|
|||||||
| Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
 |
|
|
Topic Tools |
|
#1
July 7th, 2006, 05:32 AM
|
|||
|
|||
|
Trojan.Win32.crypt.o
This virus has somehow found its way onto my computer and i need to know how to remove it. It cannot be deleted through my existing virus-scan program. The virus has attached itself to my wireless adapter and has been causing some minor problems, nothing significant but i just want to stop it before it gets worse. The virus is labeled winc.dll i know a decent amount about computers but nothing associated with this... it would be much appreciated if someone could help me,
|
|
#2
July 8th, 2006, 01:56 PM
|
||||
|
||||
|
Welcome to CTH blakeh7787. Lets see what is running on your PC. Go here and download the latest version of Hijack This. When you have downloaded it, doubleclick to install. Once installed, open Hijack This and click on scan. Most of the files listed will be harmless and/or required so do not make any changes, just click on Save Log, copy it and post it back in this thread.
Also go here and download Silent Runners.vbs (use IE to download it) to a new folder on your drive and run it. It generates a log too. It takes a minute or two and it will notify you with a popup when your log is ready (it will be in the new folder you created). Please post the information back in this thread. If your AV queries the script, allow it to run. It's not malicious.
|
|
#3
July 8th, 2006, 09:05 PM
|
|||
|
|||
|
Thank you very much for the help. Here is my log from Hijack This:
Logfile of HijackThis v1.99.1 Scan saved at 3:58:23 PM, on 7/8/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVI C~1.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Sony\VAIO Power Management\SPMgr.exe C:\Program Files\Sony\HotKey Utility\HKserv.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE C:\Program Files\Apoint\Apntex.exe C:\Program Files\Sony\HotKey Utility\HKWnd.exe C:\Program Files\Apoint\Apvfb.exe C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe C:\WINDOWS\system32\PLORER~1.EXE C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe C:\WINDOWS\NCLAUNCH.EXe C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.esearch2005.com/sp2.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savewealth.com R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch2005.com/sp2.php R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.savewealth.com/support/ie6/welcome.html R3 - URLSearchHook: (no name) - {1209315D-DDB5-F61A-90A1-F18AD1A2FBE9} - C:\WINDOWS\system32\fxo.dll (file missing) R3 - URLSearchHook: (no name) - {658C2066-9489-BA79-A149-EF2B5BC883E1} - C:\WINDOWS\system32\oycitfsv.dll R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O1 - Hosts: 202.67.220.232 win.mail.ru O2 - BHO: (no name) - {0C11AF95-E852-4F49-8D04-89D6D921511c} - C:\WINDOWS\system32\hlupestn.dll O2 - BHO: (no name) - {658C2066-9489-BA79-A149-EF2B5BC883E1} - C:\WINDOWS\system32\oycitfsv.dll O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Drivers\ATHERO~1\winc.dll O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpDE9A.tmp (file missing) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe O4 - HKLM\..\Run: [Microsoft Windowsx DLL Services Configuration] windir32.exe O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" O4 - HKLM\..\RunServices: [Microsoft Windowsx DLL Services Configuration] windir32.exe O4 - HKCU\..\Run: [Rlir] C:\WINDOWS\system32\PLORER~1.EXE O4 - HKCU\..\Run: [Microsoft Windowsx DLL Services Configuration] windir32.exe O4 - HKCU\..\Run: [AKiller] "C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe" O4 - HKCU\..\Run: [strtas] lo31.exe O4 - HKCU\..\Run: [Sabt] "C:\PROGRA~1\COMMON~1\FNTS~1\lsass.exe" -vt ndrv O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} - http://www.mathxl.com/applets/PearsonInstallAsst.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC8BE28-A132-4E85-AD31-5777FB2C8317}: NameServer = 24.197.96.16,24.197.96.15 O18 - Filter: text/html - (no CLSID) - (no file) O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll O20 - Winlogon Notify: pdhwqjbq - C:\WINDOWS\SYSTEM32\pdhwqjbq.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winc - C:\WINDOWS\Drivers\ATHERO~1\winc.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVI C~1.EXE O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHar dwareResourceManager.exe O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing) O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing) O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing) O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing) O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
|
|
#4
July 8th, 2006, 09:06 PM
|
|||
|
|||
|
And here is my log from Silent Runner:
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "Rlir" = "C:\WINDOWS\system32\PLORER~1.EXE" [null data] "Microsoft Windowsx DLL Services Configuration" = "windir32.exe" [file not found] "AKiller" = ""C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe"" [empty string] "strtas" = "lo31.exe" [file not found] "Sabt" = ""C:\PROGRA~1\COMMON~1\FNTS~1\lsass.exe" -vt ndrv" [file not found] "NCLaunch" = "C:\WINDOWS\NCLAUNCH.EXe" ["Northcode Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\Run\ {++} "wininet.dll" = "dfrgsrv.exe" [file not found] "dcomcfg.exe" = "dcomcfg.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "Mouse Suite 98 Daemon" = "ICO.EXE" [file not found] "SonyPowerCfg" = "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" ["Sony Corporation"] "HKSERV.EXE" = "C:\Program Files\Sony\HotKey Utility\HKserv.exe" ["Sony Corporation"] "Microsoft Windowsx DLL Services Configuration" = "windir32.exe" [file not found] "VAIO Recovery" = "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" ["Sony Electronics Inc"] "REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."] "Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."] "HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"] "F-Secure Manager" = ""C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash" ["F-Secure Corporation"] "F-Secure TNB" = ""C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"] "F-Secure Startup Wizard" = ""C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"] "News Service" = ""C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"" ["F-Secure Corporation"] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express" \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS] {8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS] {94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider" \StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallP rovider" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\ {0C11AF95-E852-4F49-8D04-89D6D921511c}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\hlupestn.dll" [null data] {658C2066-9489-BA79-A149-EF2B5BC883E1}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\oycitfsv.dll" [null data] {827DC836-DD9F-4A68-A602-5812EB50A834}\(Default) = (no title provided) -> {HKLM...CLSID} = "MSEvents Object" \InProcServer32\(Default) = "C:\WINDOWS\Drivers\ATHERO~1\winc.dll" [null data] {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e}\(Default) = (no title provided) -> {HKLM...CLSID} = "Nothing" \InProcServer32\(Default) = "C:\WINDOWS\system32\hpDE9A.tmp" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band" -> {HKLM...CLSID} = "History Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\SharedTaskScheduler\ INFECTION WARNING! "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}" = "USB Ware" -> {HKCU...