb.exe
*SoundMan=SOUNDMAN.EXE
*SmcService=C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
*iTunesHelper=C:\Program Files\iTunes\iTunesHelper.exe
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
*Register Homesite+.exe="C:\Program Files\Macromedia\HomeSite+\Homesite+.exe" /REGSERVER
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" %1
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINNT\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile="C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"
+.jse
*JSEFile=C:\WINNT\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINNT\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINNT\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINNT\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINNT\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
*{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
`InprocServer32=
»Files
»Autostart Folders
»Current User
»Default User
»Local Machine
*C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
*C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
*C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINNT\system32\config.nt
*C:\autoexec.bat
*C:\WINNT\system32\autoexec.nt
*C:\WINNT\wininit.ini
*C:\WINNT\system32\drivers\etc\hosts
»System/Drivers
»Running Processes
+0=<idle>
+168=\SystemRoot\System32\smss.exe
+192=\??\C:\WINNT\system32\csrss.exe
+212=\??\C:\WINNT\SYSTEM32\winlogon.exe
+240=C:\WINNT\system32\services.exe
+252=C:\WINNT\system32\lsass.exe
+372=C:\WINNT\system32\Ati2evxx.exe
+416=C:\Program Files\Sygate\SPF\smc.exe
+472=C:\WINNT\system32\svchost.exe
+516=C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
+736=C:\WINNT\system32\spoolsv.exe
+776=C:\WINNT\System32\CTsvcCDA.exe
+792=C:\WINNT\System32\svchost.exe
+856=C:\WINNT\system32\hidserv.exe
+884=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+952=C:\WINNT\system32\regsvc.exe
+1004=C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
+1040=C:\WINNT\system32\MSTask.exe
+1064=C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
+1136=C:\WINNT\system32\upnpdrv.exe
+1168=C:\WINNT\System32\WBEM\WinMgmt.exe
+1192=C:\WINNT\System32\MsPMSPSv.exe
+1204=C:\WINNT\system32\svchost.exe
+1408=C:\WINNT\SYSTEM32\Ati2evxx.exe
+1448=C:\WINNT\Explorer.EXE
+1508=C:\WINNT\system32\CTHELPER.EXE
+1520=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
+1436=C:\Program Files\ASUS\Probe\AsusProb.exe
+1544=C:\WINNT\SOUNDMAN.EXE
+1568=C:\Program Files\iTunes\iTunesHelper.exe
+1536=C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
+1588=C:\WINNT\system32\ctfmon.exe
+1640=C:\Program Files\iPod\bin\iPodService.exe
+1652=C:\Program Files\Sophos\AutoUpdate\ALMon.exe
+1580=C:\WINNT\System32\WScript.exe
+1772=C:\WINNT\system32\NOTEPAD.EXE
+1860=C:\Documents and Settings\mike.MIKE-EML8V3ZUB8\Desktop\startdreck\StartDreck.exe
»NT Services
*Adobe LM Service Adobe LM Service - on demand
*Alerter Alerter - on demand
*Application Management AppMgmt - on demand
*Ati HotKey Poller Ati HotKey Poller running auto
*ATI Smart ATI Smart - auto
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser running auto
*Symantec Password Validation ccPwdSvc - on demand
*Indexing Service cisvc - on demand
*ClipBook ClipSrv - on demand
*Creative Service for CDROM Access Creative Service for running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver running auto
*DNS Client Dnscache running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fax Service Fax - on demand
*HID Input Service HidServ running auto
*iPod Service iPodService running on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper Service LmHosts running auto
*Macromedia Licensing Service Macromedia Licensing - on demand
*Machine Debug Manager MDM running auto
*Messenger Messenger - disabled
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc running auto
*Plug and Play PlugPlay running auto
*IPSEC Policy Agent PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Registry Service RemoteRegistry running auto
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*Sophos Anti-Virus status reporter SAVAdminService running auto
*Sophos Anti-Virus SAVService running auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*RunAs Service seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Sharing SharedAccess - on demand
*Sygate Personal Firewall Pro SmcService running auto
*Sophos AutoUpdate Service Sophos AutoUpdate Se running auto
*Print Spooler Spooler running auto
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Telnet TlntSvr - on demand
*Distributed Link Tracking Client TrkWks running auto
*Universal Plug and Play device driver upnpdrv running auto
*Uninterruptible Power Supply UPS - on demand
*Utility Manager UtilMan - on demand
*Windows Time W32Time - on demand
*Windows Management Instrumentation WinMgmt running auto
*WMDM PMSP Service WMDM PMSP Service running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*Windows Management Instrumentation Driver Extensions Wmi running on demand
*Automatic Updates wuauserv running auto
*Wireless Configuration WZCSVC - on demand
»Application specific
MikeFD3S is offline  
Old 07-07-2005, 11:29 PM   #12

mwav log coming up...
MikeFD3S is offline  
Old 07-07-2005, 11:42 PM   #13

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "WhenU Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\bridge.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\HDPlugin1018.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOCUME~1\MIKE~1.MIK\LOCALS~1\Temp\_ISTMP2.DIR\_ISTMP0.DIR\FileGrp\Msvcrt10.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOCUME~1\MIKE~1.MIK\LOCALS~1\Temp\_ISTMP2.DIR\_ISTMP0.DIR\FileGrp\MSVCP60.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\System32\imagx5.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\HDPlugin1018.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Documents and Settings\All Users.WINNT\Application Data\Ahead\NeroDigital\settings.xml". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero PhotoSnap\PhotoSnap-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero PhotoSnap\PhotoSnap-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero PhotoSnap\PhotoSnapViewer-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero PhotoSnap\PhotoSnapViewer-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\Skins\standard.bmp". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\system32\VerizonUninstaller.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\system32\VZGUninstall.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\Motive\MotivePreQual.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzPackageInfo.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzProductInfo.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzServerPosts.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzSFP.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzSFPMsgs.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzUpdateAdvisor.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzNetSvc.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzUpdateMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzInstall.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzInventory.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzLoggerExp.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzUpdateMgrPS.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\system32\vzServices.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\ConnMgr\Dialup.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\ConnMgr\DdmDll.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\TaskCore\vzOutlookConfigTask.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\TaskCore\vzLandingPageTask.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\TaskCore\vzMotiveSystemCheckTask.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\TaskCore\vzMiscTask.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Verizon Online\TaskCore\MotiveBrowser.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{02A31521-8EAE-11D0-A149-0040051F847F}" refers to invalid object "C:\WINNT\system32\FtpTree.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}" refers to invalid object "C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{069747E6-58A8-4597-87F1-CA2DBC42696C}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzServerPosts.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0FF436CF-5780-4F0A-8CF1-974032EDB20E}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzPackageInfo.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}" refers to invalid object "C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1B62A3D1-9C04-4BD5-84B5-D2607302501F}" refers to invalid object "C:\WINNT\System32\divxdec.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{23473B33-52A1-4418-8BAF-FCDDB755503F}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzSFP.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2B1F8ED9-4200-4846-B8A3-BB58CDD3121C}" refers to invalid object "C:\WINNT\system32\system32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{34D9E371-457D-11D0-A0F4-0040051F847F}" refers to invalid object "C:\WINNT\system32\FtpTree.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3708886A-7D2C-4451-9325-0DA59C287011}" refers to invalid object "C:\Program Files\Creative\SBAudigy\RemoteCenter\Center\Tasks\MP3FileSink.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{37C64D52-538B-11D5-BC0B-00D0B76BF9FA}" refers to invalid object "C:\PROGRA~1\Creative\SBAudigy\REMOTE~1\Center\Tasks\CTAudRec.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4BC02DC2-3B39-4A98-BAB3-79C2FF247051}" refers to invalid object "C:\Program Files\Common Files\ACD Systems\Video\ACDFX.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4C171D40-8277-11D5-AD55-00010333D0AD}" refers to invalid object "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4C58F422-C7F4-4EC6-949E-A443976820A8}" refers to invalid object "C:\Program Files\Verizon Online\Verizon Online Support Center\SmartBridge\SBIQOutlook.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4D9F962F-5FFB-4E1E-A2E8-505F67468CBA}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\ConnMgr1_1\CMIWrapper.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{70342BB6-3484-42EF-A85A-677FE74E701A}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\TaskCore\vzOutlookConfigTask.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7C8548F1-EE63-4CE0-89F0-C7B735B5A07F}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzInstall.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}" refers to invalid object "C:\WINNT\System32\crt32_v2.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8D23B2C0-6CC5-4184-BCC0-0382CD0DEF78}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\ConnMgr1_1\DDM.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8FB1F531-485C-11D0-B0DC-080009C351D7}" refers to invalid object "C:\WINNT\system32\FtpTree.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{94547240-04F1-11D6-AD56-00010333D0AD}" refers to invalid object "C:\Program Files\Yahoo!\browser\ybmesbar.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9C2C220D-6E2D-4715-A715-AAEFCE3A3124}" refers to invalid object "C:\Program Files\Verizon Online\Verizon Online Support Center\SmartBridge\SBIQWin32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A4845882-333F-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A5BF4FDD-B508-49B8-A66E-5F6AC43D1D7B}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzInventory.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0FA4C4D-2610-4CD9-9BCD-CDEB9DE895C0}" refers to invalid object "C:\Program Files\Verizon Online\Verizon Online Support Center\SmartBridge\SBIQExcel.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B2543DC1-95D7-11D0-A15F-0040051F847F}" refers to invalid object "C:\WINNT\system32\FtpTree.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BBDFDB8B-1305-4EBB-91D6-41B4BD29B76B}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\ConnMgr1_1\PPPoEInfo.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C11FD3C9-F2A5-44DC-860F-49B01A09495E}" refers to invalid object "C:\Program Files\Common Files\ACD Systems\Video\ACDFX.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C22877C3-4214-11D0-B0DA-080009C351D7}" refers to invalid object "C:\WINNT\system32\FtpTree.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C22877C4-4214-11D0-B0DA-080009C351D7}" refers to invalid object "C:\WINNT\system32\FtpTree.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C606BA60-AB76-48B6-96A7-2C4D5C386F70}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\Motive\MotivePreQual.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C6174FD2-4451-41C3-877E-8782507552BA}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzUpdateAdvisor.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D338CEAB-65CA-4B96-A84A-9B640C26108F}" refers to invalid object "C:\WINNT\System32\jsconsole.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D518DFD4-BE30-4B16-A296-D3764384E7CB}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzProductInfo.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D5A2B7F4-264D-4B04-B499-14D117BACA39}" refers to invalid object "C:\Program Files\Sophos\Sophos Anti-Virus\systeminformation.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D7004463-C95A-4A06-8FF6-EDBDC60C9BDB}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\SFP\vzUpdateMgrPS.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DEDF39EB-6AB8-4419-BA03-59DB97ACDEE1}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\TaskCore\vzMotiveSystemCheckTask.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DF01B236-ECF3-11D0-BEB9-0040054538AA}" refers to invalid object "C:\WINNT\system32\FtpTree.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E07D3492-32B5-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E86B2E41-58A9-11D0-9332-0040051F847F}" refers to invalid object "C:\WINNT\system32\FtpTree.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F0DDF22F-B82E-4DA6-A31D-1020A770DA09}" refers to invalid object "C:\Program Files\Sophos\Sophos Anti-Virus\systeminformation.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FC7AF042-3319-4F74-B0C8-BB734E6B5E30}" refers to invalid object "C:\Program Files\Common Files\Verizon Online\TaskCore\vzLandingPageTask.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FDE3577A-6254-181C-4E11-339E4F746BD3}" refers to invalid object "C:\WINNT\System32\wins32t.dll". Action Taken: No Action Taken.
Entry "HKCR\Adobe.Illustrator.dwg" refers to invalid object "{C0ED15F0-61BB-11d3-B6CA-00C04F6A0D06}". Action Taken: No Action Taken.
Entry "HKCR\Adobe.Illustrator.dxf" refers to invalid object "{C0ED15F0-61BB-11d3-B6CA-00C04F6A0D06}". Action Taken: No Action Taken.
Entry "HKCR\Adobe.Illustrator.pict" refers to invalid object "{C0ED15F0-61BB-11d3-B6CA-00C04F6A0D06}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Microsoft.SpITNProcessor.1" refers to invalid object "{B5B47E0B-54FE-4B06-7267-970BD79B7BF2}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.EBankProblem" refers to invalid object "{AE612304-E8F9-45D9-A444-32409D33E954}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.QuarantinedItemProxy" refers to invalid object "{C2CE6266-0404-4C54-96B4-8829852E3537}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.ScripterProxy" refers to invalid object "{9FEF02F5-B3B8-4D7B-8939-72A1C989D1B9}". Action Taken: No Action Taken.
File C:\WINNT\crtv2_32.dll infected by "Trojan-Downloader.Win32.Small.ut" Virus! Action Taken: No Action Taken.
File C:\WINNT\system32\crtv2_32.dll infected by "Trojan-Downloader.Win32.Small.ut" Virus! Action Taken: No Action Taken.
File C:\WINNT\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.c. No Action Taken.
File C:\WINNT\crtv2_32.dll infected by "Trojan-Downloader.Win32.Small.ut" Virus! Action Taken: No Action Taken.
MikeFD3S is offline  
Old 07-08-2005, 12:48 AM   #14

The viruses that mwav found were pretty much the same ones that aren't really active.

The only things that look very out of the ordinary are the missing files. A majority of them were of programs that I deleted myself, but some of the others...not too sure.
MikeFD3S is offline  
Old 07-08-2005, 10:41 AM   #15

Download KillBox https://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINNT\crtv2_32.dll
C:\WINNT\system32\crtv2_32.dll
C:\WINNT\system32\KILLAPPS.EXE


Please download CCleaner via this website: https://www.ccleaner.com/ccdownload.asp

When you have installed it, click on the Registry tab and then click Scan for issues. When it has finished scanning click Fix selected issues.

Reboot, rescan with HJT and post back.

Note to MicroBell - please check other logs.
POADB is offline  
Old 07-08-2005, 02:05 PM   #16

SYSTEM & SYSTEM32 still hidden

New HJT Log

Logfile of HijackThis v1.98.0
Scan saved at 12:53:22 PM, on 7/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINNT\system32\upnpdrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\mobsync.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\mike.MIKE-EML8V3ZUB8\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - https://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - https://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - https://us.dl1.yimg.com/download.yaho...tocomplete.cab



Still no change, but hopes high that something will be found.

Other possibly useful info:

About a month or two ago, I moved to a new house and had to set up new internet service. For a few days I had no firewall set up at all. Probably a local kid scanning local ports with a proggie found my computer and installed a keylogger under several different names and attempts (westwood.exe, skull.exe, lexbce.exe). I disabled them by making empty text files with the same names and deleted the original files. I got my firewall up and running (Sygate PF Professional) and blocked all incoming and outgoing, except for NTOSKRNL.EXE, IEXPLORER, Emule & Bittorrent. Sophos Antivirus was also installed, and everything was good for a few months.

I did set up my router to do Port Forwarding on 4661-4671 TCP, and 4672 UDP to my machine, as well as the appropriate Bittorrent TCP ports.

Never had any problems until I moved my machine to the office to do some work the office comps couldn't handle. That's when I noticed the hidden folders problem. File & Printer Sharing was turned on at the time, but the drives weren't allowed to be shared by other users on the network. Perhaps the problem lies in the office network. None of the other office comps seem to have the same problem (XP systems).

Can't locate any newly created TMP, DLL, EXE, COM or BAT files in C:\, C:\WINNT\ or C:\WINNT\SYSTEM32 when looking in those dirs under the DOS prompt (the only way to manually access the SYSTEM32 folder, but I can only view non-hidden files).

I'm tempted to do a fresh reinstall and format of the drive, since it's fast and easy...but I really want to know how my system was compromised and with what, if anything.
MikeFD3S is offline  
Old 07-08-2005, 04:00 PM   #17

You have an outdated version of HijackThis. Download the newest version at https://www.greyknight17.com/spy/HijackThis.exe and run it.

Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the HijackThis log here.
POADB is offline  
Old 07-09-2005, 01:22 PM   #18

All fixes have been performed. Here is the newer-version HJT log; some new info popped up.

Got an unexpected error when starting HJT:

An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
Error #53 - File not found

Please email me at [email protected], reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.



Here is the log


Logfile of HijackThis v1.99.1
Scan saved at 12:13:24 PM, on 7/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINNT\system32\upnpdrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mike.MIKE-EML8V3ZUB8\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 64.127.104.144 (HKLM)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - https://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - https://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - https://us.dl1.yimg.com/download.yaho...tocomplete.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Universal Plug and Play device driver (upnpdrv) - Unknown owner - C:\WINNT\system32\upnpdrv.exe



It does appear that my system.ini is missing (!?) and some new services have appeared with the new version's log.
MikeFD3S is offline  
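As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage script that parses the R/F/O lines of a HijackThis 1.99 log like the one posted above and lists the entries a reviewer usually wants to check by hand: entries whose target file is missing, Trusted Zone (O15) additions, services with no publisher information, and Run keys that launch a bare executable name rather than a full path. The sample lines are constructed from the posted log; the flag rules are the example's own heuristics and are not a verdict on any entry.

```python
"""Triage helper for HijackThis 1.99 log lines (added example).

Parses each 'Rn/Fn/On - ...' entry into (section, detail) and flags
the ones a human reviewer normally inspects first. Flags mean
"look at this", not "this is malicious".
"""
import re
from typing import List, Tuple

# Constructed sample modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O15 - Trusted IP range: 64.127.104.144
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""

# An HJT entry is "<section> - <detail>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<detail>.+)$")

# For O4 Run entries: the first token of the command after "[name] ",
# with an optional opening quote.
RUN_CMD_RE = re.compile(r'\] "?(?P<cmd>[^" ]+)')


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, detail) pairs for every entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("detail")))
    return entries


def flag_entry(section: str, detail: str) -> List[str]:
    """Return the review reasons that apply to one entry (empty if none)."""
    reasons = []
    if "(no file)" in detail:
        reasons.append("orphaned entry: referenced file is missing")
    if section == "O15":
        reasons.append("Trusted Zone / IP range addition: confirm it was intentional")
    if section == "O23" and "Unknown owner" in detail:
        reasons.append("service binary carries no publisher information")
    if section == "O4":
        m = RUN_CMD_RE.search(detail)
        # A bare filename (no backslash) is resolved through the search
        # path at logon; common for system components, but worth confirming
        # which file actually gets loaded.
        if m and "\\" not in m.group("cmd"):
            reasons.append("Run entry uses an unqualified filename")
    return reasons


def triage(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return only the flagged entries with their reasons."""
    flagged = []
    for section, detail in parse_hjt(text):
        reasons = flag_entry(section, detail)
        if reasons:
            flagged.append((section, detail, reasons))
    return flagged


if __name__ == "__main__":
    for section, detail, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {detail}")
        for r in reasons:
            print(f"    -> {r}")
```

Run it against a saved log by reading the file into `triage()` instead of `SAMPLE_LOG`; the output is a shortlist to research (publisher, file location, whether you added the Trusted Zone entry yourself), which is the same manual review the helpers in this thread do.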
Old 07-09-2005, 04:41 PM   #19
TSF Enthusiast
 
POADB's Avatar
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


Go to Start>Run and type C:\Windows\System32

Does it load up??

If so - try this:

Go to Start>Run and type attrib -a -h -r -s c:\windows\system32

Let me know if this works.
POADB is offline  