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\stickrep.dll" [file not found] INFECTION WARNING! "{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}" = "XenaDot Software" -> {HKCU...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\xenadot.dll" [file not found] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ INFECTION WARNING! "AppInit_DLLs" = " C:\WINDOWS\system32\mmc.dll" [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] INFECTION WARNING! pdhwqjbq\DLLName = "pdhwqjbq.dll" [null data] INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS] INFECTION WARNING! winc\DLLName = "C:\WINDOWS\Drivers\ATHERO~1\winc.dll" [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandler s\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\aaa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssflwbox.scr" [MS] Startup items in "Blake" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Charter High-Speed Security Suite" -> shortcut to: "C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe -startup" ["BackWeb Technologies Inc. "] Enabled Scheduled Tasks: ------------------------ "Disk Cleanup" -> launches: "C:\WINDOWS\system32\cleanmgr.exe" [MS] "Registration reminder 1" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:1" [MS] "Scheduled scanning task" -> launches: "C:\PROGRA~1\CHARTE~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\CHARTE~1\ANTI-V~1\report.txt " ["F-Secure Corporation"] "Windows Update" -> launches: "C:\WINDOWS\system32\wupdmgr.exe" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: winsflt.dll [empty string], 01 - 05, 23 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 22 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."] "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."] "{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}" -> {HKLM...CLSID} = "SecurityToolbar" \InProcServer32\(Default) = "C:\Program Files\Security Toolbar\Security Toolbar.dll" [null data] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."] "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."] "{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}" = (no title provided) -> {HKLM...CLSID} = "SecurityToolbar" \InProcServer32\(Default) = "C:\Program Files\Security Toolbar\Security Toolbar.dll" [null data] Explorer Bars Dormant Explorer Bars in "View, Explorer Bar" menu HKLM\Software\Classes\CLSID\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}\(Default) = "SecurityToolbar" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\Program Files\Security Toolbar\Security Toolbar.dll" [null data] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" [file not found] -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."] {200DB664-75B5-47C0-8B45-A44ACCF73C00}\ "ButtonText" = "Web Filter" "CLSIDExtension" = "{D68926FD-18FD-4B0E-A1C7-917D13FAB760}" -> {HKLM...CLSID} = "F-Secure Parental Control COM button" \InProcServer32\(Default) = "C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll" ["F-Secure Corporation"] {200DB664-75B5-47C0-8B45-A44ACCF73F01}\ "MenuText" = "Web Filter" "CLSIDExtension" = "{D68926FD-18FD-4B0E-A1C7-917D13FAB760}" -> {HKLM...CLSID} = "F-Secure Parental Control COM button" \InProcServer32\(Default) = "C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll" ["F-Secure Corporation"] {300DB664-75B5-47C0-8B45-A44ACCF73C00}\ "ButtonText" = "IE Shield" "MenuText" = "IE Shield..." "CLSIDExtension" = "{0928F506-07E8-470c-979D-147C296D4879}" -> {HKLM...CLSID} = "F-Secure IE Shield COM button" \InProcServer32\(Default) = "C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll" ["F-Secure Corporation"] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://www.savewealth.com Missing lines (compared with English-language version): [Strings]: 1 line HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ "{1209315D-DDB5-F61A-90A1-F18AD1A2FBE9}" = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\fxo.dll" [file not found] "{658C2066-9489-BA79-A149-EF2B5BC883E1}" = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\oycitfsv.dll" [null data] HOSTS file ---------- C:\WINDOWS\System32\drivers\etc\HOSTS maps: 2 domain names to IP addresses, 1 of the IP addresses is *not* localhost! Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] Charter High-Speed Security Suite, BackWeb Plug-in - 3528733, "C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERV IC~1.EXE" ["BackWeb Technologies Inc. "] F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"] F-Secure HTTP Server, fshttps, ""C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe"" ["F-Secure Corporation"] F-Secure Management Agent, FSMA, ""C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE"" ["F-Secure Corporation"] FSBWSYS, FSBWSYS, ""C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe"" ["F-Secure Corp."] FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"] VAIO Entertainment File Import Service, VAIO Entertainment File Import Service, "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe" ["Sony Corporation"] VAIO Media Integrated Server, VAIOMediaPlatform-IntegratedServer-AppServer, "C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe" ["Sony Corporation"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monito rs\ hpzsnt09\Driver = "hpzsnt09.dll" ["HP"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 98 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 16 seconds. ---------- (total run time: 146 seconds)
|
|
#5
July 9th, 2006, 02:48 AM
|
||||
|
||||
|
Yep, you have a few baddies onboard. Please download VundoFix.exe to your desktop and doubleclick on VundoFix.exe to run it.
Put a check next to Run VundoFix as a task. You will receive a message saying vundofix will close and re-open in a minute or less. Click OK. When VundoFix re-opens, click the Scan for Vundo button. When it has finished scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES. Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shutdown your computer, click OK. Once your computer has shut down, wait for a minute or two and then turn your computer back on. Open My Computer. Doubleclick on your C drive and look for C:\vundofix.txt. Also post the contents of C:\vundofix.txt and run Hijack This and Silent Runners again and post new logs.
|
|
#6
July 9th, 2006, 04:30 PM
|
|||
|
|||
|
I ran the VundoFix, and after a couple of minutes it finished and said that no infected files were found, i went ahead and shutdown the computer and created the logs anyways, here is the hijackthis log:
Logfile of HijackThis v1.99.1 Scan saved at 11:28:37 AM, on 7/9/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVI C~1.EXE C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Sony\VAIO Power Management\SPMgr.exe C:\Program Files\Sony\HotKey Utility\HKserv.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE C:\Program Files\Sony\HotKey Utility\HKWnd.exe C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe C:\WINDOWS\system32\PLORER~1.EXE C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe C:\PROGRA~1\COMMON~1\FNTS~1\lsass.exe C:\Program Files\Apoint\Apvfb.exe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\NCLAUNCH.EXe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.esearch2005.com/sp2.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savewealth.com R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch2005.com/sp2.php R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.savewealth.com/support/ie6/welcome.html R3 - URLSearchHook: (no name) - {1209315D-DDB5-F61A-90A1-F18AD1A2FBE9} - C:\WINDOWS\system32\fxo.dll (file missing) R3 - URLSearchHook: (no name) - {658C2066-9489-BA79-A149-EF2B5BC883E1} - C:\WINDOWS\system32\oycitfsv.dll R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O1 - Hosts: 202.67.220.232 win.mail.ru O2 - BHO: (no name) - {0C11AF95-E852-4F49-8D04-89D6D921511c} - C:\WINDOWS\system32\hlupestn.dll O2 - BHO: (no name) - {658C2066-9489-BA79-A149-EF2B5BC883E1} - C:\WINDOWS\system32\oycitfsv.dll O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Drivers\ATHERO~1\winc.dll O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpDE9A.tmp (file missing) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe O4 - HKLM\..\Run: [Microsoft Windowsx DLL Services Configuration] windir32.exe O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" O4 - HKLM\..\RunServices: [Microsoft Windowsx DLL Services Configuration] windir32.exe O4 - HKCU\..\Run: [Rlir] C:\WINDOWS\system32\PLORER~1.EXE O4 - HKCU\..\Run: [Microsoft Windowsx DLL Services Configuration] windir32.exe O4 - HKCU\..\Run: [AKiller] "C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe" O4 - HKCU\..\Run: [strtas] lo31.exe O4 - HKCU\..\Run: [Sabt] "C:\PROGRA~1\COMMON~1\FNTS~1\lsass.exe" -vt ndrv O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} - http://www.mathxl.com/applets/PearsonInstallAsst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC8BE28-A132-4E85-AD31-5777FB2C8317}: NameServer = 24.197.96.16,24.197.96.15 O18 - Filter: text/html - (no CLSID) - (no file) O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll O20 - Winlogon Notify: pdhwqjbq - C:\WINDOWS\SYSTEM32\pdhwqjbq.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winc - C:\WINDOWS\Drivers\ATHERO~1\winc.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVI C~1.EXE O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHar dwareResourceManager.exe O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing) O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing) O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing) O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing) O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
|
|
#7
July 9th, 2006, 04:35 PM
|
|||
|
|||
|
And here is the silent runner log:
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "Rlir" = "C:\WINDOWS\system32\PLORER~1.EXE" [null data] "Microsoft Windowsx DLL Services Configuration" = "windir32.exe" [file not found] "AKiller" = ""C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe"" [empty string] "strtas" = "lo31.exe" [file not found] "Sabt" = ""C:\PROGRA~1\COMMON~1\FNTS~1\lsass.exe" -vt ndrv" [null data] "NCLaunch" = "C:\WINDOWS\NCLAUNCH.EXe" ["Northcode Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\Run\ {++} "wininet.dll" = "dfrgsrv.exe" [file not found] "dcomcfg.exe" = "dcomcfg.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "Mouse Suite 98 Daemon" = "ICO.EXE" [file not found] "SonyPowerCfg" = "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" ["Sony Corporation"] "HKSERV.EXE" = "C:\Program Files\Sony\HotKey Utility\HKserv.exe" ["Sony Corporation"] "Microsoft Windowsx DLL Services Configuration" = "windir32.exe" [file not found] "VAIO Recovery" = "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" ["Sony Electronics Inc"] "REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."] "Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."] "HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"] "F-Secure Manager" = ""C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash" ["F-Secure Corporation"] "F-Secure TNB" = ""C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"] "F-Secure Startup Wizard" = ""C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"] "News Service" = ""C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"" ["F-Secure Corporation"] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express" \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS] {8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS] {94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider" \StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallP rovider" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\ {0C11AF95-E852-4F49-8D04-89D6D921511c}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\hlupestn.dll" [null data] {658C2066-9489-BA79-A149-EF2B5BC883E1}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\oycitfsv.dll" [null data] {827DC836-DD9F-4A68-A602-5812EB50A834}\(Default) = (no title provided) -> {HKLM...CLSID} = "MSEvents Object" \InProcServer32\(Default) = "C:\WINDOWS\Drivers\ATHERO~1\winc.dll" [null data] {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e}\(Default) = (no title provided) -> {HKLM...CLSID} = "Nothing" \InProcServer32\(Default) = "C:\WINDOWS\system32\hpDE9A.tmp" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band" -> {HKLM...CLSID} = "History Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\SharedTaskScheduler\ INFECTION WARNING! "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}" = "USB Ware" -> {HKCU...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\stickrep.dll" [file not found] INFECTION WARNING! "{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}" = "XenaDot Software" -> {HKCU...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\xenadot.dll" [file not found] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ INFECTION WARNING! "AppInit_DLLs" = " C:\WINDOWS\system32\mmc.dll" [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] INFECTION WARNING! pdhwqjbq\DLLName = "pdhwqjbq.dll" [null data] INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS] INFECTION WARNING! winc\DLLName = "C:\WINDOWS\Drivers\ATHERO~1\winc.dll" [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandler s\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\aaa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssflwbox.scr" [MS] Startup items in "Blake" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Charter High-Speed Security Suite" -> shortcut to: "C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe -startup" ["BackWeb Technologies Inc. "] Enabled Scheduled Tasks: ------------------------ "Disk Cleanup" -> launches: "C:\WINDOWS\system32\cleanmgr.exe" [MS] "Registration reminder 1" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:1" [MS] "Scheduled scanning task" -> launches: "C:\PROGRA~1\CHARTE~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\CHARTE~1\ANTI-V~1\report.txt " ["F-Secure Corporation"] "Windows Update" -> launches: "C:\WINDOWS\system32\wupdmgr.exe" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: winsflt.dll [empty string], 01 - 05, 23 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 22 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."] "{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}" -> {HKLM...CLSID} = "SecurityToolbar" \InProcServer32\(Default) = "C:\Program Files\Security Toolbar\Security Toolbar.dll" [null data] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."] "{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}" = (no title provided) -> {HKLM...CLSID} = "SecurityToolbar" \InProcServer32\(Default) = "C:\Program Files\Security Toolbar\Security Toolbar.dll" [null data] Explorer Bars Dormant Explorer Bars in "View, Explorer Bar" menu HKLM\Software\Classes\CLSID\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}\(Default) = "SecurityToolbar" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\Program Files\Security Toolbar\Security Toolbar.dll" [null data] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://www.savewealth.com Missing lines (compared with English-language version): [Strings]: 1 line HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ "{1209315D-DDB5-F61A-90A1-F18AD1A2FBE9}" = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\fxo.dll" [file not found] "{658C2066-9489-BA79-A149-EF2B5BC883E1}" = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\oycitfsv.dll" [null data] HOSTS file ---------- C:\WINDOWS\System32\drivers\etc\HOSTS maps: 2 domain names to IP addresses, 1 of the IP addresses is *not* localhost! Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] Charter High-Speed Security Suite, BackWeb Plug-in - 3528733, "C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERV IC~1.EXE" ["BackWeb Technologies Inc. "] F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"] F-Secure HTTP Server, fshttps, ""C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe"" ["F-Secure Corporation"] F-Secure Management Agent, FSMA, ""C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE"" ["F-Secure Corporation"] FSBWSYS, FSBWSYS, ""C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe"" ["F-Secure Corp."] FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"] VAIO Entertainment File Import Service, VAIO Entertainment File Import Service, "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe" ["Sony Corporation"] VAIO Media Integrated Server, VAIOMediaPlatform-IntegratedServer-AppServer, "C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe" ["Sony Corporation"] VAIO Media Integrated Server (HTTP), VAIOMediaPlatform-IntegratedServer-HTTP, ""C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP"" ["Sony Corporation"] VAIO Media Integrated Server (UPnP), VAIOMediaPlatform-IntegratedServer-UPnP, "C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe" ["Sony Corporation"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monito rs\ hpzsnt09\Driver = "hpzsnt09.dll" ["HP"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 73 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 19 seconds. ---------- (total run time: 130 seconds)
|
|
#8
July 10th, 2006, 02:34 AM
|
||||
|
||||
|
Ok, it is Vundo (and Conhook) but it looks as though we will have to get rid of these files manually.
I need some information first. go to Start > Run and type: cmd.exe and ok. Copy and paste the below string after the prompt > and hit Enter. dir /s /a "c:\pdhwqjbq*.*" > c:\find.txt & start notepad c:\find.txt Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread. Now do the same for the below strings and copy and paste that information here too. dir /s /a "c:\winc*.*" > c:\find1.txt & start notepad c:\find1.txt dir /s /a "c:\cniw*.*" > c:\find2.txt & start notepad c:\find2.txt
|
|
#9
July 10th, 2006, 03:43 AM
|
|||
|
|||
|
Here is the first:
Volume in drive C has no label. Volume Serial Number is 9846-EBFB Directory of c:\WINDOWS\system32 06/20/2006 11:20 PM 312,852 pdhwqjbq.dll 1 File(s) 312,852 bytes Total Files Listed: 1 File(s) 312,852 bytes 0 Dir(s) 37,198,831,616 bytes free Here is the 2nd: Volume in drive C has no label. Volume Serial Number is 9846-EBFB Directory of c:\Program Files\InterVideo\Common\Bin 06/24/2004 02:38 PM 114,688 WinCinemaMgr.exe 1 File(s) 114,688 bytes Directory of c:\Program Files\Mozilla Firefox\res 09/15/2005 07:26 PM 1,223 wincharset.properties 1 File(s) 1,223 bytes Directory of c:\WINDOWS\Drivers\Atheros Wireless LAN 08/31/2005 10:48 AM 516,116 winc.dll 1 File(s) 516,116 bytes Directory of c:\WINDOWS\Help\MUI\040C 08/23/2001 06:47 PM 18,336 winchat.chm 08/23/2001 06:47 PM 12,541 winchat.hlp 2 File(s) 30,877 bytes Directory of c:\WINDOWS\Help\MUI\0416 09/06/2001 01:40 AM 18,901 winchat.chm 09/06/2001 01:40 AM 12,434 winchat.hlp 2 File(s) 31,335 bytes Directory of c:\WINDOWS\Help\MUI\0C0A 08/21/2001 03:26 PM 16,966 winchat.chm 08/21/2001 03:26 PM 8,269 winchat.hlp 2 File(s) 25,235 bytes Directory of c:\WINDOWS\I386 08/04/2004 08:00 AM 10,262 WINCHAT.CH_ 08/04/2004 08:00 AM 15,622 WINCHAT.EX_ 08/04/2004 08:00 AM 2,060 WINCHAT.HL_ 3 File(s) 27,944 bytes Directory of c:\WINDOWS\mui\FALLBACK\040C 08/23/2001 09:56 PM 8,192 winchat.exe.mui 1 File(s) 8,192 bytes Directory of c:\WINDOWS\mui\FALLBACK\0416 09/06/2001 03:42 AM 8,192 winchat.exe.mui 1 File(s) 8,192 bytes Directory of c:\WINDOWS\mui\FALLBACK\0C0A 08/23/2001 02:23 AM 7,680 winchat.exe.mui 1 File(s) 7,680 bytes Directory of c:\WINDOWS\system32\dllcache 08/04/2004 08:00 AM 35,328 winchat.exe 1 File(s) 35,328 bytes Directory of c:\WINDOWS\system32\oobe 07/17/2003 12:46 PM 49,152 winchip.dll 1 File(s) 49,152 bytes Total Files Listed: 17 File(s) 855,962 bytes 0 Dir(s) 37,198,827,520 bytes free And here is the last one: Volume in drive C has no label. Volume Serial Number is 9846-EBFB Directory of c:\WINDOWS\Drivers\Atheros Wireless LAN 06/29/2006 06:24 PM 841,231 cniw.bak1 07/09/2006 11:19 AM 841,260 cniw.bak2 11/29/2005 05:54 PM 538,824 cniw.ini 07/09/2006 10:37 PM 841,406 cniw.ini2 11/29/2005 05:54 PM 538,824 cniw.tmp 5 File(s) 3,601,545 bytes Total Files Listed: 5 File(s) 3,601,545 bytes 0 Dir(s) 37,198,827,520 bytes free
|
|
#10
July 10th, 2006, 05:31 AM
|
||||
|
||||
|
Close Internet Explorer and any open windows and run Hijack This again. Check the below entries and click on Fix Checked but do not reboot.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.esearch2005.com/sp2.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savewealth.com R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch2005.com/sp2.php R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.savewealth.com/support/ie6/welcome.html R3 - URLSearchHook: (no name) - {1209315D-DDB5-F61A-90A1-F18AD1A2FBE9} - C:\WINDOWS\system32\fxo.dll (file missing) R3 - URLSearchHook: (no name) - {658C2066-9489-BA79-A149-EF2B5BC883E1} - C:\WINDOWS\system32\oycitfsv.dll R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O1 - Hosts: 202.67.220.232 win.mail.ru (did you put this entry in your hosts file? If not, please check to fix it) O2 - BHO: (no name) - {0C11AF95-E852-4F49-8D04-89D6D921511c} - C:\WINDOWS\system32\hlupestn.dll O2 - BHO: (no name) - {658C2066-9489-BA79-A149-EF2B5BC883E1} - C:\WINDOWS\system32\oycitfsv.dll O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Drivers\ATHERO~1\winc.dll O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpDE9A.tmp (file missing) O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll O4 - HKLM\..\Run: [Microsoft Windowsx DLL Services Configuration] windir32.exe O4 - HKLM\..\RunServices: [Microsoft Windowsx DLL Services Configuration] windir32.exe O4 - HKCU\..\Run: [Rlir] C:\WINDOWS\system32\PLORER~1.EXE O4 - HKCU\..\Run: [Microsoft Windowsx DLL Services Configuration] windir32.exe O4 - HKCU\..\Run: [strtas] lo31.exe O4 - HKCU\..\Run: [Sabt] "C:\PROGRA~1\COMMON~1\FNTS~1\lsass.exe" -vt ndrv O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA O18 - Filter: text/html - (no CLSID) - (no file) O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll O20 - Winlogon Notify: pdhwqjbq - C:\WINDOWS\SYSTEM32\pdhwqjbq.dll O20 - Winlogon Notify: winc - C:\WINDOWS\Drivers\ATHERO~1\winc.dll Download The Avenger from here http://swandog46.geekstogo.com/avenger.zip to your Desktop and unzip it. Copy all the text contained in the code box below by highlighting it and right clicking and selecting "Copy" Code:
Files to delete: C:\WINDOWS\system32\pdhwqjbq.dll C:\WINDOWS\Drivers\Atheros Wireless LAN\winc.dll C:\WINDOWS\Drivers\Atheros Wireless LAN\cniw.bak1 C:\WINDOWS\Drivers\Atheros Wireless LAN\cniw.bak2 C:\WINDOWS\Drivers\Atheros Wireless LAN\cniw.ini C:\WINDOWS\Drivers\Atheros Wireless LAN\cniw.ini2 C:\WINDOWS\Drivers\Atheros Wireless LAN\cniw.tmp C:\WINDOWS\system32\mmc.dll The Avenger will restart your computer. (if the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.) When you have rebooted, a black command window briefly opens on your desktop, this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip. Once your computer has rebooted, please post back the contents of C:\avenger.txt, a new Hijack This log, a new Silent Runners log. There may be still some junk to cleanout.
|
|
#11
July 10th, 2006, 06:11 PM
|
|||
|
|||
|
Everything seemed to go as planned with a couple of exceptions... When fixing the files in Hijackthis I recieved an error which read:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll) Error #5 - Invalid procedure call or argument Please email me at merijn@spywareinfo.com, reporting the following: * What you were trying to fix when the error occurred, if applicable * How you can reproduce the error * A complete HijackThis scan log, if possible Windows version: Windows NT 5.01.2600 MSIE version: 6.0.2900.2180 HijackThis version: 1.99.1 This message has been copied to your clipboard. Click OK to continue the rest of the scan. And then when windows rebooted and the black command window was brought up it kept saying that several files were missing and then it closed and then another message came up which said: Cannot open C:\avenger.txt the file could not be found. But anyways here is my Hijackthis and Silent Runners logs: Logfile of HijackThis v1.99.1 Scan saved at 1:11:21 PM, on 7/10/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVI C~1.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe C:\Program Files\Sony\VAIO Power Management\SPMgr.exe C:\Program Files\Sony\HotKey Utility\HKserv.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe C:\WINDOWS\NCLAUNCH.EXe C:\WINDOWS\system32\PLORER~1.EXE C:\Program Files\Sony\HotKey Utility\HKWnd.exe C:\Program Files\Apoint\Apvfb.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HijackThis.exe O1 - Hosts: 202.67.220.232 win.mail.ru O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Drivers\ATHERO~1\winc.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" O4 - HKCU\..\Run: [AKiller] "C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe" O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe O4 - HKCU\..\Run: [Rlir] C:\WINDOWS\system32\PLORER~1.EXE O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} - http://www.mathxl.com/applets/PearsonInstallAsst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC8BE28-A132-4E85-AD31-5777FB2C8317}: NameServer = 24.197.96.16,24.197.96.15 O20 - AppInit_DLLs: mmc.dll O20 - Winlogon Notify: pdhwqjbq - C:\WINDOWS\SYSTEM32\pdhwqjbq.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winc - C:\WINDOWS\Drivers\ATHERO~1\winc.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVI C~1.EXE O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHar dwareResourceManager.exe O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing) O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing) O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing) O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing) O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
|
|
#12
July 10th, 2006, 06:13 PM
|
|||
|
|||
|
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "AKiller" = ""C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe"" [empty string] "NCLaunch" = "C:\WINDOWS\NCLAUNCH.EXe" ["Northcode Inc."] "Rlir" = "C:\WINDOWS\system32\PLORER~1.EXE" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\Run\ {++} "wininet.dll" = "dfrgsrv.exe" [file not found] "dcomcfg.exe" = "dcomcfg.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "Mouse Suite 98 Daemon" = "ICO.EXE" [file not found] "SonyPowerCfg" = "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" ["Sony Corporation"] "HKSERV.EXE" = "C:\Program Files\Sony\HotKey Utility\HKserv.exe" ["Sony Corporation"] "VAIO Recovery" = "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" ["Sony Electronics Inc"] "REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."] "Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."] "HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"] "F-Secure Manager" = ""C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash" ["F-Secure Corporation"] "F-Secure TNB" = ""C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"] "F-Secure Startup Wizard" = ""C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"] "News Service" = ""C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"" ["F-Secure Corporation"] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express" \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS] {8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS] {94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider" \StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallP rovider" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\ {827DC836-DD9F-4A68-A602-5812EB50A834}\(Default) = (no title provided) -> {HKLM...CLSID} = "MSEvents Object" \InProcServer32\(Default) = "C:\WINDOWS\Drivers\ATHERO~1\winc.dll" [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band" -> {HKLM...CLSID} = "History Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\SharedTaskScheduler\ INFECTION WARNING! "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}" = "USB Ware" -> {HKCU...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\stickrep.dll" [file not found] INFECTION WARNING! "{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}" = "XenaDot Software" -> {HKCU...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\xenadot.dll" [file not found] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ INFECTION WARNING! "AppInit_DLLs" = " mmc.dll" [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] INFECTION WARNING! pdhwqjbq\DLLName = "pdhwqjbq.dll" [null data] INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS] INFECTION WARNING! winc\DLLName = "C:\WINDOWS\Drivers\ATHERO~1\winc.dll" [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandler s\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\aaa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssflwbox.scr" [MS] Startup items in "Blake" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Charter High-Speed Security Suite" -> shortcut to: "C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe -startup" ["BackWeb Technologies Inc. "] Enabled Scheduled Tasks: ------------------------ "Disk Cleanup" -> launches: "C:\WINDOWS\system32\cleanmgr.exe" [MS] "Registration reminder 1" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:1" [MS] "Scheduled scanning task" -> launches: "C:\PROGRA~1\CHARTE~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\CHARTE~1\ANTI-V~1\report.txt " ["F-Secure Corporation"] "Windows Update" -> launches: "C:\WINDOWS\system32\wupdmgr.exe" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: winsflt.dll [empty string], 01 - 05, 23 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 22 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."] "{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}" -> {HKLM...CLSID} = "SecurityToolbar" \InProcServer32\(Default) = "C:\Program Files\Security Toolbar\Security Toolbar.dll" [null data] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://www.savewealth.com Missing lines (compared with English-language version): [Strings]: 1 line HOSTS file ---------- C:\WINDOWS\System32\drivers\etc\HOSTS maps: 2 domain names to IP addresses, 1 of the IP addresses is *not* localhost! Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] Charter High-Speed Security Suite, BackWeb Plug-in - 3528733, "C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERV IC~1.EXE" ["BackWeb Technologies Inc. "] F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"] F-Secure HTTP Server, fshttps, ""C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe"" ["F-Secure Corporation"] F-Secure Management Agent, FSMA, ""C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE"" ["F-Secure Corporation"] FSBWSYS, FSBWSYS, ""C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe"" ["F-Secure Corp."] FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"] VAIO Entertainment File Import Service, VAIO Entertainment File Import Service, "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe" ["Sony Corporation"] VAIO Media Integrated Server, VAIOMediaPlatform-IntegratedServer-AppServer, "C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe" ["Sony Corporation"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monito rs\ hpzsnt09\Driver = "hpzsnt09.dll" ["HP"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 22 seconds, including 4 seconds for message boxes)
|
|
#13
July 11th, 2006, 12:37 AM
|
||||
|
||||
|
Ok, we will try an Ewido scan and see what it can remove.
Download the trial version of Ewido Security Suite from here to your Desktop and doubleclick on the executable to install it. Launch Ewido (there should be an icon on your desktop doubleclick it). The program will now go to the main screen. You will need to update ewido to the latest definition files. On the left hand side of the main screen click update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update ewido. ewido manual updates http://www.ewido.net/en/download/updates/. Do not run a scan yet. When you have done this, boot into Safe Mode (see here for help if you need it), Run Ewido now. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions. When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop and close Ewido. Reboot and post a new Hijack This log, a new Silent Runners log and your Ewido report.
|
|
#14
July 11th, 2006, 04:16 AM
|
|||
|
|||
|
OK, I think that fixed most of the errors but i dont think it got rid of the crypt.o trojan because it is still being detected be Ewido, but here is the logs:
Logfile of HijackThis v1.99.1 Scan saved at 11:15:20 PM, on 7/10/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVI C~1.EXE C:\Documents and Settings\aaa\Desktop\ewido anti-spyware 4.0\guard.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Sony\VAIO Power Management\SPMgr.exe C:\Program Files\Sony\HotKey Utility\HKserv.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe C:\Documents and Settings\aaa\Desktop\ewido anti-spyware 4.0\ewido.exe C:\Program Files\Sony\HotKey Utility\HKWnd.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe C:\Program Files\Apoint\Apvfb.exe C:\WINDOWS\NCLAUNCH.EXe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\system32\PLORER~1.EXE C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HijackThis.exe O1 - Hosts: 202.67.220.232 win.mail.ru O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Drivers\ATHERO~1\winc.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\aaa\Desktop\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKCU\..\Run: [AKiller] "C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe" O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe O4 - HKCU\..\Run: [Rlir] C:\WINDOWS\system32\PLORER~1.EXE O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} - http://www.mathxl.com/applets/PearsonInstallAsst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC8BE28-A132-4E85-AD31-5777FB2C8317}: NameServer = 24.197.96.16,24.197.96.15 O20 - AppInit_DLLs: mmc.dll O20 - Winlogon Notify: pdhwqjbq - C:\WINDOWS\SYSTEM32\pdhwqjbq.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winc - C:\WINDOWS\Drivers\ATHERO~1\winc.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVI C~1.EXE O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\aaa\Desktop\ewido anti-spyware 4.0\guard.exe O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHar dwareResourceManager.exe O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing) O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing) O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing) O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing) O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
|
|
#15
July 11th, 2006, 04:18 AM
|
|||
|
|||
|
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "AKiller" = ""C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe"" [empty string] "NCLaunch" = "C:\WINDOWS\NCLAUNCH.EXe" ["Northcode Inc."] "Rlir" = "C:\WINDOWS\system32\PLORER~1.EXE" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\Run\ {++} "wininet.dll" = "dfrgsrv.exe" [file not found] "dcomcfg.exe" = "dcomcfg.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "Mouse Suite 98 Daemon" = "ICO.EXE" [file not found] "SonyPowerCfg" = "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" ["Sony Corporation"] "HKSERV.EXE" = "C:\Program Files\Sony\HotKey Utility\HKserv.exe" ["Sony Corporation"] "VAIO Recovery" = "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" ["Sony Electronics Inc"] "REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."] "Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."] "HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"] "F-Secure Manager" = ""C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash" ["F-Secure Corporation"] "F-Secure TNB" = ""C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"] "F-Secure Startup Wizard" = ""C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"] "News Service" = ""C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"" ["F-Secure Corporation"] "!ewido" = ""C:\Documents and Settings\aaa\Desktop\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express" \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS] {8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS] {94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider" \StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallP rovider" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\ {827DC836-DD9F-4A68-A602-5812EB50A834}\(Default) = (no title provided) -> {HKLM...CLSID} = "MSEvents Object" \InProcServer32\(Default) = "C:\WINDOWS\Drivers\ATHERO~1\winc.dll" [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band" -> {HKLM...CLSID} = "History Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\ INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\Documents and Settings\aaa\Desktop\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ INFECTION WARNING! "AppInit_DLLs" = " mmc.dll" [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] INFECTION WARNING! pdhwqjbq\DLLName = "pdhwqjbq.dll" [null data] INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS] INFECTION WARNING! winc\DLLName = "C:\WINDOWS\Drivers\ATHERO~1\winc.dll" [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandler s\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandler s\ ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Documents and Settings\aaa\Desktop\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."] HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\ ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Documents and Settings\aaa\Desktop\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\aaa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssflwbox.scr" [MS] Startup items in "Blake" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Charter High-Speed Security Suite" -> shortcut to: "C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe -startup" ["BackWeb Technologies Inc. "] Enabled Scheduled Tasks: ------------------------ "Disk Cleanup" -> launches: "C:\WINDOWS\system32\cleanmgr.exe" [MS] "Registration reminder 1" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:1" [MS] "Scheduled scanning task" -> launches: "C:\PROGRA~1\CHARTE~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\CHARTE~1\ANTI-V~1\report.txt " ["F-Secure Corporation"] "Windows Update" -> launches: "C:\WINDOWS\system32\wupdmgr.exe" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: winsflt.dll [empty string], 01 - 05, 23 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 22 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."] HOSTS file ---------- C:\WINDOWS\System32\drivers\etc\HOSTS maps: 2 domain names to IP addresses, 1 of the IP addresses is *not* localhost! Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] Charter High-Speed Security Suite, BackWeb Plug-in - 3528733, "C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERV IC~1.EXE" ["BackWeb Technologies Inc. "] ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Documents and Settings\aaa\Desktop\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."] F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"] F-Secure HTTP Server, fshttps, ""C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe"" ["F-Secure Corporation"] F-Secure Management Agent, FSMA, ""C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE"" ["F-Secure Corporation"] FSBWSYS, FSBWSYS, ""C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe"" ["F-Secure Corp."] FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"] VAIO Entertainment File Import Service, VAIO Entertainment File Import Service, "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe" ["Sony Corporation"] VAIO Media Integrated Server, VAIOMediaPlatform-IntegratedServer-AppServer, "C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe" ["Sony Corporation"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monito rs\ hpzsnt09\Driver = "hpzsnt09.dll" ["HP"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 31 seconds, including 4 seconds for message boxes)
|
|
| Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
Similar Topics
|
||||
| Topic | Topic Starter | Forum | Replies | Last Post |
| win32- startpage and win32:crypt-bkk | acsdeb | Malware Removal | 74 | January 23rd, 2010 02:05 AM |
| Trojan Horse Crypt.Fky | Rudy | Malware Removal | 25 | August 1st, 2009 05:36 AM |
| trojan.win32.crypt.o | 05taco | Malware Removal | 5 | September 27th, 2005 11:18 PM |
| trojan.win32.crypt.o | antihero | Malware Removal | 7 | September 25th, 2005 10:12 PM |
| Evil trojan, win32.crypt.o | TifaLockheart | Malware Removal | 19 | September 25th, 2005 07:02 PM |
All times are GMT +1. The time now is 12:32 AM.